ML061280478
| ML061280478 | |
| Person / Time | |
|---|---|
| Site: | Peach Bottom  |
| Issue date: | 04/24/2006 |
| From: | Exelon Nuclear |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| Download: ML061280478 (692) | |
Text
{{#Wiki_filter:PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B TABLE OF CONTENTS page(s) I ................... Rev 28 page(s) I - III (Inclusive)............................................................................................. Rev 3 B 2.0 SAFETY LIMITS (SLs) page(s) 2.0-1 .......... Rev 48 2.0-3 .......... Rev 48 2.0-4 .......... Rev 48 2.0-6 .......... Rev 48 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY page(s) 3.0-5.. Rev 53 3.0-5a .Rev 53 30-6 .Rev 53 3.0-12 .Rev 6 3.0-13. Rev 1 3.0-14 .Rev 53 3.0-15 .Rev 53 B 3.1 REACTIVITY CONTROL SYSTEMS page(s) 3.1-14 .Rev 50 3.1 18 (inclusive) .Rev 2 3.1-23. Rev 50 3.1 28 (inclusive) .Rev 9 3.1-29. Rev 50 3.1 33 (inclusive) .Rev 2 B 3.2 POWER DISTRIBUTION LIMITS page(s) 3.2 5 (inclusive) .Rev 50 3.2-7 .Rev 48 3.2-8 .Rev 17 3.2 11 (inclusive) .Rev 48 3.2-12 .Rev 50 3.2-12a .Rev 50 3.2-13 .Rev 48 B 3.3 INSTRUMENTATION page(s) 3.3 6 (Inclusive) .Rev 17 3.3-7 .Rev 55 3.3-8 .Rev 51 3.3-9 .Rev 51 3.3-10 .Rev 30 3.3-11 .Rev 30 3.3-12 .Re v 51 3.3-12a .Re. 51 3.3-12b .Rev 51 3.3 19 (inclusive) .Res 45 3.3-23 .Re, 30 3.3-24 .Rei 51 3.3-25. Rev 51 PBAPS UNIT 3 I Revision Nc. 57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.3 INSTRUMENTATION (continued) page(s) 3.3-26 ................. Rev 30 3.3-27. ................. Re 55 3.3-27a ................. Reif 55 3.3-28 .... Rev, 30 3.3-29 ... Rev,50 3.3-30..................Rev 30 3.3-31 ................. Re' 30 3.3-31 3Rev
. ................ 51 3.3-33 ................. Re' 51 3.3-34 ................. Rev 51 3.3-35 ................. Rev 51 3.3-36 ................. Re' 55 3.3-36a ................. Rev 51 3.3 45 (inclusive)................................................................................. Rev 17 3.3-46 ................. Re' 30 3.3-47 ................. Re 31 3.3 52 (inclusive) ................. Rev 3 3.3 56 (inclusive) ............. .... Re'i 30 3.3-57 .................. Rev 3 3.3-58 ................. Rev 30 3.3-59 ................. Rev 3 3.3-60 ................. Re' 45 3.3-61 ................. Rev 50 3.3 67 (inclusive) ................. Rev 3 3.3-6 3 . ................ Rev 7 3.3-69 ................. Rev 3 3.3-70 ................. Rev 3 3.3-71 ................. Rev 56 3.3-72 ................. Rev 53 3.3-73 ................. Reav 3 3.3-74 ................. Rev 3 3.3-75 ................. Re' 56 3.3-76 ................. Re', 56 3.3-77 ................. Rev 3 3.3-78 ................. Rev 3 3.3-79 ................. Rev 53 3.3 92 (Inclusive).................................................................................. Rev 3 3.3-92a .Res 28 3.3-92b .Rev 50 3.3-92c .Re, 50 3.3-92d - 92e (inclusive) .Rev 45 3.3-92f .Rev 28 3.3-92g .Re' 45 3.3-92h .Re, 28 3.3-921. Rev 45 3.3-92J. Rev 28 3.3 98 (Inclusive) .Rev 3 3.3-99 ... : Rev 23 3.3-100 - 149 (Inclusive) .. . Rev 3 3.3-150 ... Rei 49 PBAPS IJNIT 3 11 Revision Nc. 57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.3 INSTRUMENTATION (continued) page(s) 3.3-151 ................. Rev 3 3.3-152 .... Revr22 3.3-153 - 155 (inclusIve).Rolv 3 3.3-156 ................. Rev 34 3.3-157 - 162 (inclusive) ................. Riov 3 3.3-163 ................. Rei 46 3.3-164 ................. Rwv 3 3.3-165 .................. Rw!v 3 3.3-166.. Rev 3 3.3-1.67 .. ........ R......... Re 22 3.3-1687- 186 (inclusive)................. Rev 3 3.3-187 ................. Rev 5 3.3-188 - 190 (inclusive) ................. Re'v 32 3.3-191 - 198 (inclusive) ................. Rev 5 3.3-199 - 205 (Inclusive) ................. Rev 3 B 3.4 REACTOR COOLANT SYSTEM (RCS) page(s) 3.43 .. Re,/ 51 3.4-4 .. Rev 51 3.4-5 .. Rev 51 3.4-6 .. Rev 51 3.4-7 .. Re'v 51 3.4-8 .. Rev 51 3.4-9 .. Rev 51 3.4-10 .. Rev 51 3.4-18 .. Rev 25 3.4-27 .. Rev 53 3.4-31 .. Rev 53 3.4-35 .. Rev 53 3.4-39 .. Rev 1 3.4-52 .. Rev 50 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM page(s) 3.5-6.3................ ... Re, 53 3.5-10 ... Rev 57 3.5 15 (inclusive) .. . Rev 2 3.5-16 ... Re-v 25 3.5-17 ... Reifr52 3.5-26 ... Rev 53 3.5-27 ... Rev 57 3.5-28 ... Rev 43 B 3.6 CONTAINMENT SYSTEMS page(s) 3-6.7.............:.. Rev 27 3.6-2 .Rev 21 3.6-3. Rev 6 3.6 5 (Inclusive) .Rev 24 3.6-7 .Rev 53 3.6 12 (inclusive) .Rev 6 3.6-13 .Rev 21 3.6 18 (inclusive) .Rev 2 PBAPS UNIT 3 iii Revision No. 57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.6 CONTAINMENT SYSTEMS (continued) page(s) 3.6-27 ............... Rev 2 3.6-28 ............... Rev 37 3.6-29 ............... Rev 24 3.6-30 ............... Rev 16 3.6-31 ............... Rev 20 3.6-33 ............... Rev 21 3.6-43 ............... Rev 44 3.6-47 ............... Rev 44 3.6 51 (inclusive) ............... Rev 17 3.6-58 ................ Rev I 3.6 66 (inclusive) ............... Rev 38 3.6-69 ............... Rev 38 3.6 77 (inclusive) ............... Rev 26 3.6-90 ............... Rev 1 B 3.7 PLANT SYSTEMS page(s) 3.7-1 .. Rev 19 3.7-6 .. Rev 4 3.7-7 .. Rev 11 3.7-8 .. Rev 57 3.7-8a .. Rev 35 3.7-9 .. Rev 57 3.7-12 .. Rev 2 3.7-13 .. Rev 1 3.7-15 .. Rev 36 3.7-21 ..... Rev 22 3.7-26 .. Rev 50 3.7-27 .. Rev 50 3.7-29 .. Rev 33 B 3.8 ELECTRICAL POWER SYSTEMS page(s) 3.8 3 (inclusive) ............... Rev 35 3.8-5 ............... Revs 3.8-6 ............... Rev 53 3.8-7 ............... Rev5 3.8-8 ............... Rev5 3.8-9 ............... Rev 39 3.8 11 (Inclusive) ............... Rev 5 3.8-12 ................ Rev 1 3.8 23 (inclusive) ............... Rev 34 3.8 30 (Inclusive) ............... Rev 1 3.8-31 ............... Rev 54 3.8 37 (inclusive) ............... Rev 10 3.8-42 ............... Rev 35 3.8 47 (inclusive) ............... Rev 18 3.8-55 ............... Rev 38 PBAPS UNIT 3 iv Revision No. 57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.9 REFUELING OPERATIONS page(s) 3.9-1 .. . Rev 29 3.9-3 ... Rev 29 3.9-8 ... Rev 17 3.9-10 ... Rev 17 3.9-14 ... Rev 17 3.9-15 ... Rev2 B 3.10 SPECIAL OPERATIONS page(s) 3.10-1 .. . Rev 1 3.10-5 ... Rev 17 3.10-31 ... Rev 17 3.10-32 ... Rev 30 3.10-35 ... Rev 30 3.10-36 ... Rev 2 All remaining pages are Rev 0 dated 1/18196. PBAPS UNIT 3 v NRevision No. 57
TABLE OF CONTENTS B 2.0 SAFETY LIMITS (SLs) ................ B 2.0-1 B 2.1.1 Reactor Core SLs . . . . . . . . . . . . . . B 2.0-1 B 2. 1.2 Reactor Coolant System (RCS) Pressure SL B 2.0-7 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY . . . B 3.0-1 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY . . . . . . . B 3.0-10 B 3.1 REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . B 3.1-1 B.3.1.1 SHUTDOWN MARGIN (SDM) . . . . . . . . . . . . . . B 3.1-1 B 3.1.;2 Reactivity Anomalies . . . . . . . . . . . . . . . B 3.1-8 B 3.1.:3 Control Rod OPERABILITY . . . . . . . . . . . . . B 3.1-13 B 3.1.4 Control Rod Scram Times . . . . . . . . . . . . . B 3.1-22 B 3.1.5 Control Rod Scram Accumulators . . . . . . . . . . B 3.1-29 B 3.1.13 Rod Pattern Control . . . . . . . . . . . . . . . B 3.1-34 B 3.1.7 Standby Liquid Control (SLC) System . . . . . . . B 3.1-39 B 3.1.13 Scram Discharge Volume (SDV) Vent and Drain Valves B 3.1-48 B 3.2 POWER DISTRIBUTION LIMITS . . . . . . . . . . . . . . B 3.2-1 B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) . . . . . . . ... . . . . . . . . . . B 3.2-1 B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR) . . . . . . . B 3.2-6 B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR) . . . . . . . B 3.2-11 B 3.3 INSTRUMENTATION . . . . . . .. B 3.3-1 B 3.3.1.1 Reactor Protection System (RPS) Instrumentation 3.3-1 04 B 3.3.1.2 B 3.3.2;.1 Wide Range Neutron Monitor (WRNM) Instrumentation Control Rod Block Instrumentation . . . . . . . . 3.3-37 3.3-46 B 3.3.2;.2 Feedwater and Main Turbine High Water Level Trip Instrumentation . . . . . . . . . . . . . . . . B 3.3-59 B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation . . 3.3-66 B 3.3.3.2 Remote Shutdown System . . . . . . . . . . . . . . 3.3-77 B 3.3.i.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation . . . . . B 3.3-84 B 3.3. 4.2 End of Cycle Recirculation Pump Trip I B 3.3.5.1 (EOC-RPT) Instrumentation . . . B 3.3-92a thru Emergency Core Cooling System (ECCS) B 3.3-92j Instrumentation . . . . . . . . . . . . . . . . B 3.3-93 B 3.3.5..2 Reactor Core Isolation Cooling (RCIC) System Instrumentation . . . . B 3.3-131 B 3.3. 6.1 Primary Containment Isolation Instrumentation. B 3.3-142 B 3.3. 6.2 Secondary Containment Isolation Instrumentation B 3.3-169 B 3.3.7. 1 Main Control Room Emergency Ventilation (MCREV) System Instrumentation . . . . . . . . . . . . B 3.3-180 B 3.3.8.1 Loss of Power (LOP) Instrumentation . . . . . . . B 3.3-187 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring . . . . . . . . . . . . . . . . . . B 3.3-199 (continued) PBAPS-{INIT 3 i PRevision No. 28
TABLE OF CONTENTS (continued) B 3.4 REACTOR COOLANT SYSTEM (RCS) . . . . . . . . . . . . . B 3.4-1 B 3.4.1 Recirculation Loops Operating . . . . . . . . . . B 3.4-1 B 3.4.2 Jet Pumps ....... . . ..... . B 3.4-11 B 3.4.3 Safety Relief Valves (SRVs) and Safety Valves (SVs) B 3.4-15 B3.4.4 RCS Operational LEAKAGE . . . . . . . . . . . . . B 3.4-19 B 3.4.5 RCS Leakage Detection Instrumentation . . . . . . B 3.4-24 B 3.4.6 RCS Specific Activity . . . . . . . . . . . . . . B 3.4-29 B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown . . . . . . . . . . . . . B 3.4-33 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown . . . . . . . . . . . . . B 3.4-38 B 3.4.9 RCS Pressure and Temperature (P/T) Limits . . . . B 3.4-43 B 3.4.10 Reactor Steam Dome Pressure . . . . . . . . . . . B 3.4-52 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM . . . . . . . . . . . 8 3.5-1 B 3.5.1 ECCS -Operating . . ............... . B 3.5-1 B 3.5.2 ECCS -Shutdown . . . . . . . . . . . . . . .. . . B 3.5-18 B 3.5.3 RCIC System . . . . . . . . . . . . . . .. ... . B 3.5-24 B3.6 CONTAINMENT SYSTEMS ..... . . . . . . . ..... . B 3.6-1 B3.6.1.1 Primary Containment . . . . ... . . . . . . . . . B 3.6-1 B3.6.1.2 Primary Containment Air Lock . . . . . . . . . . . B 3.6-6 B3.6.1.3 Primary Containment Isolation Valves (PCIVs) . . . B 3.6-14 B3.6.1.4 Drywell Air Temperature . . . . . . . . . . . . . B 3.6-31 B3.6.1.5 Reactor Building-to-Suppression Chamber Vacuum
. Breakers ...... .. .. . B 3.6-34 B3.6.1.6 Suppression Chamber-to-Drywell Vacuum Breakers . . B 3.6-42 B 3.6.2.1 Suppression Pool Average Temperature . . . . . . . B 3.6-48 B 3.6.2.2 Suppression Pool Water Level . . . . . . . . ... . B 3.6-53 B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling . .. . B3.6-56 8..........
B3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray B 3.6-60 B3.6.3.1 Containment Atmospheric Dilution (CAD) System 8 3.6-64 B 3.6.3.2 Primary Containment Oxygen Concentration .... B 3.6-70 B 3.6.4.1 Secondary Containment . . . . . . . . . . . . . . B 3.6-73 B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs) ... B 3.6-78 B 3.6.4.3 Standby Gas Treatment (SGT) System . ..... . . B 3.6-85 B 3.7 PLANT SYSTEMS .. .... ... B 3.7-1 B 3.7.1 High Pressure Service Water (HPSW) System . . B 3.7-1 B 3.7.2 Emergency Service Water (ESW) System and Normal Heat Sink .... . .... . B 3.7-6 B 3.7.3 Emergency Heat Sink ..... . . . .. B 3 7-11 B 3.7.4 Main Control Room Emergency Ventilation (MCREV) System . . . . . . . . . . . . . . . . . . . . B 3.7-15 B 3.7.5 Main Condenser Offgas . . . . . . . . . . . . . . B 37-22 (continued) PBAPS UNIT 3 Revision No. 3 ii
TABLE OF CONTENTS (continued) B 3.7 PLANT SYSTEMS (continued) B 3.7.6 Main Turbine Bypass System . . . . . . . . . . . . B 3.7-25 B 3.7.7 Spent Fuel Storage Pool Water Level . . . . . . . B 3.7-29 B 3.8 ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . B 3.8-1 B 3.8.1 AC Sources-Operating . . . . . . . . . . . . . . B 3.8-1 B 3.8.2 AC Sources- Shutdown . . . . . . . . . . . . . . . B 3.8-40 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air . . . B 3.8-48 B 3.8.4 DC Sources-Operating . . . . . . . . . . . . . . B 3.8-58 B 3.8.5 DC Sources-Shutdown . . . . . . . . . . . . . . . 8 3.8-72 B 3.8.6 Battery Cell Parameters . . ... . . . . . . . . . B 3.8-77 B 3.8.7 Distribution Systems -Operating . . . . . . . . . B 3.8-83 B 3.8.8 Distribution Systems -Shutdown . . . . . . . . . . B 3.8-94 B 3.9 REFUELING OPERATIONS .B 3.9-1 B 3.9.1 Refueling Equipment Interlocks . . . . . . . . . . B 3.9-1 B 3.9.2 Refuel Position One-Rod-Out Interlock . . . . . . B 3.9-5 B 3.9.3 Control Rod Position . . . . . . . . . . . . . . . B 3.9-8 B 3.9.4 Control Rod Position Indication . . B 3.9-10 B 3.9.5 Control Rod OPERABILITY -Refueling . . . . . . . . B 3.9-14 B 3.9.6 Reactor Pressure Vessel (RPV) Water Level . . . . B 3.9-17 B 3.9.7 Residual Heat Removal (RHR)- High Water Level . . B 3.9-20 B 3.9.8 Residual Heat Removal (RHR) -Low Water Level . . . B 3.9-24 B 3.10 SPECIAL OPERATIONS .B 3.10-1 B 3.10.1 Inservice Leak and Hydrostatic Testing Operation . B 3.10-1 B 3.10.2 Reactor Mode Switch Interlock Testing . . . . . . B 3.10-5 B 3.10.3 Single Control Rod Withdrawal -Hot Shutdown . B 3.10-10 B 3.10.4 Single Control Rod Withdrawal -Cold Shutdown . B 3.10-14 B 3.10.5 Single Control Rod Drive (CRD) Removal- Refueling . . . . . . . . . . . . . . B 3.10-19 B 3.10.6 Multiple Control Rod Withdrawal- Refueling . . . . B 3.10-24 B 3.10.7 Control Rod Testing-Operating . . . . . . . . . . B 3.10-27 B 3.10.8 SHUTDOWN MARGIN (SDM) Test- Refueling . . . . . . B 3.10-31 PBAPS UNIT 3 Revision No. 3 iii
Reactor Core SLs B 2.1.1 B 2.0 SAFETY LIMITS (SLs) B 2.:.1 Reactor Core SLs BASES BACKGROUND SLs ensure that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and abnormal operational transients. The fuel cladding integrity SL is set such that no fuel damage is calculated to occur if the limit is not violated. Because fuel damage is not directly observable, a stepback approach is used to establish an SL, such that the MCPR is not less than the limit specified in Specification 2.1.1.2
*for General Electric (GE) Company fuel. .MCPR greater than the specified limit represents a conservative margin relative
*to the conditions required to maintain fuel cladding integrity.
The fuel cladding is one of the physical barriers that separate the radioactive materials from the environs. The integrity of this cladding barrier is related to its relative freedom from perforations or cracking. Although some corrosion or use related cracking may occur during the life of the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses, which occur from reactor operation significantly above design conditions. While fission product migration from cladding perforation is just as measurable as that from use related cracking, the thermally caused cladding perforations signal a threshold beyond which still greater thermal stresses may cause gross, rather than incremental, cladding deterioration. Therefore, the fuel cladding SL is defined with a margin to the conditions that would produce onset of transition boiling (i.e., MCPR = 1.00). These conditions represent a significant departure from the condition intended by design for planned operation. The MCPR fuel cladding integrity SL ensures that during normal operation and during abnormal operational transients, at least 99.9% of the fuel rods in the core do not experience transition boiling. {continued) PBAPS UNIT 3 B 2.0-1 Revision No. 48
Reactor Core SLs B 2.1.1 BASES; BACKGROUND Operation above the boundary of the nucleate boiling regime (continued) could result in excessive cladding temperature because of the onset of transition boiling and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant. The reactor vessel water level SL ensures that adequate core cooling capability is maintained during all MODES of reactor operation. Establishment of Emergency Core Cooling System initiation setpoints higher than this safety limit provides margin such that the safety limit will not be reached or exceeded. APPLI CABLE The fuel cladding must not sustain damage as a result of SAFETY ANALYSES normal operation and abnormal operational transients. The reactor core SLs are established to preclude violation of the fuel design criterion that a MCPR limit is to be established, such that at least 99.9% of the fuel rods in the core would not be expected to experience the onset Df transition boiling. The Reactor Protection System setpoints (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), in combination with other LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System water level, pressure, and THERMAL POWER level that would result in reaching the MCPR limit. 2L11lA Fuel Cladding Integrity GE critical power correlations are applicable for all critical power calculations at pressures 2 785 psig and core flows 2 10% of rated flow. For operation at low pressures or low flows, another basis is used, as follows: The pressure drop in the bypass region is essentially all elevation head with a value > 4.5 psi; therefore, the core pressure drop at low power and flows will always be > 4.5 psi. At power, the static head inside (continued) PBAPS UNIT 3 B 2.0-2 Revision No. 0
Reactor Core SLs B 2.1.1 BASE; APPLICABLE 2.1.1.1 Fuel Cladding Integrity (continued) SAFETY ANALYSES the bundle is less than the static head in the bypass region because the addition of heat reduces the density of the water. At the same time, dynamic head loss in the bundle will be greater than in the bypass region because of two phase flow effects. Analyses show that this combination of effects causes bundle pressure drop to be nearly independent of bundle power when bundle flow is 28 X 103 lb/hr and bundle pressure drop is 3.5 psi. Because core pressure drop at low power and flows will always be > 4.5 psi, the bundle flow will be > 28 X 10 I lb/hr. Full scale ATLAS test data taken at pressures from 14.7 psia (O psig) to 800 psia (785 psig) indicate that the fuel assembly critical power with bundle flow at 28 X 103 lb/hr is approximately 3.35 MWt. This is. equivalent-to a THERMAL POWER > 50% RTP even when design peaking factors are considered. Therefore, a THERMAL POWER limit of 25% RTP prevents any bundle from exceeding critical power and is a conservativE limit when reactor pressure < 785 psig.' 2 1.1.2 MCPR The fuel cladding integrity SL is set such that no fuel damage is calculated to occur if the limit is not violated. Since the parameters that result in fuel damage are not directly observable during reactor operation, the thermal and hydraulic conditions that result in the onset of transition boiling have been used to mark the beginning of the region in which fuel damage could occur. Although it is recognized that the onset of transition boiling would no:: result in damage to BWR fuel rods, the critical power at which boiling transition is calculated to occur has been adopted as a convenient limit. However, the uncertainties in monitoring the core operating state and in the procedures used to calculate the critical power result in an uncertainty in the value of the critical power. Therefore, (continued) .PBAPS UNIT 3 B 2.-O- 3 Revision No. 48
Reactor Core SLs B 2.1.1 BASES APPLICABLE 2.1.1.2 MCPR (continued) SAFETY ANALYSES the fuel cladding integrity SL is defined as the critical power ratio in the limiting fuel assembly for which more than 99.9% of the fuel rods in the core are expected to avoid boiling transition, considering the power distribution within the core and all uncertainties. The MCPR SL is determined using a statistical model that combines all the uncertainties in operating parameters and the procedures used to calculate critical power. The probability of the occurrence of boiling transition is determined using the approved General Electric Critical Power correlations. Details of the fuel cladding integrity SL calculation are given in Reference 2. Reference 2 also includes a tabulation of the uncertainties used in the determination of the MCPR SL and of the nominal values of the parameters used in the MCPR SL statistical analysis. 2.1.1.3 Reactor Vessel Water Level During MODES 1 and 2 the reactor vessel water level is required to be above the top of the active fuel to provide core cooling capability. With fuel in the reactor vessel during periods when the reactor is shut down, consideration must be given to water level requirements due to the effect of decay heat. If the water level should drop below the top of the active irradiated fuel during this period, the ability to remove decay heat is reduced. This reduction in cooling capability could lead to elevated cladding temperatures and clad perforation. The core can be adequately cooled as long as water level is above 2/3 of the core height. The reactor vessel water level SL has been established at the top of the active irradiated fuel to provide a point that can be monitored and to also provide adequate margin for effective action. (continued) PBAPS UNIT 3 8 2.0-4 Revision No. 48
Reactor Core SLs B 2.1.1 BASES (continued) SAFETY LIMITS The reactor core SLs are established to protect the integrity of the fuel clad barrier to the- release of radioactive materials to the environs. SL 2.1.1.1 and SL 2.1.1.2 ensure that the core operates within the fuel design criteria. SL 2.1.1.3 ensures that the reactor vessel water level is greater than the top of the active irradiated fuel in order to prevent elevated clad temperatures and resultant clad perforations. APPLICABILITY SLs 2.1.1.1, 2.1.1.2, and 2.1.1.3 are applicable in all MODES. SAFETY LIMIT 2.2.1 VIOLATIONS If any SL is violated, the NRC Operations Center must be notified within 1 hour, in accordance with 10 CFR 50.72 (Ref. 3). 2.2.2 Exceeding an SL may cause fuel damage and create a potential for radioactive releases in excess of 10 CFR 100, 'Reactor Site Criteria,' limits (Ref. 4). Therefore, it is required to insert all insertable control rods and restore compliance with the SLs within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action and also ensures that the probability of an accident occurring during this period is minimal.. 2.2.3 If any SL is violated, the senior management of the nuclear plant and the utility shall be notified within 24 hours. The 24 hour period provides time for plant operators arid staff to take the appropriate immediate action and assess the condition of the unit before reporting to the senior management. (continued) PBAPS UNIT 3 B 2.0-5 Revision No. 0
Reactor Core SLs B 2.1.1 BASES SAFETY LIMIT VIOLATIONS (continued) If any SL is violated, a Licensee Event Report shall be prepared and submitted within 30 days to the NRC in accordance with 10 CFR 50.73 (Ref. 5). A copy of the report shall also be provided to the senior management of the nuclear plant and the utility. If any SL is violated, restart of the unit shall not commence until authorized by the NRC. This requirement ensures the NRC that all necessary reviews, analyses, and actions are completed before the unit begins its restart: to normal operation. REFERENCES 1. DELETED I
- 2. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," latest approved revision. I
- 3. 10 CFR 50.72.
- 4. 10 CFR 100.
- 5. 10 CFR 50.73.
PBAPS LNIT 3 B 2.-0-E Revision No. 48
RCS Pressure SL B 2.1.2 B 2.0 SAFETY LIMITS (SLs) B 2.1.2 Reactor Coolant System (RCS) Pressure SL BASES
- m BACKGROUND The SL on reactor steam dome pressure protects the RCS against overpressurization. In the event of fuel claddling failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. Establishing an upper limit on reactor steaum dome pressure ensures continued RCS integrity with regard to pressure excursions. Per the UFSAR (Ref. 1), the reactor coolant pressure boundary (RCPB) shall be designed with sufficient margin to ensure that the design conditions are not exceeded during normal operation and abnormal operational transients.
During normal operation and abnormal operational transients, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, in accordance with ASME Code requirements, prior to initial operation when there is no fuel in the core. Any further hydrostatic testing with fuel in the core may be done under LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation." Following inception of unit operation, RCS components shall be pressure tested in accordance with the requirements of ASME Code, Section XI (Ref. 3). Overpressurization of the RCS could result in a breach of the RCPB reducing the number of protective barriers designed to prevent radioactive releases from exceeding the limits specified in 10 CFR 100, 'Reactor Site Criteria" (Ref. 4.). If this occurred in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere. APPLICABLE The RCS safety/relief valves and the Reactor Protection SAFETY ANALYSES System Reactor Pressure-High Function have settings established to ensure that the RCS pressure SL will not be exceeded. (continued) PBAPS UNIT 3 B 2.0-7 Revision No. 0
RCS Pressure SL B 2.1.2 BASES; APPLICABLE The RCS pressure SL has been selected such that it is at a SAFETY ANALYSES pressure below which it can be shown that the integrity of (continued) the system is not endangered. The reactor pressure vessel is designated to Section III, 1965 Edition of the ASME, Boiler and Pressure Vessel Code, including Addenda through the summer of 1966 (Ref. 5), which permits a maximum pressure transient of 110%, 1375 psig, of design pressure 1250 psig. The SL of 1325 psig, as measured in the reactor steam dome, is equivalent to 1375 psig at the lowest elevation of the RCS. The RCS is designed to ASME Section III, including Addenda through the winter of 1981 (Ref. 6), for the reactor recirculation piping, which permits a maximum pressure transient of 110% of design pressures 'Of 1250 psig for suction piping and 1500 psig for discharge piping. The RCS pressure SL is selected to be the lowest transient overpressure allowed by the applicable codes. SAFETY LIMITS The maximum transient pressure allowable in the RCS pressure vessel under the ASME Code, Section III, is 110% of design pressure. The maximum transient pressure allowable in the RCS piping, valves, and fittings is 110% of design pressures of 1250 psig for suction piping and 1500 psig for discharge piping. The most limiting of these allowances is the 110% of design pressures of 1250 psig; therefore, the SL on maximum allowable RCS pressure is established at 1325 psig as measured at the reactor steam dome. APPLICABILITY SL 2.1.2 applies in all MODES. SAFETY LIMIT 2.2.1 VIOLATIONS If any SL is violated, the NRC Operations Center must be notified within 1 hour, in accordance with 10 CFR 50.72 (Ref. 7). (continued) PBAPS UNIT 3 B 2.0-8 Revision lo. 0
RCS Pressure SL B 2.1.2 BASES SAFETY LIMIT VIOLAFIONS (continued) Exceeding the RCS pressure SL may cause immediate RCS failure and create a potential for radioactive releases in excess of 10 CFR 100, "Reactor Site Criteria," limits (Ref. 4). Therefore, it is required to insert all insertable control rods and restore compliance with the SL within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action and also assures that the probability of an accident occurring during the period is minimal. 2.2.-a If any SL is violated, the senior management of the nuclear plant and the utility shall be notified within 24 hours. The 24 hour period provides time for plant operators and staff to take the appropriate immediate action and assess the condition of the unit before reporting to the senior management. 2.2.4 If any SL is violated, a Licensee Event Report shall be prepared and submitted within 30 days to the NRC in accordance with 10 CFR 50.73 (Ref. 8). A copy of the report shall also be provided to the senior management of the nuclear plant and the utility. If any SL is violated, restart of the unit shall not commence until authorized by the NRC. This requirement ensures the NRC that all necessary reviews, analyses, and actions are completed before the unit begins its restart to normal operation. REFERE1CES 1. UFSAR, Section 1.5.2.2.
- 2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000.
4continued) PBAPS UNIT 3 B 2.0-9 Revision No. 0
RCS Pressure SL B 2.1.2 BASES REFERENCES 3. ASME, Boiler and Pressure Vessel Code, Section XI, (continued) Article IW-5000.
- 4. 10 CFR 100.
- 5. ASME, Boiler and Pressure Vessel Code, Section III, 1965 Edition, including Addenda to summer of 1966.
- 6. ASME, Boiler and Pressure Vessel Code, Section III, 1980 Edition, Addenda to winter of 1981.
- 7. 10 CFR 50.72.
- 8. 10 CFR 50.73.
PBAPS UNIT 3 B 2.0-10 Revision No. 0
LCO Applicability B 3.0 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY BASES; LCOs LCO 3.0.1 through LCO 3.0.7 establish the general requirements applicable to all Specifications in Sections 3.1 through 3.10 and apply at all times, unless otherwise stated. LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification). LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered. The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:
- a. Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and
- b. Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.
There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Tinre to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the {continued) PBAPS UNIT 3 B 3.0-1 Revision No. 0
LCO Applicability B 3.0 BASES LCO 3.0.2 remedial measures that permit continued operation of the (continued) unit that is not further restricted by the Completion Time. In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation. Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications. The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Condition no longer exists. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.9, URCS Pressure and Temperature Limits.' The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems. Entering ACTIONS for these reasons must be clone in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Alternatives that would not result in redundant equipment being inoperable should be used instead. Doing so limits the time both subsystems/divisions of a safety function are inoperable and limits the time other conditions exist which result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limiit expires, if the equipment remains removed from service or bypassed. When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable and the ACTIONS Condition(s) are entered. (continued) PBAPS UNIT 3 B 3.0-2 Revision No. 0
LCO Applicability 133.0 BASES (continued) LCO :3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:
- a. An associated Required Action and Completion Time is not met and no other Condition applies; or
- b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.
This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable. Upon entering LCO 3.0.3, 1 hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times. Icontinued) PBAPS UNIT 3 B 3.0-3 Revision No. 0
LCO Applicability B 3.0 BASES LCO 3.0.3 A unit shutdown required in accordance with LCO 3.0.3 may be (continued) terminated and LCO 3.0.3 exited if any of the following occurs:
- a. The LCO is now met.
- b. A Condition exists for which the Required Actions have now been performed.
- c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable frorm the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.
The time limits of Specification 3.0.3 allow 37 hours for the unit to be in MODE 4 when a shutdown is required during MODE I operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit fror reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 4, or other applicable MOI)E, is not reduced. For example, if MODE 2 is reached in 2 hours, then the time allowed for reaching MODE 3 is the next 11 hours, because the total time for reaching MODE 3 i; not reduced from the allowable limit of 13 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed. In MODES 1, 2, and 3, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 4 and 5 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, or 3) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken. Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.7, Spent Fuel Storage Pool Water Level." LCO 3.7.7 has an Applicability of During movement of fuel assemblies (continued) PBARS UNIT 3 B 3.0-4 Revision No. 0
LCO Applicability B 3.0 BASES LCO 3.0.3 in the spent fuel storage pool." Therefore, this LCO can be (continued) applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.7 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.7 of "Suspend movement of fuel assemblies in the spent fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications. LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or otier specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4..:. LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time. Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provis ons of the Required Actions. LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate. The risk assessment may use quantitative, qualitative, (Pr blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in plce to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.182 endorses the guidance (continued) PBAPS-UNIT 3 B 3.0-5 Revision No. 53
LCO Applicability 133.0 BASES LCO 3.0.4 in Section 11 of NUMARC 93-01, "Industry Guideline for (continued) Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability. LCO 3.0.4.b may be used with single, or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components. The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented. The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular MODE bounds thne risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCOj the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk and use of the LCO 3.0.4.b allowance is prohibited. The LCOs governing these system and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable. LCO 3.0.4.c allows entry into a MODE or other specified condition in the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Actior of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically (continued) PBAPS 11NIT 3 8 3.0-5a ARevision No. 53 1
LCO Applicability B 3.0 BASES LCO 3.0.4 applied to Specifications which describe values and (continued) parameters (e.g., Reactor Coolant System specific activity), and may be applied to other Specifications based on NRC plant-specific approval. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability. The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 to MODE 4. Upon entry into a MODE or other-specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability cf the Technical Specification. Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO. LCO ;.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of SRs to demonstrate:
- a. The OPERABILITY of the equipment being returned to service; or
- b. The OPERABILITY of other equipment.
IO (continued) PBAPS UNIT 3 8 3.,0-6 Revision No. 53
LCO Applicability B 3.0 BASES LCO 3.0.5 The administrative controls ensure the time the equipment is (continued) returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the allowed SRs. This Specification does not provide time to perform any other preventive or corrective maintenance. An example of demonstrating the OPERABILITY of the equipment being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the SRs. An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of an SR on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of an SR on another channel in the same trip system. LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the plant is maintained in a safe condition are specified in the support systems' LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions. When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported (continued) PBAPS UNIT 3 B 3.0-7 Revision No. 0
LCO Applicability B 3.0 BASES LCO 3.0.6 systems' LCOs' Conditions and Required Actions are (continued) eliminated by providing all the actions that are necessary to ensure the plant is maintained in a safe condition iin the support system's Required Actions. However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry into Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with CO 3.0.2. Specification 5.5.11, NSafety Function Determination Program (SFDP),w ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6. Cross division checks to identify a loss of safety function for those support systems that support safety systems are required. The cross division check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered. LCO 3.0.7 There are certain special tests and' operations required to be performed at various times over the life of the unit. These special tests and operations are necessary-to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform {conti nued) PBAPS UNIT 3 B 3.0-8 Revision No. 0
LCO Applicability 103.0 BASES LCO :3.0.7 special evolutions. Special Operations LCOs in Section 3.10 (continued) allow specified TS requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect. The Applicability of a Special Operations LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with Special Operations LCOs is optional. A special operation may be performed either under the provisions of the appropriate Special Operations LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Special Operations LCO, the requirements of the Special Operations LCO shall be followed. When a Special Operations LCO requires another LCO to be met, only the requirements of the LCO statement are required to be met regardless of that LCO's Applicability (i.e., should the requirements of this other LCO not be met, the ACTIONS of the Special Operations LCO apply, not the ACTIONS of the other LCO). However, there are instances where the Special Operations LCO's ACTIONS may direct the other LCO's ACTIONS be met. The Surveillances of the other LCO are not required to be met, unless specified in the Special Operations LCO. If conditions exist such that the Applicability of any other LCO is met, all the other LCO's requirements (ACTIONS and SRs) are required to be met concurrent with the requirements of the Special Operations LCO. PBAPS UNIT 3 B 3.0-9 Revision No. 0
SR Applicability B 3.0 B 3.10 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications in Sections 3.1 through 3.10 and apply at all times, unless otherwise stated. SR :3.0.1 SR 3.0.1 establishes the requirement that SRs must be ;iet during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO. Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:
- a. The systems or components are known to be inoperable, although still meeting the SRs; or
- b. The requirements of the'Surveillance(s) are known to be not met between required Surveillance performances.
Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with a Special Operations LCO are only applicable when the Special Operations LCO is used as an allowable exception to the requirements of a Specification. Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status. (continued) PBAP'; UNIT 3 B 3.0-10 Revision No. 0
SR Applicability B 3.0 BASES SR 3.0.1 Upon completion of maintenance, appropriate post maintenance (continued) testing is required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed. Some examples of this process are:
- a. Control Rod Drive maintenance during refueling that requires scram testing at > 800 psi. However, if other appropriate testing is satisfactorily completed and the scram time testing of SR 3.1.4.3 is satisfied, the control rod can be considered OPERABLE. This allows startup to proceed to reach 800 psi to perform other necessary testing.
- b. High pressure coolant injection (HPCI) maintenance during shutdown that requires system functional tests at a specified pressure. Provided other appropriate testing is satisfactorily completed, startup can proceed with HPCI considered OPERABLE. This allows operation to reach the specified pressure to complete the necessary post maintenance testing.
SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a 'once per...' interval. SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).
. continued)
PBAPS UNIT 3 B 3.0-11 Revision No. 0
SR Applicability B 3.0 BASES SR 3.0.2 The 2556 extension does not significantly degrade the (continued) reliability that results from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs. The exceptions to SR 3.0.2 are those Surveillances for which the 25% extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. Therefore, when a test interval is specified in the regulations, the test interval cannot be extended by the TS, and the SR include a Note in the Frequency stating, "SR 3.0.2 is not applicable." An example of an exception when the test interval is noot specified in the regulations is the Note in the Primary Containment Leakage Rate Testing Program, "SR 3.0.2 i; not applicable." This exception is provided because the program already includes extension of test intervals. As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..." basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action wuith a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner. The provisions of SR 3.0.2 are not intended to be used repeatedly merely as an operational convenience to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified. SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable! outside the specified limits when a Surveillance has not been completed within the specified Frequency. A delay period of up to 24 hours or up to the limit of the specified (continued) PBAPS UNIT 3 B 3.0-12 Revision No. 6
SR Applicability B 3.0 BASES SR 3.0.3 Frequency, whichever is greater, applies from the point in (continued) time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met. This delay period provides adequate time to complete Surveillances that have been missed. This delay period permits the completion of a Surveillance before complying with Required Actions or other remedial measures that might preclude completion of the Surveillance. The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements. When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, t;he missed Surveillance should be performed at the first reasonable opportunity. SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used as an operational convenience to extend Surveillance intervals. While up to 24 hours or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in (continued) PBAPS UNIT 3 -B3.0O- 13 Revision No. 1
SR Applicability B 3.0 BASES SR 3.0.3 place to implement 10 CFR 50.65(a)(4) and its implementation (continued) guidance, NRC Regulatory Guide 1.182, 'Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants.' This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component. Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.
.If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.
Completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1. SR :3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability. This Specification ensures that system and component OPERABILITY requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability. A provision is included to allow entry into a MODE or other specified condition in the Applicability when an LCO is not.. met due to Surveillance not being met in accordance with LCO 3.0.4. (continued) PBAPS -UNIT 3 B 3.0-14 Revision No. 53
SR Applicability B 3.4 BASES SR 3.0.4 However, in certain circumstances, failing to meet an SR (continued) will not result in SR 3.0.4 restricting a MODE change or other specified condition change. When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing tD perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing 1MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes. SR 3.0.4 does not restrict changing MODES or other specified conditions of the Applicability when a Surveillance has not been performed within the specified Frequency, provided the requirement to declare the LCO not met has been delayed in accordance with SR 3.0.3. The provisions of SR 3.0.4 shall not prevent entry into MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from
*any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 to MODE 4.
The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO's Applicability, would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached. Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency. PBAPS UNIT 3 B 3.0-15 Revision No. 53
SDM B 3.1.1 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM) BASES BACKGROUND SDM requirements are specified to ensure:
- a. The reactor can be made subcritical from all operating conditions and transients and Design Basis Events;
- b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and
- c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality ir,the shutdown condition.
These requirements are satisfied by the control rods, as described in the UFSAR Section 1.5 (Ref. 1), which can compensate for the reactivity effects of the fuel and water temperature changes experienced during all operating conditions.- APPLICABLE The control rod drop accident (CRDA) analysis (Refs. 2 SAFETY ANALYSES and 3) assumes the core is subcritical with the highest worth control rod withdrawn. Typically, the first control rod withdrawn has a very high reactivity worth and, should the core be critical during the withdrawal of the first control rod, the consequences of a CRDA could exceed the fuel damage limits for a CRDA (see Bases for LCO 3.1.6, 'Rod Pattern Control"). Also, SDM is assumed as an initial condition for the control rod removal error during refueling (Ref. 4) and fuel assembly insertion error during refueling (Ref. 5) accidents. The analysis of these reactivity insertion events assumes the refueling interlocks are OPERABLE when the reactor is in the refueling mode of operation. These interlocks prevent the withdrawal of more than one control rod from the core during refueling. (Special consideration and requirements for multiple control rod withdrawal during refueling are covered in Special Operations LCO 3.10.6, "Multiple Control Rod Withdrawal-Refueling.") The analysis assumes this condition is acceptable since the core will be shut dovm with the highest worth control rod withdrawn, if adequate (continued) PBAPS UNIT 3 B 3.1-1 Revision No. 0
SDM B 3.1.1 BASES APPL:ICABLE SDM has been demonstrated. Prevention or mitigation of SAFETY ANALYSES reactivity insertion events is necessary to limit energy (continued) deposition in the fuel to prevent significant fuel damage, which could result in undue release of radioactivity. Adequate SDM ensures inadvertent criticalities and potential CRDAs involving high worth control rods (namely the first control rod withdrawn) will not cause significant fuel damage. SDM satisfies Criterion 2 of the NRC Policy Statement. LCO The specified SDM limit accounts for the uncertainty in the demonstration of SDM by testing. Separate SDM limits are provided for testing where the highest worth control red is determined analytically or by measurement. This is due to the reduced uncertainty in the SDM test when the highest worth control rod is determined by measurement. When SDM is demonstrated by calculations not associated with a test (e.g., to confirm SDM during the fuel loading sequence), additional margin is included to account for uncertainties in the calculation. To ensure adequate SDM during the design process, a design margin is included to account for uncertainties in the design calculations (Ref. 6). APPLICABILITY In MODES 1 and 2, SDM must be provided because subcriticality with the highest worth control rod withdrawn is assumed in the CRDA analysis (Ref. 2). In MODES 3 and 4, SDM is required to ensure the reactor will be held subcritical with margin for a single withdrawn control rod. SDM is required in MODE 5 to prevent an open vessel, inadvertent criticality during the withdrawal of a sing;le control rod from a core cell containing one or more fuel assemblies (Ref. 4) or a fuel assembly insertion error (Ref. 5). ACTIONS A.1 With SDM not within the limits of the LCO in MODE 1 or 2, SDM must be restored within 6 hours. Failure to meet the specified SDM may be caused by a control rod that cannot be inserted. The allowed Completion Time of 6 hours is (continued) PBAPS UNIT 3 B 3.1-2 Revision No. 0
-DM B 3.1.1
- BASES ACTIONS A.1 (continued) acceptable, considering that the reactor can still be shut down, assuming no failures of additional control rods to insert, and the low probability of an event occurring during this interval.
Li If the SDM cannot be restored, the plant must be brought to MODE 3 in 12 hours, to prevent the potential for further reductions in available SDM (e.g., additional stuck control rods). The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. Cal With SDM not within limits in MODE 3, the operator must immediately initiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This action results in the least reactive condition for the core. D.1. D.2. D.3. and D.4 With SDM not within limits in MODE 4, the operator must immediately initiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This action results in the least reactive condition for the core. Action must also be initiated within 1 hour to provide means for control of potential radioactive releases. This includes ensuring secondary containment is OPERABLE; at least one Standby Gas Treatment (SGT) subsystem for Unit 3 is OPERABLE; and secondary containment isolation capability (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or other acceptable administrative controls to assure isolation capability), in each associated secondary containment penetration flow path not isolated that is assumed to be isolated tc mitigate radioactivity releases. This may be performed as I S IT I 1. WII~IEi PBAPS 'UNIT 3 B 3.1-3 P3Revision No. 0
SDM B :3.1.1 BASES ACTIONS D.1. D.2. D.3. and D.4 (continued) an administrative check, by examining logs or other information, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform the surveillances needed to demonstrate the OPERABILITY of the components. If,however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE. E.1. E.2. E.3. E.4. and E.5 With SDM not within limits in MODE 5, the operator must immediately suspend CORE ALTERATIONS that could reduce SDM, e.g., insertion of fuel in the core or the withdrawal of control rods. Suspension of these activities shall not preclude completion of movement of a component to a safe condition. Inserting control rods or removing fuel from the core will reduce the total reactivity and are therefore excluded from the suspended actions. Action must also be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all insertable control rods in core cells containing one or =ore fuel assemblies have been fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and therefore do not have to be inserted. Action must also be initiated within 1 hour to provide means for control of potential radioactive releases. This includes ensuring secondary containment is OPERABLE; at least one SGT subsystem for Unit 3 is OPERABLE; and secondary containment isolation capability (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or other acceptable administrative controls to assure isolation capability), in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases. This may be performed as an administrative check, by examining logs or other (continued) PRAPS UNIT 3 -B3.1-4 Revision Nc. 0
SDM B 3.1.1 BASES ACTIONS E.1. E.2. E.3. E.4. and E.5 (continued) information, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform the SRs needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status. Action must continue until all required components are OPERABLE. SURVEILLANCE SR 3.1.1.1 REQUIREMENTS Adequate SDM must be verified to ensure that the reactor can be made subcritical from any initial operating condition. This can be accomplished by a test, an evaluation, or a combination of the two. Adequate SDM is demonstrated before or during the first startup after fuel movement or shuffling within the reactor pressure vessel, or control rod replacement. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Since core reactivity will vary during the cycle as a function of fuel depletion and poison burnup, the beginning of cycle (BOC) test must also account for changes in core reactivity during the cycle. Therefore, to obtain the SDM, the initial measured value must be increased by an adder, ORO, which is the difference between the calculated value of maximum core reactivity during the operating cycle and the calculated BOC core reactivity. If the value of R is negative *(that is, BOC is the most reactive point in the cycle), no correction to the BOC measured value is required (Ref. 7). For the SDM demonstrations that rely solely on calculation of the highest north control rod, additional margin (0.10% Ak/k) must be added to the SDM limit of 0.28% Ak/k to account for uncertainties in the calculation. The SDM may be demonstrated during an in sequence control rod withdrawal, in which the highest worth control rod is analytically determined, or during local criticals, where the highest worth control rod is determined by testing. Local critical tests require the withdrawal of out of (continued) PBAPS UNIT 3 B 3.1-5 Revision No. 0
SDM B :3.1.1 BASES SURVEILLANCE SR 3.1.1.1 (continued) REQUIREMENTS sequence control rods. This testing would therefore require bypassing of the Rod Worth Minimizer to allow the out of sequence withdrawal, and therefore additional requirements must be met (see LCO 3.10.7, "Control Rod Testing-Operating'). The Frequency of 4 hours after reaching criticality is allowed to provide a reasonable amount of time to perform the required calculations and have appropriate verification. During MODES 3 and 4, analytical calculation of SDM may be used to assure the requirements of SR 3.1.1.1 are met. During MODE 5, adequate SDM is required to ensure that the reactor does not reach criticality during control rod withdrawals. An evaluation of each in vessel fuel movement during fuel loading (including shuffling fuel within the core) is required to ensure adequate SDM is maintained during refueling. This evaluation ensures that the intermediate loading patterns are bounded by the safety analyses for the final core loading pattern. For example, bounding analyses that demonstrate adequate SDM for the most reactive configurations during the refueling may be performed to demonstrate acceptability of the entire fuel movement sequence. These bounding analyses include additional margins to the associated uncertainties. Spiral offload/reload sequences, including modified quadrant spiral offload/reload sequences, inherently satisfy the SR, provided the fuel assemblies are reloaded in the same configuration analyzed for the new cycle. Removing fuel from the core will always result in an increase in SDM. REFERENCES 1. UFSAR, Sections 1.5.1.8 and 1.5.2.2.7.
- 2. UFSAR, Section 14.6.2.
- 3. NEDE-24011-P-A-10-US, "General Electric Standard Application for Reactor Fuel," Supplement for United States, Section S.2.2.3.1, February 1991.
- 4. UFSAR, Section 14.5.3.3.
- 5. UFSAR, Section 14.5.3.4.
(continued) PBAPS UNIT 3 B 3.1-6 Revision No. 0
SDM B 3.1.1 BASES REFERENCES 6. UFSAR, Section 3.6.5.4. (continued)
- 7. NEDE-24011-P-A-10, General Electric Standard Application for Reactor Fuel," Section 3.2.4.1, February 1991.
PBAPS UNIT 3 B 3.1-7 Revision No. 0
Reactivity Anomalies B 3.1.2 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Reactivity Anomalies BASES BACKGROUND In accordance with the UFSAR (Ref. 1), reactivity shall be controllable such that subcriticality is maintained under cold conditions and acceptable fuel design limits are net exceeded during normal operation and abnormal operational transients. Therefore, reactivity anomaly is used as a measure of the predicted versus measured core reactivity during power operation. The continual confirmation of core reactivity is necessary to ensure that the Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity anomaly could be the result of unanticipated changes in fuel reactivity or control rod worth or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, SHUTDOWN MARGIN (SDM)") in assuring the reactor can be brought safely to cold, subcritical conditions. When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable absorbers, producing zero net reactivity. In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and the fuel loaded in the previous cycles provide excess positive reactivity beyond that required to sustain steady state operation at the beginning of cycle (BOC). When the reactor is critical at RTP and operating moderator temperature, the excess positive reactivity is compensated by burnable absorbers (e.g., gadolinia), control rods, and whatever neutron poisons (mainly xenon and samarium) are present. in the fuel. The predicted core reactivity, as represented by {continued) PBAPS UNIT 3 B 3.1-8 Revision No. 0
Reactivity Anomalies B 3.1.2 BASES BACKGROUND control rod density, is calculated by a 3D core simulator (continued) code as a function of cycle exposure. This calculation is performed for projected operating states and conditions throughout the cycle. The core reactivity is determined from control rod densities for actual plant conditions and is then compared to the predicted value for the cycle exposure. APPLICABLE Accurate prediction of core reactivity is either an explicit SAFETY ANALYSES or implicit assumption in the accident analysis evaluations (Ref. 2). In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod drop accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity anomaly provides additional assurance that the nuclear methods provide an accurate representation of the core reactivity. The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted rod density for identical core conditions at BOC do not reasonably agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict rod density may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured value. Thereafter, any significant deviations -in the measured rod density from the predicted rod density that develop during fuel depletion may be an indication that the assumptions of the DBA and transient analyses are no longer valid, or that an unexpected change in core conditions his occurred. Reactivity anomalies satisfy Criterion 2 of the NRC Policy Statement. LCO The reactivity anomaly limit is established to ensure plant operation is maintained within the assumptions of the safety analyses. Large differences between monitored and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the tcontinued) PBAPS UNIT 3 B 3.1-9 Revision ND. 0
Reactivity Anomalies B 3.1.2 BASES LCO uncertainties in the 'Nuclear Design Methodology' are larger (continued) than expected. A limit on the difference between the monitored and the predicted rod density of +/- 1% Ak/k has been established based on engineering judgment. A > 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated. A deviation as large as 1% would not exceed the design conditions of the reactor and is on the safe side of the postulated transients. APPLICABILITY In MODE 1, most of the control rods are withdrawn and steady state operation is typically achieved. Under these conditions, the comparison between predicted and monitored core reactivity provides an effective measure of the reactivity anomaly. In MODE 2, control rods are typically being withdrawn during a startup. In MODES 3 and 4, all control rods are fully inserted and therefore the reactor is in the least reactive state, where monitoring core reactivity is not necessary. In MODE 5, fuel loading results in a continually changing core reactivity. SDM requirements (LCO 3.1.1) ensure that fuel movements are performed within the bounds of the safety analysis, and an SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, shuffling). The SDM test, required by LC0 3.1.1, provides a direct comparison of the predicted and monitored core reactivity at cold conditions; therefore, reactivity anomaly is not required during these conditions. ACTIONS A.1 Should an anomaly develop between measured and predicted core reactivity, the core reactivity difference must be restored to within the limit to ensure continued operation is within the core design assumptions. Restoration to within the limit could be performed by an evaluation of the core design and safety analysis to determine the reason for the anomaly. This evaluation normally reviews the core conditions to determine their consistency with input to design calculations. Measured core and process parameters are also normally evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models may be reviewed to verify that they are adequate for representation of the core conditions. (continued) PBAPS UNIT 3 B 3.1-10 Revision No. 0
Reactivity AnoTmalies B 3.1.2 BASES ACTIONS A.1 (continued) The required Completion Time of 72 hours is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis. Li If the core reactivity cannot be restored to within the 1%X k/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Verifying the reactivity difference between the monitored and predicted rod density is within the limits of the LCO provides added assurance that plant operation is maintained within the assumptions of the DBA and transient analyses. The core monitoring system calculates the rod density for the reactor conditions obtained from plant instrumentation. A comparison of the monitored rod density to the predicted rod density at the same cycle exposure is used to calculate the reactivity difference. The comparison is required when the core reactivity has potentially changed by a significant amount. This may occur following a refueling in which new fuel assemblies are loaded, fuel assemblies are shuffled within the core, or control rods are replaced or shuffled. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Also, core reactivity changes during the cycle. The 24 hour interval after reaching equilibrium conditions following a startup is based on the need for equilibrium xenon concentrations in the core, such that an accurate comparison between the monitored and predicted rod density can be made. For the purposes of this SR, the reactor is assumed to be at equilibrium conditions when steady state operations (no control rod movement or core (continued) PBAPS UNIT 3 B 3.1-11 Revision No. 0
Reactivity Anomalies B 3.1.2 BASES SURVEILLANCE SR 3.1.2.1 (continued) REQUIREMENTS flow changes) at 2 75% RTP have been obtained. The 1000 MWD/T Frequency was developed, considering the relatively slow change in core reactivity with exposure and operating experience related to variations in core reactivity. The comparison requires the core to be operating at power levels which minimize the uncertainties and measurement errors, in order to obtain meaningful results. Therefore, the comparison is only done when in MODE 1. REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Chapter 14.
PBAPS UNIT 3 B 3.1-12 Revision No. 0
Control Rod OPERABILITY B 3.1.3 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.:1.3 Control Rod OPERABILITY BASE'; BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, which is the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes to ensure under conditions of normal operation, including abnormal operational transients, that specified acceptable fuel design limits are not exceeded. In addition, the control rods provide the capability to hold the reactor core subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. The CRD System is designed to satisfy the requirements specified in Reference 1. The CRD System consists of 185 locking piston control rod drive mechanisms (CRDMs) and a hydraulic control unit for each drive mechanism. The locking piston type CRDM is a double acting hydraulic piston, which uses condensate water as the operating fluid. Accumulators provide additional energy for scram. An index tube and piston, coupled to the control rod, are locked at fixed increments by a collet mechanism. The collet fingers engage notches in the index tube to prevent unintentional withdrawal of the control rod, but without restricting insertion. This Specification, along with LCO 3.1.4, 'Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators," ensure that the performance of the control rods in the event of a Design Basis Accident (DBA) or transient meets the assumptions used in the safety analyses of References 2, 3, and 4.
- APPLICABLE The analytical methods and assumptions used in the SAFETY ANALYSES evaluations involving control rods are presented in References 2, 3, and 4. The control *rods provide the primary means for rapid reactivity control (reactor scram),
for maintaining the reactor subcritical and for limiting the potential effects of reactivity insertion events caused by malfunctions in the CRD System. (continued) PBAPS UNIT 3 B 3.1-13 Revision No. 0
Control Rod OPERAEBILITY B 3.1.3 BASES APPLICABLE The capability to insert the control rods provides assurance SAFETY ANALYSES that the assumptions for scram reactivity in the DBA arid (continued) transient analyses are not violated. Since the SDM ensures the reactor will be subcritical with the highest worth control rod withdrawn (assumed single failure), the additional failure of a second control rod to insert,.if required, could invalidate the demonstrated SDM and potentially limit the ability of the CRD System to hold the reactor subcritical. If the control rod is stuck at an inserted position and becomes decoupled from the CRD, a control rod drop accident (CRDA) can possibly occur. Therefore, the requirement-that all control rods be OPERABLE ensures the CRD System can perform its intended function. The control rods also protect the fuel from damage which could result in release of radioactivity. The limits protected are the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core SLs" and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), the 1X cladding plastic strain fuel design limit (see Bases for LCO 3.2.3, "LINEAR I HEAT GENERATION RATE (LHGR)"), and the fuel damage limit (see Bases for LCO 3.1.6, "Rod Pattern Control") durinc reactivity insertion events. The negative reactivity insertion (scram) provided by the CRD System provides the analytical basis for determination of plant thermal limits and provides protection against, fuel damage limits during a CRDA. The Bases for LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 discuss in more detail how the SLs are protected by the CRD System. Control rod OPERABILITY satisfies Criterion 3 of the NP.C Policy Statement. LCO The OPERABILITY of an individual control rod is based cn a combination of factors, primarily, the scram insertion times, the control rod coupling integrity, and the ability to determine the control rod position. Accumulator OPERABILITY is addressed by LCO 3.1.5. The associated scram accumulator status for a control rod only affects the scram insertion times; therefore, an inoperable accumulator coes not immediately require declaring a control rod inoperable. Although not all control rods are required to be OPERAELE to satisfy the intended reactivity control requirements, strict (continued) PBAP'; UNIT 3 B 3.1-14 Revision No. 50
Control Rod OPERABILITY B 3.1.3 BASEIS LCO control over the number and distribution of inoperable (Continued) control rods is required to satisfy the assumptions of the DBA and transient analyses. APPLICABILITY In MODES 1 and 2, the control rods are assumed to function during a DBA or transient and are therefore required to be OPERABLE in these MODES. In MODES 3 and 4, control rcids are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions. Control rod requirements in MODE 5 are located in LCO 3.9.5, '"Control Rod OPERABILITY -Refueling.' ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable control rod. Complying with the Required Actions may allow for continued operation, and subsequent inoperable control rods are governed by subsequent Condition entry and application of associated Required Actions. A.1. A.2. A.3. and A.4 A control rod is considered stuck if it will not insert by either CRD drive water or scram pressure (i.e., the control rod cannot be inserted by CRD drive water and cannot be inserted by scram pressure.) With a fully inserted control rod stuck, only those actions specified in Condition C are required as long as the control rod remains fully inserted. The Required Actions are modified by a Note, which allows the rod worth minimizer (RWM) to be bypassed if required to allow continued operation. LCO 3.3.2.1, "Control Rod Block Instrumentation," provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. With one withdrawn control rod stuck, the local scram reactivity rate assumptions may not be met if the stuck control rod separation criteria are not met. Therefore, a verification that the separation criteria are met must be performed immediately. The separation criteria are not met if a) the stuck control rod occupies a location adjacent to two "slow" control rods, b) the stuck control rod occupies a location adjacent to one "slow' control rod, and the one
'slow" control rod is also adjacent to another "slow" control rod, or c) if the stuck control rod occupies a (continued)
PBAPS UNIT 3 B 3.1-15 Revision No. 2
Control Rod OPERABILITY B 3.1.3 BASES ACTIONS A.1. A.2. A.3. and A.4 (continued) location adjacent to one 'slow' control rod when there is another pair of 'slow" control rods adjacent to one another. The description of "slow" control rods is provided in LCO 3.1.4, 'Control Rod Scram Times." In addition, the associated control rod drive must be disarmed in 2 hours. The allowed Completion Time of 2 hours is acceptable, considering the reactor can still be shut down, assuming no additional control rods fail to insert, and provides a reasonable time to perform the Required Action in an orderly manner. The control rod must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod from scram and normal insert and withdraw pressure prevents damage to the CRDM. The control rod should be isolated from scram and normal insert and withdraw pressure, while maintaining cooling water to the CRD. Monitoring of the insertion capability of each withdrawn control rod must also be performed within 24 hours from discovery of Condition A concurrent with THERMAL POWER greater than the low power setpoint (LPSP) of the RWM. SR 3.1.3.2 and SR 3.1.3.3 perform periodic tests of the control rod insertion capability of withdrawn control rods. Testing each withdrawn control rod ensures that a generic problem does not exist. This Completion Time also allows for an exception to the normal "time zero' for beginning the allowed outage time "clock." The Required Action A.3 Completion Time only begins upon discovery of Condition A concurrent with THERMAL POWER greater than the actual LPSP of the RWM, since the notch insertions may not be compatible with the requirements of rod pattern control (LCO 3.1.15) and the RWM (LCO 3.3.2.1). The allowed Completion Time of 24 hours from discovery of Condition A concurrent with THERMAL POWER greater than the LPSP of the RWM provides a reasonable time to test the control rods, considering the potential for a need to reduce power to perform the tests. To allow continued operation with a withdrawn control rod stuck, an evaluation of adequate SDM is also required within 72 hours. Should a DBA or transient require a shutdown, to preserve the single failure criterion, an additional control rod would have to be assumed to fail to insert when required. Therefore, the original SDM demonstration may not be valid. The SDM must therefore be evaluated (by measurement or analysis) with the stuck control rod at its (continued) PBAPS UNIT 3 B 3.1-16 Revision No. 2
Control Rod OPERABILITY E 3.1.3 BASES ACTIONS A.I. A.2. A.3. and A.4 (continued) stuck position and the highest worth OPERABLE control rod assumed to be fully withdrawn. The allowed Completion Time of 72 hours to verify SDM is adequate, considering that with a single control rod stuck in a withdrawn position, the remaining OPERABLE control rods are capable of providing the required scram and shutdown reactivity. Failure to reach MODE 4 is only likely if an additional control rod adjacent to the stuck control rod also fails to insert during a required scram. Even with the postulated additional, single failure of an adjacent control rod to insert, sufficient reactivity control remains to reach and maintain MODE 3 conditions (Ref. 5). With two or more withdrawn control rods stuck, the plant must be brought to MODE 3 within 12 hours. The occurrence of more than one control rod stuck at a withdrawn position increases the probability that the reactor cannot be shut down if required. Insertion of all insertable control rods eliminates the possibility of an additional failure of a control rod to insert. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. C.1 and C.2 With one or more control rods inoperable for reasons other than being stuck in the withdrawn position (including ;a control rod which is stuck in the fully inserted position) operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a control roil ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Required Action C.1 is modified by a Note, which allows the RWM to be bypassed if required to allow insertion of the inoperable _continued} PBAP'; UNIT 3 B 3.1-17 -Revision No. 2
Control Rod OPERAI3LITY B 3.1.3 BASES ACTKONS C.1 and C.2 (continued) control rods and continued operation. LCO 3.3.2.1 provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems. D.1 and D.2 Out of sequence control rods may increase the potential reactivity worth of a dropped control rod during a CRDA. At s 10% RTP, the generic banked position withdrawal sequence (BPWS) analysis *(Ref. 5) requires inserted control rods not in compliance with BPWS to be separated by at least two OPERABLE control rods in all directions, including the diagonal. Therefore, if two or more inoperable control rods are not in compliance with BPWS and not separated by at least two OPERABLE control rods, action must be taken to restore compliance with BPWS or restore the control rods to OPERABLE status. Condition D is modified by a Note indicating that the Condition is not applicable when
> 10% RTP, since the BPWS is not required to be followed under these conditions, as described in the Bases for LCO 3.1.6. The allowed Completion Time of 4 hours is acceptable, considering the low probability of a CRDA occurring.
E. . If any Required Action and associated Completion Time of Condition A, C, or D are not met, or there are nine or more inoperable control rods, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. This ensures all insertable control rods are inserted and places the reactor in a condition that does not require the active functionj(i.e., scram) of the control rods. The number of control rods permitted to be inoperable when operating above 10% RTP (e.g., no CRDA considerations) could be more 1han the value specified, but the occurrence of a large number of (continued) PBAPS UNIT 3 B 3.1-18 Revision No. 2
Control Rod OPERABILITY B 3.1.3 BASES ACTIONS E. (continued) inoperable control rods could be indicative of a generic problem, and investigation and resolution of the potential problem should be undertaken. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.3.1 REQUIREMENTS The position of each control rod must be determined to ensure adequate information on control rod position is available to the operator for determining control rod OPERABILITY and controlling rod patterns. Control rod position may be determined by the use of OPERABLE position indicators, by moving control rods to a position with an OPERABLE indicator, or by the use of other appropriate methods. The 24 hour Frequency of this SR is based on operating experience related to expected changes in control rod position and the availability of control rod position indications in the control room. SR 3.1.3.2 and SR 3.1.3.3 Control rod insertion capability is demonstrated by inserting each partially or fully withdrawn control rod at least one notch and observing that the control rod moves. The control rod may then be returned to its original position. This ensures the control rod is not stuck and is free to insert on a scram signal. These Surveillances are not required when THERMAL POWER is less than or equal to the actual LPSP of the RWM, since the notch insertions may not be compatible with the requirements of the Banked Position Withdrawal Sequence (BPWS) (LCO 3.1.6) and the RWM (LCO 3.3.2.1). The 7 day Frequency of SR 3.1.3.2 is based on operating experience related to the changes in CRD performance and the ease of performing notch testing for fully withdrawn control rods. Partially withdrawn control rods are tested at a 31 day Frequency, based on the potential power reduction required to allow the control rod movement and considering the large testing sample of SR 3.1.3.2. Furthermore, the 31 day Frequency takes into account operating experience related to changes in CRD performance. At any time, if a control rod is immovable., a (continued) PBAPS UNFIT 3 B 3.1-19 Revision Nc. 0
Control Rod OPERABILITY B 3.1.3 BASES SURVEILLANCE SR 3.1.3.2 and SR 3.1.3.3 (continued) REQUIREMENTS determination of that control rod's trippability (OPERABILITY) must be made and appropriate action taken. For example, the unavailability of the Reactor Manual Control System does not affect the OPERABILITY of the control rods, provided SR 3.1.3.2 and SR 3.1.3.3 are current in accordance with SR 3.0.2. SR 3.1.3.4 Verifying that the scram time for each control rod to notch position 06 is s 7 seconds provides reasonable assurance that the control rod will insert when required during a DBA or transient, thereby completing its shutdown function. This SR is performed in conjunction with the control rcd scram time testing of SR 3.1.4.1, SR 3.1.4.2, SR 3.1.4.3, and SR 3.1.4.4. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and the functional testing of SDV vent and drain valves in LCO 3.1.8, 'Scram Discharge Volume (SDV) Vent and Drain Valves," overlap this Surveillance to provide complete testing of the assumed safety function. The associated Frequencies are acceptable, considering the more frequent testing performed to demonstrate other aspects of control rod OPERABILITY and operating experience, which shows scram times do not significantly change over an operating cycle. SR 3.1.3.5 Coupling verification is performed to ensure the control rod is connected to the CRDM and will perform its intended function when necessary. The Surveillance requires verifying a control rod does not go to the withdrawn overtravel position. The overtravel position feature provides a positive check on the coupling integrity since only an uncoupled CRD can reach the overtravel position. The verification is required to be performed any time a control rod is withdrawn to the "full out' position (notch position 48) or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling (CRD changeout and blade replacement or complete cell disassembly, i.e., guide tube removal). This includes control rods inserted one notch and then returned Icontinued) PBAPS UNIT 3 B 3.1-20 Revision No. 0
Control Rod OPERAEILITY B 3.1.3 BASES SURVEILLANCE SR 3.1.3.5 (continued) REQUIREMENTS to the "full out' position during the performance of SR 3.1.3.2. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved and operating experience related to uncoupling events. REFERENCES 1. UFSAR, Sections 1.5.1.1 and 1.5.2.2.
- 2. UFSAR, Section 14.6.2.
- 3. UFSAR, Appendix K, Section VI.
- 4. UFSAR, Chapter 14.
- 5. NEDO-21231, "Banked Position Withdrawal Sequence,'
Section 7.2, January 1977. PBAPS UNIT 3 B 3.1-21 Revision Ho. 0
Control Rod Scram Times B 3.1.4 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Control Rod Scram Times BASES - m BACKGROUND The scram function of the Control Rod Drive (CRD) System controls reactivity changes during abnormal operational transients to ensure that specified acceptable fuel design limits are not exceeded (Ref. 1). The control rods are scrammed by positive means using hydraulic pressure exerted on the CRD piston. When a scram signal is initiated, control air is vented from the scram valves, allowing them to open by spring action. Opening the exhaust valve reduces the pressure above the main drive piston to atmospheric pressure, and opening the inlet valve applies the accumulator or reactor pressure to the bottom of the piston. Since the notches in the index tube are tapered on the lower edge, the collet fingers are forced open by cam action, allowing the index tube to move upward without restriction because of the high differential pressure across the piston. As the drive moves upward and the accumulator pressure reduces below the reactor pressure, a ball check valve opens, letting the reactor pressure complete the scram action. If the reactor pressure is low, such as during startup, the accumulator will fully insert the control rod in the required time without assistance from reactor pressure. APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the control rod scram function are presented in References 2, 3, and 4. The Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. The resulting negative scram reactivity forms the basis for the determination of plant thermal limits (e.g., the MCPR). Other distributions of scram times (e.g., several control rods scramming slower than the average time with several control rods scramming faster than the average time) can also provide sufficient scram reactivity. Surveillance of each individual control rod's scram time ensures the scram reactivity assumed in the DBA and transient analyses can be met. (continued) PBAP!; UNIT 3 B 3.1-22 Revision No. 0
Control Rod Scram Times 8 3.1.4 BASES APPLICABLE The scram function of the CRD System protects the MCPR SAFETY ANALYSES Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core (continued) SLs" and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and the 1X cladding plastic strain fuel design limit (see Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"), I which ensure that no fuel damage will occur if these limits are not exceeded. Above 800 psig, the scram function is designed to insert negative reactivity at a rate fast enough to prevent the actual MCPR from becoming less than the MCPR SL, during the analyzed limiting power transient. BelDw 800 psig, the scram function is assumed to perform during the control rod drop accident (Ref. 5) and, therefore, also provides protection against violating fuel damage limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). For the reactor vessel overpressure protection analysis, the scram function, along with the safety/relief valves, ensure that the peak vessel pressure is maintained within the applicable ASME Code limits. Control rod scram times satisfy Criterion 3 of the NRC Policy Statement. LC0 The scram times specified in Table 3.1.4-1 (in the accompanying LCO) are required to ensure that the scram reactivity assumed in the DBA and transient analysis is met (Ref. 6). To account for single failures and "slow" scramming control rods, the scram times specified in Table 3.1.4-1 are faster than those assumed in the design basis analysis. The scram times have a margin that allows up to approximately 7% of the control rods (e.g., 185 x 7X = 13) to have scram times exceeding the specified limits (i.e., "slow" control rods) assuming a single stuck control rod (as allowed by LCO 3.1.3, "Control Rod OPERABILITY") and an additional control rod failing to scram per the single failure criterion. The scram times are specified as a function of reactor steam dome pressure to account for the pressure dependence of the scram times. The scram times are specified relative to measurements based on reed switch positions, which provide the control rod position indication. The reed switch closes ("pickup") when the ( nnt-i mn el ) PBAP'; UNIT 3 B 3.1-23 Revision No. 50
Control Rod Scram Times B 3.1.4 BASES LCO index tube passes a specific location and then opens (continued) ("dropout") as the index tube travels upward. Verification of the specified scram times in Table 3.1.4-1 is accomplished through measurement of the 'dropout' times. To ensure that local scram reactivity rates are maintained within acceptable limits, no more than two of the allowged-
"slow" control rods may occupy adjacent locations.
Table 3.1.4-1 is modified by two Notes, which state that control rods with scram times not within the limits of the - table are considered 'slow' and that control rods with scram times > 7 seconds are considered inoperable as required by SR 3.1.3.4. This LCO applies only to OPERABLE control rods since inoperable control rods will be inserted and disarmed (LCO 3.1.3). Slow scramming control rods may be conservatively declared inoperable and not accounted for as
'slow' control rods.
APPLICABILITY In MODES 1 and 2, a scram is assumed to function during transients and accidents analyzed for these plant conditions. These events are assumed to occur during startup and power operation; therefore, the scram function of the control rods is required during these MODES. In MODES 3 and 4, the control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod scram capability during these conditions. Scram requirements in MODE 5 are contained in LCO 3.9.5,
'Control Rod OPERABILITY-Refueling.'
ACTIONS When the requirements of this LCO are not met, the rate of negative reactivity insertion during a scram may not le within the assumptions of the safety analyses. Therefore, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions; in an orderly manner and without challenging plant systems. (continued) PBAPS UNIT 3 8 3.1-24 Revision No. 0
Control Rod Scram Times B 3.1.4 BASES; (continued) SURVEILLANCE The four SRs of this LCO are modified by a Note stating that REQUIREMENTS during a single control rod scram time surveillance, the CRD pumps shall be isolated from the associated scram accumulator. With the CRD pump isolated, (i.e., charging valve closed) the influence of the CRD pump head does not affect the single control rod scram times. During a full core scram, the CR0 pump head would be seen by all control rods and would have a negligible effect on the scram insertion times; SR 3.1.4.1 The scram reactivity used in DBA and transient analyses is based on an assumed control rod scram time. Measurement of the scram times with reactor steam dome pressure 2 800 psig demonstrates acceptable scram times for the transients analyzed in References 3 and 4. Maximum scram insertion times occur at a reactor steam dome pressure of approximately 800 psig because of the competing effects of reactor steam dome pressure and stored accumulator energy. Therefore, demonstration of adequate scram times at reactor steam dome pressure 2 800 psig ensures that the measured scram times will be within the specified limits at higher pressures. Limits are specified as a function of reactor pressure to account for the sensitivity of the scram insertion times with pressure and to allow a range of pressures over which scram time testing can be performed. To ensure that scram time testing is performed within a reasonable time after fuel movement within the reactor pressure vessel or after a shutdown 2 120 days or longer, all control rods are required to be tested before exceeding 40% RTP. This Frequency is acceptable considering the additional surveillances performed for control rod OPERABILITY, the frequent verification of adequate accumulator pressure, and the required testing of control rods affected by work on control rods or the CRD System. SR 3.1.4.2 Additional testing of a sample of control rods is required to verify the continued performance of the scram function during the cycle. A representative sample contains at least 10% of the control rods. The sample remains representative (continued) PBAPS-UNIT 3 B 3.1-25 Revision No. 0
Control Rod Scram Times B 3.1.4 BASES SURVEILLANCE SR 3.1.4.2 (continued) REQUIREMENTS if no more than 20% of the control rods in the sample tested are determined to be Oslow'. With more than 20% of the sample declared to be 'slow' per the criteria in Table 3.1.4-1, additional control rods are tested until this 20% criterion (i.e., 20% of the active sample size) is satisfied, or until the total number of 'slow' control rods (throughout the core, from all Surveillances) exceeds the LCO limit. For planned testing, the control rods selected for the sample should be different for each test. Data from inadvertent scrams should be used whenever possible to avoid unnecessary testing at power, even if the control rods with data may have been previously tested in a sample. The 120 day Frequency is based on operating experience that has shown control rod scram times do not significantly change over an operating cycle. This Frequency is also reasonable based on the additional Surveillances done on the CRDs at more frequent intervals in accordance with LCO 3.1.3 and LCO 3.1.5, "Control Rod Scram Accumulators." SR 3.1.4.3 When work that could affect the scram insertion time is performed on a control rod or the CRD System, testing must be done to demonstrate that each affected control rod retains adequate scram performance over the range of applicable reactor pressures from zero to the maximum permissible pressure. This surveillance can be met by performance of either scram time testing or Diaphragm Alternative Response Time (DART) testing, when it is concluded that DART testing monitors the performance oF all affected components. The testing must be performed once before declaring the control rod OPERABLE. The required testing must demonstrate the affected control rod is still within acceptable limits. The limits for reactor pressures
< 800 psig are established based on a high probability of meeting the acceptance criteria at reactor pressures k 800 psig. Limits for k 800 psig are found in Table 3.1.4-1. If testing demonstrates the affected control rod does not meet these limits, but is within the 7 second limit of Table 3.1.4-1, Note 2, the control rod can be declared OPERABLE and 'slow.'
Icontinued) PBAFIS UNIT 3 B 3.1-26 Revision No. 9
Control Rod Scram 'Times B 3.1.4 BASES SURVEILLANCE SR 3.1.4'.3 (continued) REQU IREM ENTS' Specific examples of work that could affect the scram times are (but are not limited to) the following: removal of any CRD for maintenance or modification; replacement of a control rod; and maintenance or modification of a scraml solenoid pilot valve, scram valve, accumulator, isolation valve or check valve in the piping required for scram. The Frequency of once prior to declaring the affected control rod OPERABLE is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY. SR 3.1.4.4 When work that could affect the scram insertion time is performed on a control rod or CRD System, or when fuel movement within the reactor vessel occurs testing must be done to demonstrate each affected control rod is still within the limits of Table 3.1.4-1 with the reactor steam dome pressure 2 800 psig. Where work has been performed at high reactor pressure, the requirements of SR 3.1.4.3 find SR 3.1.4.4 can be satisfied with one test. For a control rod affected by work performed while shut down, however, a zero pressure and high pressure test may be required. This testing ensures that, prior to withdrawing the control rod for continued operation, the control rod scram performance is acceptable for operating reactor pressure condition!;. Alternatively, a control rod scram test during hydrostatic pressure testing could also satisfy both criteria. When only fuel movement occurs, then only those control rod; associated with the core cells affected by the fuel movement are required to be scram time tested. The Frequency of once prior to exceeding 40% RTP is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY. REFERENCES 1. UFSAR, Sections 1.5.1.3 and 1.5.2.2.
- 2. UFSAR, Section 14.6.2.
(cont inued) PBAPS UNIT 3 B 3.1-27 Revision No. 9
Control Rod Scram Times B 3.1.4 BASES REFERENCES 3. UFSAR, Appendix K, Section VI.
- 4. UFSAR, Chapter 14.
- 5. NEDE-24011-P-A-10, General Electric Standard Application for Reactor Fuel," Section 3.2.4.1, February 1991.
- 6. Letter from R. E. Janecek (BWROG) to R. W. Starostecki (NRC), NBWR Owners Group Revised Reactivity ContrDl System Technical Specifications," BWROG-8754, September 17, 1987.
PBAPS UNIT 3 B 3.1-28 Revision No. 9
Control Rod Scram Accumulators B 3.1.5 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.:L.5 Control Rod Scram Accumulators BASES BACKGROUND The control rod scram accumulators are part of the Control Rod Drive (CRD) System and are provided to ensure that the control rods scram under varying reactor conditions. The control rod scram accumulators store sufficient energy to fully insert a control rod at any reactor vessel pressure. The accumulator is a hydraulic cylinder with a free floating piston. The piston separates the water used to scram the control rods from.the nitrogen, which provides the required energy. The scram accumulators are necessary to scram the control rods within the required insertion times of LCO 3.1.4, "Control Rod Scram Times." APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the control rod scram function are presented in References 1, 2, and 3. The Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. OPERABILITY of each individual control rod scram accumulator, along with LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.4, ensures that the scram reactivity assumed in the DBA and transient analyses can be met. The existence of an inoperable accumulator may invalidate prior scram time measurements for the associated control rod. The scram function of the CRD System, and therefore the OPERABILITY of the accumulators, protects the MCPR Safety Limit (see Bases for SL 2.1.1, "Reactor Core SLs" and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and' 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"), which I ensure that no fuel damage will occur if these limits are not exceeded (see Bases for LCO 3.1.4). In addition, the scram function at low reactor vessel pressure (i.e., startup conditions) provides protection against violating fuel design limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). Control rod scram accumulators satisfy Criterion 3 of the NRC Policy Statement. (continued) PBAPS UNIT 3 B 3.1-29 Revision No. 50
Control Rod Scram Accumulators B 3.1.5 BASES (continued) LCO The OPERABILITY of the control rod scram accumulators is required to ensure that adequate scram insertion capability exists when needed over the entire range of reactor pressures. The OPERABILITY of the scram accumulators is based on maintaining adequate accumulator pressure. APPLICABILITY In MODES 1 and 2, the scram function is required for mitigation of DBAs and transients, and therefore the scram accumulators must be OPERABLE to support the scram function. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod scram accumulator OPERABILITY during these conditions. Requirements for scram accumulators in MODE 5 are contained in LCO 3.9.5, Control Rod OPERABILITY-Refueling." ACTIONS The ACTIONS Table is modified by a Note indicating that. a separate Condition entry is allowed for each control rcd scram accumulator. This is acceptable since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable accumulator. Complying with the Required Actions may allow for continued operation and subsequent inoperable accumulators governed by subsequent Condition entry and application of associated Required Actions. A.1 and A.2 With one control rod scram accumulator inoperable and the reactor steam dome pressure 2 900 psig, the control rod may be declared 'slow,' since the control rod will still scram at the reactor operating pressure but may not satisfy the required scram times in Table 3.1.4-1. Required Action' A.l is modified by a Note indicating that declaring the control rod 'slow' only applies if the associated control scraml time was within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be. considered 'slow' and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated (continued) PBAPS UNIT 3 B 3.1-30 Revision No. 0
Control. Rod Scram Accumulators E,3.1.5 BASES ACTIONS A.1 and A.2 (continued) control rod is declared inoperable (Required Action A.2) and LCO 3.1.3 is entered. This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function, in accordanc:e with ACTIONS of LCO 3.1.3. The allowed Completion Time of 8 hours is reasonable, based on the large number of control rods available to provide the scram function and the ability of the affected control: rod to scram only with reactor pressure at high reactor pressures. B.1. B.2.1. and B.2.2 With two or more control rod scram accumulators inoperable and reactor steam dome pressure a 900 psig, adequate pressure must be supplied to the charging water header. With inadequate charging water pressure, all of the accumulators could become inoperable, resulting in a potentially severe degradation of the scram performance. Therefore, within 20 minutes from discovery of charging water header pressure < 940 psig concurrent with Condition B, adequate charging water header pressure Just be restored. The allowed Completion Time of 20 minutes is reasonable, to place a CRD pump into service to restore the charging water header pressure, if required. This Completion Time is based on the ability of the reactor pressure alone to fully insert all control rods. The control rod may be declared "slow," since the control rod will still scram using only reactor pressure, but may not satisfy the times in Table 3.1.4-1. Required Action B.2.1 is modified by a Note indicating that declaring the control rod "slow' only applies if the associated control scram time is within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action B.2.2) and LCO 3.1.3 entered. This would 1(continued) PBAPS UNIT 3 B 3.1-31 Revision No. 2
Control Rod Scram Accumulators E 3.1.5 BASEIS ACTIONS B.1. B.2.1. and B.2.2 (continued) result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function in accordance with ACTIONS of LCO 3.1.3. The allowed Completion Time of 1 hour is reasonable, based on the ability of only the reactor pressure to scram the control rods and the low probability of a DBA or transient occurring while the affected accumulators are inoperable. C.1 and C.2 With one or more control rod scram accumulators inoperable and the reactor steam dome pressure < 900 psig, the pressure supplied to the charging water header must be adequate to ensure that accumulators remain charged. With the reactor steam dome pressure < 900 psig, the function of the accumulators in providing the scram force becomes much more important since the scram function could become severely degraded during a depressurization event or at low reactor pressures. Therefore, immediately upon discovery of charging water header pressure < 940 psig, concurrent with Condition C, all control rods associated with inoperable accumulators must be verified to be fully inserted. Withdrawn control rods with inoperable accumulators may fail to scram under these low pressure conditions. The associated control rods must also be declared inoperable within 1 hour. The allowed Completion Time'of 1 hour is reasonable for Required Action C.2, considering the low probability of a DBA or transient occurring during the time that the accumulator is inoperable. The reactor mode switch must be immediately placed in the shutdown position if either Required Action and associated Completion Time associated with the loss of the CRD charging pump (Required Actions B.1 and C.1) cannot be met. This ensures that all insertable control rods are inserted and that the reactor is in a condition that does not require the Icontiinued) PBAP'S UNIT 3 B 3.1-32 Revision No. 2
Control Rod Scram Accumulators B 3.1.5 BASES ACTIONS Li (continued) active function (i.e., scram) of the control rods. This Required Action is modified by a Note stating that the action is not applicable if all control rods associated with the inoperable scram accumulators are fully inserted, since the function of the control rods has been performed. SURVEILLANCE SR 3.1.5.1 REQUIREMENTS SR 3.1.5.1 requires that the accumulator pressure be checked every 7 days to ensure adequate accumulator pressure exists to provide sufficient scram force. The primary indicator of accumulator OPERABILITY is the accumulator pressure. A minimum accumulator pressure is specified, below which the capability of the accumulator to perform its intended function becomes degraded and the accumulator is considered I inoperable. The minimum accumulator pressure of 940 psig is well below the expected pressure of approximately 1450 psig (Ref. 1). Declaring the accumulator inoperable when the minimum pressure is not maintained ensures that significant degradation in scram times does not occur. The 7 day Frequency has been shown to be acceptable through operating experience and takes into account indications available in the control room. REFERENCES 1. UFSAR, Section 3.4.5.3 and Figure 3.4.10.
- 2. UFSAR, Appendix K, Section VI.
- 3. UFSAR, Chapter 14.
- .m_
PBAP-S UNIT 3 8 3.1-33 Revision No. 2
Rod Pattern Control B 3.1.6 B 3.] REACTIVITY CONTROL SYSTEMS J B 3.1.6 Rod Pattern Control BASES BACKGROUND Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, 'Control Rod Block Instrumentation'), so that only specified control rod sequences and relative positions are allowed over the operating range of all control rods inserted to 10% RTP. The sequences limit the potential amount of reactivity addition that could occur in the event of a Control Rod Drop Accident (CRDA). This Specification assures that the control rod patterns are consistent with the assumptions of the CRDA analyses of References 1 and 2. APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the CRDA are summarized in References 1 and 2. CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analysis. The RWM (LCO 3.3.2.1) provides backup to operator control of the withdrawal sequences to ensure that the initial conditions of the CRDA analysis are not'violated. Prevention or mitigation of positive reactivity insertion events is necessary to limit the energy deposition in the fuel, thereby preventing significant fuel damage which could result in the undue release of radioactivity. Since the failure consequences for Uo2 have been shown to be insignificant below fuel energy depositions of 300 cal/gm (Ref. 3), the fuel damage limit of 280 cal/gm provides a margin of safety from significant core damage which would result in release of radioactivity (Refs. 4 and 5). Generic evaluations (Refs. 1 and 6) of a design basis CRDA (i.e., a CRDA resulting in a peak fuel energy deposition of 280 cal/gm) have shown that if the peak fuel enthalpy remains below 280 cal/gm, then the maximum reactor pressure will be less than the required ASME Code limits (Ref. 7) and the calculated offsite doses will be well within the required limits (Ref. 5). (continued) PBAPS UNIT 3 B 3.1-34 Revision INo. 0
Rod Pattern Control B 3.1.6 BASES APPLICABLE Control rod patterns analyzed in Reference 1 follow the SAFETY ANALYSES banked position withdrawal sequence (BPWS). The BPWS is (continued) applicable from the condition of all control rods fully inserted to 10% RTP (Ref. 2). For the BPWS, the control rods are required to be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions (e.g., between notches 08 and 12). The banked positions are established to minimize the maximum incremental control rod worth without being overly restrictive during normal plant operation. Generic analysis of the BPWS (Ref. 1) has demonstrated that the 280 cal/gm fuel damage limit will not be violated during a CRDA while following the BPWS mode of operation. The generic BPWS analysis (Ref. 8) also evaluates the effect of fully inserted, inoperable control rods not in compliance with the sequence, to allow a limited number (i.e., eight) and distribution of fully inserted, inoperable control rods. Rod pattern control satisfies Criterion 3 of the NRC PDliCy Statement. LCO Compliance with the prescribed control rod sequences minimizes the potential consequences of a CRDA by limiting the initial conditions to those consistent with the BPWS. This LCO only applies to OPERABLE control rods. For inoperable control rods required to be inserted, separate requirements are specified in LCO 3.1.3, "Control Rod OPERABILITY," consistent with the allowances for inoperable control rods in the BPWS. APPLICABILITY In MODES 1 and 2, when THERMAL POWER is S 10% RTP, the CRDA is a Design Basis Accident and, therefore, compliance with the assumptions of the safety analysis is required. When THERMAL POWER is > 10% RTP, there is no credible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Ref. 2). In MODES 3, 4, and 5, since the reactor is shut down and only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will remain subcritical with a single control rod withdrawn. (continued) PBAPS UNIT 3 B 3.1-35 Revision No. 0
Rod Pattern Control B 3.1.6 BASES (continued) ACTIONS A.1 and A.2 With one or more OPERABLE control rods not in compliance with the prescribed control rod sequence, actions may be taken to either correct the control rod pattern or declare the associated control rods inoperable within 8 hours. Noncompliance with the prescribed sequence may be the result of 'double notching,' drifting from a control rod drive cooling water transient, leaking scram valves, or a power reduction to < 10% RTP before establishing the correct control rod pattern. The number of OPERABLE control rods not in compliance with the prescribed sequence is limited to eight, to prevent the operator from attempting to correct a control rod pattern that significantly deviates from the prescribed sequence. When the control rod pattern is not in compliance with the prescribed sequence, all control rod movement must be stopped except for moves needed to correct the rod pattern, or scram if warranted. Required Action A.1 is modified by a Note which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator or a qualified member of the technical staff (ii.e., personnel trained in accordance with an approved training program). This ensures that the control rods will be moved to the correct position. A control rod not in compliance with the prescribed sequence is not considered inoperable except as required by Required Action A.2. The allowed Completion Time of 8 hours is reasonable, considering the restrictions on the number of allowed out of sequence control rods and the low probability of a CRDA occurring during the time the control rods are out of sequence. B.1 and 8.2 If nine or more OPERABLE control rods are out of sequence, the control rod pattern significantly deviates from the prescribed sequence. Control rod withdrawal should be suspended immediately to prevent the potential for further deviation from the prescribed sequence. Control rod insertion to correct control rods withdrawn beyond their allowed position is allowed since, in general, insertion of (continued} PBAPS UNIT 3 B 3.1-36 Revision No. 0
Rod Pattern Control B 3.1.6 BASES ACTIONS B.1 and Q.2 (continued) control rods has less impact on control rod worth than withdrawals have. Required Action B.1 is modified by a Note which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator or a qualified member of the technical staff. When nine or more OPERABLE control rods are not in compliance with BPWS, the reactor mode switch must be placed in the shutdown position within 1 hour. With the mode switch in shutdown, the reactor is shut down, and as such, does not meet the applicability requirements of this LCD. The allowed Completion Time of 1 hour is reasonable to allow insertion of control rods to restore compliance, and is appropriate relative to the low probability of a CRDA occurring with the control rods out of sequence. SURVEILLANCE SR 3.1.6.1 REQUIREMENTS. The control rod pattern is verified to be in compliance with the BPWS at a 24 hour Frequency to ensure the assumptions of the CRDA analyses are met. The 24 hour Frequency was developed considering that the primary check on compliance with the BPWS is performed by the RWM (LCO 3.3.2.1), which provides control rod blocks to enforce the required sequence and is required to be OPERABLE when operating at S 10% IRTP. REFERINCES 1. NEDE-24011-P-A-10-US, General Electric Standard Application for Reactor Fuel, Supplement for United States," Section 2.2.3.1, February 1991.
- 2. Letter (BWROG-8644) from T. Pickens (BWROG) to G. C.
Lainas (NRC), Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A. a
- 3. UFSAR, Section 14.6.2.3.
- 4. NUREG-0800, Section 15.4.9, Revision 2, July 1981.
- 5. 10 CFR 100.11.
(continued) PBAPS UNIT 3 B 3.1-37 Revision No. 0
Rod Pattern Control B 3.1.6 BASES REFERENCES 6. NEDO-21778-A, 'Transient Pressure Rises Affected (continued) Fracture Toughness Requirements for Boiling Water Reactors,' December 1978.
- 7. ASME, Boiler and Pressure Vessel Code.
- 8. NEDO-21231, "Banked Position Withdrawal Sequence,'
January 1977. PBAPS UNIT 3 B 3.1-38 Revision No. 0
SLC System B 3.1.7 B 3.] REACTIVITY CONTROL SYSTEMS B 3.1.7 Standby Liquid Control (SLC) System BASES BACKGROUND The SLC System is designed to provide the capability of bringing the reactor, at any time in a fuel cycle, from full power and minimum control rod inventory (which is at the peak of the xenon transient) to a subcritical condition with the reactor in the most reactive, xenon free state without taking credit for control rod movement. The SLC System satisfies the requirements of 10 CFR 50.62 (Ref. 1) on anticipated transient without scram using enriched boron. Reference 1 requires a SLC System with a minimum flow capacity and boron content equivalent in control capacity to 86 gpm of 13 weight percent sodium pentaborate solution. Natural sodium pentaborate solution is 19.8% atom Boron-IO. Therefore, the system parameters of concern, boron concentration (C), SLC pump flow rate (Q), and Boron-10 enrichment (E), may be expressed as a multiple of ratio;. The expression is as follows: C Q E x x 13% weight 86 gpm 19.8% atom If the product of this expression is - 1, then the SLC System satisfies the criteria of Reference 1. As such, the equation forms the basis for acceptance criteria for the surveillances of concentration, flow rate, and boron enrichment and is presented in Table 3.1.7-1. The SLC System consists of a boron solution storage tank., two positive displacement pumps, two explosive valves that are provided in parallel for redundancy, and associated piping and valves used to transfer borated water from the storage tank to the reactor pressure vessel (RPV). The borated solution is discharged near'the bottom of the core shroud, where it then mixes with the cooling water rising through the core. A smaller tank containing demineralized water is provided for testing purposes. (continued) PBAPS UNIT 3 B 3.1-39 Revision ND. 0
SLC 'System B 3.1.7 BASES (continued) APPLICABLE The SLC System is manually initiated from the main control SAFETY ANALYSES room, as directed by the emergency operating procedures, if the operator believes the reactor cannot be shut down, or kept shut down, with the control rods. The SLC System is used in the event that enough control rods cannot be inserted to accomplish shutdown and cooldown in the normal manner. The SLC System injects borated water into the reactor core to add negative reactivity to compensate Ifor all of the various reactivity effects that could occur during plant operations. To meet this objective, it i<; necessary to inject a quantity of boron, which produces a concentration of 660 ppm of natural boron, in the reactor coolant at 680F. To allow for potential leakage and imperfect mixing in the reactor system, an additional ;tmount of boron equal to 25% of the amount cited above is added (Ref. 2). The minimum mass of Boron-10 (162.7 lbm) needed for injection is calculated such that the required quantity is achieved accounting for dilution in the RPV with normal water level and including the water volume in the residual heat remDval shutdown cooling piping and in the recirculation loop piping. This quantity of borated solution is the amount that is above the pump suction shutoff level in the boron solution storage tank. No credit is taken for the portion of the tank volume that cannot be injected. The maximum concentration of sodium pentaborate listed in Table 3.1.7-1 has been established to ensure that the solution saturation temperature does not exceed 43*F. The SLC System satisfies Criterion 4 of the NRC Policy Statement. LCO The OPERABILITY of the SLC System provides backup capability for reactivity control independent of normal reactivity control provisions provided by the control rods. The OPERABILITY of the SLC System is based on the conditions of the borated solution in the storage tank and the availability of a flow path to the RPV, including the OPERABILITY of the pumps and valves. Two SLC subsystems are required to be OPERABLE; each contains an OPERABLE pump, an explosive valve, and associated piping, valves, and instruments and controls to ensure an OPERABLE flow path. (continued) PBAPS UNIT 3 B 3.1-40 Revision Ho. 0
SLC System B 3.1.7 BASES (continued) APPLICABILITY In MODES 1 and 2, shutdown capability is required. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate controls to ensure that the reactor remains subcritical. In MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Demonstration of adequate SDM (LCO 3.1.1, SHUTDOWN MARGIN (SDM)U) ensures that the reactor will not become critical. Therefore, the SLC System is not required to be OPERABLE when only a single control rod can be withdrawn. ACTIONS A.I and A.2 If the boron solution concentration is > 9.82% weight bout the concentration and temperature of boron in solution and pump suction piping temperature are within the limits of Figure 3.1.7-1, operation is permitted for a limited period since the SLC subsystems are capable of performing the intended function. It is not necessary under these conditions to declare both SLC subsystems inoperable since the SLC subsystems are capable of performing their intended function. The concentration and temperature of boron in solution and pump suction piping temperature must be verified to be within the limits of Figure 3.1.7-1 within 8 hours and once per 12 hours thereafter (Required Action A.1). The temperature versus concentration curve of Figure 3.1.7-1 ensures a 10F margin will be maintained above the saturation temperature. This verification ensures that boron does not precipitate out of solution in the storage tank or in the pump suction piping due to low boron solution temperature (below the saturation temperature for the given concentration). The Completion Time for performing Reqluired Action A.1 is considered acceptable given the low probability of a Design Basis Accident (DBA) or transient occurring concurrent with the failure of the control rods to shut down the reactor and operating experience which ha-s shown there are relatively slow variations in the measured parameters of concentration and temperature over these time periods. (continuedi PBAPS UNIT 3 B 3.1-41 Revision No. 0
SLC System B :3.1.7 BASES ACTIONS A.1 and A.2 (continued) Continued operation is only permitted for 72 hours before boron solution concentration must be restored to es 9.82%, weight. Taking into consideration that the SLC System design capability still exists for vessel injection under these conditions and the low probability of the temperature and concentration limits of Figure 3.1.7-1 not being met, the allowed Completion Time of 72 hours is acceptable arid provides adequate time to restore concentration to within limits. The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of concentration out of limits or inoperable SLC subsystems during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, an SLC subsystem is inoperable and that subsystem is subsequently returned to OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total duration of 10 days (7 days in Condition B, followed by 3 days in Condition A), since initial failure of the LCO, to restore the SLC System. Then an SLC subsystem could be found inoperable again, and concentration could be restored to within limits. This could continue indefinitely. This Completion Time allows for an exception to the normal
'time zero' for beginning the allowed outage time 'clock,'
resulting in establishing the 'time zero" at the time thu LCO was initially not met instead of at the time Condition A was entered. The 10 day Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely. B.1 If one SLC subsystem is inoperable for reasons other than Condition A, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystem is adequate to perform the shutdown function. However, the overall reliability is reduced because a single failure in the remaining OPERABLE subsystem could result in the loss of SLC System shutdown capability. The 7 day Completion Time is based on the (continued) PBAPS UNIT 3 0 3.1-42 Revision No. 0
SLC 5system B 3.1.7 BASES ACTIONS i.. (continued) availability of an OPERABLE subsystem capable of performing the intended SLC System function and the low probability of a DBA or severe transient occurring concurrent with the. failure of the Control Rod Drive (CRD) System to shut clown the plant. The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for an) combination of concentration out of limits or inoperable SLC subsystem during any single contiguous occurrence of falling to meet the LCO. If Condition B is entered while, for instance, concentration is out of limits, and is subsequently returned to within limits, the LCO may already have been not met for up to 3 days. This situation coulid lead to a total duration of 10 days (3 days in Condition A, followed by 7 days in Condition B), since initial failure of the LCO, to restore the SLC System. Then concentration could be found out of limits again, and the SLC subsystem could be restored to OPERABLE. This could continue indefinitely. This Completion Time allows for an exception to the normal time zero* for beginning the allowed outage time 'clock," resulting in establishing the time zero' at the time the LCO was initially not met instead of at the time Condition B was entered. The 10 day Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely. C.1 If both SLC subsystems are inoperable for reasons other than Condition A, at least one subsystem must be restored to OPERABLE status within 8 hours. The allowed Completion Time of 8 hours is considered acceptable given the low probability of a DBA or transient occurring concurrent with the failure of the control rods to shut down the reactor. D.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be
,continued)
PBAPS UNIT 3 B 3.1-43 Revision No. 0
SLC System B 3.1.7 BASES ACTIONS . (continued) brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.7.1. SR 3.1.7.2. and SR 3.1.7.3 REQUIREMENTS SR 3.1.7.1 through SR 3.1.7.3 are 24 hour Surveillances verifying certain characteristics of the SLC System (e.g., the level and temperature of the borated solution in the storage tank), thereby ensuring SLC System OPERABILITY without disturbing normal plant operation. These Surveillances ensure that the proper borited solution level and temperature, including the temperature of the pump suction piping, are maintained. Maintaining a minimum specified borated solution temperature is important in ensuring that the boron remains in solution and does not precipitate out in the storage tank or in the pump suction piping. The temperature limit specified in SR 3.1.7.2 and SR 3.1.7.3 and the maximum sodium pentaborate concentration specified in Table 3.1.7-1 ensures that a 10-F margin will be maintained above the saturation temperature. Control room alarnis for low SLC storage tank temperature and low SLC System piping temperature are available and are set at 55F. As such, SR 3.1.7.2 and SR 3.1.7.3 may be satisfied by verifying the absence of low temperature alarms for the SLC storage tank and SLC System piping. The 24 hour Frequency is based on operating experience and has shown there are relatively slow variations in the measured parameters of level and temperature. SR 3.1.7.4 and SR 3.1.7.6 SR 3.1.7.4 verifies the continuity of the explosive charges in the injection valves to ensure that proper operation will occur if required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The 31 day Frequency is based on operating experience and has demonstrated the reliability of the explosive charge continuity. {continued) PBAPS UNIT 3 B 3.1-44 Revision No. 0
SLC System B 3.1.7 BASES SURVEILLANCE SR 3.1.7.4 and'SR 3.1.7.6 (continued) REQU[REMENTS SR 3.1.7.6 verifies that each valve in the system is in its correct position, but does not apply to the squib (i.e., explosive) valves. Verifying the correct alignment for manual and power operated valves in the SLC System flow path provides assurance that the proper flow paths will exis!t for system operation. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position from the control room, or locally by a dedicated operator at the valve control. This is acceptable
*since the SLC System is a manually initiated system. This Surveillance also does not apply to valves that are locked, sealed, or otherwise secured in position since they are!
verified to be in the correct position prior to locking, sealing, or securing. This verification of valve alignment does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The 31 day Frequency is based on engineering judgment and is consistent with the procedural controls governing valve operation that ensures correct valve positions. SR 3.1.7.5 This Surveillance requires an examination of the sodium pentaborate solution by using chemical analysis to ensure that the proper concentration of boron exists in the storage tank. SR 3.1.7.5 must be performed anytime boron or water is added to the storage tank solution to determine that the boron solution concentration is 5 9.82% weight and within the limits of Table 3.1.7-1. SR 3.1.7.5 must also be performed anytime the temperature is restored to within limits to ensure that no significant boron precipitation occurred. The 31 day Frequency of this Surveillance is. appropriate because of the relatively slow variation of boron concentration between surveillances. SR 3.1.7.7 Verifying the quantity of Boron-10 (B-10) in the SLC tank ensures the reactor can be shutdown in the event that enough control rods cannot be inserted to accomplish shutdown and (continued) PBAPS UNIT 3 B 3.1-45 Revision INo. 0
SLC System B 3.1.7 BASES SURVEILLANCE SR 3.1.7.7 (continued) REQUIREMENTS cooldown in the normal manner. The required quantity contains an additional amount of B-10 equal to 25% of the minimum required amount of B-10 necessary to shutdown the reactor, to account for potential leakage and imperfect mixing. The 31 day frequency is based on operating experience and is appropriate because of the relatively slow variations in the quantity of B-10 between surveillances. SR 3.1.7.8 Demonstrating that each SLC System pump develops a flow rate x 43.0 gpm at a discharge pressure - 1255 psig ensures that pump performance has not degraded below design values during the fuel cycle. This test is indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. In addition, the test results for each pump are used to determine that the limits of Table 3.1.7-1 are satisfied for each SLC subsystem. The Frequency of this Surveillance is in accordance with the Inservice Testing Program. SR 3.1.7.9 This Surveillance ensures that there is a functioning flow path from the boron solution storage tank to the RPV, including the firing of an explosive valve. The replacement charge for the explosive valve shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of that batch successfully fired. The pump and explosive valve tested should be alternated such that both complete flow path!; are tested every 48 months at alternating 24 month intervals. The Surveillance may be performed in separate steps to prevent injecting boron into the RPV. An acceptable method for verifying flow from the pump to the RPV is to pump demineralized water from a test tank through one SLC subsystem and into the RPV. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components will pass the Lcontinued) PBAPS UNIT 3 B 3.1-46 Revision No. 0
SLC System B 3.1.7 BASES SURVEILLANCE SR 3.1.7.9 (continued) REQUY:REMENTS Surveillance when performed at the 24 month Frequency; therefore, the Frequency was concluded to be acceptable from a reliability standpoint. SR 3.1.7.10 Enriched sodium pentaborate solution is made by mixing granular, enriched sodium pentaborate with water. In order to ensure the proper B-10 atom percentage (in accordance with Table 3.1.7-1) is being used, calculations must be performed to verify the actual B-10 enrichment within 8 hours after addition of the solution to the SLC tank. The calculations may be performed using the results of isotDpic tests on the granular sodium pentaborate or vendor certification documents. The Frequency is acceptable considering that boron enrichment is verified during the procurement process and any time boron is added to the SLC tank. REFERENCES 1. 10 CFR 50.62.
- 2. UFSAR, Section 3.8.4.
PBAPS UNIT 3 B 3.1-47 Revision lo. 0
SDV Vent and Drain Valves B 3.1.8 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves BASES BACKGROUND The SDV vent and drain valves are normally open and discharge any accumulated water in the SDV to ensure that sufficient volume is available at all times to allow a complete scram. During a scram, the SDV vent and drain valves close to contain reactor water. As discussed in Reference 1, the SDV vent and drain valves need not be considered primary containment isolation valves (PCIVs) for the Scram Discharge System. (However, at PBAPS, these valves are considered PCIVs.) The SDV is a volume of header piping that connects to each hydraulic control unit (HCU) and drains into an instrument volume. There are two SDVs (headers) and a common instrument volume that receives all of the control rod drive (CRD) discharges. The instrument volume is connected to a common drain line with two valves in series. Each header is connected to a common vent line with two valves in series for a total of four vent valves. The header piping is sized to receive and contain all the water discharged by the CRDs during a scram. The design and functions of the SDV are described in Reference 2. APPLICABLE The Design Basis Accident and transient analyses assume all SAFETY ANALYSES of the control rods are capable of scramming. The acceptance criteria for the SDV vent and drain valves are that they operate automatically to close during scram to limit the amount of reactor coolant discharged so that adequate core cooling is maintained and offsite doses remain within the limits of 10 CFR 100 (Ref. 3). Isolation of the SDV can also be accomplished by manual closure of the SDV valves. Additionally, the discharge of reactor coolant to the SDV can be terminated by scram reset or closure of the HCU manual isolation valves. For a bounding leakage case, the offsite doses are well within the limits of 10 CFR 100 (Ref. 3), and adequate core cooling is maintained (Ref. 1). The SDV vent 'and drain valves allow continuous drainage of the SDV during normal plant operation to ensure that the SDV has sufficient capacity to contain the reactor coolant discharge during a full core scram. To automatically ensure this capacity, a reactor scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation) is initiated if the SDV water level in the (continued) PBAPS UNIT 3 B 3.1-48 Revision No. 0
SDV Vent and Drain Valves B 3.1.8 BASES APPLICABLE instrument volume exceeds a specified setpoint. The SAFETY ANALYSES setpoint is chosen so that all control rods are inserted (continued) before the SDV has insufficient volume to accept a full scram. SDV vent and drain valves satisfy Criterion 3 of the N.C Policy Statement. LCO The OPERABILITY of all SOV vent and drain valves ensures that the SDV vent and drain valves will close during a scram to contain reactor water discharged to the SDV piping. Since the vent and drain lines are provided with two valves in series, the single failure of one valve in the open position will not impair the isolation function of the system. Additionally, the valves are required to be opened following scram reset to ensure that a path is available for the SDV piping to drain freely at other times. APPLICABILITY In MODES 1 and 2, scram may be required; therefore, the SDV vent and drain valves must be OPERABLE. In MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate controls to ensure that only a single control rod can be withdrawn. Also, during MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Therefore, the SIY vent and drain valves are not required to be OPERABLE in these MODES since the reactor is subcritical and only one rod may be withdrawn and subject to scram. ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each SDV vent and drain line. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SDV line. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SDV lines are governed by subsequent Condition entry and application of associated'Required Actions. (continued) PBAPS UNIT 3 B 3.1-49 Revision Ho. 0
SDY Vent and Drain Valves B 3.1.8 BASES ACTIONS AAl (continued) When one SDV vent or drain valve is inoperable in one or more lines, the valve must be restored to OPERABLE status within 7 days. The Completion Time is reasonable, given the level of redundancy in the lines and the low probability of a scram occurring during the time the valves are inoperable. The SDV is still isolable since the redundant valve in the affected line is OPERABLE. During these periods, the single failure criterion may not be preserved, and a higher risk exists to allow reactor water out of the primary system during a scram. LI If both valves in a line are inoperable, the line must be isolated to contain the reactor coolant during a scram. When a line is isolated, the potential for an inadvertent scram due to high SDV level is increased. Required Action B.1 is modified by a Note that allows periodic draining and venting of the SDY when a line is isolated. During these periods, the line may be unisolated under administrative control. This allows any accumulated water in the line to be drained, to preclude a reactor scram on SDV high level. This is acceptable since the administrative controls ensure the valve can be closed quickly, by a dedicated operator, if a scram occurs with the valve open. The 8 hour Completion Time to isolate the line is based on the low probability of a scram occurring while the line is not isolated and unlikelihood of significant CRD seal leakage. C.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. (continued) PBAPS UNIT 3 B 3.1-50 Revision No. 0
SDV Vent and Drain Valves B 3.1.8 BASES (continued) SURVEILLANCE SR 3.1.8.1 REQUIREMENTS During normal operation, the SDV vent and drain valves should be in the open position (except when performing SR 3.1.8.2 or SR 3.3.1.1.9 for Function 13, Manual Scram, of Table 3.3.1.1-1) to allow for drainage of the SDV piping. Verifying that each valve is in the open position ensures that the SDV vent and drain valves will perform their intended functions during normal operation. This SR does not require any testing or valve manipulation; rather, it involves verification that the valves are in the correct position. The 31 day Frequency is based on engineering judgment and is consistent with the procedural controls governing valve operation, which ensure correct valve positions. SR 3.1,8.2 During a scram, the SDV vent and drain valves should close to contain the reactor water discharged to the SDV piping. Cycling each valve through its complete range of motion (closed and open) ensures that the valve will function properly during a scram. The 92 day Frequency is based on operating experience and takes into account the level of redundancy in the system design. SR 3.1.8.3 SR 3.1.8.3 is an integrated test of the SDV vent and drain valves to verify total system performance. After receipt of a simulated or actual scram signal, the closure of the SDV vent and drain valves is verified. The closure time of 15 seconds after receipt of a scram signal is based on the bounding leakage case evaluated in the accident analysis (Ref. 2). The LOGIC SYSTEM FUNCTIONAL TEST in LCD 3.3.1.1 and the scram time testing of control rods in LCO 3.1.3 overlap this Surveillance to provide complete testing of the assumed safety function. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an (continued) PBAPS UNIT 3 8 3.1-51 Revision No. 0
SDY Vent and Drain halves B 3.1.8 BASES SURVEILLANCE SR 3.1.8.3 (continued) REQUIREMENTS unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components will pass the Surveillance when performed atL the 24 month Frequency; therefore, the Frequency was concluded to be acceptable from a reliability standpoint. REFERENCES 1. *NUREG-0803, NGeneric Safety Evaluation Report Regarding Integrity of BWR Scram System Piping," August 1981.
- 2. UFSAR, Sections 3.4.5.3.1 and 7.2.3.6.
- 3. 10 CFR 100.
PBAPS UNIT 3 B 3.1-52 Revision No. 0
APLHGR B 3.2.1 B 3.;? POWER DISTRIBUTION LIMITS B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) BASE:; BACKGROUND The APLHGR is a measure of the average LHGR of all the fuel rods in a fuel assembly at any axial location. Limits on the APLHGR are specified to ensure that the peak cladding I temperature (PCT) during the postulated design basis loss of coolant accident (LOCA) does not exceed the limits specified in 10 CFR 50.46. APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES Design Basis Accidents (DBAs) that determine the APLHGR limits are presented in References 1, 2, 3, 4, 5,, and 7.. 6-contin ed) PBAPS UINIT 3 8 3.2-1 Revision No. -50
APLHGR B 3.2.1 BASES APPLICABLE SAFETY ANALYSES (continued) LOCA analyses are performed to ensure that the APLHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. The analysis is performed using calculational models that are consistent with the requirements of 10 CFR 50, Appendix K. A complete discussion of the analysis code is provided in Reference 11. The PCT following a postulated LOCA is a function of the average heat generation rate of all the rods of a fuel assembly at any axial location and is not strongly influenced by the rcd to rod power distribution within an assembly. A conservative multiplier is applied to the LHGR assumed in the LOCA analysis to account for the uncertainty associated with the measurement of the APLHGR. For single recirculation loop operation, a conservative multiplier is applied to the APLHGR as specified in the COLR (Ref. 12). This is due to the conservative analysis assumption of an earlier departure from nucleate boiling with one recirculation loop available, resulting in a more severe cladding heatup during a LOCA. Power-dependent and flow-dependent APLHGR adjustment factors may also be provided per Reference 1 to ensure that fuel design limits are not exceeded due to the occurrence of a postulated transient event during operation at off-rated (less than 100%) reactor power or core flow conditions. These adjustment factors are applied, if required, per the COLR and decrease the allowable APLHGR value. The APLHGR satisfies Criterion 2 of the NRC Policy Statement. LCO The APLHGR limits specified in the COLR are the result of the fuel design and OBA analyses. The limits are developed as a function of exposure and are applied per the COLR. (coitinued) PBAPS UJNIT 3 B 3.2-2 Revision No. 50
APLHGR B 3.2.1 BASE:S LCO (continued) With only one recirculation loop in operation, in conformance with the requirements of LCO 3.4.1, "Recirculation Loops Operating," the limit is determined by multiplying the exposure dependent APLHGR limit by a conservative factor. APPLICABILITY The APLHGR limits are primarily derived from LOCA analyses that are assumed to occur at high power levels. Design calculations (Ref. 6) and operating experience have shown that as power is reduced, the margin to the required APLHGR limits increases. This trend continues down to the power range of 5% to 15% RTP when entry into MODE 2 occurs. When in MODE 2, the wide range neutron monitor period-short scram function provides prompt scram initiation during any significant transient, thereby effectively removing any APLHGR limit compliance concern in MODE 2. Therefore, at THERMAL POWER levels < 25% RTP, the reactor is operatirg with substantial margin to the APLHGR limits; thus, this LCO is not required. ACTIONS A.1 If any APLHGR exceeds the required limits, an assumption regarding an initial condition of the DBA analyses may not be met. Therefore, prompt action should be taken to restore the APLHGR(s) to within the required limits such that the plant operates within analyzed conditions and within design limits of the fuel rods. The 2 hour Completion Time is sufficient to restore the APLHGR(s) to within its limits and is acceptable based on the low probability of a DBA occurring simultaneously with the APLHGR out of specification. LI If the APLHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours. The {continued) PBAPS UNIT 3 B 3.2-3 Revision No. 50
APLHGR B 3.2.1 BASES ACTIONS Bi1 (continued) allowed Completion Time is reasonable; based on operating experience, to reduce THERMAL POWER to < 25X RTP in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.2.1.1 REQUIREMENTS APLHGRs are required to be initially calculated within 12 hours after THERMAL POWER is 2 25X RTP and then every 24 hours thereafter. They are compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 24 hour Frequency is based on both engineering judgment and recognition of the slowness of changes in power distribution during normal operation. The 12 hour allowance after THERMAL POWER 2 25X RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels. REFERENCES 1. NEDO-24011-P-A, "General Electric Standard Application for Reactor Fuel," latest approved revision.
- 2. UFSAR, Chapter 3.
- 3. UFSAR, Chapter 6.
- 4. UFSAR, Chapter 14.
- 5. NEDO-24229-1, "Peach Bottom Atomic Power Station Units 2 and 3, Single Loop Operation," May 1980.
- 6. NEDC-32162P, "Maximum Extended Load Line Limit and ARTS Improvement Program Analyses for Peach Bottom Atomic Power Station Units 2 and 3," Revision 2, March 1995.
- 7. NEDC-32183P, "Power Rerate Safety Analysis Report for Peach Bottom 2 & 3," May 1993.
- 8. Deleted I
- 9. NEDO-30130-A, "Steady State Nuclear Methods,"
April 1985. (continued) PBAPS IJNIT 3 B 3.2-4 Revision No. 50
APLHGR B 3.2.1 BASES REFERENCES 10. Deleted (continued) I
- 11. NEDC-32163P, "Peach Bottom Atomic Power Station Units 2 and 3 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," January 1993.
- 12. Peach Bottom Unit 3 Core Operating Limits Report (COLR).
PBAPS UNIT 3 B 3.2-5 Revision No. 50
MCPR B 3.2.2 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR) BASES BACKGROUND MCPR is a ratio of the fuel assembly power that would result in the onset of boiling transition to the actual fuel assembly power. The MCPR Safety Limit (SI) is set such that 99.9% of the fuel rods avoid boiling transition if the limit is not violated (refer to the Bases for SL 2.1.1.2). The operating limit MCPR is established to ensure that no fuel damage results during abnormal operational transients. Although fuel damage does not necessarily occur if a fuel rod actually experienced boiling transition (Ref. 1), the critical power at which boiling transition is calculated to occur has been adopted as a fuel design criterion. The onset of transition boiling is a phenomenon that is readily detected during the testing of various fuel bundle designs. Based on these experimental data, correlations have been developed to predict critical bundle power (i.e., the bundle power level at the onset of transition boiling) for a given set of plant parameters (e.g., reactor vessel pressure, flow, and-subcooling). Because plant operating conditions and bundle power levels are monitored and determined relatively easily, monitoring the MCPR is a convenient way of ensuring that fuel failures due to inadequate cooling do not occur. APPLICABLE The analytical methods and assumptions used in evaluating SAFETY ANALYSES the abnormal operational transients to establish the operating limit MCPR are presented in References 2, 3, 4, 5, 6, 7, 8, and 9. To ensure that the MCPR SL is not exceeded during any transient event that occurs with moderate frequency, limiting transients have been analyzed to determine the largest reduction in critical power ratio (CPR). The types of transients evaluated are loss of flow, increase in pressure and power, positive reactivity insertion, and coolant temperature decrease. The limiting transient yields the largest change in CPR (ACPR). When the largest ACPR (corrected for analytical uncertainties) is added to the MCPR SL, the required operating limit MCPR is obtained. icontiilued) PBAPS UJNIT 3 B 3.2-6 Revision Igo. 0
MCPR B 3.2.2 BASES APPLICABLE The MCPR operating limits derived from the transient SAFETY ANALYSES analysis are dependent on the operating core flow and power (continued) state (MCPRf and MCPRV, respectively) to ensure adherence to fuel design limits during the worst transient that occurs with moderate frequency (Refs. 6, 7, 8, and 9). Flow dependent MCPR limits are determined by steady state thermal hydraulic methods with key physics response inputs benchmarked using the three dimensional BWR simulator code (Ref. 10) to analyze slow flow runout transients. The flow dependent operating limit, MCPRf, is evaluated based on a single recirculation pump flow runout event (Ref. 9). Power dependent MCPR limits (MCPRP) are determined mainly by the one dimensional transient code (Ref. 11). Due to the sensitivity of the transient response to initial core flow levels at power levels below those at which the turbine stop valve closure and turbine control valve fast closure scrams are bypassed, high and low flow MCPRP operating limits age provided for operating between 25% RTP and the previously mentioned bypass power level. I The MCPR satisfies Criterion 2 of the NRC Policy Statement. LCO The MCPR operating limits specified in the C-OLR are the result of the Design Basis Accident (MBA) and transient analysis. The operating limit MCPR is determined by the larger of the MCPRf and MCPRP limits. APPLICABILITY The MCPR operating limits are primarily derived from transient analyses that are assumed to occur at high power levels. Below 25% RTP, the reactor is operating at a minimum recirculation pump speed and the moderator void ratio is small. Surveillance of thermal limits below 25% RTP is unnecessary due to the large inherent margin that ensures that the MCPR SL is not exceeded even if a limiting transient-occurs. Statistical analyses indicate-that the nominal value of the initial MCPR expected at 25% RTP is
> 3.5. Studies of the variation of limiting transient behavior have been performed over the range of power and (continued)
PBAPS-UNIT 3 ,B3.2- 7 Revision No. 48
MCPR B 3.2.2 BAS ES APPLICABILITY flow conditions. These studies encompass the range of key (continued) actual plant parameter values important to typically limiting transients. The results of these studies demonstrate that a margin is expected between performance and the MCPR requirements, and that margins increase a; power is reduced to 25% RTP. This trend is expected to continue to the 5% to 15% power range when entry into I4ODE 2 occurs. When in MODE 2, the wide range neutron monitor period-short function provides rapid scram initiation For any significant power increase transient, which effectively eliminates any MCPR compliance concern. Therefore, at THERMAL POWER levels < 25% RTP, the reactor is operating with substantial margin to the MCPR limits and this LCO is not required. ACTIONS A. If any PICPR is outside the required limits, an assumption regarding an initial condition of the design basis transient analyses may not be met. Therefore, prompt action should be taken to restore the MCPR(s) to within the required limits such that the plant remains operating within analyzed conditions. The 2 hour Completion Time is normally sufficient to restore the MCPR(s) to within its limits and is acceptable based on the low probability of a transient or DBA occurring simultaneously with the MCPR out of specification. B.1 If the MCPR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which. the LCO does not apply. To achieve this status, THERMAL PCWER must be reduced to < 25% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 25% RTP in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.2.2.1 REQUIREMENTS The MCPR is required to be initially calculated within 12 hours after THERMAL POWER is 2 25% RTP and then every 24 hours thereafter. It is compared to the specified limits (continued) PBAPS UNIT 3 8 3.2-8 Revision No. 17
MCPR B 3.2.2 BASES SURV,-ILLANCE SR 3.2.2.1 (continued) REQUIREMENTS in the COLR (Ref. 12) to ensure that the reactor is operating within the assumptions of the safety analysis. The 24 hour Frequency is based on both engineering judgment and recognition of the slowness of changes in power distribution during normal operation. The 12 hour allowance after THERMAL POWER 2 25% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels., SR 3.2.2.2 Because the transient analysis takes credit for conservatism in the scram speed performance, it must be demonstrated that the specific scram speed distribution is consistent with that used in the transient analysis. SR 3.2.2.2 determines the value of T, which is a measure of the actual scram speed distribution compared with the assumed distribution. The MCPR operating limit is then determined based on an interpolation between the applicable limits for "Option.A (scram times of LCO 3.1.4,"Control Rod Scram Times") and Option B (realistic scram times) analyses. The parameter T must be determined once within 72 hours after each set of scram time tests required by SR 3.1.4.1 and SR 3.1.4.2 because the effective scram speed distribution may change during the cycle. The 72 hour Completion Time is acceptable due to the relatively minor changes in t expected during the fuel cycle. REFERENCES 1. NUREG-0562, June 1979.
- 2. NEDO-24011-P-A, "General Electric Standard Application for Reactor Fuel," latest approved revision.
- 3. UFSAR, Chapter 3.
- 4. UFSAR, Chapter 6.
- 5. UFSAR, Chapter 14.
- 6. NEDO-24229-1, "Peach Bottom Atomic Power Station Units 2 and 3, Single Loop Operation," May 1980.
(continuod) PBAPS UNIT 3 B 3.2-9 Revision No. 48
MCPR B 3.2.2 BASES REFERENCES 7. NEDC-32162P, "Maximum Extended Load Line Limit anc (continued) ARTS Improvement Program Analyses for Peach Bottom Atomic Power Station Units 2 and 3," Revision 2, March 1995. I
- 8. NEDC-32183P, "Power Rerate Safety Analysis Report for Peach Bottom 2 & 3," May 1993.
- 9. NEDC-32427P, "Peach Bottom Atomic Power Station Unit 3 Cycle 10 ARTS Thermal Limits Analyses," December 1994.
- 10. NEDO-30130-A, "Steady State Nuclear Methods,"
April 1985. I
- 11. NEDO-24154, "Qualification of the One-Dimensional Core Transient Model for Boiling Water Reactors,"
October 1978.
- 12. Peach Bottom Unit 3 Core Operating Limits Report (COLR). I PBAPS UNIT 3 8 3.2-10 Revision No. 48
LHGR 8 3.2.3 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR) BASE:; BACKGROUND The LHGR is a measure of the heat generation rate of a fuel rod in a fuel assembly at any axial location. Limits oi LHGR are specified to ensure that fuel design limits are not exceeded anywhere in the core during normal operation, including abnormal operational transients. Exceeding the LHGR limit could potentially result in fuel damage and subsequent release of radioactive materials. Fuel design limits are specified to ensure that fuel system damage, fuel rod failure, or inability to cool the fuel does not occur during the anticipated operating conditions identified in Reference 1. APPLICABLE The analytical methods and assumptions used in'evaluating SAFETY' ANALYSES the fuel system design are presented in References 1, 2, 3, 4, 5, 6, 7, and 8. The fuel assembly is designed to ensure .1 (in conjunction with the core nuclear and thermal hydraulic design, plant equipment, instrumentation, and protection system) that fuel damage will not result in the release of radioactive materials in excess of the guidelines of 10 CFR, Parts 20, 50, and 100. The mechanisms that could cause fuel damage during operational transients and that are considered in fuel evaluations are:
- a. Rupture of the fuel rod cladding caused by strain from the relative expansion of the U02 pellet; and
- b. Severe overheating of the fuel rod cladding caused by inadequate cooling.
A value of 1% plastic strain of the fuel cladding has been defined as the limit below which fuel damage caused by overstraining of the fuel cladding is not expected to occur (Ref. 10). Fuel design evaluations have been performed and demonstrate that the 1% fuel cladding plastic strain design limit is not exceeded during continuous operation with LHGRs up to the operating limit specified in the COLR. The analysis also (continued) PBAPS UNIT 3 B 3.2 -11 Revision No. 48
LHGR B 3.2.3 BASE:S APPlICABLE includes allowances *for short term transient operation above SAFETY ANALYSES the operating limit to account for abnormal operational (continued) transients, plus an allowance for densification power spiking. Power-dependent and flow-dependent LHGR adjustment factors may also be provided per Reference 1 to ensure that fuel design limits are not exceeded due to the occurrence of a postulated transient event during operation at off-rated (less than 100X) reactor power or core flow conditions. These adjustment factors are applied, if required, per the COLR and decrease the allowable LHGR value. Additionally, for single recirculation loop operation, an LHGR multiplier may be provided per Reference 1. This multiplier is applied per the COLR and decreases the allowable LHGR value. This additional margin may be necessary during SLO to account for the conservative analysis assumption of an earlier departure from nucleate boiling with only one recirculation loop available. The LHGR satisfies Criterion 2 of the NRC Policy Statement. LCO The LHGR is a basic assumption in the fuel design analysis. The fuel has been designed to operate at rated core power with sufficient design margin to the LHGR calculated tc cause a 1%fuel cladding plastic strain. The operating limit to accomplish this objective is specified in the COLR. APPLICABILITY The LHGR limits are derived from fuel design analysis that is limiting at high power level conditions. At core thermal power levels < 25% RTP, the reactor is operating with a substantial margin to the LHGR limits and, therefore, the Specification is only required when the reactor is operating at,- 25X RTP. ACTIONS A.1 If any LHGR exceeds its required limit, an assumption regarding an initial condition of the fuel design analysis is not met. Therefore, prompt action should be taken to restore the LHGR(s) to within its required limits such that the plant is operating within analyzed conditions. The (continued) PBAPS UNIT 3 8 3.2 -12 Revision ND. 50
L.HGR 8 3.2.3 BASES ACTIONS AA (continued) 2 hour Completion Time is normally sufficient to restore the LHGR(s) to within its limits and is acceptable based on the
*low probability of a transient or Design Basis Accident occurring simultaneously with the LHGR out of specification.
- B.1 If the LHGR cannot be restored to within its required limits within the associated Completion Time, the plant irmst. be brought to a MODE or other specified condition in which she LCO does not apply. To achieve this status, THERMAL POWER is reduced to < 25X RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER TO < 25% RTP an an orderly manner and without challenging plant systems.
(c.onti nued) PBAPS -UNIT 3 B 3.2-12a Revision No. 50
LHGR 8 3.2.3 BASES (continued) SURVEILLANCE SR 3.2.3.1 REQUIREMENTS The LHGR is required to be initially calculated within 12 hours after THERMAL POWER is 2 25% RTP and then every 24 hours thereafter. It is compared to the specified limits in the COLR (Ref. 11) to ensure that the reactor is operating within the assumptions of the safety analysis. The 24 hour Frequency is based on both engineering judgment and recognition of the slow changes in power distribution during normal operation. The 12 hour allowance after THERMAL POWER 2 25% RTP is achieved is acceptable given the large inherent margin to operating limits at lower power levels. REFERENCES 1. NEDO-24011-P-A, "General Electric Standard Application for Reactor Fuel," latest approved revision.
- 2. UFSAR, Chapter 3.
- 3. UFSAR, Chapter 6.
- 4. UFSAR, Chapter 14.
- 5. NEDO-24229-1, "Peach Bottom Atomic Power Station Units 2 and 3, Single-Loop Operation," May 1980.
- 6. NEDC-32162P, "Maximum Extended Load Line Limit and ARTS Improvements Program Analyses for Peach Bottom Atomic Power Station Units 2 and 3," Revision 2, March 1995.
- 7. NEDC-32183P, "Power Rerate Safety Analysis Report for Peach Bottom 2 & 3," May 1993.
- 8. NEDC-32163P, "Peach Bottom Atomic Power Station Units 2 and 3 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," January 1993.
- 9. DELETED
- 10. NUREG-0800, Section 4.2, Subsection II.A.2(g),
Revision 2, July 1981.
- 11. Peach Bottom Unit 3 Core Operating Limits Report (C('LR).
PBAPS -UNIT 3 aB 3.2-13 Revision No. 48
RPS Instrumentation B 3.3.1.1 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation BASES _ m BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limits, to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually. The protection and monitoring functions of the RPS have been designed to ensure safe operation .of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS are defined in this Specification as the Allowable.Values, which, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits, including Safety Limits (SLs) during Design Basis Accidents (DBAs;). The RPS, as shown in the UFSAR Section 7.2, (Ref. 1), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters. The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level, reactor vessel pressure, neutron flux, main steam line isolation valve position, turbine control valve (TCY) fast closure trip oil pressure, turbine stop valve (TSV) position, drywell pressure, scram discharge volume (SDV) water level, condenser vacuum, main steam line radiation, as well as reactor mode switch in shutdown position, manual scram signals, and RPS test switches. There are at least four redundant sensor input signals from each of these parameters (with the exception of the manual scram signal and the reactor mode switch in shutdown scram signal). Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an RPS trip signal to the trip logic. (continued) PBAPS UNIT 3 B 3.3-1 Revision INo. 0
RPS Instrumentation B 3.3.1.1 BASES BACKGROUND The RPS is comprised of two independent trip systems (continued) (A and B) with three logic channels in each trip system (logic channels Al, A2, and A3; B1, 82, and B3) as shown in the Reference I figures. Logic channels Al, AM, Bi, and B2 contain automatic logic for which the above monitored parameters each have at least one input to each of these logic channels. The outputs of the logic channels in a trip system are combined in a one-out-of-two logic so that either channel can trip the associated trip system. The tripping of both trip systems will produce a reactor scram. This logic arrangement is referred to as a one-out-of-two taken twice logic. In addition to the automatic logic channels, logic channels A3 and B3 (one logic channel per trip system) are manual scram channels. Both must be depressed in order to initiate the manual trip function. Each trip system can be reset by use of a reset switch. If a full scram occurs (both trip systems trip), a relay prevents reset of the trip systems for 10 seconds after the full scram signal is received. This 10 second delay on reset ensures that the scram function will be completed. Two scram pilot valves are located in the hydraulic control unit for each control rod drive (CRD). Each scram pilot valve is solenoid operated, with the solenoids normally energized. The scram pilot valves control the air supply to the scram inlet and outlet valves for the associated CR!). When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both scram pilot valve solenoids must be de-energized to cau;e a control rod to scram. The scram valves control the supply and discharge paths for the CRD water during a scram. One of the scram pilot valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B. Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram. The backup scram valves, which energize on a scram signal to depressurize the scram air header, are also controlled by the RPS. Additionally, the RPS controls the SDV vent arid drain valves such that when logic channels Al and BI are deenergized or when logic channel A3 is deenergized the (continued) PBAPS UNIT 3 B 3.3-2 Revision No. 0
RPS Instrumentation B 3.3.1.1 BASES BACKGROUND inboard SDV vent and drain valves close to isolate the SDV, (continued) and when logic channels A2 and B2 are deenergized or when logic channel B3 is deenergized the outboard SDY vent and drain valves close to isolate the SOV. APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY ANALYSES, References 2 and 3. The RPS is required to initiate a LCO, and reactor scram when monitored parameter values exceed the APPLICABILITY Allowable Values, specified by the setpoint methodology and listed in Table 3.3.1.1-1, to maintain OPERABILITY and to preserve the integrity of the fuel cladding, the reactor coolant pressure boundary (RCPB), and the containment, by minimizing the energy that must be absorbed following a LOCA. RPS instrumentation satisfies Criterion 3 of the NRC Pollicy Statement. Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1. Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints within the specified Allowable Value, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Allowable Values, where applicable, are specified for each RPS Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the actual setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setting is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of
. continiued)
PBAPS UNIT 3 8 3.3-3 Revision No. 0
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE the process parameter exceeds the setpoint, the associated SAFETY ANALYSES, device (e.g., trip unit) changes state. The analytic or LCO, and design limits are derived from the limiting values of t~he APPLICABILITY process parameters obtained from the safety analysis or (cDntinued) other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as instrument drift. In selected cases, the Allowable Values and trip setpoints are determined by engineering judgement or historically accepted practice relative to the intended function of the trip channel. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the associated trip channels are accounted for. The OPERABILITY of scram pilot valves and associated solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO. The individual Functions are required to be OPERABLE in the MODES or other specified conditions specified in the Table, which may require an RPS trip to mitigate the consequences of a design basis accident ortransient. To ensure a reliable scram function, a combination of Functions are required in each MODE to provide primary and diverse initiation signals. The only MODES specified in Table 3.3.1.1-1 are MODES 1 and 2, and MDDE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. No RPS Function is required in MODES 3 and 4, since all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block (LCO 3.3.2.1) does not allow any control rod to be withdrawn. In MODE 5, control rods withdrawn from a core cell containing no fuel assemblies do not affect the reactivity of the core and, therefore, are not required to have the capability to scram. Provided all other control rods remain inserted, no RPS function is required. In this condition, the required SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur. (continued) PBAPS UNIT 3 B 3.3-4 Revision No. 0
RPS Instrumenl;ation B 3.3.1.1 BASES APPLICABLE The specific Applicable Safety Analyses, LCO, and SAFETY ANALYSES, Applicability discussions are listed below on a Function by LCO, and Function basis. APPLICABILITY (continued) Wide Range Neutron Monitor (WRNM) 1.a. Wide Range Neutron Monitor Period-Short The WRN14s provide signals to facilitate reactor scram In the event that core reactivity increase (shortening period) exceeds a predetermined reference rate. To determine the reactor period, the neutron flux signal is filtered. 1[he period of this filtered neutron flux signal is used to generate trip signals when the respective trip setpoints are exceeded. The time to trip for a particular reactor period is dependent on the filter time constant, actual period of the signal and the trip setpoints. This period based signal isavailable over the entire operating range from initial control rod withdrawal to full power operation. In the startup range, the most significant source of reactivity change is due to control rod withdrawal. The WRNM provides diverse protection from the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result in an unacceptable neutron flux excursion (Ref. 2). The WRNS1 provides mitigation of the neutron flux excursion. To demonstrate the capability of the WRNM System to mitigate control rod withdrawal events, an analysis has been performed (Ref. 3) to evaluate the consequences of control rod withdrawal events during startup that are mitigated only by the WRNM period-short function. The withdrawal of a control rod out of sequence, during startup, analysis :Ref.
- 3) assumes that one WRNM channel ineach trip system i!;
bypassed, demonstrates that the WRNMs provide protection against local control rod withdrawal errors and results; in peak fuel enthalpy below the 170 cal/gm fuel failure threshold criterion. The WRNMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed. (continued) PBAP'; UNIT 3 B 3.3-5 Revision No. 17
RPS Instrument1ation B 3.3.1.1 BASES APPLICABLE I.a. Wide Range Neutron Monitor Period-Short SAFETY ANALYSES, (continued) LCO, and APPLICABILITY The WRNM System is divided into two groups of WRNM channels, with four channels inputting to each trip system. The analysis of Reference 3 assumes that one channel in earh trip system is bypassed. Therefore, six channels with three I channels in each trip system are required for WRNM OPERABILITY to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. I The analysis of Reference 3 has adequate conservatism to I permit an Allowable Value of 13 seconds. I The WRNM Period-Short Function must be OPERABLE during MODE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the WRNMs provide monitoring for and protection against unexpected reactivity excursions. In MODE 1, the APRM System and the RWM provide protection against control rod withdrawal error events and the WRNMs I are not required. The WRNMs are automatically bypassed when the mode switch is in the Run position. I 1.b. Wide Range Neutron Monitor-Inop This trip signal provides assurance that a minimum number of WRNMs are OPERABLE. Anytime a WRNM mode switch is moved to any position other than "Operate," a loss of power occurs, or the self-test system detects a failure which would result in the loss of a safety-related function, an inoperative trip signal will be received by the RPS unless the WRNM is bypassed. Since only one WRNM in each trip system may be bypassed, only one WRNM in each RPS trip system may be inoperable without resulting in an RPS trip signal. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. (continued) PBAPS UNIT 3 B 3.3-6 Revision No. 17
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 1.b. Wide Range Neutron Monitor-Inop (continued) SAFETY ANALYSES, LCO, and Six channels of the Wide Range Neutron Monitor-Inop APPLICABILITY Function, with three channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function. This Function is required to be OPERABLE when the Wide Range Neutron Monitor Period-Short Function is required. Average Power Range Monitor (APRM) The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases. The APRM channels receive inpLt signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than RTP. Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale Function which monitors small groups of LPRM signals to detect thermal-hydraulic instabilities. The APRM System is divided into four APRM channels and four 2-out-of-4 voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each, with each group of two providing inputs to one RPS trip system. The system is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result in a "half-trip' in all four of the voter channels, but no trip inputs to either RPS trip system. APRM trip Functions 2.a, 2.b, 2.c, and 2.d are voted independently from OPRM Upscale Function 2.f. Therefore, any Function 2.a, 2.b, 2.c, or 2.d trip from any two unbypassed APRM channels will result in a full trip in each of the four voter channels, which in turn results in two trip inputs into each RPS trip system logic channel (Al, A2, B1, and B2), thus resulting in a full scram signal. Similarly, a Function 2.f trip from any two unbypassed APRM channels will result in a full trip from each of the four voter channels. Three of the four APRM channels and all four of the voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal. In addition, to provide adequate coverage of the entire core, consistent with the design bases for the APRM Functions 2.a, 2.b, and 2.c, at least 20 LPRM inputs, with at least three LPRM inputs from each of the four axial levels at which the LPRMs are located, must be operable for each APRM channel, and the number of LPRM inputs that have become inoperable (and bypassed) since the last APRM calibration (SR 3.3.1.1.2) must be less than ten for each APRM channel. For the OPRM Upscale, Function 2.f, LPRMs are assigned to "cells" of 3 or 4 detectors. A minimum of 25 cells per channel, each with a minimum of 2 OPERABLE LPRMs, must be OPERABLE for the OPRM Upscale Function 2.f to be OPERABLE. (continued) PBAPS UNIT 3 B 3.3-7 Revision No. 55
RPS Instrumentation B 3.3.1.1 BASES
- I".--
APPLICABLE 2.a. Average Power Ranae Monitor Neutron Flux-High SAFETY ANALYSES, (Setdown) (continued) LCO, and APPLICABILITY For operation at low power (i.e.,-MODE 2), the Average Power Range Monitor Neutron Flux-High (Setdown) Function is capable of generating a trip signal that prevents fuel damage resulting from abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux-High (Setdown) Function will provide a secondary scram to the Wide Range Neutron Monitor Period-Short Function because of the relative setpoints. At higher power levels, it is pos.ible that the Average Power Range Monitor Neutron Flux-High (Setdown) Function will provide the primary trip signal for a corewide increase in power. No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux-High (Setdown' Function. However, this Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 25% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow. Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER
< 25% RTP.
The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 25% RTP. The Average Power Range Monitor Neutron Flux-High (Setdown) Function must be OPERABLE during MODE 2 when control rods may be withdrawn since the potential for criticality exists. In MODE 1, the Average Power Range Monitor Neutron Flux-High Function provides protection against reactivity transients and the RWM and rod block monitor protect against control rod withdrawal error events. 2.bh Avpranp Pnwer Rannp Monitnr SimulatPd Thermal Power-High The Average Power Range Monitor Simulated Thermal Power-High Function monitors average neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant.. The APRM neutron flux is electronically filtered with a tine constant representative of the fuel heat transfer dynanics to generate a signal proportional to the THERMAL POWER in the reactor. The trip level is varied as a function of recirculation drive flow (i.e., at lower core flows, the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod attern) but is clamped at an upper limit that is always ower than the Average Power Range Monitor Neutron Flux-High Function Allowable Value. A note is included, applicable when the plant is in single recirculation loop operation per LCO 3.4.1, which requires the flow value, used in the Allowable Value equation, be reduced by AW. The value of AW 4cont nued) PBAPS UNIT 3 B 3.3-8 Revision Nto. 51
RPS Instrumentation B 3.3.1.1 (I4v -i BASES APPLICABLE 2.b. Averaae Power Ranae Monitor Simulated Thermal SAFETY ANALYSES, Power-High (continued) LCO, and APPLICABILITY is established to conservatively bound the inaccuracy created in the core flow/drive flow correlation due to back flcw in the jet pumps associated with the inactive recirculation loop. The Allowable Value thus maintains thermal margirs essentially unchanged from those for two loop operatior. The value of AW is plant specific and is defined in plant procedures. The Allowable Value equation for single locp operation is only valid for flows down to W = AW; the Allowable Value does not go below 63.7% RTP. This is acceptable because back flow in the inactive recirculation loop is only evident with drive flows of approximately 35% or greater (Reference 19). The Average Power Range Monitor Simulated Thermal Power-High Function is not specifically credited in the safety analysis but is intended to provide an additional margin of protection from transient induced fuel damage during operation where recirculation flow is reduced to below the minimum required for rated power operation. The Averase Power Range Monitor Simulated Thermal Power-High Function provides protection against transients where THERMAL POWER increases slowly (such as' the loss of feedwater heatinG event) and protects the fuel cladding integrity by ensuring that the MCPR SL is not exceeded. During these events, the THERMAL POWER increase does not significantly lag the neutron flux scram. For rapid neutron flux increase events, the THERMAL POWER lags the neutron flux and the Average Power Range Monitor Neutron Flux-High Function will provide a scram signal before the Average Power Range Monitor Simulated Thermal Power-High Function setpoint is exceeded. Each APRM channel uses one total drive flow signal representative of total core flow. The total drive flcw signal is generated by the flow processing logic, part of the APRM channel, by summing up the flow -calculated frcm two flow transmitter signal inputs, one from each of the two recirculation loop flows. The flow processing logic OPERABILITY is part of the APRM channel OPERABILITY requirements for this Function. The APRM flow processing logic is considered inoperable whenever it cannot deliver a flow signal less than or equal to actual Recirculation flow conditions for all steady state and transient reactor conditions while in Mode 1. Reduced or Downscale flow conditions due to planned maintenance or testing activities during derated plant conditions (i.e. end of cycle coast down) will result in conservative setpoints for the APFM Simulated Thermal Power-High function, thus maintaining that function operable. (continued) PBAPS UNIT 3 B 3.3-9 Revision No. 51
RPS Instrumentation B 3.3.1.1 ism BASES APPLICABLE 2.b. Averaqe Power Range Monitor Simulated Thermal SAFETY ANALYSES, Power-High (continued) LCO, and APPLICABILITY The Allowable Value is based on analyses that take credit for the Average Power Range Monitor Simulated Thermal Power-High Function for the mitigation of non-limiting events. The THERMAL POWER time constant of < 7 seconds is based on the fuel heat transfer dynamics and provides a signal proportional to the THERMAL POWER. I The Average Power Range Monitor Simulated Thermal Power-High Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other WRNM and APRM Functions provide protection for fuel cladding integrity. I 2.c. Average Power Ranqe Monitor Neutron Flux-Hiqh I The Average Power Range Monitor Neutron Flux-High Function is capable of generating a trip signal to prevent fuel damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Neutron Flux-High Function is assumed to terminate the main steam isolation valve JiMSIV) closure event and, along with the safety/relief valves (S/RVs), limit the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 5) takes credit fDr the Average Power Range Monitor Neutron Flux-High Function to terminate the CRDA. _continued) PBAPS UNIT 3 B 3.3-10 Revision No. 30
RPS Instrumentation B 3.3.1.1 1i) BASES I APPLICABLE 2.c. Average Power Range Monitor Neutron Flux-High SAFETY ANALYSES, (continued) LCO, and APPLICABILITY The Allowable Value is based on the Analytical Limit assumed in the CRDA analysis. The Average Power Range Monitor Neutron Flux-High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded. Although the Average Power Range Monitor Neutron Flux-High Function is assumed in the CRDA analysis, which is applicable in I MODE 2, the Average Power Range Monitor Neutron Flux-High (Setdown) Function conservatively bounds the assumed trip and, together with the assumed WRNM trips, provides adequate. protection. Therefore, the Average Power Range Monitor Neutron Flux-High Function is not required in MODE 2. Icontinued) PBAPS UNIT 3 B 3.3-11 Revision No. 30
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.d. Average Power Range Monitor-lnop SAFETY ANALYSES, LCO, and Three of the four APRM channels are required to be OPERABLE APPLICABILITY for each of the APRM Functions. This Function (Inop) (continued) provides assurance that the minimum number of APRM channels are OPERABLE. For any APRM channel, any time its mode switch is not in the "Operate" position, an APRM module required to issue a trip is unplugged, or the automatic self-test system detects a critical fault with the APRM channel, an Inop trip is sent to all four voter channels. Inop trips from two or more unbypassed APRM channels result in a trip output from each of the four voter channels to it's associated trip system. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. There is no Allowable Value for this Function. This Function is required to be OPERABLE in the MODES where the APRM Functions are required. 2.e. 2-Out-Of-4 Voter The 2-Out-Of-4 Voter Function provides the interface between the APRM Functions, including the OPRM Upscale Function, and the final RPS trip system logic. As such, it is required to be OPERABLE in the MODES where the APRM Functions are required and is necessary to support the safety analysis applicable to each of those Functions. Therefore, the 2-Out-Of-4 Voter Function needs to be-OPERABLE in MODES I and 2. All four voter channels are required to be OPERABLE. Each voter channel includes self-diagnostic functions. If any voter channel detects a critical fault in its own processing, a trip is issued from that voter channel tc the associated trip system. The 2-Out-Of-4 Logic Module includes 2-Out-Of-4 Voter hardware and the APRM Interface hardware. The 2-Out-Of-4 Voter Function 2.e votes APRM Functions 2.a, 2.b, 2.c, and 2.d independently of Function 2.f. This voting is accomplished by the 2-Out-Of-4 Voter hardware in the 2-Out-Of-4 Logic Module. Each 2-Out-Of-4 Voter includes two redundant sets of outputs to RPS. Each output set contains two independent contacts; one contact for Functions 2.a, 2.b, 2.c and 2.d, and the other contact for Function 2.f. The analysis in Reference 12 took credit for this redundancy in the justification of the 12-hour Completion Time for Condition A, so the voter Function 2.e must be declared inoperable if any of its functionality is inoperable. However, the voter Function 2.e does not reed to be declared inoperable due to any failure affecting only the plant interface portions of the 2-Out-Of-4 Logic Mcdule that are not necessary to perform the 2-Out-Of-4 Voter function. There is no Allowable Value for this Function. (continued) PBAPS UNIT 3 B 3.3-12 Revision No. 51
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.f. Oscillation Power Range Monitor (OPRM) Upscale SAFETY ANALYSES, LCO, and The OPRM Upscale Function provides compliance with 10 CFR APPLICABILITY 50, Appendix A, General Design Criteria (GDC) 10 and 12, (continued) thereby providing protection from exceeding the fuel MCPR safety limit (SL) due to anticipated thermal-hydraulic power oscillations. References 14, 15 and 16 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm (PBOA), the amplitude based algorithm (ABA), and the growth rate algorithm (GRA). All three are implemented in the OPRM Upscale Function, but the safety analysis takes credit only for the PBDA. The r-emaining algorithms provide defense in depth and additional protection against unanticipated oscillations. OPRM Upscale Function OPERABILITY for Technical Specifications purposes is based only on the PBDA. The OPRM Upscale Function receives input signals from the local power range monitors (LPRMs) within the reactor core, which are combined into "cells" for evaluation by the OPRM algorithms. Each channel is capable of detecting r thermal-hydraulic instabilities, by detecting the related Lujoo} neutron flux oscillations, and issuing a trip signal before the MCPR SL is exceeded. Three of the four channels are required to be OPERABLE. The OPRM Upscale trip is automatically enabled (bypass removed) when THERMAL POWER is 2 29.5% RTP, as indicated by the APRM Simulated Thermal Power, and reactor core flow is
< 60% of rated flow, as indicated by APRM measured recirculation drive flow. This is the operating region where actual thermal-hydraulic instability and related neutron flux oscillations may occur (Reference 18). These setpoints, which are sometimes referred to as the "auto-bypass" setpoints, establish the boundaries of the OPRM Upscale trip enabled region.
The OPRM Upscale Function is required to be OPERABLE when the plant is at 2 25% RTP. The 25% RTP level is selected to provide margin in the unlikely event that a reactor power increase transient occurring while the plant is operating below 29.5% RTP causes a power increase to or beyond the 29.5% APRM Simulated Thermal Power OPRM Upscale trip auto-enable setpoint without operator action. This OPERABILITY requirement assures that the OPRM Upscale trip auto-enable function will be OPERABLE when required. (continued) PBAPS UNIT 3 B 3.3-12a Revision rio. 51
RPS Instrument'ation B 3.3.1.1 A"N4~ BASE:S APPLICABLE 2.f. Oscillation Power Range Monitor 0OPRM) SAFE-TY ANALYSES, Upscale (continued) LCO, and APPLICABILITY An OPRM Upscale trip is issued from an APRM channel when (continued) the PBDA in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals of the LPRM detectors in a cell, with period confirmations and relative cell amplitude exceeding specified setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM Upscale trip is also issued from the channel if either the GRA or ABA detects oscillatory changes in the neutron flux for one or more cells in that channel. There are four "sets" of OPRM related setpoints or adjustment parameters: a) OPRM trip auto-enable setpoints for APRM Simulated Thermal Power (29.5%) and drive flow (60%); b) PBDA confirmation count and amplitude setpoints; c) PBDA tuning parameters; and d) GRA and AEBA setpoints. The first set, the OPRM auto-enable region setpoints, z.s discussed in the SR 3.3.1.1.19 Bases, are treated as nominal setpoints without the application of setpoint methodology per Reference 18. The settings, 29.5% APRM Simulated ThermE.l Power and 60% drive flow, are defined (limit values) in and confirmed by SR 3.3.1.1.19. The second set, the OPRM PE;DA trip setpoints, are established in accordance with methodologies defined in Reference 16, and are documented in the COLR. There are no allowable values for these setpoints. The third set, the OPRM PBDA "tuning" parameters, are established or adjusted in accordance with and controlled by PBAPS procedures. The fourth set, the GRA and ABA setpoints, in accordance with References 14, 15, and 16, are established as nominal values only, and are controlled by PBAPS procedures. (continued) PBAP'; UNIT 3 B 3.3-12b Revision No. 51
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 3. Reactor Pressure-High SAFETY ANALYSES, LCO, and An increase in the RPV pressure during reactor operation APPLICABILITY compresses the steam voids and results in a positive (continued) reactivity insertion. This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the fuel cladding and the RCPB. No specific safety analysis takes direct credit for this Function. However, the Reactor Pressure-High Function initiates a scram for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power. For the overpressurization protection analysis of Reference 4, the Reactor Pressure-High Function is credited as a backup Scram Function only. The analyses conservatively assume the scram occurs on the Average Power Range Monitor Scram Clamp signal, not the Reactor Pressure-High signal. The reactor scram, along with the S/RVs, limits the peak RPV pressure to less than the ASME Section III Code limits. High reactor pressure signals are initiated from four pressure transmitters that sense reactor pressure. The Reactor Pressure-High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event. Four channels of Reactor Pressure-High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.
- 4. Reactor Vessel Water Level-Low (Level 3)
Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat: generated in the fuel from fission. The Reactor Vessel Water Level-Low (Level 3) Function is assumed in the analysis of events resulting in the decrease of reactor coolant inventory (Ref. f). This is credited as'a backup scram function for large and intermediate break LOCAs inside (continued) PBAPS UNIT 3 B 3.3-13 Revision No. 0
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 4. Reactor Vessel Water Level-Low (Level 3) (continued) SAFETY ANALYSES,
- LCO, and primary containment. The reactor scram reduces the amount APPLICABILITY of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS),
ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level-Low (Level 3) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low (Level 3) Function, with two channels in each trip system arrangec in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Reactor Vessel Water Level-Low (Level 3) Allowable Value is selected to ensure that during normal operation the separator skirts are not uncovered (this protects available recirculation pump net positive suction head (NPSH) from significant carryunder) and, for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water-Low Low Low (Level 1) will not be required. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor Vessel Water Level-Low Low (Level 2) and Low Low Low (Level 1) provide sufficient protection for level transients in all other MODES.
- 5. Main Steam Isolation Valve-Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the nuclear steam supply system and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve-Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurizatiort (continued)
PBAPS UJNIT 3 B 3.3-14 Revision Nc. 0
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 5. Main Steam Isolation Valve-Closure (continued) SAFETY ANALYSES, LCO, and transient. However, for the overpressurization protection APPLICABILITY analysis of Reference 4, the Average Power Range Monitor Scram Clamp Function, along with the S/RVs, limits the peak RPV pressure to less than the ASME Section III Code limi.ts. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis. The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. MSIV closure signals are initiated from position switches located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Thus, each RPS trip system receives an input from eight Main Steam Isolation Valve-Closure channels, each consisting of one position switch. The logic for the Main Steam Isolation Valve-Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur. In addition, certain combinations of valves closed in two lines will result in a half-scram. The Main Steam Isolation Valve-Closure Allowable Value is specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient. Eight channels of the Main Steam Isolation Valve-Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection. (continued) PBAPS UNIT 3 B 3.3-15 Revision No. 0
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 6. Drywell Pressure-Hiqh SAFETY ANALYSES, LCO, and High pressure in the drywell could indicate a break in the APPLICABILITY RCPB. A reactor scram is initiated to minimize the (continued) possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell. The Drywell Pressure-High Function is assumed to scram the reactor during large and intermediate break LOCAs inside primary containment. The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and indicative of a LOCA inside primary containment. Four channels of Drywell Pressure-High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this FunctLon on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resull:ing in the limiting transients and accidents.
- 7. Scram Discharge Volume Water Level-High The SDV receives the water displaced by the motion of the CRD pistons during a reactor scram. Should this volume fill to a point where there is insufficient volume to accept the displaced water, control rod insertion would be hindered.
Therefore, a reactor scram is initiated while the remaining free volume is still sufficient to accommodate the water from a full core scram. No credit is taken for a scram initiated from the-Scram Discharge Volume Water Level-High Function for any of the design basis accidents or transients analyzed in the UFSAR. However, this function is retained to ensure the RPS remains OPERABLE. (continued) PBAPS U14IT 3 B 3.3-16 Revision No. 0
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 7. Scram Discharge Volume Water Level-High (continued) SAFETY ANALYSES, LCO, and SDV water level is measured by two diverse methods. The APPLICABILITY level is measured by two float type level switches and two thermal probes for a total of four level signals. The outputs of these devices are arranged so that one device provides input to one RPS logic channel. The level measurement instrumentation satisfies the recommendations of Reference S. The Allowable Value is chosen low enough to ensure that there is sufficient volume in the SDV to accommodate the water from a full scram. Four high water level inputs to the RPS from four device:; are required to be OPERABLE, with two devices in each trip system, to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This Function is required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed.
- 8. Turbine Stop Valve-Closure Closure of the TSVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated at the start of TSV closure in anticipation of the transients that would result from the closure of these valves. The Turbine Stop Valve-Closure Function is the primary scram signal for the turbine trip event analyzed in Reference 7 and the feedwater controller failure event. lor these events, the reactor scram reduces the amount of energy required to be absorbed and ensures that the MCPR SL is not exceeded.
Turbine Stop Valve-Closure signals are initiated from four position switches; one located on each of the four TSVs. Each switch provides two input signals; one to RPS trip system A and the other, to RPS trip system B. Thus, each RPS trip system receives an input from four Turbine Stop Valve-Closure channels. The logic for the Turbine Stop (continued) PBAPS UNIT 3 B 3.3-17 Revision No. 0
RPS Instrumen;:ation 8 3.3.1.1 BASEES APPLICABLE 8. Turbine Stop Valve-Closure (continued) SAFETY ANALYSES, LCO, and Valve-Closure Function is such that three or more TSVs must APPLICABILITY be closed to produce a scram. In addition, certain combinations of two valves closed will result in a half-scram. This Function must be enabled at THERMAL POWER 2 29.5% RTP as measured at the turbine first stage pressure. I This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. The Turbine Stop Valve-Closure Allowable Value is selected to be high enough to detect imminent TSV closure, thereby reducing the severity of the subsequent pressure transient. Eight channels of Turbine Stop Valve-Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function if any three TSVs should close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is 2 29.5% RTP. This Function is not required when THERMAL POWER is < 29.5% RTP since the Reactor Pressure-High and the Average Power Range I Monitor Scram Clamp Functions are adequate to maintain the necessary safety margins.
- 9. Turbine Control Valve Fast Closure. Trip Oil Pressure-Low Fast closure of the TCVs results in the loss of a heat s-nk that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor sc:ram is initiated on TCV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Function is the primary scram signal for the generator load rejection event analyzed in Reference 7 and the generator load rejection with bypass failure event. For these events, the reactor scram reduces the amount of-energy required to be absorbed and ensures that the MCPR SL is not exceeded.
(continued) PBAPS UNIT 3 B 3.3-18 Revision No. 45
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 9. Turbine Control Valve Fast Closure. Trip Oil SAFETY ANALYSES, Pressure-Low (continued) LCO, and APPLICABILITY Turbine Control Valve Fast Closure, Trip Oil Pressure-Low signals are initiated by the relayed emergency trip supply oil pressure at each control valve. One pressure switch is associated with each control valve, and the signal fror each switch is assigned to a separate RPS logic channel. This Function must be enabled at THERMAL POWER 2 29.5% RTP. This I is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. The Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Allowable Value is selected high enough tc detect imminent TCV fast closure. Four channels of Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Function with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is 2 29.5% RTP. This Function is not required when THERMAL POWER is < 29.5% RTP, since the Reactor Pressure-High and the Average Power Range I Monitor Scram Clamp Functions are adequate to maintain the necessary safety margins.
- 10. Turbine Condenser-Low Vacuum The Turbine Condenser-Low Vacuum Function protects the integrity of the main condenser by scramming the reactor and thereby decreasing the severity of the low condenser vacuum transient on the condenser. This function also ensures integrity of the reactor due to loss of its normal heat sink. The reactor scram on a Turbine Condenser-Low Vacuum signal will occur prior to a reactor scram from a Turbine Stop Valve-Closure signal. This function is not specifically credited in any accident analysis but is being retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
(continued) PBAPS UNIT 3 B 3.3-19 Revision No. 45
RPS Instrumentation B 3.:3.1.1 BASES APPLICABLE 10. Turbine Condenser-Low Vacuum (continued) SAFETY ANALYSES, LCO, and Turbine Condenser-Low Vacuum signals are initiated from APPLICABILITY four vacuum pressure transmitters that provide inputs to associated trip systems. There are two trip systems and two channels per trip system. Each trip system is arranged in a one-out-of-two logic and both trip systems must be tripped in order to scram the reactor. The Turbine Condenser-Low Vacuum Allowable Value is specified to ensure that a scram occurs prior to the integrity of the main condenser being breached, thereby limiting the damage to the normal heat sink of the reactor. Four channels of the Turbine Condenser-Low Vacuum Funct..on with two channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this function on a valid signal. This Function is only required in MODE 1 where considerable energy exists which could challenge the integrity of the main condenser if vacuum is low. In MODE 2, the Turbine Condenser-Low Vacuum Function is not required because at low power levels the transients are less severe.
- 11. Main Steam Line-High Radiation Main Steam Line-High Radiation Function ensures prompt reactor shutdown upon detection of high radiation in the vicinity of the main steam lines. High radiation in the vicinity of the main steam lines could indicate a gross fuel failure in the core. The scram is initiated to limit the fission product release from the fuel. This Function is not specifically credited in any accident analysis but is being retained for overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
Main Steam Line-High Radiation signals are initiated from four radiation monitors. Each monitor senses high gamma radiation in the vicinity of the main steam line. The Main Steam Line-High Radiation Allowable Value is selected high enough above background radiation levels to avoid spurious scrams, yet low enough to promptly detect a gross release of fission products from the fuel. (continued) PBAPS UNIT 3 B 3.3-20 Revision No. 0
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 11. Main Steam Line-High Radiation (continued) SAFETY ANALYSES, LCO, and Four channels of Main Steam Line-High Radiation Function APPLICABILITY with two channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this function on a valid signal. This Function is required in MODES 1 and 2 where considerable energy exists such that steam is being produced at a rate which could release considerable fission products from the fuel.
- 12. Reactor Mode Switch-Shutdown Position The Reactor Mode Switch-Shutdown Position Function provides signals, via the manual scram logic channels, directly to the scram pilot solenoid power circuits. These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.
The reactor mode switch is a keylock four-position, four-bank switch. The reactor mode switch is capable of scramming the reactor if the mode switch is placed in the shutdown position. Scram signals from the mode switch are input into each of the two RPS manual scram logic channels. There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on reactor mode switch position. Two channels of Reactor Mode Switch-Shutdown Position Function, with one channel in each manual scram trip system, are available and required to be OPERABLE. The Reactor Mode Switch-Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. (continued) PBAPS UJNIT 3 B 3.3-21 Revision No. O
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 13. Manual Scram SAFETY ANALYSES, LCO, and The Manual Scram push button channels provide signals, via APPLICABILITY the manual scram logic channels, directly to the scram pilot (continued) solenoid power circuits. These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. There is one Manual Scram push button channel for each of the two RPS manual scram logic channels. In order to cause a scram it is necessary that each channel in both manual scram trip systems be actuated. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons. Two channels of Manual Scram with one channel in each manual scram trip system are available and required to be OPERkBLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.
- 14. RPS Channel Test Switch There are four RPS Channel Test Switches, one associated with each of the four automatic scram logic channels (AL, A2, Bi, and B2). These keylock switches allow the operator to test the OPERABILITY of each individual logic channel without the necessity of using a scram function trip. This is accomplished by placing the RPS Channel Test Switch in test, which will input a trip signal into the associated RPS logic channel. The RPS Channel Test Switches were not specifically credited in the accident analysis. However, because the Manual Scram Functions at Peach Bottom Atom-.c Power Station, were not configured the same as the generic model in Reference 9, the RPS Channel Test Switches were included in the analysis in Reference 10. Reference 10 concluded that the Surveillance Frequency extensions from (continued)
PBAPS UNIT 3 B 3.3-22 Revision No. 0
RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 14. RPS Channel Test Switch (continued) SAFETY ANALYSES, LCO, and RPS Functions, described in Reference 9, were not affected APPLICABILITY by the difference in configuration, since each automatic RPS channel has a test switch which is functionally the same as the manual scram switches in the generic model. As such, the RPS Channel Test Switches are retained in the Technical Specifications. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the switches. Four channels of RPS Channel Test Switch with two channels in each trip system arranged in a one-out-of-two logic are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel. A.1 and A.2 Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours has been shown to be acceptable (Refs. 9, 12 & 13) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated (continued) PBAPS UNIT 3 B 3.3-23 Revision No. 30
RPS Instrumentation B 3.3.1.1 BASES ACTIONS A.1 and A.2 (continued) Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B.1, 8.2, and C.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, anc. allow operation to continue. Alternatively, if it is riot desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram), Condition D must be entered and its Required Action taken. As noted, Action A.2 is not applicable for APRM Functicns 2.a, 2.b, 2.c, 2.d, or 2.f. Inoperability of one required APRM channel affects both trip systems. For that condition, Required Action A.1 must be satisfied, and is the only action (other than restoring operability) that will restore capability to accommodate a single failure. Inoperability of more than one required APRM channel of the same trip function results in loss of trip capability and entry into Condition C, as well as entery into Condition A for each channel. B.1 and B.2 Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition, provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip system. Required Actions 8.1 and B.2 limit the time the RPS scram logic, for any Function, would not accommodate single failure in both trip systems (e.g., one-out-of-one and one-out-of-one arrangement for a typical four channel Function). The reduced reliability of this logic arrangement was not evaluated in References 9, 12 or 13 for the 12 hour Completion Time. Within the 6 hour allowance, the associated Function will have all required channels OPERABLE or in trip (or any combination) in one trip system. (conti nued PBAPS; UNIT 3 B 3.3-24.- Revision No. 51
RPS Instrumentation 8 3.3.1.1 BASES ACTIONS B.1 and B.2 (continued) Completing one of these Required Actions restores RPS to a reliability level equivalent to that evaluated in References 9, 12 or 13, which justified a 12 hour allowable out of service time as presented in Condition A. The trip system in the more degraded state should be placed in trip or, alternatively, all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in a more degraded state than a trip system with four inoperable channels if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions). The decision of which trip system is in the more ~degraded state should be based on prudent judgment and take into account current plant conditions (i.e., what MODE the plant is in). If this action would result in a scram or RPT, it is permissible to place the other trip system or its inoperable channels in trip. The 6 hour Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram. Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as'in the case where placing the inoperable channel or associated trip system in trip would result in a scram, Condition D must be entered and its Required Action taken. As noted, Condition B is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f. Inoperability of an APRM channel affects both trip systems and is not associated with a specific trip system as are the APRM 2-Out-Of-4 voter and other non-APRM channels for which Condition B applies. For an inoperable APRM channel, Required Action A.1 must be satisfied, and is the only action (other than restoring operability) that will restore capability to accommodate a single failure. Inoperability of a Function in more than one required APRM channel results in loss of trip capability for that Function and entry into Condition C, as well as entry into Condition A for each channel. Because Condition A and C provide Required Actions that are appropriate for the inoperability of APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f, and these functions are not associated with specific trip systems as are the APRM 2-Out-Of-4 voter and other non-APRM channels, Condition 8 does not apply. (continued) PBAPS -UNIT 3 B 3.3-25 Revision No. 51
RPS Instrumentation B 3.3.1.1 BASES AC7IONS C.1 (continued) Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip system for the same Function result in an automatic Function, or two or more manual Functions, not maintaining RPS trip capability. A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For the typical Function with one-out-of-two taken twice logic and the IRM and APRM Functions, this would require both trip systems to have one channel OPERABLE or in trip (or the associated trip system in trip). For Function 5 (Main Steam Isolation Valve-Closure), this would require both trip systems to have each channel associated with the MSIVs in three main steam lines (not necessarily the same main steam lines for both trip systems)OPERABLE or in trip (or the associated trip system in trip). For Function 8 (Turbine Stop Valve-Closure), this would require both trip systems to have three channels, each OPERABLE or in trip (or the associated trip system in trip). For Functions 12 (Reactor Mode Switch-Shutdown Position) and 13 (Manual Scram), this would require bath trip systems to have one channel, each OPERABLE or in trip {or the associated trip system in trip). The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. D.1 Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition. NO {continued) PBAPS UNIT 3 B 3.3-26 Revision No. 30
RPS Instrumentation B 3.3.1.1 BASE'S ACTIONS E.1. F.1. G.1. and J.1 (continued) If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Actions E.1 and J.1 are consistent with the Completion Time provided in LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)." If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by immediately initialing action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. If OPRM Upscale trip capability is not maintained, Condition I exists. References 12 and 13 justified use of alternate methods to detect and suppress oscillations for a limited period of time. The alternate methods are procedurally established consistent with the guidelines identified in Reference 17 requiring manual operator action to scram the plant if certain predefined events occur. The 12-hour allowed Completion Time for Required Action I.1 is based on engineering judgment to allow orderly transition to the alternate methods while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring at all, the 12 hour duration is judged to be reasonable. The 12 hour Completion Time of I.1 is provided to establish the alternate detect and suppress method regardless of whether the 120 day Completion time of I.2 applies. If the inoperable condition is such that action I.2 does not apply, then Condition J is entered once Required Action I.1 ha<; been completed or once the Completion Time of Required Action 1.1 has expired. PBAPS UNIT 3 -B 3.3-27 Revision No. '55
RPS Instrumentation B 3.3.1.1 BASES ACTIONS 1.2 (continued) The alternate method to detect and suppress oscillations implemented in accordance with I.1 was evaluated (References 12 and 13) based on use up to 120 days only. The evaluation, based on engineering judgment, concluded that the likelihood of an instability event that could not be adequately handled by the alternate methods during this 120-day period was negligibly small. The 120-day period is intended to be an outside limit to allow for the case where design changEs or extensive analysis might be required to understand or correct some unanticipated characteristic of the instability detection algorithms or equipment. This action is not intended and was not evaluated as a routine alternative to returning failed or inoperable equipment to OPERABLE status. Correction of routine equipment failure or inoperability is expected to normally be accomplished within the completion times allowed for Actions for Condition A. The 12 hour Completion Time of I.1 is provided to establish the alternate detect and suppress method regardless of whether the 120 day Completion time of I.2 applies. If the inoperable condition is such that action I.2 does not apply, then Condition J is entered once Required Action 1.1 has been completed or once the Completion Time of Required Action I.1 has expired. A note is provided to indicate that LCO 3.0.4 is not applicable. The intent of that note is to allow plant start-up while within the 120-day completion time for action I.2. The primary purpose of this exclusion is to allow an orderly completion of design and verification activities, in the event of a required design change, without undue impact on plant operation. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each RPS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 9, 12 & 13) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RPS will trip when necessary. (continued) PBAPS UNIT 3 B 3.3-27a -Revision No. 55
RPS Instrumentation B 3.3.1.1 cI BASES SURVEILLANCE SR 3.3.1.1.1 REQUIREMENTS (continued) Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.1.1.2 To ensure that the APRMs are accurately indicating the true core average power, the APRMs are calibrated to the redactor power calculated from a heat balance. The Frequency of once per 7 days is based on minor changes in LPRM sensitivity, which could affect the APRM reading between performances of SR 3.3.1.1.8. _continued) PBAP'S UNIT 3 B 3.3-28 Revision No. 30
RPS Instrumentation B 3.3.1.1 -BASES SURVEILLANCE SR 3.3.1.1.2 (continued) REQUIREMENTS A restriction to satisfying this SR when < 25X RTP is provided that requires the.SR to be met only at 2 25X flTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent.with a hea: balance when < 25X RTP. At low power levels, a high degree of accuracy is unnecessary because of the large, inherent margin to thermal limits (MCPR, LHGR and APLHGR). At a 25X RTP, the Surveillance is required to have been satisfactorily' performed within the last 7 days, in accordance with SR 3.0.2. A Note is.provided which allows an increase in THERMAL POWER above 25% if the 7 day Frequency is not net per SR 3.0.2. In this event, the SR must be performed within 12 hours after reaching or exceeding 25X RTP. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.
- SR 3.3.1.1-3 (Not Used.)
SR 3.3.1.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. A Frequency of 7 days provides an acceptable level of system average availability over the Frequency and is based on the reliability analysis of References 9 and 10. (The RPS Channel Test Switch Function's CHANNEL FUNCTIONAL TEST Frequency was credited in the analysis to extend many automatic scram Functions' Frequencies.) SR 3.3.1.1.5 and SR 3.3.1.1.6 A CHANNEL FUNCTIONAL TEST is performed on each requirec channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be made consistent with the assumptions of the current plant specific setpoint methodology. (continued) PBAPS. UNIT 3 B 3.3-29 Revision No. 50
RPS Instrumentation B :3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.5 and SR 3.3.1.1.6 (continued) REQUIREMENTS As noted, SR 3.3.1.1.5 is not required to be performed when entering MODE 2 from MODE 1, since testing of the MODE: 2 required WRNM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This allows entry into MODE 2 if the 31 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours after entering MODE 2 from MODE 1. Twelve hours is based on operating experience and in-consideration of providing a reasonable time in which to complete the SR. A Frequency of 31 days provides an acceptable level of system average unavailability over the Frequency interval and is based on fixed incore detectors, overall reliability, and self-monitoring features. SR 3.3.1.1.7 (Not Used.) (continued) PBAPS UNIT 3 B 3.3-30 Revision No. 30
RPS Instrumentation B 3.3.1.1 BAS ES l SURVEILLANCE SR 3.3.1.1.8 REQUIREMENTS (continued) LPRM gain settings are determined from the local flux profiles measured by the Traversing Incore Probe (TIP) System. This establishes the relative local flux profile for appropriate representative input to the APRM System. The 1000 MWD/T Frequency is based on operating experience with LPRM sensitivity changes. SR 3.3.1.1.9 and SR 3.3.1.1.14 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. For Function 5, 7, and 8 channels, verification that the trip settings are less than or equal to the specified Allowable Value during the CHANNEL FUNCTIONAL TEST is not required since the channels consist of mechanical switches and are not subject to drift. An exception to this are two of the Function 7 level switches which are not mechanical. These Scram Discharge Volurle (SDV) RPS switches (Fluid Components Inc.) are heat sensitive electronic level detectors which actuate by sensing a difference in temperature. The temperature detectors are permanently affixed within the scram discharge volume piping conservatively below the level (allowable value as measured in gallons) at which an RPS actuation signal will occur. Since there is no drift involved with the physical location of these switches, verifying the trip settings are less than or equal to the specified allowable value during the CHANNEL FUNCTIONAL TEST is not required. Additionally, historical calibration data has indicated that the FCI level switches have not exceeded their Allowable Value when tested. {continued) PBAPS UNIT 3 B 3.3-31 Revision Ho. 30
RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.14 (continued) REQUIREMENTS In addition, Function 5 and 7 instruments are not accessible while the unit is operating at power due to high radiation and the installed indication instrumentation does not rovide accurate indication of the trip setting. For the Function 9 channels, verification that the trip settings are less than or equal to the specified Allowable Value during the CHANNEL FUNCTIONAL TEST is not required since the instruments are not accessible while the unit is operating at power due to high radiation and the installed indication instrumentation does not provided accurate indication of the trip setting. Waiver of these verifications for the above functions is considered acceptable since the magnitude of drift assumed in the setpoint calculation is based on a 24 month calibration interval. The 92 day Frequency of SR 3.3.1.1.9 is based on the reliability analysis of Reference 9. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components will ass the Surveillance when performed at the 24 month Frequency. SR 3.3.1.1.10. SR 3.3.1.1.12. SR 3.3.1.1.15. and SR 3.3.1.1.16 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the current plant specific setpoint methodology. As noted for SR 3.3.1.1.10, radiation detectors are excluded from CHANNEL CALIBRATION due to ALARA reasons (when the plant is operating, the radiation detectors are generally in a high radiation area; the steam tunnel). This exclusion is acceptable because the radiation detectors are passive devices, with minimal drift. To complete the radiation CHANNEL CALIBRATION, SR 3.3.1.1.16 requires that the radiation detectors be calibrated on a once per 24 months Frequency. The once per 92 days Frequency of SR 3.3.1.1.10 is conservative with respect to the magnitude of equipment drift assumed in the setpoint analysis. The Frequency of SR 3.3.1.1.16 is based upon the assumption of a 24-month calibration interval used in the determination of the equipment drift in the setpoint analysis. As noted for SR 3.3.1.1.12, neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Changes in (continued) PBAPS UNIT 3 B 3.3-32 Revision No. 51
RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.10. SR 3.3.1.1.12. SR 3.3.1.1.15. REQUIREMENTS and SR 3.3.1.1.16 (continued) neutron detector sensitivity are compensated for by performing the 7 day calorimetric calibration (SR 3.3.1.1.2) and the 1000 MWD/T LPRM calibration against the TIPs (SR 3.3.1.1.8). A second note is provided for SR 3.3.1.1.12 that allows the WRNM SR to be performed within 12 hours of entering MODE 2 from MODE 1. Testing of the MODE 2 WRNM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads or movable links. This Note allows entry into MODE 2 from MODE 1, if the 24 month Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. A third note is provided for SR 3.3.1.1.12 that includes in the SR the recirculation flow (drive flow) transmitters, which supply the flow signal to the APRMs. The APRM Simulated Thermal Power-High Function (Function 2.b) and the OPRM Upscale Function (Function 2.f), both require a valid drive flow signal. The APRM Simulated Thermal Power-High Function uses drive flow to vary the trip setpoint. The OPRM Upscale Function uses drive flow to automatically enable or bypass the OPRM Upscale trip output to RPS. A CHANNEL CALIBRATION of the APRM drive flow signal requires both calibrating the drive flow transmitters and establishing a valid drive flow / core flow relationship. The drive flow /core flow relationship is established once per refuel cycle, while operating at or near rated power and flow conditions. This method of correlating core flow and drive flow is consistent with GE recommendations. Changes throughout the cycle in the drive flow / core flow relationship due to the changing thermal hydraulic operating conditions of the core are accounted for in the margins included in the bases or analyses used to establish the setpoints for the APRM Simulated Thermal Power-High Function and the OPRM Upscale Function. The Frequencies of SR 3.3.1.1.12 and SR 3.3.1.1.15 are based upon the assumption of a 24-month calibration interval used in the determination of the equipment drift in the setpDint analysis. SR 3.3.1.1.11 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the (continued) PBAPS UNIT 3 B 3.3-33 Revision No. 51
RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.11 (continued) REQUIREMENTS intended function. For the APRM Functions, this test supplements the automatic self-test functions that operate continuously in the APRM and voter channels. The scope of the APRM CHANNEL FUNCTIONAL TEST is limited to verification of system trip output hardware. Software controlled functions are tested only incidentally. Automatic internal self-test functions check the EPROMs in which the software-controlled logic is defined. Any changes in the EPROMs will be detected by the self-test function resulting in a trip and/or alarm condition. The APRM CHANNEL FUNCTIONAL TEST covers the APRM channels (including recirculation flow processing - applicable to Function 2.b and the auto-enable portion of Function 2.f only), the 2-Out-Of-4 voter channels, and the interface connections into the RPS trip systems from the voter channels. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The 184 day Frequency of SR 3.3.1.1.11 is based on the reliability analyses cf References 12 and 13. (NOTE: The actual voting logic of the 2-Out-Of-4 Voter Function is tested as part of SR 3.3.1.1.17. The actual auto-enable setpoints for the CPRM Upscale trip are confirmed by SR 3.3.1.1.19.) A Note is provided for Function 2.a that requires this SR to be performed within 12 hours of entering MODE 2 from MCDE 1. Testing of the MODE 2 APRM Function cannot be performed in MODE 1 without utilizing jumpers or lifted leads. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2. A second Note is provided for Function 2.b that clarifies that the CHANNEL FUNCTIONAL TEST for Function 2.b includes testing of the recirculation flow processing electronics, excluding the flow transmitters. SR 3.3.1.1.13 This SR ensures that scrams initiated from the Turbine Stop Valve-Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Functions will not be inadvertently bypassed when THERMAL POWER is 2 29.5% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the Allowable Value (* 28.9% RTP which is equivalent to s 138.4 psig as measured from turbine first stage pressure) and the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from turbine first stage pressure), the main turbine bypass valves must remain closed during the calibration at THERMAL POWER 2 29.5% RTP to ensure that the calibration is valid. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at 2 29.5% RTP, either due to open main turbine bypass valve(s) or other reasons), then the (continued) PBAP'; UNIT 3 B 3.3-34 Revision No. 51
RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.13 (continued) REQUIREMENTS affected Turbine Stop Valve-Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met and the channel is considered OPERABLE. The Frequency of 24 months is based on engineering judgment and reliability of the components. SR 3.3.1.1.17 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8), overlaps this Surveillance to provide complete testing of the assumed safety function. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. The LOGIC SYSTEM FUNCTIONAL TEST for APRM Function 2.e simulates APRM and OPRM trip conditions at the 2-Out-Of-4 voter channel inputs to check all combinations of two tripped inputs to the 2-Out-Of-4 logic in the voter channels and APRM related redundant RPS relays. SR 3.3.1.1.18 This SR ensures that the individual channel response times are maintained less than or equal to the original design value. The RPS RESPONSE TIME acceptance criterion is included in Reference 11. RPS RESPONSE TIME tests are conducted on a 24 month Frequency. The 24 month Frequency is consistent with the PBAPS refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences. (continued) PBAPS UNIT 3 B 3.3-35 Revision No. 51
RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.19 REQUIREMENTS (continued) This surveillance involves confirming the OPRM Upscale trip auto-enable setpoints. The auto-enable setpoint values are considered to be nominal values as discussed in Reference 18. This surveillance ensures that the OPRM Upscale trip is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other surveillances ensure that the APRM Simulated Thermal Power and recirculation drive flow properly correlate with THERMAL POWER (SR 3.3.1.1.2) and core flow (SR 3.3.1.1.12), respectively. I The Frequency of 24 months is based on engineering judgment and reliability of the components. REFERENCES 1. UFSAR, Section 7.2.
- 2. UFSAR, Chapter 14.
- 3. NEDO-32368, "Nuclear Measurement Analysis and Control Wide Range Neutron Monitoring System Licensing Report for Peach Bottom Atomic Power Station, Units 2 and 3,"
November 1994.
- 4. NEDC-32183P, "Power Rerate Safety Analysis Report for Peach Bottom 2 & 3," dated May 1993.
- 5. UFSAR, Section 14.6.2.
- 6. UFSAR, Section 14.5.4.
- 7. UFSAR, Section 14.5.1.
- 8. P. Check (NRC) letter to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.
- 9. NEDO-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System,"
March 1988. (continued) PBAPS UNIT 3 8 3.3-36 Revision ND. 55
RPS Instrumentation B 3.3.1.1 BASES REFERENCES 10. MDE-87-0485-1, "Technical Specification Improvemert (continued) Analysis for the Reactor Protection System for Peach Bottom Atomic Power Station Units 2 and 3," October 1987.
- 11. UFSAR, Section 7.2.3.9.
- 12. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM)
Retrofit Plus Option III Stability Trip Function", October 1995.
- 13. NEDC-32410P Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Supplement 1", November 1997.
- 14. NEDO-31960-A, "BWR Owners' Group Long-Term Stabil-ty Solutions Licensing Methodology," November 1995.
- 15. NEDO-31960-A, Supplement 1, "BWR Owners' Group Long-Term Stability Solutions Licensing Methodology,"
November 1995.
- 16. NEDO-32465-A, "Reactor Stability Detect and Suppress Solutions Licensing Basis Methodology And Reload Applications," August 1996.
- 17. Letter, L. A. England (BWROG) to M. J. Virgilio, "BWR Owners' Group Guidelines for Stability Interim Corrective Action," June 6, 1994.
- 18. BWROG Letter 96113, K. P. Donovan (BWROG) to L. E.
Phillips (NRC), "Guidelines for Stability Option HII
'Enable Region' (TAC M92882)," September 17, 1996.
- 19. NEDO-24229-1, "Peach Bottom Atomic Power Station Units 2 and 3 Single-Loop Operation," May 1980.
PBAPS UNIT 3 8 3.3-36a Revision No. 51 1
WRNM Instrumentation B 3.3.1.2 B 3.3 INSTRUMENTATION l B 3.3.1.2 Wide Range Neutron Monitor (WRNM) Instrumentation BASES BACKGROUND The WRN?1s are capable of providing the operator with information relative to the neutron flux level at very low flux levels in the core. As such, the WRNM indication is used by the operator to monitor the approach to criticality and determine when criticality is achieved. The WRNI subsystem of the Neutron Monitoring System (N14S) consists of eight channels. Each of the WRNM channels can be bypassed, but only one at any given time per RPS trip system, by the operation of a bypass switch. Each channel includes one detector that is permanently positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various WRNM functions. The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate.. Each channel also includes indication, alarm, and control rod blocks. However, this LCO specifies OPERABILITY requirements only for the monitoring and indication functions of the WRNMs. During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the WRNMs or special movable detectors connected to the normal WRNM circuits. The WRNMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication of unexpected subcritical multiplication that could be indicative of an approach to criticality. APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling and low power operation is provided by LCO 3.9.1, "Refueling Equipment Interlocks'; LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"; LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"; WRNM Period-Short and (continued) PBAPS UNIT 3 B 3.3-37 Revision No. 17
WRNM Instrumentation B 3.3.1.2 BASES APPLICABLE Average Power Range Monitor (APRM) Startup High Flux Scram SAFETY ANALYSES Functions; and LCO 3.3.2.1, "Control Rod Block (continued) Instrumentation." The WRNFIs have no safety function associated with monitoring neutron flux at very low levels and are not assumed to function during any UFSAR design basis accident or transient analysis which would occur at very low neutron flux levels. However, the WRNMs provide the only on-scale monitoring of neutron flux levels during startup and refueling. Therefore, they are being retained in Technical Specifications. - LCO During startup in MODE 2, three of the eight WRNM channels are required to be OPERABLE to monitor the reactor flux level and reactor period prior to and during control rod withdrawal, subcritical multiplication and reactor criticality. These three required channels must be located in different core quadrants in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core. In MODES 3 and 4, with the reactor shut down, two WRNM channels in two different quadrants provide redundant monitoring of flux levels in the core. In MODE 5, during a spiral offload or reload, a WRNM outside the fueled region will no longer be required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE WRNM in an adjacent quadrant provided the Table 3.3.1.2-1, footnote (b), requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE WRNM is met. Spiral reloading and F offloading encompass reloading or offloading a cell on the edge of a continuous fueled region (the cell can be reloaded or offloaded in any sequence). In nonspiral routine operations, two WRNMs are required to be OPERABLE to provide redundant monitoring of reactivity changes in the reactor core. Because of the local nature. of reactivity changes during refueling, adequate coverage is provided by requiring one WRNM to be OPERABLE for the connected fuel in the quadrant of the reactor core where (continued) PBAPS UNIT 3 B 3.3-38 Revision No. 17
I WRNN Instrumentation B 3.3.1.2 BASES LCO CORE ALTERATIONS are being performed. There are two WRNMs (continued) in each quadrant. Any CORE ALTERATIONS must be performed in a region of fuel that is connected to an OPERABLE WRNM to ensure that the reactivity changes are monitored within the fueled region(s) of the quadrant. The other WRNM that is required to be OPERABLE must be in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS. Special movable detectors, according to footnote (c)of I Table 3.3.1.2-1, may be used in place of the normal WRNM nuclear detectors. These special detectors must be I connected to the normal WRNM circuits in the NMS, such that the applicable neutron flux indication can be generated. These special detectors provide more flexibility in monitoring reactivity changes during fuel loading, since they can be positioned anywhere within the core during refueling. They must still meet the location requirements I of SR 3.3.1.2.2 and all other required SRs for WRNMs. The Table 3.3.1.2-1, footnote {d), requirement provides for conservative spatial core coverage. I For a WRNM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication. APPLICABILITY The WRNMs are required to be OPERABLE in MODES .2,3, 4, and 5 prior to the WRNMs reading 125E-5 % power to provide for neutron monitoring. In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the WRNMs are not required. In MODE 2, with WRNMs reading greater than 125E-5 % power, the WRNM Period-Short function provides adequate monitoring and the WRNMs monitoring indication is not required. ACTIONS A.1 and B.1 I In MODE 2, the WRNM channels provide the means of monitoring core reactivity and criticality. With any number of the I required WRNMs inoperable, the ability to monitor neutron flux is degraded. Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status. {continued) PBAFIS UMIT 3 B 3.3-39 Revision No. 17
WRNM Instrumentation B 3.3.1.2 BASES ACTIONS A.1 and 8.1 (continued) Provided at least one WRNM remains OPERABLE, Required Action A.1 allows 4 hours to restore the required WRNMs to OPERABLE status. This time is reasonable because there is adequate capability remaining to monitor the core, there is limited risk of an event during this time, and there is sufficient time to take corrective actions to restore the required WRNMs to OPERABLE status. During this time, control rod withdrawal and power increase is not precluded by this Required Action. Having the ability to monitor the core with at least one WRNM, proceeding to WRNM indication greater than 125E-5 % power, and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation. With three required WRNMs inoperable, Required Action 13.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to inability to monitor the changes. Required Action A.1 still applies and allows 4 hours to restore monitoring capability prior to requiring control rod insertion. This allowance is based on the limited risk of an event during this time, provided that no. control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no WRNMs OPERABLE. C.1 In MODE 2, if the required number of WRNMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. D.1 and D.2 With one or more required WRNMs inoperable in MODE 3 oir 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is fcontinued) PBAPS UNIT 3 B 3.3-40 Revision No. 17
WRNM Instrumentation B 3.3.1.2 BASES ACTIONS D.1 and D.2 (continued) available. Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the WRNM occurring during this interval. E.1 and E.2 With one or more required WRNMs inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling is degraded. CORE ALTERATIONS must be immediately suspended and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring. Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity given that fuel is present in the core. Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position. Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each WRNM REQUIREMENTS Applicable MODE or other specified conditions are found in the SRs column of Table 3.3.1.2-1. SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. (continued) PBAPIS UNIT 3 B 3.3-41 Revision No. 17
WRNM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.1 and SR 3.3.1.2.3 (continued) REQUIREMENTS A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Frequency of once every 12 hours for SR 3.3.1.2.1 is based on operating experience that demonstrates channel failure is rare. While in MODES 3 and 4, reactivity changes are not expected; therefore, the 12 hour Frequency is relaxed to 24 hours for SR 3.3.1.2.3. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.1.2.2 To provide adequate coverage of potential reactivity changes in the core, one WRNM is required to be OPERABLE for the connected fuel in the quadrant where the CORE ALTERATIONS are being performed, and the other OPERABLE WRNM must be in an adjacent quadrant containing fuel. Note 1 states that the SR is required to be met only during CORE ALTERATIONS. It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring. This Surveillance consists of a review of plant logs to ensure that WRNMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE. In the event that only one WRNM is required to be OPERABLE, per Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required. Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE WRNM. The 12 hour Frequency is based upon operating experience and supplements operational controls over refueling activities that include steps to ensure that the WRNMs required by the LCO are in the proper quadrant. (continued) PBAFS UNIT 3 B 3.3-42 Revision No. 17
I. WRNM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.4 REQUIREMENTS (continued) This Surveillance consists of a verification of the WRNM instrument readout to ensure that the WRNM reading is greater than a specified minimum count rate, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core. The signal-to-noise ratio shown in Figure 3.3.1.2-1 is the WRNM count rate at I which there is a 95% probability that the WRNM signal indicates the presence of neutrons and only a 5% probability that the WRNM signal is the result of noise (Ref. 1). With few fuel assemblies loaded, the WRNMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate. To accomplish this, the SR is modified by Note 1 that states that the count rate is not required to be met on a WR1IM that has less than or equal to four fuel assemblies adjacent to the WRNM and no other fuel assemblies are in the associated core quadrant. With four or less fuel assemblies loaded I .I around each WRNM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, the configuration will not be critical. In addition, Note 2 states that this requirement does not have to be met (luring spiral unloading. If the core is being unloaded in this manner, the various core configurations encountered will not be critical. The Frequency is based upon channel redundancy and other information available in the control room, and ensure; that the required channels are frequently monitored while core reactivity changes are occurring. When no reactivity changes are in progress, the Frequency is relaxed from 12 hours to 24 hours.
.1 SR 3.3.1.2.5 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. SR 3.3.1.2.5 is I required in MODES 2,3,4 and 5 and the 31 day Frequency ensures that the channels are OPERABLE while core reactivity I _continued)
PBAIPS UNIT 3 B 3.3-43 Revision No. 17
WRNM Instrumentation B 3.3.1.2 BASES SURVEILLANCE SR 3.3.1.2.5 (continued) REQUIREMENTS changes could be in progress. This Frequency is reasonable, based on operating experience, fixed incore detectors, overall reliability, self-monitoring features, and on other Surveillances (such as a CHANNEL CHECK), that ensure proper functioning between CHANNEL FUNCTIONAL TESTS. Verification of the signal to noise ratio also ensures that the detectors are correctly monitoring the neutron fux. The Note to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability (THERMAL POWER decreased to WRNM reading of 125E-5 % power or below). The SR must be performed within 12 hours after WRNMs are reading 125E-5 % power or below. The allowance to enter the Applicability with the 31 day Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability. Although the Surveillance could be performed while at higher power, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the WRNMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required tc perform the Surveillances. SR 3.3.1.2.6 Performance of a CHANNEL CALIBRATION at a Frequency of 24 months verifies the performance of the WRNM detectors and associated circuitry. The Frequency considers the plant conditions required to perform the test, the ease of performing the test, and the likelihood of a change in the system or component status. Note 1 excludes the neutron detectors from the CHANNEL CALIBRATION because they cannot readily be adjusted. The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range and with an accuracy specified for a fixed useful life. {continued) PBAPS UNIT 3 B 3.3-44 Revision No. 17
WRNM Instrumentation B 3.3.1.2 BASES l SURVEILLANCE SR 3.3.1.2.6 (continued) REQUIREMENTS Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours of entering MODE 2 with WRNMs reading 125E-5 a; power or below. The allowance to enter the Applicability with the 24 month Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability. Although the Surveillance could be performed while at higher power, the plant would not be expected to maintain steady state operation at this power level. ]n this event, the 12 hour Frequency is reasonable, based on the WRNMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillance. REFERENCES 1. NRC Safety Evaluation Report for Amendment Numbers 147 and 149 to Facility Operating License Numbers DPR--44 and DPR-56, Peach Bottom Atomic Power Station, Unit Nos. 2 and 3, August 28, 1989. PBAPS UNIT 3 B 3.3-45 Revision No. 17
Control Rod Block Instrumentation B 3.3.2.1 B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation BASES BACKGROUND Control rods provide the primary means for control of reactivity changes. Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that specified fuel design limits are not exceeded for postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch-Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities. The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations. It is assumed to function to block further control rod withdrawal to preclude a MCPR Safety Limit (SL) violation. The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn. A signal from one of the four redundant average power range monitor (APRM) channels supplies a reference signal for ione of the RBM channels and a signal from another of the APRMl channels supplies the reference signal to the second RBM channel. This reference signal is used to determine which RBM range setpoint (low, intermediate, or high) is enabled. If the APRM is indicating less than the low power range setpoint, the RBM is automatically bypassed. The RBM is also automatically bypassed if a peripheral control rod is selected (Ref. 1). A rod block signal is also generated if an RBM inoperable trip occurs, since this could indicate a I problem with the RBM channel. {conti nued) PBAPS UNIT 3 B 3.3-46 Revision No. 30
-Control Rod Block Instrumentation B S.3.2.1 BASES BACKGROUND The inoperable trip will occur if, during the nulling (continued) (normalization) sequence, the RBM channel fails to null or too few LPRM inputs are available, if a critical self-test fault has been detected, or the RBM instrument mode switch is moved to any position other than "Operate".
The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP. The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence. The RWM determines the actual sequence based position indication for each control rod. The RWM also uses feedwater flow and steam flow signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 2). The RWM is a single channel system that provides input into both RMCS rod block circuits. With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MIODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods. APPLICABLE 1. Rod Block Monitor SAFETY ANALYSES, LCO, and The RBM is designed to-prevent violation of the MCPR APPLICABILITY SL and the cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference L. A (continued) PBAPS UNIT 3 B 3.3-47 Revision No. 31
Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 1. Rod Block Monitor (continued) SAFETY ANALYSES, LCO, and statistical analysis of RWE events was performed to APPLICABILITY determine the RBM response for both channels for each event. From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined. The Allowable Values are chosen as a function of power level. The Allowable Values are specified in the CORE OPERATING LIMITS REPORT (COLR). Based on the specified Allowable Values, operating limits are established. The RBM Function satisfies Criterion 3 of the NRC Policy Statement. Two channels of the RBM are required to be OPERABLE, with their setpoints within the appropriate Allowable Values to ensure that no single instrument failure can preclude a rod block from this Function. The actual setpoints are calibrated consistent with applicable setpoint methodology. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the set-points do not exceed the Allowable Values between successive CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor power), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived front the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as, instrument drift. In selected cases, the Allowable Values and trip setpoints are determined by engineering judgement or historically accepted practice relative to the intended function of the channel. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the channels are accounted for. (continued) PBAPS UNIT 3 B 3.3-48 Revision No. 3
Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 1. Rod Block Monitor (continued) SAFETY ANALYSES, LCO, and The RBM is assumed to mitigate the consequences of an RWE APPLICABILITY event when operating 2 30% RTP. Below this power level, the consequences of an RWE event will not exceed the MCPR SL and, therefore, the RBM is not required to be OPERABLE (Ref. 1). When operating < 90% RTP, analyses (Ref. 1) have shown that with an initial MCPR 2 1.70, no RWE event will result in exceeding the MCPR SL. Also, the analyses demonstrate that when operating at 2 90% RTP with MCPR 2 1.40, no RWE event will result in exceeding the MCPR SL (Ref. 1). Therefore, under these conditions, the R13M is also not required to be OPERABLE.
- 2. Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated. The analytical methods and assumptions used in evaluating the CRDA are summarized in References 3, 4, 5, and 6. The BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions. Requirements that the control rod sequence is in compliance with the BPWS are specified in LCO 3.1.6, 'Rod Pattern Control."
The RWM Function satisfies Criterion 3 of the NRC Policy Statement. Since the RWM is a hardwired system designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 6). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed. _continued) PBAPS UNIT 3 B 3.3-49 Revision No. 3
Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 2. Rod Worth Minimizer {continued) SAFETY ANALYSES, LCO, and Compliance with the BPWS, and therefore OPERABILITY of the APPLICABILITY RWM, is required in MODES 1 and 2 when THERMAL POWER is
< 10% RTP. When THERMAL POWER is > 10% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Refs. 4 and 6). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical.
- 3. Reactor Mode Switch-Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the core is assumed to be subcritical; therefore, no positive reactivity insertion events are analyzed. The Reactor Mode Switch-Shutdown Position control rod withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis.
The Reactor Mode Switch-Shutdown Position Function satisfies Criterion 3 of the NRC Policy Statement. Two channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position. During shutdown conditions (MODE 3, 4, or 5), no positive reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") provides the required control rod withdrawal blocks. (continued) PBAPS UNIT 3 B 3.3-50 Revision No. 3
Control Rod Block Instrumentation B 3.3.2.1 BASES (continued) ACTIONS A.1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours is based on the low probability of an event occurring coincident with a failure in the remaining OPERABLE channel. B.1 If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour. If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met. The 1 hour Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels. C.1. C.2.1.1. C.2.1.2. and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence. However, the overall reliability is reduced because a single operator error can result in. violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram. Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM was not performed in the last 12 months. These requirements minimize the number of reactor startups initiated with the RWM inoperable. Required Actions (.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications. Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily s-kuls. I:_ cu PBAP'S UNIT 3 B 3.3-51 Revision No. 3
Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS C.1. C.2.1.1. C.2.1.2. and C.2.2 (continued) completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2. Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken.
*L.
With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence toy a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow the reactor shutdown to continue. E.1 and E.2 With one Reactor Mode Switch-Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function. However, since the Required Actions a.re consistent with the normal action of an OPERABLE Reactor Mode Switch-Shutdown Position function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable. In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not (continued) PBAPS UNIT 3 B 3.3-52 Revision No. 3
Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS E.1 and E.2 (continued) affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each REQUIREMENTS Control Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1. The Surveillances are modified by a Note to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 8, 9,
& 10) assumptions of the average time required to perform channel surveillances. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary.
SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 184 days is based on reliability analyses (Refs. 7, 9 & 10). (continued) PBAPS UNIT 3 B 3.3-53 Revision No. 30
Control Rod Block Instrumentation B 3.3.2.1 BASES l SURVEILLANCE REQUIREMENTS (continued) SR 3.3.2.1.2 and SR 3.3.2.1.3 A CHANNEL FUNCTIONAL TEST is performed for the RWM to ensure that the entire system will perform the intended function. The CHANNEL FUNCTIONAL TEST for the RWM is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod blockoccurs. SR 3.3.2.1.2 is performed during a startup and SR 3.3.2.1.3 is performed during a shutdown (or power reduction to
- 10% RTP). As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour after any control rod is withdrawn at ! 10% RTP in MODE 2. As noted, K$) SR 3.3.2.1.3 isnot required to be performed until 1 hour after THERMAL POWER is
- 10% RTP in MODE 1. This allows entry at g 10% RTP in MODE 2 for SR 3.3.2.1.2 and entry into MODE 1 when THERMAL POWER is s 10% RTP for SR 3.3.2.1.3 to perform the required Surveillance if the 92 day Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The Frequencies are based on reliability analysis (Ref. 7).
SR 3.3.2.1.4 The RBM setpoints are automatically varied as a function of power. Three Allowable Values are specified in the COLR, each within a specific power range. The power at which the control rod block Allowable Values automatically change are based on the APRM signal's input to each RBM channel. Below the minimum power setpoint, the RBM is automatically bypassed. These power Allowable Values must be verified using a simulated or actual signal periodically to be less than or equal to the specified values. If any power range setpoint is nonconservative, then the affected RBM channel is considered inoperable. Alternatively, the power range icontinued) PBAPS UNIT 3 B 3.3-54 Revision No. 30
Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.4 (continued) REQUIREMENTS channel can be placed in the conservative condition (i.e., enabling the proper RBM setpoint). If placed in this. condition, the SR is met and the RBM channel is not considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.8. The 24 month Frequency is based on the actual trip setpoint methodology utilized for these channels.. SR 3.3.2.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpcint methodology. As noted, neutron detectors are excluded from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.8. The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. {continued) PBAPS UNIT 3 B 3.3-:55 Revision No. 30
Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued) SR 3.3.2.1.6 The RWM is automatically bypassed when power is above a specified value. The power level is determined from feedwater flow and steam flow signals. The automatic bypass setpoint must be verified periodically to be > 10% RTP. If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable. Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass). If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable. The Frequency is based on the trip setpoint methodology utilized for the low power setpoint channel. SR 3.3.2.1.7 A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch -Shutdown Position Function to ensure that the entire channel will perform the intended function. The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch -Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs. As noted in the SR, the Surveillance is not required to be performed until 1 hour after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links. This allows entry into MODES 3 and 4 if the 24 month Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. (continued) PBAPS UNIT 3 B 3.3-56 Revision No. 30
Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.7 (continued) REQUIREMENTS The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency. SR 3.3.2.1.8 The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer. This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible. REFERENCES 1. NEDC-32162-P, "Maximum Extended Load Line Limit find ARTS Improvement Program Analysis for Peach Bottom Atomic Power Station, Units 2 and 3," Revision 1,, February 1993.
- 2. UFSAR, Sections 7.10.3.4.8 and 7.16.3.
- 3. NEDE-24011-P-A-10-US, "General Electric Standard Application for Reload Fuel," Supplement for United States, Section S 2.2.3.1, February 1991.
- 4. "Modifications to the Requirements for Control Rod Drop Accident Mitigating Systems," BWR Owners' Group, July 1986.
- 5. NEDO-21231, "Banked Position Withdrawal Sequence,"
January 1977.
- 6. NRC SER, "Acceptance of Referencing of Licensing Topical Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 13, Amendment 17," December 27, 1987.
(continued) PBAPS UNIT 3 B 3.3-57 Revision No. 3
Control Rod Block Instrumentation B 3.3.2.1 BASES REFERENCES 7. NEDC-30851-P-A, "Technical Specification Improvement (continued) Analysis for BWR Control Rod Block Instrumentation," October 1988.
- 8. GENE-770-06-1, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.
- 9. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM)
Retrofit Plus Option III Stability Trip Functiorl", March 1995.
- 10. NEDC-32410P Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Supplement 1", November 1997.
PBAPS UNIT 3 B 3.3-58 Revision No. 30
Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 B 3.3 INSTRUMENTATION B 3.3.2.2 Feedwater and hain Turbine High Water Level Trip Instrumentation BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow. With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level setpoint, causing the trip of the three feedwater pump turbines and the main turbine. Digital Feedwater Control System (DFCS) high water level signals are provided by six level sensors. However, only three narrow range level sensors are required to perform the function with sufficient redundancy. The three level sensors sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). The three level signals are input into two redundant digital control computers. Any one of the three signals is automatically selected (by the digital control computer) as the signal to be used for the high level trip. Each digital control computer has two redundant digital outputs (channels) to provide redundant signals to an associated trip system. Each digital control computer processes input signals and compares them to pre-established setpoints. When the setpoint is exceeded, the two digital outputs actuate two contacts arranged in parallel so that either digital output can trip the associated trip system. The tripping of both digital computer trip systems will initiate a trip of the feedwater pump turbines and the main turbine. A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine. (continued) PBAPS UNIT 3 B 3.3-59 Revision No. 3
Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES (continued) APPLICABLE The feedwater and main turbine high water level trip SAFETY ANALYSES instrumentation is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1). The high water level trip indirectly initiates a reactor scram from the main turbine trip (above 29.5% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR. Feedwater and main turbine high water level trip instrumentation satisfies-Criterion 3 of the NRC Policy Statement. LCO The LCO requires two DFCS channels per trip system of high water level trip instrumentation to be OPERABLE to ensLre the feedwater pump turbines and main turbine will trip on a valid reactor vessel high water level signal. Two DFCS channels (one per trip system) are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Two level signals are also required to ensure a single sensor failure will not prevent the trips of the feedwater pump turbines and main turbine when reactor vessel water level is at the high water level reference point. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.3. The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure i that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or (continued) PBAPS UNIT 3 B 3.3-60 Revision No. 45
Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES LCO other appropriate documents. The Allowable Values are (continued) derived from the analytic or design limits, corrected for calibration, process, and instrument errors. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The trip setpoints are determined from analytical or design limits, corrected for calibration, process and instrument errors, as well as, instrument drift. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environment during the operating time for the associated channels are accounted for. APPLICABILITY The feedwater and main turbine high water level-trip instrumentation is required to be OPERABLE at 2 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below I 25% RTP; therefore, these requirements are only necessary when operating at or above this power level. ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main-turbine high water level trip instrumentation channel. (continued) PBAPS UNIT 3 B 3.3-61 Revision No. 50
Feedwater and Main Turbine High Water Level Trip Instrumentation B 3J.3.2.2 BASES ACTIONS A.1 (continued) With one or more feedwater and main turbine high water level trip channels inoperable, but with feedwater and main turbine high water level trip capability maintained (refer to Required Action B.1 Bases), the remaining OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single active instrument failure in one of the remaining channels may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only allowed for a limited time with one or more channels inoperable. If the inoperable channels cannot be restored to OPERABLE status within the Completion '[ime, the channels must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single active instrument failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in the feedwater and main turbine trip), Condition C must be entered and its Required Action taken. The Completion Time of 72 hours is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels result in the High Water Level Function of DFCS not maintaining feedwater and main turbine trip capability. In this condition, the feedwater and main turbine high water level trip instrumentation cannot perform its design function. Therefore, continued operation is only permitted for a 2 hour period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip (continued) PBAPS UNIT 3 B 3.3-62 Revision No. 3
Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASEES ACTIONS B.1 (continued) signal on a valid signal. This requires one channel per trip system to be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken. The 2 hour Completion Time is sufficient for the operator to. take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation. With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 25% RTP within 4 hours. As discussed in the Applicability section of' the Bases, operation below 25% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller, failure, maximum demand event. The allowed Completion Time of 4 hours is based on operating experience to reduce THERMAL POWER to < 25% RTP from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the Hihour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform Icont-inued) PBAPS UNIT 3 8 3.3-63 Revision No. 3
Feedwater and Main Turbine High Water Level Trip Instrumentation B 3..3.2.2 BASES SURVEILLANCE channel Surveillance. That analysis demonstrated that the REQUIREMENTS 6 hour testing allowance does not significantly reduce the (continued) probability that-the feedwater pump turbines and main turbine will trip when necessary. SR 3.3.2.2.1 Performance of the CHANNEL CHECK once every 24 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. The CHANNEL CHECK may be performed by comparing indication or by verifying the absence of the DFCS "TROUBLE" alarm in the control room. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limits. The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.2.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days is based on reliability analysis (Ref. 2). (continued) PBAPS UNIT 3 B 3.3-64 Revision No. 3
Feedwater and Main Turbine High Water Level Trip Instrumentation B ,.3.2.2 BASES SURVEILLANCE SR 3.3.2.2.3 REQUIREMENTS (continued) CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology. The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. SR 3.3.2.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater and main turbine stop valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a stop valve is incapable of operating, the associated instrumentation channels would be inoperable. The 24 month Frequency is based on the need to perforri this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.. Operating experience has shown that these components Will pass the Surveillance when performed at the 24 month Frequency. REFERENCES 1. UFSAR, Section 14.5.2.2.
- 2. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications,"
February 1991. PBAPS UNIT 3 B 3.3-65 Revision No. 3
PAM Instrumentation B 3.3.3.1 B 3.3 INSTRUMENTATION B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation BAS!ES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events. The instruments that monitor these variables are designated as Type A, Category I, and non-Type A, Category I, in accordance with Regulatory Guide 1.97 (Ref. 1). The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is consistent with the recommendations of Reference 1. APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of SAFETY ANALYSES Regulatory Guide 1.97, Type A variables so that the control room operating staff can:
- Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs), (e.g.,
loss of coolant accident (LOCA)), and
- Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function.
The PAM instrumentation LCO also ensures OPERABILITY of Category I, non-Type A, variables so that the control room operating staff can:
- Determine whether systems important to safety are performing their intended functions; Icontinued)
PBAFIS UNIT 3 B 3.3-66 Revision No. 3
PAM Instrumentation B 3.3.3.1 BASES APPLICABLE
- Determine the potential for causing a gross breach of SAFETY ANALYSES the barriers to radioactivity release; (continued)
- Determine whether a gross breach of a barrier has.
occurred; and
- Initiate action necessary to protect the public find for an estimate of the magnitude of any impending threat.
The plant specific Regulatory Guide 1.97 Analysis (Refs. 2, 3, and 4) documents the process that identified Type A and Category I, non-Type A, variables. Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of the NRC Policy Statement. Category I, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents. Therefore, these Category I variables are important for reducing public risk. LCO LCO 3.3.3.1 requires two OPERABLE channels for all but one Function to ensure that no single failure prevents the! operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident. Furthermore, provision of two channels. allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information. The exception to the two channel requirement is primary containment isolation valve (PCIV) position. In this case, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active PCIV. This is sufficient tc redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE. (continued) PBAF'S UNIT 3 B 3.3-67 Revision No. 3
PAM Instrumentation B 3.3.3.1 BASES LCO The following list is a discussion of the specified continued) instrument Functions listed in Table 3.3.3.1-1 in the accompanying LCO.
- 1. Reactor Pressure Instruments: PR-3-2-3-404 A, B Reactor pressure is a Category I variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure and associated independent wide range recorders are the primary indication used by the operator during an accident.
Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
- 2. 3. Reactor Vessel Water Level MWide Ranae and Fuel Zone)
Instruments: Wide Range: LR-3-2-3-110 A, B (Green Pen) Fuel Zone: LR-3-2-3-110 A, B (Blue Pen) Reactor vessel water level is a Category I variable provided to support monitoring of core cooling and to verify operation of the ECCS. The wide range and fuel zone water level channels provide the PAM Reactor Vessel Water Level Functions. The ranges of the wide range water level channels and the fuel zone water level channels overlap to cover a range of -325 inches (just below the bottom of the active fuel) to +50 inches (above the normal water level). Reactor vessel water level is measured by separate differential pressure transmitters. The output from these channels is recorded on two independent pen recorders, which is the primary indication used by the operator during an accident. Each recorder has two channels, one for wide range reactor vessel water level and one for fuel zone reactor vessel water level. Therefore, the PAM Specification deals specifically with these portions of the instrument channels. (continued) PBAPS UNIT 3 B 3.3--68 Revision No. 7
PAM Instrumentation B 3.3.3.1 BASE.S LCd 4. SuDpression Chamber Water Level (Wide Range) (continued) Instruments: LR-9123 A, B Suppression chamber water level is a Category I variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function. The wide range suppression chamber water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS. The wide range water level recorders monitor the suppression chamber water level from the bottom of the ECCS suction lines to five feet above normal water level. Two wide range suppression chamber water level signals are transmitted from separate differential pressure transmitters and are continuously recorded on two recorders in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.
- 5. 6. Drywell Pressure (Wide Range and Subatmospheric.
Range) Instruments: Wide Range: PR-9102 A, B (Red Pen) Subatmospheric Range: PR-9102 A, B (Green Pen) Drywell pressure is a Category I variable provided to detect breach of the RCPB and to verify ECCS functions that ciperate to maintain RCS integrity. The wide range and subatmospheric range drywell pressure channels provide the PAM Drywell Pressure Functions. The wide range and subatmospheric range drywell pressure channels overlap to cover a range of 5 psia to 225 psig (in excess of four times the design pressure of the drywell). Drywell pressure signals are transmitted from separate pressure transmitters and are continuously recorded and displayed on two independent control room recorders. Each recorder has two channels, one for wide range drywell pressure and one for subatmospheric range drywell pressure. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with these portions of the instrument channels. _ icontinued) PBAPS UNIT 3 B 3.3-69 Revision No. 3
PAM Instrumentation B 3.3.3.1 BASES LCO 7. Drywell High Range Radiation (continued) Instruments: RR-9103 A, B (Green Pen) Drywell high range radiation is a Category I variable provided to monitor the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Post accident drywell radiation levels are moritored by four instrument channels each with a range of 1 to lxlO' R/hr. These radiation monitors drive two dual channel recorders located in the control room. Each recorder and the two associated channels are in a separate division. As such, two recorders and two channels of radiation monitoring instrumentation (one per recorder) are required to be OPERABLE for compliance with this LCO. Therefore, the PAM Specification deals specifically with these portions cf the instrument channels.
- 8. Primary Containment Isolation Valve (PCIV) Position PCIV position is a Category I variable provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE. The PCIV position PAII instrumentation consists of position switches, associated wiring and control room indicating lamps for active PQIVs (check valves and manual valves are not required to have position indication). Therefore, the PAM Specification deals specifically with these instrument channels.
(continued) PBAPS UNIT 3 B 3.3-70 Revision No. 3
PAM Instrumentation B 3.3.3.1 BASES LCO 9. 10. Deleted (continued)
- 11. Suppression Chamber Water Temperature Instruments: TR-9123 A, B qi) TIS-3-2-71 A, B Recorders Suppression chamber water temperature is a Category I variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression chamber water temperature instrumentation allows operators to detect trends in suppression chamber water temperature in sufficient tine to take action to prevent steam quenching vibrations in the suppression pool. Suppression chamber water temperature is monitored by two redundant channels. Each channel is assigned to a separate safeguard power division. Each channel consists of 13 resistance temperature detectors (RTDs) mounted in thermowells installed in the suppression chamber shell below the minimum water level, a processor, and control room recorders. The RTDs are mounted in each of 13 of the 16 segments of the suppression chamber. The RTD (continued)
PBAPS UNIT 3 ,B3.3-71 Revision ho. 56
PAM Instrumentation B 3.3.3.1 BASES LCO inputs are averaged by the processor to provide a bulk (continued) average temperature output to the associated control room recorder. The allowance that only 10 RTDs are required to be OPERABLE for a channel to be considered OPERABLE provided no 2 adjacent RTDs are inoperable is acceptable based on engineering judgement considering the temperature response profile of the suppression chamber water volume for previously analyzed events and the most challenging RT[)s inoperable. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channels. Four recorders are provided. A recorder in each division is required to be OPERABLE to satisfy the LCO. APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable OBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES. ACTIONS A Note has been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actiors for (continued) PBAPS UNIT 3 B 3.3-72 URevision No. 53
PAM Instrumentation B 3.3.3.1 BASIES Actions inoperable PAM instrumentation channels provide appropriate (continued) compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function. A.1 When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval. B. 1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before. loss of functional capability, and given the likelihood of plant conditions that would require information provided by this instrumentation. C.1 When one or more Functions have two required channels that are inoperable (i.e., two channels inoperable in the same Function), one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required (continued) PBAP'S UNIT 3 B 3.3-73 Revision No. 3
PAM Instrumentation B :3.3.3.1 BASES Actions C.1 (continued) channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur. D.1 This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met the Required Action of Condition C and the associated Completion Time has expired, Condition D is entered for.that channel and
- provides for.transfer to the appropriate subsequent Condition.
E.1 For the majority of Functions in Table 3.3.3.1-1, if the Required Action and associated Completion Time of Condition C is not met, the plant must be brought to a MODE in which the LCO not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. F.1 Since alternate means of monitoring drywell high range radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels. (continued) PBAPS UNIT 3 B 3.3-74 Revision No. 3
PAM Instrumentation 8 3.3.3.1 BASES (continued) SURVEILLANCE SR 3.3.3. .1 REQUIREMENTS Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation should be compared to similar plant instruments located throughout the plant. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. The Frequency of 31 days is based upon plant operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the channels required by the lCO. SR 3.3.3.1.2 Deleted SR 3.3.3.1.3 These SRs require CHANNEL CALIBRATIONs to be performed. A CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. For the PCIV Position Function, the CHANNEL CALIBRATION consists of verifying the remote indication conforms to actual valve position. (continued) PBAPS UNIT 3 B 3.3-75 Revision l1o. 56
PAM Instrumentation B 3.3.3.1 BASES SURVEILLANCE SR 3.3.3.1.3 (continued) I REQUIREMENTS The 24 month Frequency for CHANNEL CALIBRATION of PAM I instrumentation of Table 3.3.3.1-1 is based on operating experience and consistency with the Peach Bottom Atomic Power Station refueling cycles. REFERENCES 1. Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 3, May 1983.
- 2. NRC Safety Evaluation Report, "Peach Bottom Atomic Power Station, Unit Nos. 2 and 3, Conformance to Regulatory Guide 1.97," January 15, 1988.
- 3. Letter from G. Y. Suh (NRC) to G. J. Beck (PECo) dated February 13, 1991 concerning "Conformance to Regulatory Guide 1.97 for Peach Bottom Atomic Power Station, Units 2 and 3".
- 4. Letter from S. Dembek (NRC) to G. A. Hunger (PECO Energy) dated March 7, 1994 concerning "Regulatory Guide 1.97 - Boiling Water Reactor Neutron Flux Monitoring, Peach Bottom Atomic Power Station (PBAPS),
Units 2 and 3". PBAPS UJNIT 3 B 3.3-76 Revision No. 56
Remote Shutdown System B 3.3.3.2 B 3.3 INSTRUMENTATION B 3.3.3.2 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. A safe shutdown condition is defined as MODE 3. With the plant in MODE 3, the Reactor Core Isolation Cooling (RCIC) System, the safety/relief valves, and the Residual Heat Removal (RHR) Shutdown Cooling System can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the RCIC and the ability to operate shutdown cooling from outside the control room allow extended operation in MODE 3. In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the plant in MODE 3. The plant automatically reaches MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for at least 1 hour. If control room operations cannot be resumed within 1 hour, the control capability available at the remote shutdown panel and locally does not prevent cooling down the reactor. The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible. APPLICABLE The Remote Shutdown System is required to provide SAFETY ANALYSES instrumentation and controls at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in MODE 3. (continued) PBAPS UNIT 3 B 3.3-77 Revision No. 3
- Remote Shutdown System B n.3.3.2 BASES APPLICABLE The criteria governing the design and the specific system SAFETY ANALYSES requirements of the Remote Shutdown System are located in (continued) the UFSAR (Refs. 1 and 2).
The Remote Shutdown System is considered an important contributor to reducing the risk of accidents; as such, it meets Criterion 4 of the NRC Policy Statement. LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Table B 3.3.3.2-1.. The controls, instrumentation, and transfer switches are those required for:
- Reactor pressure vessel (RPV) pressure control;
- Decay heat removal;
- RPV inventory control; and
- Safety support systems for the above functions, including emergency service water (ESW) and emergency switch gear.
The Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE. The Remote Shutdown System instruments and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation. APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1 and 2. This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room. (continued) PBAPS UNIT 3 B 3.3-78 Revision No. 3
Remote Shutdown System B 3.3.3.2 BASES APPLICABILITY This LCO is not applicable in MODES 3, 4, and 5. In these (continued) MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the TS do not require OPERABILITY in MODES 3, 4, and 5. ACTIONS A Note has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System Function. Condition A addresses the situation where one or more required Functions of the Remote Shutdown System is inoperable. This includes the control and transfer switches for any required function. The Required Action is to restore the Function (all required channels) to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room. (continued) -PBAPS -UNIT 3 8 3.3 -79 Revision No. 53
Remote Shutdown System B *..3.3.2 BASES ACTIONS B. (continued) If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems. SURFVEILLANCE SR 3.3.3.2.1 REQUIREMENTS SR 3.3.3.2.1 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check of the circuitry. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the remote shutdown panel and the local control stations. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience indicates that Remote Shutdown System control channels will pass the Surveillance when performed at the 24 month Frequency. SR 3.3.3.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy. The 24 month Frequency is based upon operating experience and consistency with the plant refueling cycle. REFERENCES 1. UFSAR, Section 1.5.1.
- 2. UFSAR, Section 7.18.
. 6) PBAPS UNIT 3 8 3.3-80 Revision No. 3
Remote Shutdown System B 3.3.3.2 Table B 3.3.3.2-1 (page 1 of 3) Remote Shutdown System Instrumentation FUNCTION REQUIRED NUMBER OF CHANNELS Instrument Parameter
- 1. Reactor Pressure 2
- 2. Reactor Level (Wide Range) 2
- 3. Torus Temperature 2
- 4. Torus Level '1
- 5. Condensate Storage Tank Level I
- 6. RCIC Flow
- 7. RCIC Turbine Speed
- 8. RCIC Pump Suction Pressure
- 9. RCIC Pump Discharge Pressure
- 10. RCIC Turbine Supply Pressure
- 11. RCIC Turbine Exhaust Pressure 1 1.
- 12. Drywell Pressure 1 Transfer/Control Parameter .1
- 13. RCIC Pump Flow 1
- 14. RCIC Drain Isolation to Radwaste 1
- 15. RCIC Steam Pot Drain Steam Trap Bypass
- 16. RCIC Drain Isolation to Main Condenser
- 17. RCIC Exhaust Line Drain Isolation (1/valve)
- 18. RCIC Steam Isolation 2 (1/valve) fcon-tinged)
PBAPS UNIT 3 B 3.3-81 Revision No. 3
Remote Shutdown System B 3.3.3.2 Table B 3.3.3.2-1 (page 2 of 3) Remote Shutdown System Instrumentation FUNCTION REQUIRED NUMBER OF CHANNELS Trarsfer/Control Parameter (continued)
- 19. RCIC Suction from Condensate Storage Tank 1
- 20. RCIC Pump Discharge 2 (1/valve)
- 21. RCIC Minimum Flow 1
- 22. RCIC Pump Discharge to Full Flow Test Line 1
- 23. RCIC Suction from Torus 2 (1/valve)
- 24. RCIC Steam Supply 1
- 25. RCIC Lube Oil Cooler Valve 1
- 26. RCIC Trip Throttle Valve Operator Position 1
- 27. RCIC Trip Throttle Valve Position 1
- 28. RCIC Vacuum Breaker 1
- 29. RCIC Condensate Pump 1
- 30. RCIC Vacuum Pump 1
- 31. Safety/Relief Valves (S/RVs) 3 (1/valve)
- 32. "Al CRD Pump 1
- 33. "B" CRD Pump 1
- 34. RHR Shutdown Cooling Isolation 2 (1/valve)
- 35. Auto Isolation Reset 2 (1/division)
(continued) PBAF'S UNIT 3 B 3.3-82 Revision No. 3
Remote Shutdown System 8 3.3.3.2 Table B 3.3.3.2-1 (page 3 of 3) Remote Shutdown System Instrumentation FUNCTION REQUIRED NUMBER OF CHANNELS Transfer/Control Parameter (continued)
- 36. Instrument Transfer 5 (1/transfer switch)
- 37. E223 Breaker 1
- 38. E323 Breaker 1
- 39. E243 Breaker 1
- 40. E343 Breaker 1
- 41. E234 Breaker 1
- 42. E213 Breaker 1
- 43. E313 Breaker 1
- 44. E233 Breaker 1
- 45. E333 Breaker 1 PBAPS UNIT 3 B 3.3-83 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION B 3.3.4.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur; to lessen the effects of an ATWS event. Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level -Low Low (Level 2) or Reactor Pressure-High setpoint is reached, the recirculation pump drive motor breakers trip. The ATWS-RPT System includes sensors, relays, and switches that are necessary to cause initiation of an RPT. The channels include electronic equipment that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic. The ATWS-RPT consists of two trip systems. There are two ATWS-RPT Functions: Reactor Pressure- High and Reactor Vessel Water Level -Low Low (Level 2). Each trip system has two channels of Reactor Pressure-High and two channels of Reactor Vessel Water Level- Low Low (Level 2). Each ATWS-RPT trip system is a one-out-of-two logic for each Function. Thus, one Reactor Water Level- Low Low (Level 2) or one Reactor Pressure-High signal is needed to trip a trip system. Both trip systems must be in a tripped condition to initiate the trip of both recirculation pumps (by tripping the respective recirculation pump drive motor breakers). There is one recirculation pump drive motor breaker provided for each of the two recirculation punips for a total of two breakers. APPLICABLE The ATWS-RPT is not assumed in the safety analysis. The SAFETY ANALYSES, ATWS-RPT initiates an RPT to aid in preserving the integrity LCO, and of the fuel cladding following events in which a scram does APPLICABILITY not, but should, occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of the NRC Policy Statement. {continued) PBAPS UNIT 3 B 3.3-84 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE The OPERABILITY of the ATWS-RPT is dependent on the SAFETY ANALYSES, OPERABILITY of the individual instrumentation channel LCO, and Functions. Each Function must have a required number of APPLICABILITY OPERABLE channels in each trip system, with their (continued) setpoints within the specified Allowable Value of SR 3.3.4.1.3. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Channel OPERABILITY also includes the associated recirculation pump drive motor breakers. A channel is inoperable if its actual trip setting is not within its required Allowable Value. Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation-with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter {e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors as well as instrument drift. In selected cases, the Allowable Values and trip setpoints are determined by engineering judgement or historically accepted practice relative to the intended function of the channel. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for. The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Pressure -High and Reactor Vessel Water Level --Low Low (Level 2) Functions are required to be OPERABLE in MODE 1 since the reactor is producing significant power and (continued PBAP'S UNIT 3 B 3.3-85 Revisior No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BASE.S APPLICABLE the recirculation system could be at high flow. During this SAFETY ANALYSES, MODE, the potential exists for pressure increases or low LCO, and water level, assuming an ATIWS event. In MODE 2, the reactor APPLICABILITY is at low power and the recirculation system is at low flow; (continued) thus, the potential is low for a pressure increase or low water level, assuming an ATWS event. Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWIS event is not significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, the one rod out interlock ensures that the reactor remains subcritical; thus, an ATWS event is not significant. In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB], exists. The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.
- a. Reactor Vessel Water Level- Low Low (Level 2)
Low RPV water level indicates that a reactor scram should have occurred and the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The ATWS-RPT System is initiated at Level 2 to assist in the mitigation of the ATWS event. The resultant reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff. Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -Low Low (Level 2), with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The ReactDr Vessel Water Level - Low Low (Level 2) Allowable Value (continued) PBAPS UNIT 3 B 3.3-86 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE a. Reactor Vessel Water Level - Low Low {Level 2) SAFETY ANALYSES, (continued) LCO, and APPLICABILITY is chosen so that the system will not be initiated after a Level 3 scram with feedwater still available, and for convenience with the reactor core isolation cooling initiation.
- b. Reactor Pressure-High Excessively high RPV pressure may rupture the RCFB.
An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and overpressurization. The Reactor Pressure-High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves, limits the peak RF'V pressure to less than the ASME Section III Code limits. The Reactor Pressure-High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure. Four channels of Reactor Pressure-High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Pressure- High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code limits. ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each (continued) PBAP'S UNIT 3 B 3.3-87 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BASE.S ACTIONS additional failure, with Completion Times based on initial (continued) entry into the Condition. However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel. A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT trip capability for each Function maintained (refer to Required Actions B.1 and C.1 Bases), the ATWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining trip system could result in the inability of the ATWS-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and itls Required Actions taken. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not (continued) PBAPS UNIT 3 B 3.3-88 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BASES ACTIONS B.1 (continued) maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. This requires one channel of the Function in each trip system to be OPERABLE or in trip, and the recirculation pump drive motor breakers to be OPERABLE or in trip. The 72 hour Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability. C.i1 Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above. The 1 hour Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period. D.1 and D.2 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of (continued) PBAPS UNIT 3 B 3.3-89 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BASES ACTIONS D.1 and D.2 (continued) 6 hours is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. J) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary. SR 3.3.4.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. (continued) (W V' PBAPS UNIT 3 B 3.3-90 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.1 (continued) REQUIREMENTS The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal; but more frequent, checks of channels during normal operational use of the displays associated with the required channels of this LCO. SR 3.3.4.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days is based on the reliability analysis of Reference 1. SR 3.3.4.1.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology. The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. SR 3.3.4.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would be inoperable. {continued) PBAP'S UNIT 3 B 3.3-91 Revision No. 3
ATWS-RPT Instrumentation B 3.3.4.1 BAS ES SURVEILLANCE SR 3.3.4.1.4 (continued) REQUIREMENTS The 24 month Frequency is based on the need to perforn this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.. Operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency. REFERENCES 1. GENE-770-06-1, 'Bases for Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," February 1991. PBAPS UNIT 3 B 3.3-92 Revision No. 3
EOC-RPT Instrumentation B 3.3.4.2 B 3.3 INSTRUMENTATION B 3.3.4.2 End of Cycle Recirculation Pump Trip {EOC-RPT) Instrumentation BASES BACKGROUND The EOC-RPT instrumentation initiates a recirculation pump trip (RPT) to reduce the peak reactor pressure and power resulting from turbine trip or generator load rejection transients and to minimize the decrease in core MCPR during these transients. The benefit of the additional negative reactivity in excess of that normally inserted on a scram reflects end of cycle reactivity considerations. Flux shapes at the end of cycle are such that the control rods insert only a small amount of negative reactivity during the first few feet of rod travel upon a scram caused by Turbine Control Valve (TCV) Fast Closure, Trip Oil Pressure-Low or Turbine Stop Valve (TSV)-Closure. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity. The EOC-RPT instrumentation, as shown in Reference 1, is composed of sensors that detect initiation of closure of the TSVs or fast closure of the TCVs, combined with relays, logic circuits, and fast acting circuit breakers that interrupt power from the recirculation pump motor generator (MG) set generators to each of the recirculation pump motors. When the setpoint is exceeded, the channel output relay actuates, which then outputs an EOC-RPT signal to the trip logic. When the RPT breakers trip open, the recirculation pumps coast down under their own inertia. The EOC-RPT has two identical trip systems, either of which can actuate an RPT. Each EOC-RPT trip system is a two-out-of-two logic for each Function; thus, either two TSV- Closure or two TCV Fast Closure, Trip Oil Pressure-Low signals are required for a trip system to actuate. If either trip system actuates, both recirculation pumps will trip. There are two EOC-RPT breakers in series per recirculation pump. One trip system trips one of the two EOC-RPT breakers for each recirculation (continued) PBAPS UNIT 3 B 3.3-92a Revision No. 28
EOC-RPT Instrumentation B -;.3.4.2 BASES BACKGROUND pump, and the second trip system trips the other EOC-FPT (continued) breaker for each recirculation pump. APPLICABLE The TSV-Closure and the TCV Fast Closure, Trip Oil SAFETY ANALYSES, Pressure-Low Functions are designed to trip the LCO, and recirculation pumps in the event of a turbine trip or APPLICABILITY generator load rejection to mitigate the neutron flux, heat flux, and pressurization transients, and to minimize the decrease in MCPR. The analytical methods and assumptions used in evaluating the turbine trip and generator load rejection, as well as other safety analyses that utilize EOC-RPT, are summarized in References 2, 3, and 4. To mitigate pressurization transient effects, the EOC-RPT must trip the recirculation pumps after initiation of closure movement of either the TSVs or the TCVs. The combined effects of this trip and a scram reduce fuel bundle power more rapidly than a scram alone so that the Safety Limit MCPR .isnot exceeded. Alternatively, APLHGR operating limits (LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), the MCPR operating limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), and the LHGR operating limits (LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)") for an inoperable EOC-RPT, as specified in the COLR, are sufficient to allow this LCO to be met. The EOC-RPT function is automatically disabled when turbine fi!st stage pressure is < 29.5% RTP. EOC-RPT instrumentation satisfies Criterion 3 of the NRC Policy Statement. The OPERABILITY of the EOC-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions, i.e., the TSV-Closure and the TCV Fast 'Closure, Trip Oil Pressure-Low Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Va ue of SR 3.3.4.2.3. Channel OPERABILITY also includes the associated EOC-RPT breakers. Each channel (including the associated EOC-RPT breakers) must also respond within its assumed response time. Allowable Values are specified for each EOC-RPT Function specified in the LCO. Trip setpoints are specified in the plant design documentation. The trip setpoints are selected {continued) PBAPS UNIT 3 B 3.3-92b Revision N'o. 50
EOC-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE to ensure that the actual setpoints do not exceed the SAFETY ANALYSES, Allowable Value between successive CHANNEL CALI8RATIONS. LCO, and Operation with a trip setpoint less conservative than the APPLICABILITY trip setpoint, but within its Allowable Value, is (contirued) acceptable. A channel is inoperable if its actual trip setting is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameters (e.g. TSV position), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., limit switch) changes state. The analytic limit for the TCV Fast ClDsure, Trip Oil Pressure-Low Function was determined based on the TCV hydraulic oil circuit design. The Allowable Value is derived from the analytic limit, corrected for calibration, process, and instrument errors. The trip setpoint is determined from the analytical limit corrected for calibration, process, and instrumentation errors,, as well as instrument drift, as applicable. The Allowable Value -and trip setpoint for the TSV-Closure Function was determined by engineering judgment and historically accepted practice for similar trip functions. The specific Applicable Safety Analysis, LCO, and Applicability discussions are listed below on a Function by Function basis. Alternatively, since the instrumentation protects against a MCPR SL violation, with the instrumentation inoperable, modifications to the APLHGR operating limits (LCO 3.2.L, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), the MCPR operating limits (LCO 3.2.2, "MINIMUM CRITICAL POWIER RATIO (MCPR)"), and the LHGR operating limits (LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)") may be applied to allow this LCO to be met. The appropriate MCPR operating l limits and power-dependent thermal limit adjustments for the EOC-RPT inoperable condition are specified in the COLR.. Turbine Ston Valve-Closure Closure of the TSVs and a main turbine trip result in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TSV-Closure in anticipation of the transients that would result from closure of these valves. £0C-RPT decreases peak reactor power and aids the reactor scram in ensuring that the KCPR SL is not exceeded during the worst case transient. (continued) PBAP'i UNIT 3 B 3.3-92c Revision No. 50
EOC-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE Turbine Stop Valve-Closure (continued) SAFE'Y ANALYSIS, LCO, and Closure of the TSVs is determined by measuring the position APPLICABILITY of each valve. There are position switches associated with each stop valve, the signal from each switch being assigned to a separate trip channel. The logic for the TSV-Clcsure Function is such that two or more TSVs must be closed to produce an EOC-RPT. This Function must be enabled at THERMAL POWER 2 29.5% RTP as measured at the turbine first
- I stage pressure. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TSV-Closure, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal.
The TSV-Closure Allowable Value is selected to detect imminent TSV closure. This EOC-RPT Function is required, consistent with the safety analysis assumptions, whenever THERMAL POWER is 2 29.5% RTP. Below 29.5% RTP, the Reactor Pressure-High and I the Average Power Range Monitor (APRM) Scram Clamp Functions of the Reactor Protection-System (RPS) are adequate to maintain the necessary safety margins. Turbine Control Valve Fast Closure. Trip Oil Pressure-Law Fast closure of the TCVs during a generator load rejection results in the loss of a heat sink that produces reacton pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TCV Fast Closure, Trip Oil Pressure-Low in anticipation of the transients that would result from the closure of these valves. The EOC-RPT decreases peak reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient. Fast closure of the TCVs is determined by measuring the electrohydraulic control fluid pressure at each control valve. There is one pressure switch associated with each control valve, and the signal from each switch is assigned to a separate trip channel. The logic for the TCV Fast Closure, Trip Oil Pressure-Low Function is such that two or more TCVs must be closed (pressure switch trips) (!continued) LI* PBAPS IINIT 3 8 3.3-92d Revision No. 45
EOC-RPT Instrumentation B 3.3.4.2 I BASES APPLICABLE Turbine Control Valve Fast Closure. Trip Oil Pressure-LoQ SAFETY ANALYSIS, (continued) LCO, and APPLICABILITY to produce an EOC-RPT. This Function must be enabled -it THERMAL POWER 2 29.5% RTP as measured at the turbine first I stage pressure. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TCV Fast Closure, Trip Oil Pressure-Low, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TCV Fast Closure, Trip Oil Pressure-Low Allowable Value is selEcted high enough to detect imminent TCV fast closure. This protection is required consistent with the safety analysis whenever THERMAL POWER is 2 29.5% RTP. Below 29.5% RTP, the Reactor Pressure-High and the APRM Scram Clamp Functions of the RPS are adequate to maintain the necessary I safety margins. ACTIONS A Note has been provided to modify the ACTIONS related to EOC-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable EOC-RPT instrumentation channels provide; appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable EOC-RPT instrumentation channel. (continued) PBAPS UNIT 3 B 3.3--92e Revision Nc. 45
EOC-RPT Instrumentation B 3.3.4.2 BASES ACTIONS A.1 (continued) With one or more channels inoperable, but with EOC-RPT trip capability maintained (refer to Required Action B.1 Bases), the EOC-RPT System is capable of performing the intended function. However, the reliability and redundancy of the EOC-RPT instrumentation is reduced such that a single failure in the remaining trip system could result in the inability of the EOC-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore compliance with the LCO. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of an EOC-RPT, 72 hours is provided to restore the inoperable channels (Required Action A.1). Alternately, the inoperable channels may be placed in trip (Required Action A.2) since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT, or if the inoperable channel is the result of an inoperable breaker), Condition C must be entered and its Required Actions taken. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining EOC-RPT trip capability. A Function is considered to be maintaining EOC-RPT trip capability when sufficient channels are OPERABLE or in trip, such that the EOC-RPT System will generate a trip signal from the given Function on a valid signal and both recirculation pumps can be tripped. This requires two channels of the Function in the same trip system, to each be OPERABLE or in trip, and the associated EOC-RPT breakers to be OPERABLE. (continued) PBAPS UNIT 3 B 3.3-92f Revision No. 28
EOC-RPT Instrumentation B 3.3.4.2 BASES ACTICNS B.1 (continued) The 2 hour Completion Time is sufficient time for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of the EOC-RPT instrumentation during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.1 and 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a thermal limit violation. C.1 and C.2 With any Required Action and associated Completion Time not met, THERMAL POWER must be reduced to < 29.5% RTP within 4 hours. Alternately, for an inoperable breaker (e.g., the breaker may be inoperable such that it will not open) the associated recirculation pump may be removed from service, since this performs the intended function of the instrumentation. The allowed Completion Time of 4 hours is reasonable, based on operating experience, to reduce THERMAL POWER to < 29.5% RTP from full power conditions in an orderly l manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains EOC-1ZPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary. (continued) PBAPS UNIT 3 8 3.3-92g Revision No. 45
EOC-RPT Instrumentation B 3.3.4.2 BASES SURVEILLANCE SR 3.3.4.2.1 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. The Frequency of 92 days is based on reliability analysis of Reference 5. SR 3.3.4.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology. The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. SR 3.3.4.2.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the associated safety function. Therefore, if a breaker is incapable of operating, the associated instrument -channel(s) would also be inoperable. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency. (continued) PBAPSIUNIT 3 B 3.3-92h Revision No. -28
EOC-RPT Instrumentation 8 3.3.4.2 BASES SURVEILLANCE SR 3.3.4.2.4 REQUIREMENTS (continued) This SR ensures that an EOC-RPT initiated from the TSV-Closure and TCV Fast Closure, Trip Oil Pressure-LDw Functions will not be inadvertently bypassed when THERMAL POWER is 2 29.5% RTP. This involves calibration of the I bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actua, setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from first stage pressure) the main turbine bypass valves must remain closed during the calibration at THERMAL POWER
> 29.5% RTP to ensure that the calibration remains valid. I If any bypass channel's setpoint is nonconservative (i.e.,
the Functions are bypassed at 2 29.5% RTP, either due to .I open main turbine bypass valves or other reasons), the affected TSV-Closure and TCV Fast Closure, Trip Oil Pressure-Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met with the channel considered OPERABLE. The Frequency of 24 months is based on engineering judgement and reliability of the components. SR 3.3.4.2.5 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The EOC-RPT SYSTEM RESPONSE TIME acceptance criterion is included in Reference 6 . A Note to the Surveillance states that breaker interruption time may be assumed from the most recent performance of SR 3.3.4.2.6. This is allowed since the time to open the contacts after energization of the trip coil and the arc suppression time are short and do not appreciably change, due to the design of the breaker opening device and the fact that the breaker is not routinely cycled. {continued) PBAPS UNIT 3 -B3.3-92i Revision No. 45
EOC-RPT Instrumentation B 3.3.4.2 BASES SURVEILLANCE SR 3.3.4.2.5 (continued) REQUIREMENTS EOC-RPT SYSTEM RESPONSE TIME tests are conducted on a 24 month STAGGERED TEST BASIS. Response times cannot be determined at power because operation of final actuated devices is required. Therefore, the 24 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components that cause serious response time degradation, but not channel failure, are infrequent occurrences. SR 3.3.4.2.6 This SR ensures that the RPT breaker interruption time (arc suppression time plus time to open the contacts) is provided to the EOC-RPT SYSTEM RESPONSE TIME test. The 60 month Frequency of the testing is based on the difficulty of performing the test and the reliability of the circuit breakers. REFERENCES 1. UFSAR, Figure 7.9.4A, Sheet 3 of 3 (EOC-RPT logic diagram).
- 2. UFSAR, Section 7.9.4.4.3.
- 3. UFSAR, Section 14.5.1.2.4.
- 4. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," latest approved version.
- 5. GENE-770-06-1-A, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications,"
December 1992.
- 6. Core Operating Limits Report.
PBAPS tINIT 3 -B 3.3-92i Revision No. 28
ECCS Instrumentation B S.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System {ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.
- For most abnormal operational transients and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.
The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS -Operating." Core Sprav System The CS System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low (Level 1) or Drywell Pressure - High with a Reactor Pressure-Low permissive. The reactor vessel water level and the reactor pressure variables are monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The drywell pressure variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the pressure compensation instruments and the trip units are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems.) Each trip system initiates two of the four CS pumps. Upon receipt of an initiation signal, if normal AC powher is available, CS pumps A and C start after a time delay cif approximately 13 seconds and CS pumps B and D start after a time delay of approximately 23 seconds. If normal AC power is not available, the four CS pumps start simultaneously after a time delay of approximately 6 seconds after the respective DG is ready to load. Icont.inued) PBAF'S UNIT 3 B 3.3-93 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES BACIGROUND Core SDrav System (continued) The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating. The CS pump discharge flow is monitored by a differential pressure indicating switch. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis. The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Low Pressure Coolant Iniection System The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level -LDw Low Low (Level 1); Drywell Pressure-High with a Reactor Pressure-Low (Injection Permissive). The drywell pressure variable is monitored by four redundant transmitters, which, in turn, are connected to four trip units. 'The reactor vessel water level and the reactor pressure variables are monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The outputs of the trip units and pressure compensation instruments are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate all four LPCI pumps.
-continued)
PBAPS UNIT 3 B 3.3-94 Revision No. 3
ECCS Instrumeritation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant InJection System (continued) Upon receipt of an initiation signal if normal AC power is available, the LPCI A and B pumps start after a delay of approximately 2 seconds. The LPCI C and D pumps are started after a delay of approximately 8 seconds. If normal AC power is not available, the four LPCI pumps start simultaneously with no delay as soon as the standby power source is available. Each LPCI subsystem's discharge flow is monitored by ai differential pressure indicating switch. When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses. The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain prilmary containment isolated in the event LPCI is not operating. The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are -connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. (continued) PBAPS UNIT 3 B 3.3-95 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant Injection System (continued) Low reactor water level in the shroud is detected by two additional instruments. When the level is greater than the low level setpoint LPCI may no longer be required, therefore other modes of RHR (e.g., suppression pool cooling) are allowed. Manual overrides for the isolations below the low level setpoint are provided. High Pressure Coolant Injection System The HPCI System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low (Level 2) or Drywell Pressure-High. The reactor vessel water level variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The drywell pressure variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the pressure compensation instruments and the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function. The HPCI pump discharge flow is monitored by a flow switch. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the safety analysis. The HPCI test line isolation valve (which is also a PCIV) is closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis and maintain primary containment isolated in the event HPC.I is not operating. The HPCI System also monitors the water levels in the condensate storage tank (CST) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST {continued) PBAP'S UNIT 3 B 3.3-96 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BAStES BACKGROUND High Pressure Coolant Injection System (continued) suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open and the CUST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool. To prevent losing suction to the pump, the suction valve<; are interlocked so that one suction path must be open before the other automatically closes. The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level -High (Level 8) trip, at which time the HPCI turbine trips, which causes the turbine's stop valve and the control valves to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level -Low Low (Level 2) signal is subsequently received. Automatic DeDressurization System The ADS may be initiated by automatic means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level -Low Low Low (Level 1); Drywell Pressure -High or ADS Bypass Low Water Level Actuation Timer; Reactor Vessel Water Confirmatory Level-Low (Level 4); and C!; or LPCI Pump Discharge Pressure-High are all present and the ADS Initiation Timer has timed out. There are two transmitters each for Reactor Vessel Water Level -Low Low Low (Level 1) and Drywell Pressure-High, and one transmitter for Reactor Vessel Water Confirmatory Level - Low (Level 4) in each of the two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic. Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time (continued) PBAPS UNIT 3 B 3.3-97 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Automatic Denressurization System (continued) to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the tirers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers. The ADS also monitors the discharge pressures of the four LPCI pumps and the four CS pumps. Each ADS trip system includes two discharge pressure permissive switches from all four LPCI pumps and one discharge pressure permissive switch from all four CS pumps. The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Two CS pumps in proper combination (C or D and A or B) or any one of the four LPCI pumps is sufficient to permit automatic depressurization. The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level-Low Low Low (Level 1); Drywell Pressure-High; Low Water Level Actuation Timer; and Reactor Vessel Water Level -Low Low Low (Level 1) Permissive. One of the two strings in each trip system must also have a Reactor Vessel Water Confirmatory Level -Low (Level 4). After the contacts for the initiation signal from either drywell pressure or reactor vessel level (and the timer for reactor vessel level timing out) close, the following must be present to initiate an ADS trip system: all other contacts in both logic strings must close, the ADS initiation timer must time out, and a CS or LPCI pump discharge pressure signal must be present. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure-High signal, the ADS Low Water Level Actuation Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset. Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE). (continued) PBAPIS UNIT 3 B 3.3-98 BRevision No. 3
ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Diesel Generators (continued) The DGs may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level -Low Low Low (Level 1) or Drywell Pressure-High. The DGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) The reactor vessel water level variable is monitored by four redundant transmitters, which are, in turn, connected to four pressure compensation instruments. The drywell pressure variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the four pressure compensation instruments and the trip units are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). The B trip system initiates all four DGs, and the A trip system initiates all four DGs. The DGs receive their initiation signals from the CS System initiation logic. The DGs can also be started manually from the contro1 room and locally from the associated DG room. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each DG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature buses if a loss of offsite power occurs. (Refer to Bases for LCO 3.3.8.1.) APPLICABLE The actions of the ECCS are explicitly assumed in the safety SAFETY ANALYSES, analyses of References 1, 2, and 3. The ECCS is initiated LCO, and to preserve the integrity of the fuel cladding by limiting APPLICABILITY the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits. ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion. The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channel<,
-continued)
I PBAP'; UNIT 3 B 3.3-99 Revision No. 23
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE with their setpoints within the specified Allowable Values, SAFETY ANALYSES, where appropriate. The actual setpoint is calibrated LCO., and consistent with applicable setpoint methodology assumptions. APPi.ICABILITY Table 3.3.5.1-1, footnote (b), is added to show that certain (continued) ECCS instrumentation Functions are also required to be OPERABLE to perform DG initiation. Allowable Values are specified for each ECCS Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the settings do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation' with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as, instrument drift. In selected cases, the Allowable Values and trip setpoints are determined from engineering judgement or historically accepted practice relative to the intended functions of the channel. The trip setpoints determined in this manner provide adequate protection by assuming instrument and process uncertainties expected for the environments during the operating tinie of the associated channels are accounted for. For the Core Spray and LPCI Pump Start-Time Delay Relays, adequate margins for applicable setpoint methodologies are incorporated into the Allowable Values and actual setpoints. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and OG function, a combination of Functions is required to provide primary and secondary initiation signals. (continued) PBAPS UNIT 3 8 3.3-100 BRevision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE The specific Applicable Safety Analyses, LCO, and SAFETY ANALYSES, Applicability discussions are listed below on a function by LCO, and Function basis. APPLICABILITY (continued) Core SDrav and Low Pressure Coolant Injection Systems I.a. 2.a. Reactor Vessel Water Level -Low Low Low fLevel 1) Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Reactor Vessel Water Level -Low Low Low (Level 1) to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The DGs are initiated from Function 1.a signals. This Function, in conjunction with a Reactor Pressure-Low (Injection Permissive) signal, a.lso initiates the closure of the Recirculation Discharge Valves to ensure the LPCI subsystems inject into the proper FRPV location. The Reactor Vessel Water Level -Low Low Low (Level 1) is one of the Functions assumed to be OPERABELE and capable of initiating the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Vessel Water Level -Low Low Low (Level 1) Function is directly assumed in the analysis of the recirculation line break (Ref. 4) and the control rod drop accident (CRDA) analysis. The core cooling function of the ECCS, along with the scram action of the Reactor Protection System {RP!;), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level -Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling. Four channels of Reactor Vessel Water Level -Low Low Low (Level 1) Function are only required to be OPERABLE when the ECCS or DG(s) are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS and DG iconniAnued) PBAP'S UNIT 3 B 3.3-101 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE I.a. 2.a. Reactor Vessel Water Level- Low Low Low (Level 1) SAFETY ANALYSES, (continued) LCO, and APPLICABILITY initiation. Refer to LCO 3.5.1 and LCO 3.5.2, 'ECCS - Shutdown," for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources -Operating"; and LCO 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs. 1.b. 2.b. Drywell Pressure -High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated DGs are initiated upon receipt of the Drywell Pressure-High Function with a Reactor Pressure-Low (Injection Permissive) in order to minimize the possibility of fuel damage. The DGs are initiated from Function 1.b signals. This Function also initiates the closure of the recirculation discharge valves to ensure the LPCI subsystems inject into the proper RPV location. The Drywell Pressure-High Function with a Reactor Pressure-Low (Injection Permissive), along with the Reactor Water Level - Low Low Low (Level 1) Function, is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment. The Drywell Pressure-High Function is required to be OPERABLE when the ECCS or DG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure- High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation. In MODES 4 and 5, the Drywell Pressure -High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs. fcontinued) PBARS UNIT 3 B 3.3-102 Revision No. 3
ECCS Instrumentation B :3.3.5.1 BASES APPLICABLE 1.c. 2.c. Reactor Pressure-Low (Injection Permissive) SAFETY ANALYSES, LCC, and Low reactor pressure signals are used as permissives for the APPLICABILITY low pressure ECCS subsystems. This ensures that, prior to (continued) opening the injection valves of the low pressure ECCS subsystems or initiating the low pressure ECCS subsystems on a Drywell Pressure-High signal, the reactor pressure has fallen to a value below these subsystems' maximum design pressure and a break inside the RCPB has occurred respectively. This Function also provides permissive for the closure of the recirculation discharge valves to ensure the LPCI subsystems inject into the proper RPV location. The Reactor Pressure-Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 1 and 3. In addition, the Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with. the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Pressure-Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46. Four channels of Reactor Pressure-Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems. I.d. 2.a. Core Sprav and Low Pressure Coolant Injection Pump DischarQe Flow- Low (Bvpass) The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI and {continued) PBAIS UNIT 3 B 3.3-103 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASEIS APPLICABLE I.d. 2.c. Core Sprav and Low Pressure Coolant Injection SAFETY ANALYSES Pump Discharge Flow-Low (ByDass) (continued) LCO:, and APPLICABILITY CS Pump Discharge Flow-Low Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, and 3 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. One differential pressure switch per ECCS pump is used to detect the associated subsystems' flow rates. The logic is arranged such that each switch causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow-Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. Each channel of Pump Discharge Flow-Low Function (four CS channels and four LPCI channels) is only required to tie OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems. I.e. I.f. Core SDrav PumD Start-Time Delay Relay The purpose of this time delay is to stagger the start. of the CS pumps that are in each of Divisions I and II to prevent overloading the power source. This Function is necessary when power is being supplied from the offsite sources or the standby power sources (DG). The CS Pump Start -Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources. (continued) PBAPS UNIT 3 B 3.3-104 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE I.e. I.f. Core Spray Pump Start-Time Delay Relay SAFETY ANALYSES, (continued) LCO, and APPLICABILITY There are eight-Core Spray Pump Start-Time Delay Relays, two in each of the CS pump start logic circuits (one for when offsite power is available and one for when offsite power is not available). One of each type of time delay relay is dedicated to a single pump start logic, such that a single failure of a Core Spray Pump Start-Time Delay Relay will not result in the failure of more than one CS pump. In this condition, three of the four CS pumps will remain OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). The Allowable Value for the Core Spray Pump Start-Time Delay Relays is chosen to be long enough so that the power source will not be overloaded and short enough so that. ECCS operation is not degraded. Each channel of Core Spray Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated CS subsystem is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the CS subsystems. 2.d. Reactor Pressure-Low Low (Recirculation Discharge Valve Permissive) Low reactor pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Pressure.-Low Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in References 1 and 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Pressure- Low Low Function is directly assumed in the analysis of the recirculation line break (Ref. 4). The Reactor Pressure- Low Low signals are initiated from four pressure transmitters that sense the reactor pressure. The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis. tconl;inued) PBAP'S UNIT 3 B 3.3-105 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 2.d. Reactor Pressure- Low Low (Recirculation Discharqe SAFETY ANALYSES, Valve Permissive) (continued) LCO, and APPLICABILITY Four channels of the Reactor .Pressure- Low Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor back pressure). 2.e. Reactor Vessel Shroud Level -Level 0 The Reactor Vessel Shroud Level- Level 0 Function is provided as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling/spray or drywell spray modes. The reactor vessel shroud level permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Shroud Level -Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Ref. 4) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below Level 0. Reactor Vessel Shroud Level - Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level- Level 0 Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer. (continued) PBAPS UNIT 3 B 3.3-106 Revision No. 3
ECCS Instrumentation B !.3.5.1 BASES APPLICABLE 2.e. Reactor Vessel Shroud Level- Level 0 (continued) SAFETY ANALYSES, LCO, and Two channels of the Reactor Vessel Shroud Level -Level 0 APPLICABILITY Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation tire of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves associated with this Function (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 aind are normally not used). 2.f. Low Pressure Coolant Iniection Pump Start-Time Delay Relay The purpose of this time delay is to stagger the start of the LPCI pumps that are in each of Divisions I and II, to prevent overloading the power source. This Function is only necessary when power is being supplied from offsite sources. The LPCI pumps start simultaneously with no time delay as soon as the standby source is available. The LPCI Puinp Start-Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure -of the power sources. There are eight LPCI Pump Start-Time Delay Relays, two in each of the RHR pump start logic circuits. Two time delay relays are dedicated to a single pump start logic. Both timers in the RHR pump start logic would have to fail to prevent an RHR pump from starting within the required time; therefore, the low pressure ECCS pumps will remain OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). The Allowable Values for the LPCI Pump Start-Time Delay Relays are chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4 kV emergency bus and short enough so that ECCS operation is not degraded. Each channel of LPCI Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated LPCI subsystem is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems. (continued) PBAPS UNIT 3 B 3.3-107 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE High Pressure Coolant Iniection (HPCI) System SAFETY ANALYSES, LCO, and 3.a. Reactor Vessel Water Level - Low Low (Level 2) APPLICABILITY (continued) Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level -Low Low (Level 2) is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in References 1 and 3. Additionally, the Reactor Vessel Water Level -Low Low (Level 2) Function associated with HPCI is credited as a backup to the Drywell Pressure-High Function for initiating HPCI in the analysis of the recirculation line break. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level- Low Low (Level 2) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level- Low Low (Level 2) Allowable Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC) System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level- Low Low Low (Level 1). Four channels of Reactor Vessel Water Level -Low Low (Level 2) Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases. 3.b. Drvwell Pressure -Hiqh High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The Drywell Pressure -High Function is directly assumed in the analysis of the (continued) PBAPS UNIT 3 B 3.3-108 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.b. Drvwell Pressure -High (continued) SAFETY ANALYSES, LCO, and recirculation line break (Ref. 4). The core cooling APPLICABILITY function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment. Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System. 3.c. Reactor Vessel Water Level -High (Level 8) High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level -High (Level 8) Function is assumed to trip the HPCI turbine in the feedwater controller failure transient analysis if HPCI is initiated. Reactor Vessel Water Level -High (Level 8) signals for HPCI are initiated from two level transmitters from the wide range water level measurement instrumentation. Both L.evel 8 signals are required in order to trip the HPCI turbine. This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level -High (Level 8) Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs. Two channels of Reactor Vessel Water Level-High (Level 8) Function are required to be OPERABLE only when HPCI i; required to be OPERABLE. Refer to LCO 3.5.1 and LCO :3.5.2 for HPCI Applicability Bases. (continued) PBAPS UNIT 3 B 3.3-109 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.d. Condensate Storage Tank Level -Low SAFETY ANALYSES, LCO,, and Low level in the CST indicates the unavailability of an APPLICABILITY adequate supply of makeup water from this normal source. (continued) Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool. Condensate Storage Tank Level -Low signals are initial;ed from two level switches. The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Storage Tank Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST. Two channels of the Condensate Storage Tank Level -Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases. 3.e. Suppression Pool Water Level -High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CST to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. (continued) PBAPS UNIT 3 B 3.3-110 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASIES APPLICABLE 3.e. SuDDression Pool Water Level- High (continued) SAFETY ANALYSES, LCO, and This Function is implicitly assumed in the accident and APPLICABILITY transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool. Suppression Pool Water Level-High signals are initiated from two level switches. The logic is arranged such that either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Allowable Value for the Suppression Pool Water Level -High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool to prevent HPCI from contributing to any further increase in the suppression pool level. Two channels of Suppression Pool Water Level -High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases. 3.f. High Pressure Coolant Iniection Pump Discharge Flow-Low (BYDass) The minimum flow instrument is provided to protect the HPCI pump from overheating when the pump is operating at reduced flow. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The High Pressure Coolant Injection Pump Discharge Flow-Low Function is assumed to be OPERABLE and capable of closing the minimum flow valve to ensure that the ECCS flow assumed during the transients analyzed in Reference 4 is met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. One flow switch is used to detect the HPCI System's flow rate. The logic is arranged such that the transmitter causes the minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. (continued) PBAI'S UNIT 3 B 3.3-111 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.f. High Pressure Coolant Injection Pump Discharge SAFETY ANALYSES, Flow-Low (Bvpass) (continued) LCO, and APPLICABILITY The High Pressure Coolant Injection Pump Discharge Flow-Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases. Automatic DeDressurization System 4.a. 5.a. Reactor Vessel Water Level-Low Low Low fLevel 1) Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level -Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level-Low Low Low (Level 1) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. The Reactor Vessel Water Level -Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling. (continued) PBAPS UNIT 3 B 3.3-112 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.b. 5.b. Drvwell Pressure -Hiah SAFETY ANALYSES, LCO, and High pressure in the drywell could indicate a break in the APPLICABILITY RCPB. Therefore, ADS receives one of the signals necessary (continued) for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Drywell Pressure-High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment. Four channels of Drywell Pressure-High Function are Cinly required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.c. 5.c. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor. vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analysis of Reference 4 that requires ECCS initiation and assumes failure of the HPCI System. (continued) PBAPS UNIT 3 B 3.3-113 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASE.S APPLICABLE 4.c. 5.c. Automatic Depressurization System Initiation SAFETY ANALYSES Timer (continued) LCO., and APPLICABILITY There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure EUCS subsystems to provide adequate core cooling. Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that; no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.d. 5.d. Reactor Vestsel Water Level - Low Low Low (Level 1) (Permissive) Low reactor water level signals are used as permissives in the ADS trip systems. This ensures after a high drywell pressure signal or a low reactor water level signal {Level 1) is received and the timer times out that a low reactor water level (Level 1), signal is present to allow the ADS initiation (after a confirmatory Level 4 signal, see Bases for Functions 4.e, 5.e, Reactor Vessel Water Confirmatory Level- Low (Level 4). Reactor Vessel Water Level-Low Low Low (Level 1), signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water {reference leg) and the pressure doe to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding system to initiate and provide adequate cooling. Four channels of the Reactor Vessel Water Level -Low L.ow Low (Level 1) Function are required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. _continued) PBAP'S UNIT 3 B 3.3-114 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BAS ES APPLICABLE 4.e. 5.e. Reactor Vessel Water Confirmatory Level - Low SAFETY ANALYSES, (Level 4) LCD, and APPLICABILITY The Reactor Vessel Water Confirmatory Level -Low (Level 4) (continued) Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level -Low Low Low (Level 1) signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 4 signal must also be received before ADS initiation commences. Reactor- Vessel Water Confirmatory Level - Low (Level 4'i signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Confirmatory Level - Low (Level 4) is selected to be above the RPS Level 3 scram Allowable Value for convenience. Two channels of Reactor Vessel Water Confirmatory Level -Low (Level 4) Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.f. 4.a. 5.f. 5.a. Core Sprav and Low Pressure Coolant Injection Pump Discharge Pressure -High The Pump Discharge Pressure-High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the ve;sel. Pump Discharge Pressure- High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 4 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pres;ure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Icontinued) PBAPS UNIT 3 B 3.3-115 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.f. 4.g. 5.f. 5.9. Core Spray and Low Pressure Coolant SAFETY ANALYSES, Injection PumD Discharge Pressure-High (continued) LCO, and APPLICABILITY Pump discharge pressure signals are initiated from twelve pressure transmitters, two on the discharge side of each of the four LPCI pumps and one on the discharge side of each CS pump. There are two ADS low pressure ECCS pump permissives in each trip system. Each of the permissives receives inputs from all four LPCI pumps (different signals for each permissive) and two CS pumps, one from each subsystem (different pumps for each permissive). In order to generate an ADS permissive in one trip system, it is necessary that only one LPCI pump or two CS pumps in proper combination (C or D and A or B) indicate the high discharge pressure condition in each of the two permissives. The Pump Discharge Pressure-High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accident analysis. However, this Function is indirectly assumed to operate (in Reference
- 4) to provide the ADS permissive to depressurize the RCS to allow the ECCS low pressure systems to operate.
Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Four CS channels associated with CS pumps A through D and eight LPCI channels associated with LPCI pumps A through D are required for both trip systems. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.h. 5.h. Automatic Depressurization System Low Water Level Actuation Timer One of the signals required for ADS initiation is Drywell Pressure-High. However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Low Water Level Actuation Timer is used to bypass the Drywell Pressure-High Function after a (continued) PBAPS UNIT 3 B 3.3-116 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.h. 5.h. Automatic DeDressurization System Low Water Level SAFETY ANALYSES, Actuation Timer (continued) LCO,, and APPLICABILITY certain time period has elapsed. Operation of the Automatic Depressurization System Low Water Level Actuation Timer Function is assumed in the accident analysis of Reference 4 that requires ECCS initiation and assumes failure of the HPCI system. There are four Automatic Depressurization System Low Water Level Actuation Timer relays, two in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling. Four channels of the Automatic Depressurization Systen Low Water Level Actuation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases. ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel. A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.
-continued)
PBAPS UNIT 3 B 3.3-117 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES ACTIONS B.1. B.2. and B.3 (continued) Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS). The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if (a) two or more Function l.a channels are inoperable and untripped such that both trip systems lose initiation capability, (b) two or more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability, (c) two or more Function 1.b channels are inoperable and untripped such that both trip systems lose initiation capability, or (d) two or more Function 2.b channels are inoperable and untripped such that both trip systems lose initiation capability. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and DGs to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and DGs being concurrently declared inoperable. For Required Action B.2, redundant automatic HPCI initiation capability is lost if two or more Function 3.a or two Function 3.b channels are inoperable and untripped such that the trip system loses initiation capability. In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the HPCI System must be declared inoperable within 1 hour. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable ir MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of _rcont.inued) PBAPS UNIT 3 B 3.3-118 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES ACTIONS B.1. B.2. and B.3 (continued) initiation capability for 24 hours (as allowed by Required Action B.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action B.2 since HFCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary. Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed. Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Function 2.e, since this Function provides backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed. Thus, a total loss of Function 2.e capability for 24 hours is allowed, since the LPCI subsystems remain capable of performing their intended function. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS desiign, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the (continued) PBAPS UNIT 3 B 3.3-119 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASEIS ACTIONS B.1. B.2. and B.3 (continued) allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken. C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action C.1 features would be those that are initiated by Functions 1.c, i.e, 1.f, 2.c, 2.d, and 2.f (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) two or more Function 1.c channels are inoperable in the same trip system such that the trip system loses initiation capability, (b) two or more Function i.e channels are inoperable affecting CS pumps in different subsystems, (c) two or more Function 1.f channels are inoperable affecting CS pumps in different subsystems, id) two or more Function 2.c channels are inoperable in the same trip system such that the trip system loses initiation capability, (e) two or more Function 2.d channels are inoperable in the same trip system such that the trip system loses initiation capability, or (f) three or more Function 2.f channels are inoperable. In this situation (loss of redundant automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being fcontinued) PBAI'S UNIT 3 B 3.3-120 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued) concurrently declared inoperable. For Functions 1.c, 1.e, 1.f, 2.c, 2.d, and 2.f, the affected portions are the associated low pressure ECCS pumps. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours (as allowed by Required Action C.2) is allowed during MODES 4 and 5. Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.e, 1.f, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours, allowed by Required Action C.2. The Completion Time is intended to allow the operator time to evaluate-and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated. due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events. {continued) PBAPS UNIT 3 B 3.3-121 Revision No. 3
ECCS Instrumentation B 3.3.5.1 O BASES ACTIONS D.1.-D.2.1. and D.2.2 (continued) Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI puap suction is not aligned to the suppression pool, since, if aligned, the Function is already performed. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clack." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System (continued) PBAPS UNIT 3 B 3.3-122 Revision No. 3
ECCS Instrumentation B :3.3.5.1 BASES ACTIONS D.1. D.2.1. and D.2.2 (continued) piping remains filled with water. Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain
- down the HPCI suction piping), Condition H must be entered and its Required Action taken.
E.1 ani E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump, Discharge Flow - Low (Bypass) Functions result in redundant automatic initiation capability being lost for the feature(s). For Required Action E.1, the features would be those that are initiated by Functions 1.d and 2.g (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if (a) two or more Function 1.d channels are inoperable affecting CS pumps in different subsystems or (b) three or more Function 2.g channels are inoperable. Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable. However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable. In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required'Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour. As noted (Note I to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low (continued) PBAPS UNIT 3 B 3.3-123 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASE.S ACTtONS E.1 and E.2 (continued) pressure ECCS Functions. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 7 days allowed by Required Action E.2. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The I hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels. If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheatirg and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECC'; pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.
*4continued)
PBAPS UNIT 3 B 3.3-124 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES ACTIONS F.1 and F.2 (continued) Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one or more Function 4.a channel and one or more Function 5.a channel are inoperable and untripped, (b) one or more Function 4.b channel and one or more Function 5.b channel are inoperable and untripped, (c) one or more Function 4.d channel and one or more Function 5.d channel are inoperable and untripped, or (d) one Function 4.e channel and one Function 5.e channel are inoperable and untripped. In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal
'time zero" for beginning the allowed outage time "clock."
For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of (continued) PBAP'; UNIT 3 B 3.3-125 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BAS!ES ACTIONS F.1 and F.2 (continued) HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero' for beginning the 8 day Oclock' begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot lie restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken. G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (:b) a combination of Function 4.f, 4.g, 5.f, and 5.g channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable, or (c) one or more Function 4.h channels and one or more Function 5.h channels are inoperable. In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Note to Required Action G.1 states that Required Action G.1 is only applicable for Functions 4.c, 4.f, 4.9, 4.h, 5.c, 5.f, 5.g, and 5.h. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins (continued) PBAP'S UNIT 3 B 3.3-126 Revision No. 3
ECCS Instrumentation B .3.5.1 BASES ACTIONS G.1 and G.2 (continued) upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RC[C is inoperable, the time shortens to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total tine for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events. H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately. (continued) PBAPS UNIT 3 B 3.3-127 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES (continued) SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours as follows: (a)for Functions 3.c and 3.f; ard (b)for Functions other than 3.c and 3.f provided the associated Function or the redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the -ECCS: will initiate when necessary. SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. (continued) PBAP'S UNIT 3 B 3.3-128 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.1 (continued) REQUIREMENTS The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.5.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days is based on the reliability analyses of Reference 5. SR 3.3.5.1.3 and SR 3.3.5.1.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology. The 92 day Frequency of SR 3.3.5.1.3 is conservative with respect to the magnitude of equipment drift assumed in the setpoint analysis. The Frequency of SR 3.3.5.1.4 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. 1continued) PBAPS UNIT 3 B 3.3-129 Revision No. 3
ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.5 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function. While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Section 6.5.
- 2. UFSAR, Section 7.4.
- 3. UFSAR, Chapter 14.
- 4. NEDC-32163-P, "Peach Bottom Atomic Power Station Units 2 and 3, SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis," January 1993.
- 5. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2," December 1988.
PBAI'S UNIT 3 B 3.3-130 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is insufficient or unavailable, such that RCIC System initiation occurs and maintains sufficient reactor water level such that an initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System." The RCIC System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low (Level 2). The variable is monitored by four transmitters that are connected to four pressure compensation instruments. The outputs of the pressure compensation instruments are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared. The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow and maintain primary containment isolated in the event RCIC is not operating. The RCIC System also monitors the water level in the condensate storage tank (CST) since this is the initial source of water for RCIC operation. Reactor grade water in the CST is the normal source. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from the suppression pool valves is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open. The opening of the (continued) PBAPS UNIT 3 B 3.3-131 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 BASES BACKGROUND suppression pool suction valves causes the CST suction valve (continued) to close. This prevents losing suction to the pump when automatically transferring suction from the CST to the suppression pool on low CST level. The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) setting (two-out-of-two logic), at which tiffe the RCIC steam supply valve closes. The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2). APPLICABLE The function of the RCIC System is to respond to transient SAFETY ANALYSES, events by producing makeup coolant to the reactor. The RCIC LCO , and System is not an Engineered Safeguard System and no credit APPLICABILITY is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system, and therefore its instrumentation meets Criterion 4 of NRC Policy Statement. The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.2-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The setpoints are selected to ensure that the settings do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology. (continued) PBAPS UNIT 3 B 3.3-132 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE The individual Functions are required to be OPERABLE in SAFETY ANALYSES, MODE 1, and in MODES 2 and 3 with reactor steam dome LCO, and pressure > 150 psig since this is when RCIC is required to APPLICABILITY be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases (continued) for the RCIC System.) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
- 1. Reactor Vessel Water Level- Low Low (Level 2)
Low reactor pressure vessel (RPV) water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel. Reactor Vessel Water Level -Low Low (Level 2) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low (Level 2) Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1. Four channels of Reactor Vessel Water Level -Low Low (Level 2) Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases. (continued) PBAFS UNIT 3 B 3.3-133 Revisior No. 3
RCIC. System Instrumentation B 3.3.5.2 BASES APPLICABLE 2. Reactor Vessel Water Level -Hich (Level 8) SAFETY ANALYSES, LCO, and - High RPV water level indicates that sufficient cooling water APPLICABILITY inventory exists in the reactor vessel such that there is no (continued) danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply valve to prevent overflow into the main steam lines (MSLs). Reactor Vessel Water Level-High (Level 8) signals for RCIC are initiated from four level transmitters, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. These four level transmitters are connected to two pressure compensation instruments (channels). The Reactor Vessel Water Level-High (Level 8) Allowable Value is high enough to preclude isolating the injection valve of the RCIC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs. Two channels of Reactor Vessel Water Level-High (Level 8) Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.
- 3. Condensate Storage Tank Level -Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source.
Normally, the suction valve between the RCIC pump and the CST is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the RCIC pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. (continued) PBAP'S UNIT 3 B 3.3-134 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE 3. Condensate Storage Tank Level- Low (continued) SAFETY ANALYSES, LCO, and Two level switches are used to detect low water level in the APPLICABILITY CST. The Condensate Storage Tank Level -Low Function Allowable Value is set high enough to ensure-adequate pump suction head while water is being taken from the CST. Two channels of the CST Level - Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases. ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel. A.1 Required Action A.1 directs entry into the appropriate! Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition. _continuedl PBAPS UNIT 3 -B3.3-135 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 BASE.S ACT[ONS B.1 and B.2 (continued) Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped. In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour after discovery of loss of RCIC initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two or more inoperable, untripped Reactor Vessel Water Level-Low Low (Level 2) channels such that the trip system loses initiation capability. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken. (continued) PBAP'S UNIT 3 B 3.3-136 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS C.1 (continued) A risk based analysis was performed and determined that an allowable out of service time of 24 hours (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required. This Condition applies to the Reactor Vessel Water Level -High (Level 8) Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC initiation capability (closure of the RCIC steam supply valve). As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable. The Required Action does not allow placing a channel *intrip since this action would not necessarily result in a safe state for the channel in all events. D.I. D.2.1. and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic initiation capability is lost if two Function 3 channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and 0.2.2 is only appropriate after Action D.1 has been performed. Action D.1 requires that the RCIC System Ibe declared inoperable within 1 hour from discovery of loss of RCIC initiation capability. As noted, Required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed.
. ...... t * *%I~u PBAPS UNIT 3 B 3.3-137 Revision No. 3
RCIC System Instrumentation B 3.3.S.2 BASES ACTIONS D.1. D.2.1. and D.2.2 (continued) The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel. Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the RCIC System piping remain!; filled with water. If it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the RCIC suction piping), Condition E must be entered and its Required Action taken. E.1 With any Required Action and associated Completion Tirae not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately. (continued) PBAPS UNIT 3 B 3.3-138 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 BASES (continued) SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC REQUIREMENTS System instrumentation Function are found in the SRs column of Table 3.3.5.2-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours for Function 2 and (b) for up toc 6 hours for Functions 1 and 3, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance.. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary. SR 3.3.5.2.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. rconntinued) PBAPS UNIT 3 B 3.3-139 Revision No. 3
RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.1 (continued) REQUIREMENTS The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.5.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days is based on the reliability analysis of Reference 1. SR 3.3.5.2.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Frequency of SR 3.3.5.2.3 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. SR 3.3.5.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function. 4continued) PBAIPS UNIT 3 B 3.3-140 Revision No. 3
RCIC. System Instrumentation B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.4 (continued) REQUIREMENTS While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint. REFERENCES 1. GENE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991. PBAP'S UNIT 3 B 3.3-141 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 B 3.3 INSTRUMENTATION B 3.3.Z.1 Primary Containment Isolation Instrumentation BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a)reactor vessel water level, (b)reactor pressure, (c)main steam line (MSL) flow measurement, (d)main steam line radiation, (e)main steam line pressure, (f)drywell pressure, (sg) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line flow, (h)HPCI and RCIC steam line pressure, (i)reactor water cleanup (RWCU) flow, fj) Standby Liquid Control (SLC) System initiation, (k) area ambient temperatures, (1)reactor building ventilation and refueling floor ventilation exhaust radiation, and (m)main stack radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation. Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below. I(conntinued) PBAP'S UNIT 3 B 3.3-142 Revision No. 3
Primary Containment Isolation Instrumentation B 3,.3.6.1 BASES BACKGROUND I. Main Steam Line Isolation (continued) Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of the Group I isolation valves (MSIVs and MSL drains, M!;L sample lines, and recirculation loop sample line valves). To initiate a Group I isolation, both trip systems must be tripped. The exceptions to this arrangement are the Main Steam Line Flow-High Function and Main Steam Tunnel Temperature.-High Functions. The Main Steam Line Flow-High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip systems are arranged in a one-out-of-two taken twice logic. This is effectively a one-out-of-eight taken twice logic arrangement to initiate a Group I isolation. The Main Steam Tunnel Temperature -High Function receives input from 16 channels. The logic is arranged similar to the Main Steam Line Flow-High Function except that high temperature on any channel is not related to a specific MSL.
- 2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged in a one-out-of-two taken twice logic. Isolation of inboard and outboard primary containment isolation valves occurs when both trip systems are in trip.
The exception to this arrangement is the Main Stack Monitor Radiation-High Function. This Function has two channels, whose outputs are arranged in two trip systems which use a one-out-of-one logic. Each trip system isolates one salve per associated penetration. The Main Stack Monitor Radiation-High Function will isolate vent and purge valves greater than two inches in diameter during containment purging (Ref. 2). The valves isolated by each of the Primary Containment Isolation Functions are listed in Reference 1. {continued) PBAPS UNIT 3 B 3.3-143 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 3.. 4. High Pressure Coolant Iniection System Isolation and (continued) Reactor Core Isolation Cooling System Isolation The Steam Line Flow-High Functions that isolate HPCI and RCIC receive input from two channels, with each channel comprising one trip system using a one-out-of-one logic. Each of the two trip systems in each isolation group 4:HPCI and RCIC) is connected to the two valves on each associated penetration. Each HPCI and RCIC Steam Line Flow-High channel has a time delay relay to prevent isolation due to flow transients during startup. The HPCI and RCIC Isolation Functions for Drywell Pressure-High and Steam Supply Line Pressure-Low receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of the associated valves. The HPCI and RCIC Compartment and Steam Line Area Temperature-High Functions receive input from 16 channels. The logic is similar to the Main Steam Tunnel Temperature - High Function. The HPCI and RCIC Steam Line Flow-High Functions, Steam Supply Line Pressure-Low Functions, and Compartment and Steam Line Area Temperature-High Functions isolate the associated steam supply and turbine exhaust valves and pump suction valves. The HPCI and RCIC Drywell Pressure-High Functions isolate the HPCI and RCIC test return line valves. The HPCI and RCIC Drywell Pressure-High Functions, in conjunction with the Steam Supply Line Pressure-Low Functions, isolate the HPCI and RCIC turbine exhaust vacuum relief valves.
- 5. Reactor Water CleanuR System Isolation The Reactor Vessel Water Level -Low (Level 3) Isolation Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into a one-out-of-two taken twiice logic which isolates both the inboard and outboard isolation valves. The RWCU Flow-High Function receives input from two channels, with each channel inone trip system usiing a one-out-of-one logic, with one channel tripping the inboard valve and one channel tripping the outboard valves. The SLC (continued)
PBAPS UNIT 3 B 3.3-144 Revision No. 3
Primary Containment Isolation Instrumentation B s.3.6.1 BASES BACKGROUND 5. Reactor Water Cleanup System Isolation (continued) System Isolation Function receives input from two channels with each channel in one trip system using a one-out-of-one logic. When either SLC pump is started remotely, one channel trips the inboard isolation valve and one channel isolates the outboard isolation valves. The RWCU Isolation Function isolates the inboard and outboard RWCU pump suction penetration and the outboard valve at the RWCU connection to reactor feedwater.
- 6. Shutdown Cooling System Isolation The Reactor Vessel Water Level -Low (Level 3) Function receives input from four reactor vessel water level channels. The outputs from the channels are connected to a one-out-of-two taken twice logic, which isolates both valves on the RHR shutdown cooling pump suction penetration. The Reactor Pressure-High Function receives input from taio channels, with each channel in one trip system using a one-out-of-one logic. Each trip system is connected to both valves on the RHR shutdown cooling pump suction penetration.
- 7. Feedwater Recirculation Isolation The Reactor Pressure-High Function receives inputs from four channels. The outputs from the four channels are connected into a one-out-of-two taken twice logic which isolates the feedwater recirculation valves.
APPLICABLE The isolation signals generated by the primary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the LCO,, and safety analyses of References 1 -and 3 to initiate closure APPLICABILITY of valves to limit offsite doses. Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)," Applicable Safety Analyses Bases for more detail of the safety analyses. Primary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion. (continued) PBAPS UNIT 3 B 3.3-145 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE The OPERABILITY of the primary containment instrumentation SAFETY ANALYSES, is dependent on the OPERABILITY of the individual LCO, and instrumentation channel Functions specified in APPLICABILITY Table 3.3.6.1-1. Each Function must have a required number (continued) of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Allowable Values, where applicable, are specified for each Primary Containment Isolation Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual
-process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as, instrument drift. In selected cases, the Allowable Values and trip setpoints are determined by engineering judgment or historically accepted practice relative to the intended function of the channel. The trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for.
Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs. The signals that isolate these valves are also associated with the automatic initiation of the ECCS (continued) PBAPS UNIT 3 B 3.3-146 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE and RCIC. The instrumentation requirements and ACTIONS SAFETY ANALYSES, associated with these signals are addressed in LCO 3.3l.5.1, LCO, and "Emergency Core Cooling Systems (ECCS) Instrumentation," and APPLICABILITY LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System (continued) Instrumentation," and are not included in this LCO. In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment." Functions that have different Applicabilities are discussed below in the individual Functions discussion. The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis. Main Steam Line Isolation 1.a. Reactor Vessel Water Level -Low Low Low (Level L1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level -Low Low Low (Level 1) Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level-Low Low Low (Level 1) Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MSLs on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA. Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. (continued) PBAPS UNIT 3 B 3.3-147 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASEIS APPLICABLE l.a. Reactor Vessel Water Level- Low Low Low {Level 11 SAFETY ANALYSES, (continued) LCO, and APPLICABILITY The Reactor Vessel Water Level- Low Low Low (Level 1) Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 100 limits.. This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves. 1.b. Main Steam Line Pressure- Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down more than 100 0F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure-Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 3). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100 0F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below 785 psig, which results in a scram due to MSIV closure, thus reducing reactor power to < 25% RTP.) The MSL low pressure signals are initiated from four transmitters that are connected to the MSL header. The transmitters are arranged such that, even though physically separated from each other, each transmitter is able to detect low MSL pressure. Four channels of Main Steam Line Pressure- Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value was selected to be high enough to prevent excessive RPV depressurization. The Main Steam Line Pressure- Low Function is only required
.to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 1).
This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves. 1continued) PBAPS UNIT 3 B 3.3-148 Revision No. 3
Primary Containment Isolation Instrumentation B 'Z.3.6.1 BASES APPILICABLE 1.c. Main Steam Line Flow-Hioh SAFETY ANALYSES, LCO, and Main Steam Line Flow-High is provided to detect a break of APPLICABILITY the MSL and to initiate closure of the MSIVs. If the steam (continued) were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover.. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow-High Function is directly assumed in the analysis of the main steam line break (MSLB) (Ref. 3). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 100 limits. The MSL flow signals are initiated from 16 transmitters that are connected to the four MSLs. The transmitters are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow-High Function for each MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL. The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break. This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves. 1.d. Main Steam Line-High Radiation The Main Steam Line-High Radiation Function is provided to detect gross release of fission products from the fuel and to initiate closure of the MSIVs. The trip setting is set low enough so that a high radiation trip results from a design basis rod drop accident and high enough above background radiation levels in the vicinity of the main steam lines so that spurious trips at rated power are avoided. The Main Steam Line-High Radiation Function is directly assumed in the analysis of the control rod drop accident (Ref. 3). _ continued) PBAPS UNIT 3 B 3.3-149 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.d. Main Steam Line-High Radiation (continued) SAFETY ANALYSES, LCO, and The Main Steam Line-High Radiation signals are initiated APPlICABILITY from four gamma sensitive instruments. Four channels are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is chosen to ensure that offsite dose limits are not exceeded. This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves. I.e. Main Steam Tunnel Temperature-High The Main Steam Tunnel Temperature Function is provided to detect a break in a main steam line and provides diversity to the high flow instrumentation. Main Steam Tunnel Temperature signals are initiated from resistance temperature detectors (RTDs) located along the main steam line between the drywell wall and the turbine. Sixteen channels of Main Steam Tunnel Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is chosen to detect a leak equivalent to between 1% and 10% rated steam flow. This Function isolates MSIVs, MSL drains, MSL sample lines and recirculation loop sample line valves. This Function in Unit 3 combines Unit 2 Functions i.e. and l.f. Primary Containment Isolation 2.a. Reactor Vessel Water Level-Low (Level 3) Low RPV water level indicates that the capability to ccool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to enstre that offsite dose limits of 10 CFR 100 are not exceeded.. _continued) PBAP'; UNIT 3 B 3.3-150 Revision No. 49
Primary Containment Isolation Instrumertation B S.3.6.1 BASES APPLICABLE 2.a. Reactor Vessel Water Level -Low (Level 3) (continued) SAFETY ANALYSES, LCO, and The Reactor Vessel Water Level- Low (Level 3) Function APPLICABILITY associated with isolation is implicitly assumed in the UFSAR analysis as these leakage paths are assumed to be isolated post LOCA. Reactor Vessel Water Level -Low (Level 3) signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Reactor Vessel Water Level - Low (Level 3) Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown. This Function isolates the Group II(A) valves listed *in Reference I with the exception of RWCU isolation valves and RHR shutdown cooling pump suction valves which are addressed in Functions 5.c and 6.b, respectively. 2.b. Drvwell Pressure-Hiah High drywell pressure can indicate a break in the RCP13 inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 100 are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the UFSAR accident analysis as these leakage paths are assumed to be isolated post LOCA. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure-High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. lcontinued) 'Aw, PBAPS UNIT 3 B 3.3-151 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.b. Drywell Pressure-High (continued) SAFETY ANALYSES, LCO, and The Allowable Value was selected to be the same as the ECCS APPLICABILITY Drywell Pressure-High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment. This Function isolates the Group II(B) valves listed in Reference 1. 2.c. Main Stack Monitor Radiation-High Main stack monitor radiation is an indication that the release of radioactive material may exceed established[ limits. Therefore, when Main Stack Monitor Radiation.-High is detected when there is flow through the Standby Gas Treatment System, an isolation of primary containment purge supply and exhaust penetrations is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the LIFSAR because other leakage paths (e.g., MSIVs) are more limiting. The drywell radiation signals are initiated from radiation detectors that isokinetically sample the main stack utilizing sample pumps. Two channels of Main Stack Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is set below the maximum allowable release limit in accordance with the Offsite Dose Calculation Manual (ODCM). This Function isolates the containment vent and purge valves and other Group III(E) valves listed in Reference 1. 2.d.. 2.e. Reactor Building Ventilation and Refuelingi Floor Ventilation Exhaust Radiation -High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB. When Reactor Building or Refueling Floor Ventilation Exhaust Radiation -High is detected, the affected ventilation pathway and primary 4continued) PBAPS UNIT 3 B 3.3-152 Revision No. 22
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.d.. 2.e. Reactor Building Ventilation and Refuelinci Floor SAFETY ANALYSES, Ventilation Exhaust Radiation-High (continued) LCO, and APPLICABILITY containment purge supply and exhaust valves are isolated to limit the release of fission products. Additionally, Ventilation Exhaust Radiation-High Function initiates Standby Gas Treatment System. The Ventilation Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust piping coming from the reactor building and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Ventilation Exhaust-High Function and four channels of Refueling Floor Ventilation Exhaust-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to promptly detect gross failure of the fuel cladding during a refueling accident. These Functions isolate the Group III(C) and III(D) valves listed in Reference 1. High Pressure Coolant Iniection and Reactor Core Isolation Cooling Systems Isolation 3.a.. 3.b.. 4.a.. 4.b. HPCI and RCIC Steam Line Flow.-High and Time Delay Relays Steam Line Flow-High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any UFSAR accident analyses since the (continued) PBAP'S UNIT 3 B 3.3-153 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.a.. 3.b.. 4.a.. 4.b. HPCI and RCIC Steam Line Flow-High SAFETY ANALYSES, and Time Delay Relays (continued) LCO., and APPLICABILITY bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding. The HPCI and RCIC Steam Line Flow-High signals are initiated from transmitters (two for HPCI and two for RCIC) that are connected to the system steam lines. A time delay is provided to prevent isolation due to high flow transients during startup with one Time Delay Relay channel associated with each Steam Line Flow-High channel. Two channels of both HPCI and RCIC Steam Line Flow-High Functions and the associated Time Delay Relays are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values for Steam Line Flow-High Function and associated Time Delay Relay Function are chosen to be low enough to ensure that the trip occurs to maintain the 4SLB event as the bounding event. These Functions isolate the associated HPCI and RCIC steam supply and turbine exhaust valves and pump suction valves. 3.c.. 4.c. HPCI and RCIC Steam SuDplv Line Pressure-Low Low MSL pressure indicates that the pressure of the steam in the HPCI or RCIC turbine may be too low to continue operation of the associated system's turbine. These isolations prevent radioactive gases and steam from escaping through the pump shaft seals into the reactor building but are primarily for equipment protection and are also assumed for long term containment isolation. However, they also provide a diverse signal to indicate a possible system break. These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI ard RCIC initiations (Ref. 4). The HPCI and RCIC Steam Supply Line Pressure -Low signals are initiated from transmitters (four for HPCI and foUr for RCIC) that are connected to the system steam line. Four (continued) PBAP'S UNIT 3 B 3.3-154 Revision No. 3
Primary Containment Isolation Instrumentation B :3.3.6.1 BASES APPLICABLE 3.c.. 4.c. HPCI and RCIC Steam SUDDly Line Pressure-.Low SAFETY ANALYSES, (continued) LCO, and APPLICABILITY channels of both HPCI and RCIC Steam.Supply Line Pressure-Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are selected to be high enough tD prevent damage to the system's turbine. These Functions isolate the associated HPCI and RCIC steam supply and turbine exhaust valves and pump suction valves. 3.d.. 4.d. Drywell Pressure-High (Vacuum Breakers) High drywell pressure can indicate a break in the RCPB. The HPCI and RCIC isolation of the turbine exhaust vacuum breakers is provided to prevent communication with the drywell when high drywell pressure exists. The HPCI and RCIC turbine exhaust vacuum breaker isolation occurs following a permissive from the associated Steam Supply Line Pressure-Low Function which indicates that the system is no longer required or capable of performing coolant injection. The isolation of the HPCI and RCIC turbine exhaust vacuum breakers by Drywell Pressure-High is indirectly assumed in the UFSAR accident analysis because the turbine exhaust leakage path is not assumed to contribute to offsite doses. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels for both HPCI and RCIC Drywell Pressure-High (Vacuum Breakers) Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The All owabl e Value was selected to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1), since this is indicative of a LOCA inside primary containment. This Function isolates the associated HPCI and RCIC vacuum relief valves and test return line valves. {con tinued) PBAPS UNIT 3 B 3.3-155 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.e.. 4.e. HPCI and RCIC Compartment and Steam Line Area SAFETY ANALYSES, Temperature -High LCO,, and APPLICABILITY HPCI and RCIC Compartment and Steam Line Area temperatures (continued) are provided to detect a leak from the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any UFSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks. HPCI and RCIC Compartment and Steam Line Area Temperature-High signals are initiated from resistance temperature detectors (RTDs) that are appropriately located to protect the system that is being monitored. The HFCI and RCIC Compartment and Steam Line Area Temperature -High Functions each use 16 temperature channels. Sixteen channels for each HPCI and RCIC Compartment and Steam Line Area Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are set low enough to detect a leak. These Functions isolate the associated HPCI and RCIC steam supply and turbine exhaust valves and pump suction valves. Reactor Water Cleanup (RWCU) System Isolation 5.a. RlWCU Flow-High The high flow signal is provided to detect a break in the RWCU System. Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation of the RWCU System is initiated when high RWCU flow is sensed to prevent exceeding offsite -doses. This Function is not assumed in any.UFSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs. (continued) PBAPS UNIT 3 B 3.3-156 Revision lNo. 34
Primary Containment Isolation Instrumentation B .3.6.1 BASES APPLICABLE 5.a. RWCU Flow-High (continued) SAFETY ANALYSES, LCO, and The high RWCU flow signals are initiated from transmitters APPLICABILITY that are connected to the pump suction line of the RWCU System. Two channels of RWCU Flow-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The RWCU Flow-High Allowable Value ensures that a break of the RWCU piping is detected. This Function isolates the inboard and outboard RWCU pump suction penetration and the outboard valve at the RWCIJ connection to reactor feedwater. 5.b. Standby Liguid Control (SLC) System Initiation The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron solution by the RWCU System (Ref. 5). SLC System initiation signals are initiated from the remote SLC System start switch. There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch. Two channels of the SLC System Initiation Function are available and are required to be OPERABLE only in MODES 1 and 2, since these are the only MODES where the reactor can be critical, and these MODES are consistent with the Applicability for the SLC System (LCO 3.1.7). This Function isolates the inboard and outboard RWCU pump suction penetration and the outboard valve at the RWCIJ connection to reactor feedwater. 5.c. Reactor Vessel Water Level- Low (Level 3) Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 3 supports actions to ensure that the fuel {continued) PBAPS UNIT 3 B 3.3-157 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE S.c. Reactor Vessel Water Level -Low (Level 3) (continued) SAFETY ANALYSES, LCO. and peak cladding temperature remains below the limits of APPLICABILITY 10 CFR 50.46. The Reactor Vessel Water Level -Low (Level 3) Function associated with RWCU isolation is not directly assumed in the UFSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting). Reactor Vessel Water Level -Low (Level 3) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Reactor Vessel Water Level - Low (Level 3) Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low (Level 3) Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened. This Function isolates the inboard and outboard RWCU suction penetration and the outboard valve at the RWCU connection to reactor feedwater. Shutdown Cooling System Isolation 6.a. Reactor Pressure-High The Reactor Pressure-High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This Function is provided only for equipment protection to prevent an intersystem LOCA scenario, ard credit for the Function is not assumed in the accident. or transient analysis in the UFSAR. The Reactor Pressure-High signals are initiated from two switches that are connected to different taps on the FPV. Two channels of Reactor Pressure- High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in 1continued) PBAF'S UNIT 3 B 3.3-158 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.a. Reactor Pressure -High (continued) SAFETY ANALYSES, LCO:, and MODES 1, 2, and 3, since these are the only MODES in which APPLICABILITY the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization. This Function isolates both RHR shutdown cooling pump suction valves. 6.b. Reactor Vessel Water Level- Low (Level 3) Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level -Low (Level 3) Function associated with RHR Shutdown Cooling System isolation is not directly assumed in sa.fety analyses because a break of the RHR Shutdown Cooling system is bounded by breaks of the recirculation and MSL. The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel drairidown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System. Reactor Vessel Water Level- Low (Level 3) signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level -Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. As noted (footnote (a) to Table 3.3.6.1-1), only one channel per trip system (with an isolation signal available to one shutdown cooling pump suction isolation valve) of the Reactor Vessel Water Level -Low (Level 3) Function are required to be OPERABLE in MODES 4 and 5, provided the RHR Shutdown Cooling System integrity is maintained. System integrity is maintained provided the piping is intact and no maintenance is being performed that has the potential for draining the reactor vessel through the system. (continued) PBAPS UNIT 3 B 3.3-159 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.b. Reactor Vessel Water Level -Low (Level 3) {continued) SAFETY ANALYSES, LCO, and The Reactor Vessel Water Level - Low (Level 3) Allowable APPLICABILITY Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low (Level 3) Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened. The Reactor Vessel Water Level-Low {Level 3) Function is only required to be OPERABLE in MODES 3, 4, and 5 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel. In MODES 1 and 2, another isolation (i.e., Reactor Pressure-High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path. This Function isolates both RHR shutdown cooling pump suction valves. Feedwater Recirculation Isolation 7.a. Reactor Pressure -High The Reactor Pressure-High Function is provided to isolate the feedwater recirculation line. This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in *the UFSAR. The Reactor Pressure-High signals are initiated from four transmitters that are connected to different taps on the RPV. Four channels of Reactor Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization. This Function isolates the feedwater recirculation valves. (continued) PBAPS UNIT 3 B 3.3-160 Revisiun No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES (continued) ACTIONS A Note has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels;. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel. A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Functions 1.d, 2.a, and 2.b and 24 hours for Function; other than Functions 1.d, 2.a, and 2.b has been shown to be acceptable (Refs. 6 and 7) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken. (continued) PBAPS UNIT 3 B 3.3-161 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS B.1 (c~ontinued) Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant isolation capability being lost for the associated penetration flow path(s). For those MSL, Primary Containment, HPCI, RCIC, RWCU, SDC, and Feedwater Recirculation Isolation Functions, where actuation of both trip systems is needed to isolate a penetration, the Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip (or the associated trip system in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For those Primary Containment, HPCI, RCIC, RWCU, and SDC isolation functions, where actuation of one trip system is needed to isolate a penetration, the Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will. generate a trip signal from the given function on a valid signal. This ensures that at least one of the PCIVs in the associated penetration flow path can receive an isolation signal from the given Function. For all Functions except 1.c, 1.e, 2.c, 3.a, 3.b, 3.e, 4.a, 4.b, 4.e, 5.a, 5.b, and 6.a, this would require both trip systems to have one channel OPERABLE or in trip. For Function 1.c, this would require both trip systems. to have one channel, associated with each MSL, OPERABLE or in trip. For Functions 1.e, 3.e and 4.e, each Function consists of channels that monitor several locations within a given area (e.g., different locations within the main steam tunnel area). Therefore, this would require both trip systems to have one channel per location OPERABLE or in trip. For Functions 2.c, 3.a, 3.b, 4.a, 4.b, 5.a, and 6.a, this would require one trip system to have one channel OPERABLE or in trip. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes - risk while allowing time for restoration or tripping of channels. (continued) PBAS UNIT 3 B 3.3-162 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.,6.1 BASES ACTIONS B.1 (continued) Entry into Condition B and Required Action B.1 may be necessary to avoid an MSL isolation transient resulting from a temporary loss of ventilation in the main steam line tunnel area. As allowed by LCO 3.0.2 (and discussed in the Bases of LCO 3.0.2), the plant may intentionally enter this Condition to avoid an MSL isolation transient following the loss of ventilation flow, and then raise the setpoints for the Main Steam Tunnel Temperature-High Function to 2500 F causing all channels of Main Steam Tunnel Temperature-High Function to be inoperable. However, during the period that multiple Main Steam Tunnel Temperature-High Function channels are inoperable due to this intentional action, an additional compensatory measure is deemed necessary and shall be taken: an operator shall observe control room indications of the duct temperature so the main steam line isolation valves may be promptly closed in the event of a rapid increase in MSL tunnel temperature indicative of a steam line break. Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change es the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition. D.1. D.2.1. and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant irust be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action 0.1), {contin ed) PBAPS UNIT 3 B 3.3-163 Revision ND. 46
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS D.1. D.2.1. and D.2.2 (continued) and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel. The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. E.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems. F.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels. Alternately, if it is not desired to isolate the affected penetration flow path(s) {e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition G must be entered and its Required Actions taken. The 1 hour Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s). (continued) PBAPS UNIT 3 B 3.3-164 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS G.1 and G.2 (continued) If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or the Required Action of Condition F is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated SLC subsystem(s) is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystems inoperable or isolating the RWCU System. The 1 hour Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System. 1.1 and 1.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdorn cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so the penetration flow path can be isolated). Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated. (continued) PBAPS UNIT 3 B 3.3-165 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES (continued) SURVEILLANCE As noted at the beginning of the SRs, the SRs for each REQUIREMENTS Primary Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated. Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 6 and 7) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary. SR 3.3.6.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or cf something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. (continued) PBAP'S UNIT 3 B 3.3-166 Revision No. 3
Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The 92 day Frequency of SR 3.3.6.1.2 is based on the reliability analysis described in Reference 7. SR 3.3.6.1.3. SR 3.3.6.1.4. SR 3.3.6.1.5. and SR 3.3.6.1.6 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current setpoint methodology. SR 3.3.6.1.6, however, is only a calibration of the radiation detectors using a standard radiation source. As noted for SR 3.3.6.1.3, the main steam line radiation detectors (Function 1.d) are excluded from CHANNEL CALIBRATION due to ALARA reasons (when the plant is operating, the radiation detectors are generally in a high radiation area; the steam tunnel). This exclusion is acceptable because the radiation detectors are passive devices, with minimal drift. The radiation detectors are calibrated in accordance with SR 3.3.6.1.6 on a 24 month Frequency. The 92 day Frequency of SR 3.3.6.1.3 is conservative with respect to the magnitude of equipment drift assumed in the setpoint analysis. The Frequency of SR 3.3.6.1.4 is based on the assumption of an 18 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. The Frequencies of SR 3.3.6.1.5 and SR 3.3.6.1.6 are based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. (coniai nued) PBAIS UNIT 3 B 3.3-167 Revision No. 22
Primary Containment Isolation Instrumertation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.7 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a speciific channel. The system functional testing performed on F'CIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Section 7.3.
- 2. NRC Safety Evaluation Report for Amendment Numbers 156 and 158 to Facility Operating License Numbers DPIU-44 and DPR-56, Peach Bottom Atomic Power Station, Unit Nos. 2 and 3, September 7, 1990.
- 3. UFSAR, Chapter 14.
- 4. NEDO-31466, "Technical Specification Screening Criteria Application and Risk Assessment,"
November 1987.
- 5. UFSAR, Section 4.9.3.
- 6. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation,"
July 1990.
- 7. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.
PBAPS UNIT 3 B 3.3-168 Revision No. 3
Secondary Containment Isolation Instrumentation B 3.3.6.2 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation BASIES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation and establishment of vacuum with the SGT System within the required time limits ensures that fission products that leak from primary containment following a DBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits. The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by. monitoring a wide range of independent parameters. The input parameters to the isolation logic are (1) reactor vessel water level, (2) drywell pressure, (3) reactor building ventilation exhaust high radiation, and (4)refueling floor ventilation exhaust high radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation. The outputs of the channels are arranged in a one-out--of-two taken twice logic. Automatic isolation valves (dampers) isolate and SGT subsystems start when both trip systerms are in trip. Operation of both trip systems is required t;o isolate the secondary containment and provide for the necessary filtration of fission products. (continued) PBAP'S UNIT 3 B 3.3-169 Revision No. 3
Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES (continued) APPLICABLE The isolation signals generated by the secondary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the LCO, and safety analyses of References 1 and 2 to initiate closure APPLICABILITY of valves and start the SGT System to limit offsite doses. Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," Applicable Safety Analyses Bases for more detail of the safety analyses. The secondary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion. The OPERABILITY of the secondary containment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. A channel is inoperable if its actual trip setting is not within its required Allowable Value. Allowable Values are specified for each Function specified in the Table. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic or design limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents. The Allowable Values are derived from the analytic or design limits, corrected for calibration, process, and instrument errors. The trip setpoints are then determined from analytical or design limits, corrected for calibration, process, and instrument (continued) PBAPS UNIT 3 B 3.3-17.0 Revision No. 3
Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE errors, as well as, instrument drift. In selected cases, SAFETY ANALYSES, the Allowable Values and trip setpoints are determined by LCO., and engineering judgement or historically accepted practice APPLICABILITY relative to the intended function of the channel. The (continued) trip setpoints determined in this manner provide adequate protection by assuring instrument and process uncertainties expected for the environments during the operating tine of the associated channels are accounted for. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SCIVs and the SGT System are required. The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.
- 1. Reactor Vessel Water Level- Low (Level 3)
Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level -Low (Level 3) Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation systems on Reactor Vessel Water Level -Low (Level 3) support actions to ensure that any offsite releases are within the limits calculated in the safety analysis. Reactor Vessel Water Level -Low (Level 3) signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -Low (Level 3) Function are available and are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude the isolation function. _conlinued) PBAPS UNIT 3 B 3.3-171 Revision No. 3
Secondary Containment Isolation Instrument~ation B 3.3.6.2 BASES APPLICABLE 1. Reactor Vessel Water Level- Low (Level 3) (continued) SAFETY ANALYSES, LCO, and The Reactor Vessel Water Level - Low (Level 3) Allowable APPLICABILITY Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves and SGT System start are not critical to orderly plant shutdown. The Reactor Vessel Water Level - Low (Level 3) Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required. In addition, the Function is also required to be OPERABLE during operations with a potential for draining the reactor vessel (OPDRVs) because the capability of isolating potential sources of leakage must be provided to ensure that offsite dose limits are not exceeded if core damage occurs.
- 2. Drywell Pressure -High High-drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. The Drywell Pressure -High Function associated with isolation is not assumed in any UFSAR accident or transient analyses but will provide an isolation and initiation signal. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.
_-continued) PBAPS UNIT 3 B 3.3-172 Revision No. 3
Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 2. Drywell Pressure-High (continued) SAFETY ANALYSES, LCO,, and High drywell pressure signals are initiated from pressure APPLICABILITY transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function. The Allowable Value was chosen to be the same as the ECCS Drywell Pressure-High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA). The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES. 3.. 4. Reactor Building Ventilation and Refueling Floor Ventilation Exhaust Radiation-High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB or during refueling due to a fuel handling accident. When Ventilation Exhaust Radiation-High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the UFSAR safety analyses (Ref. 4). The Ventilation Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust piping coming from the reactor bujilding and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor Whose trip outputs are assigned to an isolation channel. Four tconl:inued) PBAP'S UNIT 3 B 3.3-173 Revision No. 3
Secondary Containment Isolation Instrumeritation B S..3.6.2 BASES APPLICABLE 3. 4. Reactor Building Ventilation and Refueling Floor SAFETY ANALYSES, Ventilation Exhaust Radiation-High (continued) LCO, and APPLICABILITY channels of Reactor Building Ventilation Exhaust Radiation-High Function and four channels of Refueling Floor Ventilation Exhaust Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to promptly detect gross failure of the fuel cladding. The Reactor Building Ventilation and Refueling Floor Ventilation Exhaust Radiation-High Functions are required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steato and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, these Functions are not required. In addition, the Functions are also required to be OPERABLE during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (due to fuel uncovery or dropped fuel assemblies) must be provided to ensure that offsite dose limits are not exceeded. ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel. (continued) PBAPS UNIT 3 B 3.3-174 Revision No. 3
Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACT]ONS A.1 (continued) Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Functions 1 and 2, and 24 hours for Functions other than Functions 1 and 2, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered a.nd its Required Actions taken. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of isolation capability for the associated penetration flow path(s) or a complete loss of automatic initiation capability for the SGT System. A Function is considered to be maintaining secondary containment isolation capabiliity when sufficient channels are OPERABLE or in trip, such that both trip systems will generate a trip signal from the given Function on a valid signal. This ensures that at least one of the two SCIVs in the associated penetration flow path and at least one SGT subsystem can be initiated on an isolation signal from the given Function. For Functions 1, 2, 3, and 4, this would require both trip systems to have one channel OPERABLE or in trip. (continued) PBAPS UNIT 3 B 3.3-175 Revision No. 3
Secondary Containment Isolation Instrumentation B 1.3.6.2 BAS ES SURVEILLANCE The Surveillances are modified by a Note to indicate that REqUIREMENTS when a channel is placed in an inoperable status solely for (continued) performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains secondary containment isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption that of the average time required to perform channel surveillance. That analysis demonstrated the 6 hour testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary. SR 3.3.6.2.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO. {continued) PBAPS UNIT 3 B 3.3-177 Revision No. 3
Secondary Containment Isolation Instrumentation B .3.36.2 BASES SURVEILLANCE SR 3.3.6.2.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days for SR 3.3.6.2.2 is based on the reliability analysis of References 5 and 6. SR 3.3.6.2.3 and SR 3.3.6.2.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the current plant specific setpoint methodology. The Frequencies of SR 3.3.6.2.3 and SR 3.3.6.2.4 are based on the assumption of the magnitude of equipment drift in the setpoint analysis. SR 3.3.6.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function. While this Surveillance can be performed with the reactor at power for some of the Functions, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint. (continued) PBAPS UNIT 3 B 3.3-178 Revision No. 3
Secondary Containment Isolation Instrumentation B 3.3.6.2 BAS1ES ACTIONS B.1 (continued) The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. C.I.I. C.1.2. C.2.1. and C.2.2 If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function. Isolating the associated secondary containment penetration flow path(s) and starting the associated SGT subsystem (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operation to continue. Alternately, declaring the associated SCIVs or SGT subsystem(s) inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components. One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each REQUIREMENTS Secondary Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1. _continued) PBAPS UNIT 3 B 3.3-176 Revision No. 3
Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES (continued) REFERENCES 1. UFSAR, Section 14.6.
- 2. UFSAR, Chapter 14.
- 3. UFSAR, Section 14.6.5.
- 4. UFSAR, Sections 14.6.3 and 14.6.4.
- 5. NEDC-31677P-A, 'Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation,"
July 1990.
- 6. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1S89.
PBAPS UNIT 3 B 3.3-179 Revision No. 3
MCREV System Instrumentation B 3.3.7.1 B 3.3 INSTRUMENTATION B 3.3.7.1 Main Control Room Emergency Ventilation (MCREV) System Instrumentation BASES BACKGROUND The MCREV System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent MCREV subsystems are each capable of fulfilling the stated safety function. The instrumentation and controls for the MCREV System automatically initiate action to pressurize the main control room (MCR) to minimize the consequences of radioactive material in the control room environment. In the event of a Control Room Air Intake Radiation-FHigh signal, the MCREV System is automatically started in the pressurization mode. The outside air from the normal ventilation intake is then passed through one of the charcoal filter subsystems. Sufficient outside air is drawn in through the normal ventilation intake to maintain the MCR slightly pressurized with respect to the turbine building. The MCREV System instrumentation has two trip systems with two Control Room Air Intake Radiation-High channels in each trip system. The outputs of the Control Room Air Intake Radiation-High channels are arranged in two trip systems, which use a one-out-of-two logic. The tripping of both trip. systems will initiate both MCREV subsystems. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channeil output relay actuates, which then outputs a MCREV System initiation signal to the initiation logic. APPLICABLE The ability of the MCREV System to maintain the habitability SAFETY ANALYSES, of the MCR is explicitly assumed for certain accidents as LCO, and discussed in the UFSAR safety analyses (Refs. 1, 2, and 3). APPLICABILITY MCREV System operation ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed acceptable limits.
-contijnued)
PBAPS UNIT 3 B 3.3-180 Revision No. 3
MCREV System Instrumentation B 3.3.7.1 BASES APPLICABLE MCREV System instrumentation satisfies Criterion 3 of the SAFETY ANALYSES, NRC Policy Statement. LCO, and APPLICABILITY The OPERABILITY of the MCREV System instrumentation is (Continued) dependent upon the OPERABILITY of the Control Room Air Intake Radiation-High instrumentation channel Function. The Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setting is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Allowable Values are specified for the MCREV System Control Room Air Intake Radiation-High Function. Trip setpoints are specified in the setpoint calculations. The trip setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., control room air intake radiation), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic liruits, corrected for calibration, process, and instrument errors. The trip setpoints are determined from analytical or design limits, corrected for calibration, process, and instrument errors, as well as, instrument drift. The trip setpoints derived in this manner provide adequate protection by ensuring instrument and process uncertainties expected for the environments during the operating time of the associated channels are accounted for. The control room air intake radiation monitors measure radiation levels in the fresh air supply plenum. A high radiation level may pose a threat to MCR personnel; thus, automatically initiating the MCREV System. ncontinued) PBAPS UNIT 3 B 3.3-181 Revision No. 3
MCREV System Instrumentation B 3.3.7.1 BASES APPI;ICABLE The Control Room Air Intake Radiation-High Function SAFETY ANALYSES, consists of four independent monitors. Two channels of LCO, and Control Room Air Intake Radiation-High per trip system are APPLICABILITY available and are required to be OPERABLE to ensure that no (continued) single instrument failure can preclude MCREV System initiation. The Allowable Value was selected to ensure protection of the control room personnel. The Control Room Air Intake Radiation-High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, to ensure tha4t control room personnel are protected during a LOCA, fiel handling event, or vessel draindown event. During MODES 4 and 5, when these specified conditions are not in prociress (e.g., CORE ALTERATIONS), the probability of a LOCA oi fuel damage is low; thus, the Function is not required. ACTIONS A Note has been provided to modify the ACTIONS related to MCREV System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for. inoperable MCREV System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable MCREV System instrumentation channel. A.1 and A.2 Because of the redundancy of sensors available to provide initiation signals and the redundancy of the MCREV Sy;tem design, an allowable out of service time of 6 hours has been shown to be acceptable (Ref. 4), to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the Control Room Air Intake Radiation -High Function is still maintaining MCREV System initiation capability. The Function is considered to be maintaining MCREV System _continued) PBAPS UNIT 3 B 3.3-182 Revision No. 3
MCREV System Instrumentation B 3.3.7.1 BASIES ACTIONS A.1 and A.2 (continued) initiation capability when sufficient channels are OPERABLE or in trip such that the two.trip systems will generate an initiation signal from the given Function on a valid signal. For the Control Room Air Intake Radiation -High Function, this would require the two trip systems to have one channel per trip system OPERABLE or in trip. In this situation (loss of MCREV System initiation capability), the 6 hour allowance of Required Action A.2 is not appropriate. If the Function is not maintaining MCREV System initiation capability, the MCREV System must be declared inoperable within 1 hour of discovery of the loss of MCREV System initiation capability in both trip systems. The 1 hour Completion Time (A.1) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels. If the inoperable channel cannot be restored to OPERAEBLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result ir an initiation), Condition B must be entered and its Required Action taken. B.1 and B.2 With any Required Action and associated Completion Time not met, the associated MCREV subsystem(s) must be placed in operation per Required Action B.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident. The method used to place the MCREV subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the MCREV subsystem(s). Alternately, if it is not desired to start the subsystem(s), the MCREV subsystem(s) associated with inoperable, untripped (continued) PBAPS UNIT 3 B 3.3-183 Revision No. 3
MCREV System Instrumentation B 3.3.7.1 BASES ACTIONS B.1 and B.2 (continued) channels must be declared inoperable within 1 hour. Since each trip system can affect both MCREV subsystems, Required Actions B.1 and B.2 can be performed independently on each MCREV subsystem. That is, one MCREV subsystem can be placed in operation (Required Action B.1) while the other MCREV subsystem can be declared inoperable (Required Action 13.2). The 1 hour Completion Time is intended to allow the operator time to place the MCREV subsystem(s) in operation. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for placing the associated MCREV subsystem(s) in operation, or for entering the applicable Conditions and Required Actions for the inoperable MCREV subsystem(s). SURVEILLANCE The Surveillances are modified by a Note to indicate that REQUIREMENTS when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains MCREV System initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that thepM6EWiSi+/-tem will initiate when necessary. SR 3.3.7.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect (continued) PBAP'S UNIT 3 B 3.3-184 Revision No. 3
MCREV System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.1 (continued) REQUIREMENTS gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO. SR 3.3.7.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 92 days is based on the reliability analyses of Reference 4. SR 3.3.7.1.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the plant specific setpoint methodology. The Frequency is based upon the assumption of an 18 month calibration interval in the determination of the magnitude of the equipment drift in the setpoint analysis. (continued) PBAPS UNIT 3 B 3.3-185 Revision No. 3
MCREV System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.4, Main Control Room Emergency Ventilation (MCREV) System," overlaps this Surveillance to provide complete testing of the assumed safety function. While this Surveillance can be performed with the reactor at power, operating experience has shown these components will pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was found to be acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Section 10.13.
- 2. UFSAR, Section 12.3.4.
- 3. UFSAR, Section 14.9.1.5.
- 4. GENE-770-06-1, 'Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications,"
February 1991. PBAP'S UNIT 3 B 3.3-186 Revision No. 3
LOP Instrumentation B .3.3.8.1 If B 3.3 INSTRUMENTATION B 3.3.8.1 Loss of Power (LOP) Instrumentation BASES m - BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the I availability of adequate power for energizing various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation I monitors the 4 kV emergency buses voltage. Offsite power is the preferred source of power for the 4 kV emergency buses. If the LOP instrumentation detects that voltage levels are I too low, the buses are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources. Each Unit 3 4 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for each bus is monitored at five levels, which can be considered as two different undervoltage Functions: one level of loss of voltage and four levels of degraded voltage. The Functions cause various bus transfers and disconnects. The degraded voltage Function is monitored by four undervoltage relays per source and the loss of voltage Function is monitored by one undervoltage relay for each emergency bus. The degraded voltage outputs and the loss of voltage outputs are arranged in a one-out-of-one trip logic configuration. Each channel consists of four protective relays that compare offsite source voltages with pre-established setpoints. When the sensed voltage is below the setpoint for a degraded voltage channel, the preferred offsite source breaker to the 4 kV emergency bus is tripped and autotransfer to the alternate offsite source is initiated. If the alternate source does not provide adequate voltage to the bus as sensed by its degraded arid I relays, a diesel generator start signal is initiated. A description of the Unit 2 LOP instrumentation is provided in the Bases for Unit 2 LCO 3.3.8.1. (continued) PBAP'i UNIT 3 B 3.3-187 Revision Ho. 5
LOP Instrumentation B t.3.8.1 BASES (continued) APPLICABLE The LOP instrumentation is required for Engineered Safety SAFETY ANALYSES, Features to function in any accident with a loss of offsite LCO, and power. The required channels of LOP instrumentation ensure APPLICABILITY that the ECCS and other assumed systems powered from the DGs, provide plant protection in the event of any of the Reference 1 (UFSAR) analyzed accidents in which a loss of offsite power is assumed. The first level is loss of voltage. This loss of voltage level detects and disconnects the Class IE buses from the offsite power source upon a total loss of voltage. The second level of undervoltage protection is provided by the four levels of degraded grid voltage relays which are set to detect a sustained low voltage condition. These degraded grid relays disconnect the Class IE buses from the offsite power source if the degraded voltage condition exists for a time interval which could prevent the Class lE equipment from achieving its safety function. The degraded grid relays also prevent the Class lE equipment from sustaining damage from prolonged operation at reduced voltage. The combination of the loss of voltage relaying and the degraded grid relaying provides protection to the Class IE distribution system for all credible conditions of voltage collapse or sustained voltage degradation. The initiation of the DGs on loss of off~site power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident. The diesel starting and loading times have been included-in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The LOP instrumentation satisfies Criterion 3 of the A1RC Policy Statement. The OPERABILITY of the LOP instrumentation is dependent upon the OPERABILITY of the individual instrumentation relay channel Functions specified in Table 3.3.8.1-1. Each Function must have a required number of OPERABLE channels per 4 kV emergency bus, with their setpoints within the specified Allowable Values except the bus undervoltage relay which does not have an Allowable Value. A degraded voltage channel is inoperable if its actual trip setpoint is riot within its required Allowable Value. Setpoints are calibrated consistent with the Improved Instrument Setpoint Control Program (IISCP) methodology assumptions. (Note: Table 3.3.8.1-1 contains a note that prior to the implementation of modification 96-01511, the relay voltage and timer trip setpoint Allowable Vaulues for the indicated (continued) PBAPS UNIT 3 B 3.3-188 Revision No. 32
LOP Instrumentation B 3.3.8.1 BASES APPLICABLE functions remain at the reviously approved values on a SAFETY ANALYSES, relay by relay basis.) he loss of voltage channel is LCO, and inoperable if it will not start the diesel on a loss of APPLICABILITY power to a 4 kV emergency bus.
~continued) The Allowable Values are specified for each applicable Function in the Table 3.3.8.1-1. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint within the Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., voltage), and when the measured output value of the process parameter exceeds the setpoint, the protective relay output chan es state. The Allowable Values were set equal to the limiting values determined by the voltage regulation calculation. The setpoints were corrected using IISCP methodology to account for relay drift, relay accuracy, potential transformer accuracy, measuring and test equipment accuracy margin, and includes a calibration leave alone zone. IISCP methodology utilizes the square root of the sum of the squares to combine random non-directional accuracy values. IISCP then includes relay drift, calibration leave alone zones, and margins. (Note: Table 3.3.8.1-1 contains a note that prior to the implementation of modification 96-01511, the relay voltage and timer trip setpoint Allowable Values for the indicated functions remain at the previously approved values on a relay by relay basis.) The setpoint assumes a nominal 35/1 potential transformer ratio.
The specific Applicable Safety Analyses, LCO, and Applicability discussions for Unit 3 LOP instrumentation are listed below on a Function by Function basis. In addition, since some equipment raquired by Unit 3 is powered from Unit 2 sources, the Unit 2 LOP instrumentation supporting the required sources must also be OPERABLE. The OPERABILITY requirements for the Unit 2 LOP instrumentation is the same as described in this section, except Function 4 (4 kV Emergency Bus Undervoltage, Degraded Voltage LOCA) is not required to be OPERABLE, since this Function is related to a LOCA on Unit 2 only. The Unit 2 instrumentation is listed in Unit 2 Table 3.3.8.1-1.
- 1. 4 kV Emergencv Bus Undervoltage (Loss of Voltage)
When both offsite sources are lost, a loss of voltage condition on a 4 kV emergency bus indicates that the respective emergency bus is unable to supply sufficient power for proper operation of the applicable equipment. herefore, the power supply to the bus is transferred from offsite power to DG power. This ensures that adequate power will be available to the required equipment. _ (continued) PBAP'S UNIT 3 B 3.3-189 Revision No. 32
LOP Instrumentation B 3.3.8.1 BASES APPLICABLE 1. 4 kV Emergency Bus Undervoltage (Loss of Voltaae) SAFETY ANALYSIS, (continued) LCO, and APPLICABILITY The single channel of 4 kV Emergency Bus Undervoltage (Loss of Voltage) Function per associated emergency bus is only required to be OPERABLE when the associated DG and offsite circuit are required to be OPERABLE. This ensures no single instrument failure can preclude the start of three of four DGs. (One channel inputs to each of the four DGs.) Refer to LCO 3.8.1, "AC Sources-Operating," and 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs. 2., 3.. 4.. 5. 4 kV Emergency Bus Undervoltage (Degraded Voltage) A degraded voltage condition on a 4 kV emergency bus indicates that, while offsite power may not be completely lost to the respective emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function. Therefore, power to the bus is transferred from offsite power to onsite DG power when there is insufficient offsite power to the bus. This transfer will occur only if the voltage of the preferred and alternate power sources drop below the Degraded Voltage Function Allowable Values (degraded voltage with a time delay) and the source breakers trip which causes the bus undervoltage relay to initiate the DG. This ensures that adequate power will be available to the required equipment. Four Functions are provided to monitor degraded voltage at four different levels. These Functions are the Degraded Voltage Non-LOCA, Degraded Voltage LOCA, Degraded Voltage High Setting, and Degraded Voltage Low Setting. These relays monitor the following voltage levels with the following time delays: the function 2 relay, 2286 - 2706 volts in approximately 2 seconds when source voltage is reduced abruptly to zero volts (inverse time delay); the Function 3 relay, 3409 - 3829 volts in approximately 30 seconds when source voltage is reduced abruptly to 2940 volts (inverse time delay); the Function 4 relay, 3766 - 3836 volts in approximately 10 seconds; and the Function 5 relay, 4116 - 4186 volts in approximately 60 seconds. (Note: Table 3.3.8.1-1 contains a note that prior to the implementation of modification 96-01511, the relay voltage and timer trip setpoint Allowable Values for the indicated functions remain at the previously approved values on a relay by relay basis.) The Function 2 and 3 relays are inverse time delay relays. These relays operate along a repeatable characteristic curve. With relay operation being inverse with time, for (continued) PBAPS UNIT 3 B 3.3-190 Revision No. 32
LOP Instrumentation B 3.3.8.1 BASES APPLICABLE 2.. 3.. 4.. 5. 4 kV Emergency Bus Undervoltaae (Degraded SAFETY ANALYSES, Voltage) (continued) LCO, and APPLICABILITY an abrupt reduction in voltage the relay operating time will be short; conversely, for a slight reduction in voltage, the operating time delay will be long. The Degraded Voltage LOCA Function preserves the assumptions of the LOCA analysis and the combined Functions of the other relays preserves the assumptions of the accident sequence analysis in the UFSAR. The Degraded Voltage Non-LOCA Function provides assurance that equipment powered froni the 4kV emergency buses is not damaged by degraded voltage that might occur under other than LOCA conditions. This degraded grid non-LOCA relay has an associated 60 second timer. This timer allows for offsite source transformer load tap changer operation. Degraded voltage conditions can be mitigated by tap changer operations and other manual actions. The 6O second timer provides the time for these actions to take place. The degraded grid voltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment. Two channels (one channel per source) of 4 kV Emergency Bus Degraded Voltage (Functions 2, 3, 4, and 5) per associated bus are required to be OPERABLE when the associated DG and offsite circuit are required to be OPERABLE. This ensures no single instrument failure can preclude the start of three of four DGs (each logic inputs to each of the four DGs). Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs. ACTIONS A Note has been provided (Note 1) to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial (continued) PBAPS UNIT 3 B 3.3-191 Revision lo. 5
LOP Instrumentation B 3.3.8.1 BASES ACTIONS entry into the Condition. However, the Required Actions for (continued) inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel. LL Pursuant to LCO 3.0.6, the AC Sources-Operating ACTIONS would not have to be entered even if the LOP instrumentation inoperability resulted in an inoperable offsite circuit. Therefore, the Required Action of Condition A is modified by a Note to indicate that when performance of a Required Action results in the inoperability of an offsite circuit, Actions for LCO 3.8.1, "AC Sources-Operating," must be immediately entered. A Unit 3 offsite circuit is considered to be inoperable if it is not supplying or not capable of supplying (due to loss of autotransfer capability) at least three Unit 3 4 kV emergency buses when the other offsite circuit is providing power or capable of supplying power to all four Unit 3 4 kV emergency buses. A Unit 3 offsite circuit is also considered to be inoperable if the Unit 3 4 kV emergency buses being powered or capable of being powered from the two offsite circuits are all the same when at least one of the two circuits does not provide power or is not capable of supplying power to all four Unit 3 4 kV emergency buses. Inoperability of a Unit 2 offsite circuit is the same as described for a Unit 3 offsite circuit, except that the circuit path is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.7, "Distribution Systems - Operating." The Note allows Condition A to provide requirements for the loss of a LOP instrumentation channel without regard to whether an offsite circuit is rendered inoperable. LCO 3.8.1 provides appropriate restriction for an inoperable offsite circuit. Required Action A.1 is applicable when one 4 kV emergency bus has one or two required Function 3 (Degraded Voltage High Setting) channels inoperable or when one 4 kV emergency bus has one or two required Function 5 (Degraded Voltage Non-LOCA) channels inoperable. In this Condition, the affected Function may not be capable of performing its intended function automatically for these buses. However, the operators would still receive indication in the control room of a degraded voltage condition on the unaffected buses and a manual transfer of the affected bus power supply to _continued) PBAPS UNIT 3 B 3.3-192 Revision No. 5
- LOP Instrumentation B 3.3.8.1 BASES ACTIONS A.1 (continued) the alternate source could be made without damaging plant equipment. Therefore, Required Action A.1 allows 14 days to restore the inoperable channel(s) to OPERABLE status or-place the inoperable channel(s) in trip. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore design trip capability to the LOP instrumentation, and allow operation to continue.
Alternatively, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in DG initiation), Condition D must be entered and its Required Action taken. The 14 day Completion Time is intended to allow time to restore the channel(s) to OPERABLE status. The Completion Time takes into consideration the diversity of the Degraded Voltage Functions, the capabilities of the remaining OPERABLE LOP Instrumentation Functions on the affected 4 kV emergency bus and on the other 4 kV emergency buses (only one 4 kV emergency bus is affected by the inoperable channels), the fact that the Degraded Voltage High Setting and Degraded Voltage Non-LOCA Functions provide only a marginal increase in the protection provided by the voltage monitoring scheme, the low probability of the grid operating in the voltage band protected by these Functions, and the ability of the operators to perform the Functions manually. Pursuant to LCO 3.0.6, the AC Sources-Operating ACTIONS would not have to be entered even if the LOP instrumentation inoperability resulted in an inoperable offsite circuit;. Therefore, the Required Action of Condition B is modified by a Note to indicate that when performance of a Required Action results in the inoperability of an offsite circuit, Actions for LCO 3.8.1, "AC Sources-Operating,' must be immediately entered. A Unit 3 offsite circuit is considered to be inoperable if it is not supplying or not capable of supplying (due to loss of autotransfer capability) at least three Unit 3 4 kV emergency buses when the other offsite circuit is providing power or capable of supplying power to all four Unit 3 4 kV emergency buses. A Unit 3 offsito circuit is also considered to be inoperable if the Unilt 3 4 kV emergency buses being powered or capable of being powered from the two offsite circuits are all the same when at least one of the two circuits does not provide power or (continued) PBAPS UNIT 3 B 3.3-193 Revision No. 5
LOP Instrumentation B 3.3.8.1 BASES ACTIONS B.1 (continued) is not capable of supplying power to all four Unit 3 4 IkV emergency buses. Inoperability of a Unit 2 offsite circuit is the same as described for a Unit 3 offsite circuit, except that the circuit path is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.7, "Distribution Systems - Operating." This allows Condition B to provide requirements for the loss of a LOP instrumentation channel without regard to whether an offsite circuit is renderer inoperable. LCO 3.8.1 provides appropriate restriction for an inoperable offsite circuit. Required Action B.1 is applicable when two 4 kV emergency buses have one required Function 3 (Degraded Voltage High Setting) channel inoperable, or when two 4 kV emergency
.buses have one required Function 5 (Degraded Voltage Non-LOCA) channel inoperable, or when one 4 kV emergency bus has one required Function 3 channel inoperable and a different 4 kV emergency bus has one required Function 5 channel inoperable. In this Condition, the affected Function may not be capable of performing its intended function automatically for these buses. However, the operators would still receive indication in the control room of a degraded voltage condition on the unaffected buses and a manual transfer of the affected bus power supply to the alternate source could be made without damaging plant equipment.
Therefore, Required Action B.1 allows 24 hours to restore the inoperable channels to OPERABLE status or place the inoperable channels in trip. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore design trip capability to the LOP instrumentation, and allow operation to continue. Alternatively, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in DG initiation), Condition D must be entered and its Required Action taken. The 24 hour Completion Time is intended to allow time to restore the channel(s) to OPERABLE status. The Completion Time takes into consideration the diversity of the Degraded Voltage Functions, the capabilities of the remaining OPERABLE LOP Instrumentation Functions on the affected 4 kV emergency buses and on the other 4 kV emergency buses {only two 4 kV emergency buses are affected by the inoperable channels), the fact that the Degraded Voltage High Setting and Degraded Voltage Non-LOCA Functions provide only a (continued) PBAPS UNIT 3 B 3.3-194 Revision No. 5
LOP Instrumentation B 3.3.8.1 BASES ACTItlNS LI (continued) marginal increase in the protection provided by the voltage monitoring scheme, the low probability of the grid operating in the voltage band protected by these Functions, and the ability of the operators to perform the Functions manually. Pursuant to LCO 3.0.6, the AC Sources-Operating ACTIONS would not have to be entered even if the LOP Instrumentation inoperability resulted in an inoperable offsite circuit. Therefore, the Required Action of Condition C is modified by a Note to indicate that when performance of the Required Action results in the inoperability of an offsite circuit, Actions for LCO 3.8.1, "AC Sources-Operating," must be immediately entered. A Unit 3 offsite circuit is considered to be inoperable if it is not supplying or not capable of supplying (due to loss of autotransfer capability) at least three Unit 3 4 kV emergency buses when the other offsite circuit is providing power or capable of supplying power to all four Unit 3 4 kV emergency buses. A Unit 3 offsite circuit is also considered to be inoperable if the Unit 3 4 kV emergency buses being powered or capable of being powered from the two offsite circuits are all the same when at least one of the two circuits does not provide power or is not capable of supplying power to all four Unit 3 4 kV emergency buses. Inoperability of a Unit 2 offsite circuit is the same as described for a Unit 3 offsite circuit, except that the circuit path is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.7, "Distribution Systems - Operating." The Note allows Condition C to provide requirements for the loss of a LOP instrumentation channel without regard to whether an offsite circuit is rendered inoperable. LCO 3.8.1 provides appropriate restriction for an inoperable offsite circuit. Required Action C.1 is applicable when one or more 4 kW emergency buses have one or more required Function 1, 2, or 4 (the Loss of Voltage, the Degraded Voltage Low Setting, and the Degraded Voltage LOCA Functions, respectively) channels inoperable, or when one 4 kV emergency bus has; one required Function 3 (Degraded Voltage High Setting) channel and one required Function 5 (Degraded Voltage Non-LOCA) channel inoperable, or when any combination of three or more required Function 3 and Function 5 channels are inoperable. In this Condition, the affected Function may not be capable (continued) PBAP'; UNIT 3 B 3.3-195 Revision Nlo. 5
LOP Instrumentation B 3.3.8.1 BASES ACTIONS C.1 (continued) of performing the intended function and the potential consequences associated with the inoperable channel(s) are greater than those resulting from Condition A or Condition B. Therefore, only 1 hour is allowed to restore the inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action C.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore design trip capability to the LOP instrumentation, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in a DG initiation), Condition D must be entered and its Required Action taken. The Completion Time is based on the potential consequences associated with the inoperable channel(s) and is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. PA If any Required Action and associated Completion Time fire not met, the associated Function is not capable of performing the intended function. Therefore, the associated DG(s) is declared inoperable immediately. This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable DG(s). SURVI.ILLANCE As noted at the beginning of the SRs, the SRs for each REQUIREMENTS Unit 3 LOP instrumentation Function are located in the SRs column of Table 3.3.8.1-1. SR 3.3.8.1.5 is applicable only to the Unit 2 LOP instrumentation. The Surveillance are also modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 2 hours provided: (a) for Function 1, the associated Function maintains initiation capability for (continued) PBAPS UNIT 3 B 3.3-196 Revision No. 5
LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE REQUILREMENTS three DGs; and (b) for Functions 2, 3, 4, 5, the associated (continued) Function maintains undervoltage transfer capability for three 4 kV emergency buses. The loss of function for one DG or undervoltage transfer capability for the 4 kV emergency bus for this short period is appropriate since only three of four DGs are required to start within the required times and because there is no appreciable impact on risk. Also, upon completion of the Surveillance, or expiration of the 2 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. SR 3.3.8.1.1 and SR 3.3.8.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Frequency of 31 days is based on operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one degraded voltage channel of a given Function in any 31 day interval is a.rare event. The Frequency of 24 months is based on operating experience with regard to channel OPERABILITY and drift., which demonstrates that failure of the loss of voltage channel in any 24 month interval is a rare event. SR 3.3.8.1.2 A CHANNEL CALIBRATION is a complete check of the relay circuitry and associated time delay relays. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the assumptions of the current plant specific setpoint methodology. The 18 month Frequency for the degraded voltage Functions is based upon the assumption of the magnitude of equipment drift in the setpoint analysis. _continued) PBAP'; UNIT 3 8 3.3-197 Revision N1o. 5
LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE SR 3.3.8.1.4 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. SR 3.3.8.1.5 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.3.8.1.1 through SR 3.3.8.1.4) are applied only to the Unit 3 LOP instrumentation. This Surveillance is provided to direct that the..appropriate Surveillance for the required Unit 2 LOP instrumentation are governed by the Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy Unit 2 requirements, as well as satisfying this Unit 3 Surveillance Requirement. The Frequency required by the applicable Unit 2 SR also governs performance of that SR for Unit 3. REFERENCES 1. UFSAR, Chapter 14. PBAPS UNIT 3 B 3.3-198 Revision Lo. 5
RPS Electric Power Monitoring B 3.3.8.2 B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring BASES BACKGROUND RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency. This system protects; the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path of the essential safety circuits. Some of the essential equipment powered from the RPS buses includes the RPS logic and scram solenoids. RPS electric power monitoring assembly will detect any abnormal high or low voltage or low frequency condition in the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize. In the event of failure of an RPS Electric Power Monitoring System (e.g., both in series electric power monitoring i assemblies), the RPS loads may experience significant effects from-the unregulated power supply. Deviation from the nominal conditions can potentially cause damage to the scram solenoids and other Class lE devices. In the event of a low voltage condition, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action. In the event of an overvoltage condition, the RPS logic relays and scram solenoids may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function. Two redundant Class lE circuit breakers are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply if in service. Each of these circuit breakers has an associated independent set t LDII . I IIMA 5 PBA-PS UNIT 3 B 3.3-199 Revision No. 3
RPS Electric Power Monitoring B 3.3.8.2 BASES BACKGROUND of Class 1E overvoltage, undervoltage, underfrequency (continued) relays, time delay relays (MG sets only), and sensing logic. Together, a circuit breaker, its associated relays, and sensing logic constitute an electric power monitoring assembly. If the output of the MG set or alternate power supply exceeds predetermined limits of overvoltage, Fundervoltage, or underfrequency, a trip coil driven by this logic circuitry opens the circuit breaker, which removes the associated power supply from service. APPLICABLE The RPS electric power monitoring is necessary to meet. the SAFETY ANALYSES assumptions of the safety analyses by ensuring that the equipment powered from the RPS buses can perform its intended function. RPS electric power monitoring provides protection to the RPS components that receive power from the RPS buses, by acting to disconnect the RPS from the power supply under specified conditions that could damage the RPS equipment. RPS electric power monitoring satisfies Criterion 3 o1 the NRC Policy Statement. LCO The OPERABILITY of each RPS electric power monitoring assembly is dependent on the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the associated circuit breaker. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply. This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS components. Each inservice electric power monitoring assembly's trip logic setpoints are required to be within the specified Allowable Value. The actual setpoint i!; calibrated consistent with applicable setpoint methodology assumptions. Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.2). Trip setpoints are specified in design documents. The trip setpoints are selected based on engineering judgement and operational experience to ensure that the setpoints di) not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setting less conservative than the trip setpoint, but within its Allowable Value, is (continued) PBAPS UNIT 3 B 3.3-200 Revision No. 3
RPS Electric Power Monitoring B 3.3.8.2 BASES LCO acceptable. A channel is inoperable if its actual trip (continued) setting is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state. The overvoltage Allowable Values for the RPS electrical power monitoring assembly trip logic are derived from vendor specified voltage requirements. The underfrequency Allowable Values for the RPS electrical power monitoring assembly trip logic are based on tests performed at Peach Bottom which concluded that the lowest frequency which would be reached was 54.4 Hz in 7.5 to 11.0 seconds depending load. Bench tests were also performed on RPS components (HFA relays, scram contactors, and scram solenoid valves) under conditions more severe than those expected in the plant (53 Hz during 11.0 and 15.0 second intervals). Examination of these components concluded that the components functioned correctly under these conditions. The undervoltage Allowable Values for the RPS electrical power monitoring assembly trip logic were confirmed to be acceptable through testing. Testing has shown the scram pilot solenoid valves can be subjected to voltages below 95 volts with no degradation in their ability to-perform their safety function. It was concluded the RPS logic relays and scram contactors will not be adversely affected by voltage below 95 volts since these components will dropout under these voltage conditions thereby satisfying their safety function. APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS components from the MG set or alternate power supply during abnormal voltage or frequency conditions. Since the degradation of a nonclass 1E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABIFLITY of the RPS electric power monitoring assemblies is required when the RPS components are required to be OPERABLE. This results in the RPS Electric Power Monitoring System OPERABILITY being required in MODES 1 and 2; and in MDDES 3, 4, and 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. (continued) PBAPS UNIT 3 B 3.3-201 Revision No. 3
RPS Electric Power Monitoring B 3.3.8.2 BASES (continued) ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS components under degraded voltage or frequency conditions. However, the reliability and redundancy of the RPS Electric Power Monitoring System is reduced, and only a limited time (72 hours) is allowed to restore the inoperable assembly to OPERABLE status. If the inoperable assembly cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service (Required Action A.1). This places the RPS bus in a safe condition. An alternate power supply with OPERABLE powering monitoring assemblies may then be used to power the RPS bus. The 72 hour Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS electric power monitoring protection occurring during this period. It allows time for plant operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems. Alternately, if it is not desired to remove the power supply from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken. If both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service within 1 hour (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus. (continued) PBAPS UNIT 3 vB3.3-202 Revision No. 3
RPS Electric Power Monitoring B 3.3.8.2 BASES ACTIONS B1 (continued) The 1 hour Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies. Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken. C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 1 or 2, a plant shutdown must be performed. This places the plant in a condition where minimal equipment, powered through the inoperable RPS electric power monitoring assembly(s), is required and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. If any Required Action and associated Completion Time of Condition A or B are not met in MODE 3, 4, or 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Required Action D.1 results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. (continued) PBAPS UNIT 3 B 3.3-203 Revision No. 3
RPS Electric Power Monitoring B 3.3.8.2 BASES (continued) SURVEILLANCE SR 3.3.8.2.1 REQU IREM ENTS A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with design documents. As noted in the Surveillance, the CHANNEL FUNCTIONAL TEST is only required to be performed while the plant is in a condition in which the loss of the RPS bus will not jeopardize steady state power operation (the design of the system is such that the power source must be removed from service to conduct the Surveillance). As such, this Surveillance is required to be performed when the unit is in MODE 4 for 2 24 hours and the test has not been performed in the previous 184 days. This Surveillance must be performed prior to entering MODE 2 or 3 from MODE 4 if a performance is required. The 24 hours is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance. The 184 day Frequency and the Note in the Surveillance are based on guidance provided in Generic Letter 91-09 (Ref. 2). SR 3.3.8.2.2 and SR 3.3.8.2.3 CHANNEL CALIBRATION is a complete check of the relay circuitry and applicable time delay relays. This test. verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted between successive calibrations consistent with the plant design documents. The Frequency is based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis. SR 3.3.8.2.4 Performance of a system functional test demonstrates that, with a required system actuation (simulated or actuali signal, the logic of the system will automatically trip open the associated power monitoring assembly. Only one signal {continued) PBAP'S UNIT 3 B 3.3-204 Revision No. 3
RPS Electric Power Monitoring B 3.3.8.2 BASES SURVEILLANCE SR 3.3.8.2.4 (continued) REQU IREMENTS per power monitoring assembly is required to be tested. This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function. The system functional test of the Class IE circuit breakers is included as part of this test to provide complete testing of the safety function. If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a -plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency. REFERENCES 1. UFSAR, Section 7.2.3.2.
- 2. NRC Generic Letter 91-09, "Modification of Surveillance Interval for the Electrical Protective Assemblies in Power Supplies for the Reactor Protection System."
PBAPS UNIT 3 B 3.3-205 Revision No. 3
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B TABLE OF CONTENTS page(s) I.. Rev 288.................... page(s) II - ill (Inclusive)............................................................................................. Rev 3 B 2.0 SAFETY LIMITS (SLs) page(s) 2.0-1 ........... Flev 48 2.0-3 .Fev 48 2.0-4 .Rev 48 2.0-6 .Fev 48 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY page(s) 3.0-5 ................ Rev 53 3.G-5a ................ Rev 53 3.0-6 ................ Rev 53 3.0-12 ................ Rev 6 3.0-13 ................ Rev 1 3.0-14 ................ Rev 53 3.0-15 ................ Rev 53 B 3.1 REACTIVITY CONTROL SYSTEMS page(s) 3.1-14 ............... Rev 50 3.1 18 (Inclusive) . Rev 2 3.1-23 .Rev 50 3.1 28 (inclusive) .Rev 9 3.1-29. Rev 50 3.1 33 (inclusive) .Rev 2 B 3.2 POWER DISTRIBUTION LIMITS page(s) 3.2 5 (inclusive) .............. Rev 50 3.2-7 .............. Rev 48 3.2-8 .............. Rev 17 3.2 11 (inclusive) .............. Rev 48 3.2-12 .............. R ev 50 3.2-12a .............. Rev 50 3.2-13 .............. Rev 48 B 3.3 INSTRUMENTATION page(s) 3.3 6 (inclusive) ............... Rev 17 3.3-7 ............... Rev 55 3.3-8 ............... Rev 51 3.3-9 ............... Rev 51 3.3-10 ............... Rev 30 3.3-11 ............... Rev 30 3.3-12 ............... Rev 51 3.3-12a ............... Rev 51 3.3-1 2b ............... Rov 51 3.3 19 (inclusive) ............... Rev 45 3.3-23 ............... Rov 30 3.3-24 ............... Rov 51 3.3-25 ............... Rev 51 PBAPS UINIT 3 I Revision No.57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.3 INSTRUMENTATION (continued) page(s) 3.3-26 .................. Rev 30 3.3-27 .................. Rev 55 3.3-27a .................. Rev 55 3.3-28 .................. Rev 30 3.3-29 .................. Rev 50 3.3-30 .................. Rev 30 3.3-31 .................. Rev 30 3.3-32 .................. Rev 51 3.3-33 .................. Rev 51 3.3-34 ................... Rev 51 3.3-35 .................. Rev 51 3.3-36 .................. Rev 55 3.3-36a .................. Rev 51 3.3 45 (inclusive)................................................................................. Rev 17 3.3-46 .................. Rev 30 3.3-47 .................. Rev 31 3.3 52 (inclusive) .................. Rev 3 3.3 56 (inclusive) .................. Rev 30 3.3-57 .................. :Rev 3 3.3-58 .................. Rev 30 3.3-59 .................. [Rev 3 3.3-60 .................. Rev 45 3.3-61 .................. Rev 50 3.342 - 67 (inclusive) .................. Rev 3 3.3-68 .................. Rev 7 3.3-69 .................. Rev 3 3.3-70 .................. Rev 3 3.3-71 .................. Rev 56 3.3-72 .................. Rev 53 3.3-73 .................. Rev 3 3.3-74 .................. Rev 3 3.3-75 .................. Rev 56 3.3-76 .................. Rev 56 3.3-77 .................. Rev 3 3.3-78 .................. Rev 3 3.3-79 .................. Raev 53 3.3 92 (inclusive) ......................................................................... ......... Rev 3 3.3-92a .................. Rev 28 3.3-92b .................. Rev 50 3.3-92c .................. Rev 50 3.3-92d - 92e (inclusive) .................. Rev 45 3.3-92f .................. Rev 28 3.3-92g .................. Rev 45 3.3-92h .................. Rev 28 3.3-921 .................. Rev 45 3.3-92) .................. Rev 28 3.3 98 (inclusive) .................. Rev 3 3.3-99 ... : Rev 23 3.3-100 - 149 (inclusive) .. . Rev 3 3.3-150 ... Rev 49 PBAPS UNIT 3 11 Revision No.57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.3 INSTRUMENTATION (continued) page(s) 3.3-151 ................... Rev 3 3.3-152 ................... Rev 22 3.3-153 - 155 (inclusive) . ................... Rev 3 3.3-156 ................... Rev 34 3.3-157 - 162 (inclusive) ................... Rev 3 3.3-163 ................... Rev 46 3.3-164 . Rev 3 3.3-165 .Rev 3 3.3-166 .Rev 3 3.3-167 .Rev 22 3.3-168 - 186 (inclusive).Rev 3 3.3-187 .Rev 5 3.3-188 - 190 (inclusive). Rev 32 3.3-191 - 198 (inclusive) .Rev 5 3.3-199 - 205 (inclusive).Rev 3 B 3.4 REACTOR COOLANT SYSTEM (RCS) page(s) 3.4-3 ............... Rev 51 3.4-4 ............... Rev 51 3.4-5 ............... Rev 51 3.4-6 ............... Rev 51 3.4-7 ............... Rev 51 3.4-8 ............... Rev 51 3.4-9 ............... Rev 51 3.4-10 ............... Rev 51 3.4-18 ............... Rev 25 3.4-27 ............... Rev 53 3.4-31 ............... Rev 53 3.4.35............... Rev 53 3.4-39. Rev 1 3.4-52 .Rev 50 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM page(s) 3.5-6 ............... Rev 53 3.5-10 ............... Rov 57 3.5 15 (inclusive) ............... Fev 2 3.5-16 ............... Rev 25 3.5-17 ............... Rev 52 3.5-26 .R....................... R!V 53 3.5-27 .R................ Rov 57 3.5-28 ............... Rowv 43 B 3.6 CONTAINMENT SYSTEMS page(s) 3-6-1 ............... Rev 27 3.6-2 . Rev 21 3.6-3 .Rev 6 3.6 5 (inclusive) .Rev 24 3.6-7 .Rov 53 3.6 12 (inclusive) .Rev 6 3.6-13 .Rev 21 3.6 18 (inclusive). Flev 2 PBAPS UNIT 3 Iii Revision No. 57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.6 CONTAINMENT SYSTEMS (continued) page(s) 3.6-27 ............... Rev 2 3.6-28 .. Rev 37 3.6-29 . .Rev 24 3.6-30 .. Rev 16 3.6-31 .. Rev 20 3.6-33 .. Rev 21 3.6-43 .. Rev 44 3.6-47.. . Rev 44 3.6 51 (inclusive) .. Rev 17 3.6-58 . .Rev 1 3.6 66 (inclusive) .. Rev 38 3.6-69 .. Rev 38 3.6 77 (inclusive) .. Rev 26 3.6-90 . .Rev 1 B 3.7 PLANT SYSTEMS page(s) 3.7-1 .. . Rev 19 3.7-6 ... Rev 4 3.7-7 ... Rev11 3.7-8 ... Rev 57 3.7-8a ... Rev 35 3.7-9 ... Rev 57 3.7-12 ... Rev 2 3.7-13 . Rev 1 3.7-15 .Rev 36 3.7-21. Rev 22 3.7-26 .Rev 50 3.7-27 .Rev 50 3.7-29. Rev 33 B 3.8 ELECTRICAL POWER SYSTEMS page(s) 3.8 3 (inclusive) ................. Rev 35 3.8-5 ................. Rev 5 3.8-6 ................. Raev 53 3.8-7 ................. Rev 5 3.8-8 ................. Rev 5 3.8-9 ................. Rev 39 3.8-10-11 (inclusive) ................... Rev5 3.8-12 ................. Rev 1 3.8 23 (inclusive) ................. Rev 34 3.8 30 (inclusive) ................. Rev 1 3.8-31 ................. Rev 54 3.8 37 (inclusive) ................. Rev 10 3.8-42 ................. Rev 35 3.8 47 (inclusive) ................. Rev 18 3.8-55 ................. Rev 38 PBAPS UNIT 3 iv Revision No.57
PBAPS UNIT 3 - LICENSE NO. DPR 56 TECHNICAL SPECIFICATIONS BASES PAGE REVISION LISTING B 3.9 REFUELING OPERATIONS page(s) 3.9-1 .. . Rev 29 3.9-3 ... Rev 29 3.9-8 ... Rev 17 3.9-10 ... Rev 17 3.9-14 ... Rev 17 3.9-15 ... F:ev 2 B 3.10 SPECIAL OPERATIONS page(s) 3.10-1 .. . Flev 1 3.10-5 .... Rev 17 3.10-31 ... Rev 17 3.10-32 ... Rev 30 3.10-35 . Rov 30 3.10-36. Fev 2 All remaining pages are Rev 0 dated 1/18/96. PBAPS UNIT 3 v Revision No. 57
TABLE OF CONTENTS B 2.0 SAFETY LIMITS (SLs) ................. B 2.0-1. B 2.1.1 Reactor Core SLs . . . . . . . . . . . . . . . B 2.0-1. B 2.1.2 Reactor Coolant System (RCS) Pressure SL . . B 2.0-;' B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY . B 3.0-1. B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY . . . . . B 3.0-1.0 B 3.1 REACTIVITY CONTROL SYSTEMS . . . . . . . . . . . . . . B 3.1-:L B 3.1.1 SHUTDOWN MARGIN (SDM) . . . . B 3.1-L
.B3.1.2 Reactivity Anomalies . . . . . B 3.1-13 B 3.1.3 Control Rod OPERABILITY . . . B 3.1-:13 B 3.1.4 Control Rod Scram Times ... . B 3.1-22 B 3.1.5 Control Rod Scram Accumulators B 3.1-29 B 3.1.6 Rod Pattern Control . . . . . B 3.1-:34 B 3.1.7 Standby Liquid Control (SLC) S.ystem . . Valves B 3.1-:39 B 3.1.8 Scram Discharge Volume (SDV) Vitent and Drain Valves B 3.1-48 B 3.2 POWER DISTRIBUTION LIMITS . . . . . . . . . . . . . . B 3.2-1 B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) . . B 3.2-1 B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR) . . . . . . . B 3.2-5 B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR) . . . B 3.2-11 B 3.3 INSTRUMENTATION . . . . . . . . . . . . . . . . . . . B 3.3-1 B 3.3.1.1 Reactor Protection System (RPS) Instrumentation B 3.3-1 LQ) B 3.3.1.2 Wide Range Neutron Monitor (WRNM) Instrumentation B 3.3-:37 *B 3.3.2.1 Control Rod Block Instrumentation . . . . . . . . B 3.3-46 B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation . . . . . . . . . . . . . . . . B 3.3-59 B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation . . B 3.3-66 B 3.3.3.2 Remote Shutdown System . . . . . . . . . . . . . . B 3.3-77 B 3.3.4.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation . . . . . B 3.3-B4 B 3.3.4.2 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation . . . B 3.3-92a thru B 3.3-92j B 3.3.5.1 Emergency Core Cooling System (ECCS)
Instrumentation . . . . . . . . . . . . . . . . B 3.3-93 B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation . . . . . . . . . . . . . . . . B 3.3-131 B 3.3.6.1 Primary Containment Isolation Instrumentation B 3.3-142 B 3.3.6.2 Secondary Containment Isolation Instrumentation B 3.3-169 B 3.3.7.1 Main Control Room Emergency Ventilation (MCREV)
- System Instrumentation . . . . . . . . . . B 3.3-180 B 3.3.8.1 Loss of Power (LOP) Instrumentation . . . . . B 3.3-187 B 3.3.9.2 Reactor Protection System (RPS) Electric Power M~onitoring . . ... . . . ... . . . . . . . . . B 3.3-199 (continued)
PBAPS UNIT 3 i Revision No. 28
TABLE OF CONTENTS (continued) B 3.4 REACTOR COOLANT SYSTEM (RCS) . . . . . . ... . . . . . B 3.4-1 B 3.4.1 Recirculation Loops Operating . . . . . . . . . . B 3.4-1 B 3.4.2 Jet Pumps B 3.4-11 B 3.4.3 Safety Relief Valves (SRVs) and Safety Valves (SVs) B 3.4-15 B 3.4.4 RCS Operational LEAKAGE . . . . . . . . . . . . . B 3.4-19 B 3.4.5 RCS Leakage Detection Instrumentation . . . . . . B 3.4-24 B 3.4.6 RCS Specific Activity . . . . . . . . . . . . . . B 3.4-29 B.3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown . . . . . . . . . . B 3.4-33 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown . . . . . . . . . . . . . B 3.4-38 B 3.4.9 RCS Pressure and Temperature (P/T) Limits . . . . B 3.4-43 B 3.4.10 Reactor Steam Dome Pressure . . . . . . . . . . . B 3.4-52 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM . . . ... . . . . . . B 3.5-1 B 3.5.1 ECCS-Operating . . . . . . . . . . . ... . . . . B 3.5-1 B 3.5.2 ECCS-Shutdown . . . . . . . . . . . . . . . . . . B 3.5-18 B 3.5.3 RCIC System ................... B 3.5-24 B 3.6 CONTAINMENT SYSTEMS ................. B 3.6-1 B 3.6.1.1 Primary Containment . . . . . . . . . . . . B 3.6-1 B 3.6.1.2 Primary Containment Air Lock .. B 3.6-6 B 3.6.1.3 Primary Containment Isolation Valves (PCIVs) B 3.6-14 B 3.6.1.4 Drywell Air Temperature . . . . . .. B 3.6-31 B 3.6.1.5 Reactor Building-to-Suppression Chamber Vacuum
. Breakers ................... B 3.6-34 B 3.6.1.6 Suppression Chamber-to-Drywell Vacuum Breakers . . B 3.6-42 B 3.6.2.1 Suppression Pool Average Temperature . . . . . . . B 3,6-48 B 3.6.2.2 Suppression Pool Water Level . . . . . . . . . B 3.6-53 B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling . . . . . . . . . . . . . . . . . . . . B 3.6-56 B 3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray B 3.6-60 B 3.6.3.1 Containment Atmospheric Dilution (CAD) System . . B 3.6-64 B 3.6.3.2 Primary Containment Oxygen Concentration . . . . . B 3.6-70 B 3.6.4.1 Secondary Containment . . B 3.6-73 B 3.6.4.2 Secondary Containment Isolation Valves jSCIVs) B 3.6-78 B 3.6.4.3 Standby Gas Treatment (SGT) System . . . . . . . . B 3.6-85 B 3.7 PLANT SYSTEMS . . .................. B 3.7-1 B 3.7.1 High Pressure Service Water (HPSW) System . . . . B 3.7-1 B 3.7.2 Emergency Service Water (ESW) System and Normal Heat Sink . . . . . . . . . . . . . . . ... . B 3.7-6 B 3.7.3 Emergency Heat Sink . . . . . . . . . . . . . . . B 3.7-11 B 3.7.4 Main Control Room Emergency Ventilation (MCREV)
System . . . . . . . . . . . . . . . . . . . . B 3.7-15 B 3.7.5 Main Condenser Offgas . . . . . . . . . . . . . . B 3.7-22 (continued) PBAPS UNIT 3 Revision No. 3 ii
TAELE OF CONTENTS (continued) B 3.7 PLANT SYSTEMS (continued) B 3.7.6 Main Turbine Bypass System . . . . . . . . . . . . B 3.7-25 B 3.7.7 Spent Fuel Storage Pool Water Level . . . . . . . B 3.7-29 B 3.8 ELECTRICAL POWER SYSTEMS . . . . . . . . . . . . . . . B 3.8-1 B 3.8.1 AC Sources-Operating . . . . . . . . . . . . . . B 3.8-1 B 3.8.2 AC Sources-Shutdown . .B 3.8-40 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air . B 3.8-48 B 3.8.4 DC Sources-Operating . . . . . . . . . . . . . . B 3.8-58 B 3.8.5 DC Sources-Shutdown . . . . . . . . . . . . . B 3.8-72 B 3.8.6 Battery Cell Parameters . . . . . . . . . . . . . B 3.8-77 B 3.8.7 Distribution Systems-Operating . . . . . . . . . B 3.8-83 B 3.8.8 Distribution Systems-Shutdown . . . . . . . . . . B 3.8-94 B 3.9 REFUELING OPERATIONS .B 3.9-1 B 3.9.1 Refueling Equipment Interlocks . . . . . . . . . B 3.9-1 B 3.9.2 Refuel Position One-Rod-Out Interlock . . . . . . B 3.9-5 B 3.9.3 Control Rod Position . . . . . . . . . . . . . . . B 3.9-8 B 3.9.4 Control Rod Position Indication . . . . .. . . B 3.9-10 B 3.9.5 Control Rod OPERABILITY- Refueling . . . . . . . . B 3.9-14 B 3.9.6 Reactor Pressure Vessel (RPV) Water Level . . . . B 3.9-17 B 3.9.7 Residual Heat Removal (RHR)-High Water Level B 3.9-20 B 3.9.8 Residual Heat Removal (RHR)-Low Water Level B 3.9-24 B 3.10 SPECIAL OPERATIONS .B 3.10-1 B 3.10.1 Inservice Leak and Hydrostatic Testing Operation . B 3.10-1 B 3.10.2 Reactor Mode Switch Interlock Testing . . . . . . B .3.10-5 B 3.10.3 Single Control Rod Withdrawal-Hot Shutdown . . . B 3.10-10 B 3.10.4 Single Control Rod Withdrawal-Cold Shutdown . . . B 3.10-14 B 3.10.5 Single Control Rod Drive (CRD) Removal-Refueling .. .B 3.10-19 B 3.10.6 Multiple Control Rod Withdrawal -Refueling. B 3.10-24 B 3.10.7 Control Rod Testing-Operating . . . . . . . . . . B 3.10-27 B 3.10.8 SHUTDOWN MARGIN (SDM) Test- Refueling . . . . . . B 3.10-31 PBAPS UNIT 3 Revision No. 3 iii
Recirculation Loops Operating
- E 3.4..1 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.1 Recirculation Loops Operating BASE:S BACKGROUND The Reactor Coolant Recirculation System is designed.;to provide a forced coolant flow through the core.to -remove heat from the fuel. The forced coolant flow removies miore heat from the fuel than would be possible with just-.ratuiral circulation. The forced flow, therefore, allows:,ope-iation at significantly higher power than would otherwise.be. possible. The recirculation system also controls reactivity over a wide span of reactor power by varying the recirculation flow rate to control the void content of the moderator. The Reactor Coolant Recirculation System consists of two recirculation pump loops external to-the. reactor vessel. These loops provide the piping.path for the driving flow of water to the reactor vessel jet pumps.. Each external loop contains one variable speed motor driver recirculation pump, a motor generator (MG) setto control pump speed and associated piping, jet pumps, valves-;:and instrumentation. The recirculation loops are partkof the reactor coolant pressure boundary and are located inside 'the drywell structure. The jet pumps are reactor vessel internals. The recirculated coolant consists of saturated water from the steam separators and dryers that has been subcooled by incoming feedwater. This water passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow intc an external manifold, from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the jet pumps. This flow enters the jet pump at suction inlets and is accelerated by the driving flow. The drive flow and suction flow are mixed in the jet pump throat section. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core. The subcooled water enters the bottom of the fuel channels and contacts the fuel cladding, where heat is transferred to the coolant. As it rises, the coolant {continued) PBAP'; UNIT 3 B 3.4-1 Revision No. 0
Recirculation Loops Operating B 3.4.1 BASES BACKGROUND begins to boil, creating steam voids within the fuel channel (continued) that continue until the coolant exits the-core. Because of reduced moderation, the steam voiding introduces negative reactivity that must be compensated for to maintain or to increase reactor power. The recirculation flow control allows operators to increase recirculation flow and sweep some of the voids from the fuel channel, overcoming the negative reactivity void effect. Thus, the reason for having variable recirculation flow is to compensate for reactivity effects of boiling over a wide range of power generation (i.e., 65 to 100% of RTP) without having to move control rods and disturb desirable flux patterns. Each recirculation loop is manually started from the control room. The MG set provides regulation of individual recirculation loop drive flows. The flow in each loop is manually controlled. APPLICABLE The operation of the Reactor Coolant Recirculation System is SAFETY ANALYSES an initial condition assumed in the design basis loss of coolant accident (LOCA) (Ref. 1). During a LOCA caused by a recirculation loop pipe break, the intact loop is assured to provide coolant flow during the first few seconds of the accident. The initial core flow decrease is rapid because the recirculation pump in the broken loop ceases to purip reactor coolant to the vessel almost immediately. The pump in the intact loop coasts down relatively slowly. This pump coastdown governs the core flow response for the next several seconds until the jet pump suction is uncovered. The analyses assume that both loops are operating at the same flow prior to the accident. However, the LOCA analysis was reviewed for the case with a flow mismatch between the two loops, with the pipe break assumed to be in the loop with the higher flow. While the flow coastdown and core response are potentially more severe in this assumed case (since the intact loop starts at a lower flow rate and the core response is the same as if both loops were operating at a lower flow rate), a small mismatch has been determined to be acceptable based on engineering judgement. The recirculation system is also assumed to have sufficient flow coastdown characteristics to maintain fuel thermal margins during abnormal operational transients, which are analyzed in Chapter 14 of the UFSAR. {continued) PBAP'; UNIT 3 B 3.4-2 Revision No. 0
Recirculation Loops Operating B 3.4.1 BASES APPLICABLE Plant specific LOCA and average power range monitor/rod SAFETY ANALYSES block monitor Technical Specification/maximum extended load (continued) line limit analyses have been performed assuming only cne operating recirculation loop. These analyses demonstrate that, in the event of a LOCA caused by a pipe break in the operating recirculation loop, the Emergency Core Cooling System response will provide adequate core cooling (Refs. 2, 3, and 4). The transient analyses of Chapter 14 of the UFSAR have also been performed for single recirculation loop operation (Ref. 5) and demonstrate sufficient flow coastdown characteristics to maintain fuel thermal margins durincr the abnormal operational transients analyzed provided the MCPR requirements are modified. During single recirculation loop operation, modification to the Reactor Protection System (RPS) average power range monitor (APRM) instrument setpoints is also required to account for the different relationships between recirculation drive flow and reactor core flow. The MCPR limits and APLHGR limits (power-dependent APLHGR multipliers, MAPFACp, and flow-dependent APLHGR multipliers, MAPFACf) for single loop operation are specified in the COLR. The APRM Simulated Thermal Power-High Allowable Value is in LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation." (continued) PBAPS UNIT 3 B 3.4-3 Revision No. 51
Recirculation Loops Operating B 3.4.1 BASES APPLICABLE SAFETY ANALYSES (continued) Recirculation loops operating satisfies Criterion 2 of the NRC Policy Statement. LCO Two recirculation loops are normally required to be in operation with their flows matched within the limits specified in SR 3.4.1.1 to ensure that during a LOCA caused by a break of the piping of one recirculation loop the (continued) PBAP'; UNIT 3 B 3.4-4 Revision No. 51
Recirculation Loops Operating B 3.4.1 BASES LCO assumptions of the LOCA analysis are satisfied. Alternatively, with only one recirculation loop in operation, modifications to the required APLHGR limits (power- and flow-dependent APLHGR multipliers, MAPFACP and MAPFACf, respectively of LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), MCPR limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and APRM Simulated Thermal Power-High Allowable Value (LCO 3.3.1.1) must be applied to allow continued operation consistent with the assumptions of Reference 5. The LCO is modified by a Note which allows up to 12 hours before having to put in effect the required modifications to required limits after a change in the reactor operating conditions from two recirculation loops operating to single recirculation loop operation. If the required limits are not in compliance with the applicable requirements at the end of this period, the associated equipment must be declared inoperable or the limits "not satisfied," and the ACTIONS required by nonconformance with the applicable specifications implemented. This time is provided due to the need to stabilize operation with one recirculation loop, including the procedural.steps necessary to limit flow in the operating loop, and the complexity and detail required to fully implement and confirm the required limit modifications. APPLICABILITY In MODES 1 and 2, requirements for operation of the Reactor Coolant Recirculation System are necessary since there is considerable energy in the reactor core and the limiting design basis transients and accidents are assumed to occur. In MODES 3, 4, and 5, the consequences of an accident are reduced and the coastdown characteristics of the recirculation loops are not important. (continued) PBAPS UNIT 3 B 3.4-5 Revision No. 51
Recirculation Loops Operating B 3.4.1 BASES THIS PAGE LEFT BLANK INTENTIONALLY (The contents of this page have been deleted) PBAP:; UNIT 3 B 3.4-6 Revision No. 51
Recirculation Loops Operating B 3.4.1 BASES ACTIONS (continued) With the requirements of the LCO not met, the recirculation loops must be restored to operation with matched flows within 24 hours. A recirculation loop is considered not in operation when the pump in that loop is idle or when the mismatch between total jet pump flows of the two loops is greater than required limits. The loop with the lower flow must be considered not in operation. Should a LOCA oci:ur with one recirculation loop not in operation, the core flow coastdown and resultant core response may not be bounded by the LOCA analyses. Therefore, only a limited time is allowed to restore the inoperable loop to operating status. Alternatively, if the single loop requirements of the L.CO are applied to operating limits and RPS setpoints, operation with only one recirculation loop would satisfy the requirements of the LCO and the initial conditions of the accident sequence. The 24 hour Completion Time is based on the low probability of an accident occurring during this time period, on a reasonable time to complete the Required Action, and on frequent core monitoring by operators allowing abrupt changes in core flow conditions to be quickly detected.. (continued) PBAPS UNIT 3 B 3.4- 7 Revision No. 51
Recirculation Loops Operating B 3.4.1 BASES ACTIONS A1 (continued) This Required Action does not require tripping the recirculation pump in the lowest flow loop when the mismatch between total jet pump flows of the two loops is greater than the required limits. However, in cases where large flow mismatches occur, low flow or reverse flow can occur in the low flow loop jet pumps, causing vibration of the jet pumps. If zero or reverse flow is detected, the condition should be alleviated by changing pump speeds to re-establish forward flow or by tripping the pump. With no recirculation loops in operation or the Required Action and associated Completion Time of Condition A not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. In this condition, the recirculation loops are not required to be operating because of the reduced severity of DBAs and minimal dependence on the recirculation loop coastdown characteristics. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. (continued) PBAPS UNIT 3 B 3.4 -8 Revision No. 51
Recirculation Loops Operating B 3.4.1 BASE.S SURVHILLANCE SR 3.4.1.1 REQUIREMENTS This SR ensures the recirculation loops are within the allowable limits for mismatch. At low core flow (i.e.,
< 71.75 X 106 lbm/hr), the MCPR requirements provide larger margins to the fuel cladding integrity Safety Limit such that the potential adverse effect of early boiling transition during a LOCA is reduced. A larger flow mismatch can therefore be allowed when core flow is < 71.75 X 106 lbm/hr. The recirculation loop jet pump flow, as used in this Surveillance, is the summation of the flows from all of the jet pumps associated with a single recirculation loop.
The mismatch is measured in terms of core flow. (Rated core flow is 102.5 X 106 lbm/hr. The first limit is based on mismatch
- 10% of rated core flow when operating at < 70% of rated core flow. The second limit is based on mismatch
- 5%
of rated core flow when operating at 2 70% of rated core flow.) If the flow mismatch exceeds the specified limits, the loop with the lower flow is considered not in operation. The SR is not required when both loops are not in operation since the mismatch limits are meaningless during single loop or natural circulation operation. The Surveillance must be performed within 24 hours after both loops are in operation.
.The 24 hour Frequency is consistent with the Surveillance Frequency for jet pump OPERABILITY verification and has been shown by operating experience to be adequate to detect off normal jet pump loop flows in a timely manner.
(continued) PBAPS UNIT 3 -B3.4-9 Revision No. 51
Recirculation Loops Operating B 3.4.1 BASES REFERENCES 1. UFSAR, Section 14.6.3.
- 2. NEDC-32163P, "PBAPS Units 2 and 3 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," January 1993.
- 3. NEDC-32162P, "Maximum Extended Load Line Limit and ARTS Improvement Program Analyses for Peach Bottorr Atomic Power Station Unit 2 and 3," Revision 1, February 1993.
- 4. NEDC-32427P, "Peach Bottom Atomic Power Station Unit 3 Cycle 10 ARTS Thermal Limits Analyses," December 1994.
- 5. NEDO-24229-1, "PBAPS Units 2 and 3 Single-Loop Operation," May 1980.
- 6. NEDC-33064P, "Safety Analysis Report for Peach Bottom Atomic Power Station Units 2 & 3 Thermal Power Optimization," May 2002.
PBAPS UNIT 3 B 3.4-10 Revision No. 51
Jet Pumps B 3.4.2 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.2 Jet Pumps BASES BACKGROUND The Reactor Coolant Recirculation System is described in the Background section of the Bases for LCO 3.4.1, Recirculation Loops Operating," which discusses the operating characteristics of the system and how these characteristics affect the Design Basis Accident (DBA) analyses. The jet pumps are reactor vessel internals and in conjunction with the Reactor Coolant Recirculation System are designed to provide forced circulation through the core to remove heat from the fuel. The jet pumps are located in the annular region between the core shroud and the vessel inner wall. Because the jet pump suction elevation is at two-thirds core height, the vessel can be reflooded and coolant level maintained at two-thirds core height even with the complete break of the recirculation loop pipe that is located below the jet pump suction elevation. Each reactor coolant recirculation loop contains ten jet pumps. Recirculated coolant passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow into an external manifold from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the jet pumps. This flow enters the jet pump at suction inlets and is accelerated by the drivei flow. The drive flow and suction flow are mixed in the jet pump throat section. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core. APPLICABLE Jet pump OPERABILITY is an implicit assumption in the design SAFETY ANALYSES basis loss of coolant accident (LOCA) analysis evaluated in Reference 1. (continued) PBAPS UNIT 3 B 3.4-11 Revision No. 0
Jet Pumps B 3.4.2 BASES APPLICABLE The capability of reflooding the core to two-thirds core SAFE1Y ANALYSES height is dependent upon the structural integrity of the jet (continued) pumps. If the structural system, including the beam holding a jet pump in place, fails, jet pump displacement and performance degradation could occur, resulting in an increased flow area through the jet pump and a lower core flooding elevation. This could adversely affect the water level in the core during the reflood phase of a LOCA as well as the assumed blowdown flow during a LOCA. Jet pumps satisfy Criterion 2 of the NRC Policy Statement. LCO The structural failure of any of the jet pumps could cause significant degradation in the ability of the jet pumps to allow reflooding to two-thirds core height during a LOCA. OPERABILITY of all jet pumps is required to ensure that operation of the Reactor Coolant Recirculation System will be consistent with the assumptions used in the licensing basis analysis (Ref. 1). APPLHCABILITY In MODES I and 2, the jet pumps are required to be OPERABLE since there is a large amount of energy in the reactor core and since the limiting DBAs are assumed to occur in these MODES. This is consistent with the requirements for operation of the Reactor Coolant Recirculation System (LCO 3.4.1). In MODES 3, 4, and 5, the Reactor Coolant Recirculation System is not required to be in operation, and when not in operation, sufficient flow is not available to evaluate jet pump OPERABILITY. ACTI ONS A. I An inoperable jet pump can increase the blowdown area and reduce the capability of reflooding during a design basis LOCA. If one or more of the jet pumps are inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. (continued) PBAPS UNIT 3 B 3.4-12 Revision No. 0
Jet Pumps 133.4.2 BASES (continued) SURVEILLANCE SR 3.4.2.1 REQUJIREMENTS This SR is designed to detect significant degradation in jet pump performance that precedes jet pump failure (Ref. 2). This SR is required to be performed only when the loop has forced recirculation flow since surveillance checks and measurements can only be performed during jet pump operation. The jet pump failure of concern is a complete mixer displacement due to jet pump beam failure. Jet pump plugging is also of concern since it adds flow resistance to the recirculation loop. Significant degradation is indicated if the specified criteria confirm unacceptable deviations from established patterns or relationships.. The allowable deviations from the established patterns have been developed based on the variations experienced at plants during normal operation and with jet pump assembly failures (Refs. 2 and 3). Each recirculation loop must satisfy one of the performance criteria provided. Since refueling activities (fuel assembly replacement or shuffle, as wiell as any modifications to fuel support orifice size or core plate bypass flow) can affect the relationship between core flow, jet pump flow, and recirculation loop flow, these relationships may need to be re-established each cycle. Similarly, initial entry into extended single loop operation may also require establishment of these relationships. During the initial weeks of operation under such conditions, while baselining new established patterns," engineering judgement of the daily surveillance results is used tc detect significant abnormalities which could indicate a jet pump failure. The recirculation pump speed operating characteristics (pump flow and loop flow versus pump speed) are determined by the flow resistance from the loop suction through the jet pump nozzles. A change in the relationship indicates a plug, flow restriction, loss in pump hydraulic performance, leakage, or new flow path between the recirculation pump discharge and jet pump nozzle. For this criterion, the pump flow and loop flow versus pump speed relationship must be verified. Individual jet pumps in a recirculation loop normally do not have the same flow. The unequal flow is due to the drive flow manifold, which does not distribute flow equally to all risers. The flow (or jet pump diffuser to lower plenum differential pressure) pattern or relationship of one jet fcontinued) PBAP'; UNIT 3 B 3.4-13 Revision No. 0
Jet Pumps B 3.4.2 BASES SURVEILLANCE SR. 3.4.2.1 (continued) REQUIREMENTS pump to the loop average is repeatable. An appreciable change in this relationship is an indication that increased (or reduced) resistance has occurred in one of the jet pumps. This may be indicated by an increase in the relative flow for a jet pump that has experienced beam cracks. The deviations from normal are considered indicative of a potential problem in the recirculation drive flow or jet pump system (Ref. 2). Normal flow ranges and established jet pump flow and differential pressure patterns are established by plotting historical data as discussed in* Reference 2. The 24 hour Frequency has been shown by operating experience to be timely for detecting jet pump degradation and is consistent with the Surveillance Frequency for recirculation loop OPERABILITY verification. This SR is modified by two Notes. Note 1 allows this Surveillance not to be performed until 4 hours after the associated recirculation loop is in operation, since these checks can only be performed during jet pump operation. The 4 hours is an acceptable time to establish conditions appropriate for data collection and evaluation. Note 2 allows this SR not to be performed until 24 hours after THERMAL POWER exceeds 25% of RTP. During low flow conditions, jet pump noise approaches the threshold response of the associated flow instrumentation and precludes the collection of repeatable and meaningful data. The 24 hours is an acceptable time to establish conditions appropriate to perform this SR. REFERENCES 1. UFSAR, Section 14.6.3.
- 2. GE Service Information Letter No. 330, "Jet Pump Beam Cracks," June 9, 1980.
- 3. NUREG/CR-3052, 'Closeout of IE Bulletin 80-07: BWR Jet Pump Assembly Failure,' November 1984.
PBAP'; UNIT 3 B 3.4-14 Revision No. 0
SRVs and SVs B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.3 Safety Relief Valves (SRVs) and Safety Valves (SVs) BASES BACKGROUND The ASME Boiler and Pressure Vessel Code requires the reactor pressure vessel be protected from overpressure! during upset conditions by self-actuated safety valves. As part of the nuclear pressure relief system, the size and number of SRVs and SVs are selected such that peak pressure in the nuclear system will not exceed the ASME Code limits for the reactor coolant pressure boundary (RCPB). The SRVs and SVs are located on the main steam lines between the reactor vessel and the first isolation valve within the drywell. The SRVs can actuate by either of two modes: the safety mode or the depressurization mode. In the safety mode, the pilot disc opens when steam pressure at the valve inlet expands the bellows to the extent that the hydraulic seating force on the pilot disc is reduced to zero. Opening of the pilot stage allows a pressure differential to develop across the second stage disc which opens the second stage disc, thus venting the chamber over the main valve piston. This causes a pressure differential across the main valve piston which opens the main valve. The SVs are spring loaded valves that actuate when steam pressure at the inlet overcomes the spring force holding the valve disc closed. This satisfies the Code requirement. Each of the 11 SRVs discharge steam through a discharge line to a point below the minimum water level in the suppression pool. The two SVs discharge steam directly to the drywell. In the depressurization mode, the SRV is opened by a pneumatic actuator which opens the second stage disc. The main valve then opens as described above for the safety mode. The depressurization mode provides controlled depressurization of the reactor coolant pressure boundary. All 11 of the SRVs function in the safety mode and have the capability to operate in the depressurization mode via manual actuation from the control room. Five of the SRVs are allocated to the Automatic Depressurization System (ADS). The ADS requirements are specified in LCO 3.5.1,
'ECCS-Operating."
(continued) PBAP'; UNIT 3 B 3.4-15 Revision No. 0
SRVs and SVs E; 3.4.3 BASE:S (continued) APPLICABLE The overpressure protection system must accommodate the most SAFETY ANALYSES severe pressurization transient. Evaluations have determined that the most severe transient is the closure of all main steam isolation valves (MSIVs), followed by reactor scram on high neutron flux (i.e., failure of the direct scram associated with MSIV position) (Ref. 1). For the purpose of the analyses, 11 SRVs and SVs are assumed to operate in the safety mode. The analysis results demonstrate that the design SRV and SV capacity is capable of maintaining reactor pressure below the ASME Code limit of 110% of vessel design pressure (110% x 1250 psig = 1375 psig). This LCO helps to ensure that the acceptance limit of 1375 psig is met during the Design Basis Event. From an overpressure standpoint, the design basis events are bounded by the MSIV closure with flux scram event described above. Reference 2 discusses additional events that are expected to actuate the SRVs and SVs. SRVs and SVs satisfy Criterion 3 of the NRC Policy Statement. LCO The safety function of any combination of 11 SRVs and SVs are required to be OPERABLE to satisfy the assumptions of the safety analysis (Refs. 1 and 2). Regarding the SRVs, the requirements of this LCO are applicable only to their capability to mechanically open to relieve excess pressure when the lift setpoint is exceeded (safety mode). The SRV and SV setpoints are established to ensure that the ASME Code limit on peak reactor pressure is satisfied. The ASME Code specifications require the lowest safety valve setpoint to be at or below vessel design pressure (1250 psig) and the highest safety valve to be set so that the total accumulated pressure does not exceed 110%lof the design pressure for overpressurization conditions. The transient evaluations in the UFSAR are based on these setpoints, but also include the additional uncertainties of
+ 1% of the nominal setpoint to provide an added degree of conservatism.
Operation with fewer valves OPERABLE than specified, or with setpoints outside the ASME limits, could result in a more severe reactor response to a transient than predicted, possibly resulting in the ASME Code limit on reactor pressure being exceeded. (continued) PBAPS UNIT 3 B 3.4-16 Revision No. 0
SRVs and SVs B 3.4.3 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, all required SRVs and SVs must be OPERABLE, since considerable energy may be in the reactor core and the limiting design basis transients are assumed to occur in these MODES. The SRVs and SVs may be required to provide pressure relief to discharge energy from the core until such time that the Residual Heat Removal (RHR) System is capable of dissipating the core heat. In MODE 4, decay heat is low enough for the RHR System to provide adequate cooling, and reactor pressure is low enough that the overpressure limit is unlikely to be approached by assumed operational transients or accidents. In MODE 5, the reactor vessel head is unbolted or removed and the reactor is at atmospheric pressure. The SRV and SV function is not needed during these conditions. ACTIONS A.1 and A.2 With less than the minimum number of required SRVs or SVs OPERABLE, a transient may result in the violation of the ASME Code limit on reactor pressure. If the safety function of one or more required SRVs or SVs is inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to IMODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach required plant conditions-from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.4.3.1 REQUIREMENTS This Surveillance requires that the required SRVs and SVs will open at the pressures assumed in the safety analyses of References I and 2. The demonstration of the SRV and SV safety lift settings must be performed during shutdown, since this is a bench test, to be done in accordance waith the Inservice Testing Program. The lift setting pressure shall correspond to ambient conditions of the valves at nominal operating temperatures and pressures and be verified with insulation installed simulating the in-plant condition. The SRV and SV setpoint is +/- 1% for OPERABILITY. {continued) PBAPS UNIT 3 B 3.4-17 Revision No. 0
SRVs and SVs 133.4.3 BASES SURVEILLANCE SR 3.4.3.2 REQUIREMENTS 4:continued) The pneumatic actuator of each SRV valve is stroked to verify that the second stage pilot disc rod is mechanically displaced when the actuator strokes. Second stage pilot rod movement is determined by the measurement of actuator rod travel. The total amount of movement of the second stage pilot rod from the valve closed position to the open position shall meet criteria established by the SRV supplier. If the valve fails to actuate due only to the failure of the solenoid, but is capable of opening on overpressure, the safety function of the SRV is considered OPERABLE. Operating experience has shown that these components will pass the SR when performed at the 24 month Frequency, which is based on the refueling outage. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. REFERENCES 1. NEDC-32183P, "Power Rerate Safety Analysis Report for Peach Bottom 2 & 3," May 1993.
- 2. UFSAR, Chapter 14.
PBAPS UNIT 3 B 3.4-18 Revision No. 25
RCS Operational LEAKAGE E:3.4.4 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.4 RCS Operational LEAKAGE BASES BACKGROUND The RCS includes systems and components that contain or transport the coolant to or from the reactor core. The pressure containing components of the RCS and the portions of connecting systems out to and including the isolation valves define the reactor coolant pressure boundary (B.CPB). The joints of the RCPB components are welded or bolted. During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. Limits on RCS operational LEAKAGE are required to ensure appropriate action is taken before the integrity of the RCPB is impaired. This LCO specifies the types and limits of LEAKAGE. This protects the RCS pressure boundary described in 10 CFR 50.2, 10 CFR 50.55a(c), and the UFSAR (Refs. 1, 2, and 3). The safety significance of RCS LEAKAGE from the RCPB varies widely depending on the source, rate, and duration. Therefore, detection of LEAKAGE in the primary containment is necessary. Methods for quickly separating the identified LEAKAGE from the unidentified LEAKAGE are necessary to provide the operators quantitative information to permit them to take corrective action should a leak occur that is detrimental to the safety of the facility or the public. A limited amount of leakage inside primary containment is expected from auxiliary systems that cannot be made 1OD% leaktight. Leakage from these systems should be detected and isolated from the primary containment atmosphere, if possible, so as not to mask RCS operational LEAKAGE detection. This LCO deals with protection of the RCPB from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident. (continued) PBAPS; UNIT 3 B 3.4-19 Revision No. 0
RCS Operational lEAKAGE B 3.4.4 BASES (continued) APPLICABLE The allowable RCS operational LEAKAGE limits are based on SAFETY ANALYSES the predicted and experimentally observed behavior of pipe cracks. The normally expected background LEAKAGE due to equipment design and the detection capability of the instrumentation for determining system LEAKAGE were also considered. The evidence from experiments suggests that, for LEAKAGE even greater than the specified unidentified LEAKAGE limits, the probability is small that the imperfection or crack associated with such LEAKAGE would grow rapidly. The unidentified LEAKAGE flow limit allows time for corrective action before the RCPB could be significantly compromised. The 5 gpm limit is a small fraction of the calculated flow from a critical crack in the primary system piping. Crack behavior from experimental programs (Refs. 4 and 5) shows that leakage rates of hundreds of gallons per minute will precede crack instability. The low limit on increase in unidentified LEAKAGE assumes a failure mechanism of intergranular stress corrosion cracking (IGSCC) in service sensitive type 304 and type 316 austenitic stainless steel that produces tight cracks. This flow increase limit is capable of providing an early warning of such deterioration. No applicable safety analysis assumes the total LEAKAGE limit. The total LEAKAGE limit considers RCS inventory makeup capability and drywell floor sump capacity. RCS operational LEAKAGE satisfies Criterion 2 of the ARC Policy Statement. LCO RCS operational LEAKAGE shall be limited to:
- a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, since it.is indicative of material degradation. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE.
Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE. (continued) PBAPS UNIT 3 B 3.4-20 Revision No. 0
RCS Operational LEAKAGE 133.4.4 BASES LCO b. Unidentified LEAKAGE (continued) The 5 gpm of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and drywell sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB.
- c. Total LEAKAGE The total LEAKAGE limit is based on a reasonable minimum detectable amount. The limit also accounts for LEAKAGE from known sources (identified LEAKAGE).
Violation of this LCO indicates an unexpected amount of LEAKAGE and, therefore, could indicate new. or additional degradation in an RCPB component or system.
- d. Unidentified LEAKAGE Increase An unidentified LEAKAGE increase of > 2 gpm within the previous 24 hour period indicates a potential flaw in the RCPB and must be quickly evaluated to determine the source and extent of the LEAKAGE. The increase is measured relative to the steady state value; temporary changes in LEAKAGE rate as a result of transient conditions (e.g., startup) are not considered. As such, the 2 gpm increase limit is only applicable in MODE I when operating pressures and temperatures are established. Violation of this LCO could result in continued degradation of the RCPB.
APPLICABILITY In MODES 1, 2, and 3, the RCS operational LEAKAGE LCO applies, because the potential for RCPB LEAKAGE is greatest when the reactor is pressurized. In MODES 4 and 5, RCS operational LEAKAGE limits are not required since the reactor is not pressurized and stresses in the RCPB materials and potential for LEAKAGE are reduced. (continued) PBAP'; UNIT 3 B 3.4-21 Revision No. 0
RCS Operational LEAKAGE E 3.4.4 BASES (continued) ACTIONS A.1 With RCS unidentified or total LEAKAGE greater than the limits, actions must be taken to reduce the leak. Because the LEAKAGE limits are conservatively below the LEAKAGE that would constitute a critical crack size, 4 hours is allowed to reduce the LEAKAGE rates before the reactor must be shut down. If an unidentified LEAKAGE has been identified and quantified, it may be reclassified and considered as identified LEAKAGE; however, the total LEAKAGE limit would remain unchanged. B.1 and B.2 An unidentified LEAKAGE increase of > 2 gpm within a 24 hour. period is an indication of a potential flaw in the RCF'B and must be quickly evaluated. Although the increase does not necessarily violate the absolute unidentified LEAKAGE limit, certain susceptible components must be determined not to be the source of the LEAKAGE increase within the required Completion Time. For an unidentified LEAKAGE increase greater than required limits, an alternative to reducing LEAKAGE increase to within limits (i.e., reducing the leakage rate such that the current rate is less than the 02 gpm increase in the previous 24 hours" limit; either by isolating the source or other possible methods) is to evaluate service sensitive type 304 and type 316 austenitic stainless steel piping that is subject to high stress or that contains relatively stagnant or intermittent flow fluids and determine it is not the source of the increased LEAKAGE. This type piping is very susceptible to IGSCC. The 4 hour Completion Time is reasonable to properly reduce the LEAKAGE increase or verify the source before the reactor must be shut down without unduly jeopardizing plant safety. C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B is not met or if pressure boundary LEAKAGE exists, the plant must be brought to a MODE in which the LCO does not; apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours and to MODE 4 withir {continued) PBAPS UNIT 3 B 3.4-22 Revision No. 0
RCS Operational LEAKAGE E 3.4.4 BASES ACTIONS C.1 and C.2 (continued) 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant safety systems. SURVEILLANCE SR 3.4.4.1 REQUIREMENTS The RCS LEAKAGE is monitored by a variety of instruments designed to provide alarms when LEAKAGE is indicated find to quantify the various types of LEAKAGE. Leakage detection instrumentation is discussed in more detail in the Bases for LCO 3.4.5, 'RCS Leakage Detection Instrumentation." sump level and flow rate are typically monitored to determine actual LEAKAGE rates; however, any method may be used to quantify LEAKAGE within the guidelines of Reference 6.. In conjunction with alarms and other administrative controls, a 4 hour Frequency for this Surveillance is appropriate for identifying LEAKAGE and for tracking required trends (Ref. 7). REFERENCES 1. 10 CFR 50.2.
- 2. 10 CFR 50.55a(c).
- 3. UFSAR, Section 4.10.4.
- 4. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968..
- 5. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors," October 1975.
- 6. Regulatory Guide 1.45, May 1973.
- 7. Generic Letter 88-01, 'NRC Position on IGSCC in 1BWR Austenitic Stainless Steel Piping," January 1988.
PBAPS UNIT 3 B 3.4-23 Revision No. 0
RCS Leakage Detection Instrumentation B 3.4.5 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.5 RCS Leakage Detection Instrumentation BASES BACKGROUND UFSAR Safety Design Basis (Ref. 1) requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes acceptable methods for selecting leakage detection systems. Limits on LEAKAGE from .the reactor coolant pressure boundary (RCPB) are required so that appropriate action can be taken before the integrity of the RCPB is impaired (Ref. 2). Leakage detection systems for the RCS are provided to alert the operators when leakage rates above normal background levels are detected and also to supply quantitative measurement of leakage rates. The Bases for LCO 3.4.4, "RCS Operational LEAKAGE," discuss the limits on RCS LEAKAGE rates. Systems for separating the LEAKAGE of an identified source from an unidentified source are necessary to provide prompt and quantitative information to the operators to permit them to take immediate corrective action. LEAKAGE from the RCPB inside the drywell is detected by at least one of two independently monitored variables, such as sump level changes and drywell gaseous radioactivity levels. The primary means of quantifying LEAKAGE in the drywell is the drywell floor drain sump monitoring system. The drywell floor drain sump monitoring system monitors the LEAKAGE collected in the floor drain sump. This unidentified LEAKAGE consists of LEAKAGE from control rod drives, valve flanges or packings, floor drains, the Reactor Building Closed Cooling Water System, and drywell air cooling unit condensate drains, and any LEAKAGE not collected in the drywell equipment drain sump. An alternate to the drywell floor drain sump monitoring system is the drywell equipment drain sump monitoring system, but only if the drywell floor drain sump is overflowing. The drywell equipment drain sump:collects not only all leakage not collected in the drywell floor drain sump, but also any overflow from the drywell floor drain sump. Therefore, if the drywell floor drain sump is (continued) PBAPS UNIT 3 B 3.4-24 Revision No. 0
RCS Leakage Detection Instrumentation B 3.4.5 BASES BACKGROUND overflowing to the drywell equipment drain sump, the drywell (continued) equipment drain sump monitoring system can be used to quantify LEAKAGE. In this condition, all LEAKAGE measured by the drywell equipment drain sump monitoring system is assumed to be unidentified LEAKAGE. The floor drain sump level indicators have switches that start and stop the sump pumps when required. If the sump fills to the high high level setpoint, an alarm sounds in the control room, indicating a LEAKAGE rate into the slump in excess of 50 gpm. A flow transmitter in the discharge line of the drywell floor drain sump pumps provides flow indication in the control room. The pumps can also be started from the control room. The primary containment air monitoring system continuously monitors the primary containment atmosphere for airborne gaseous radioactivity. A sudden increase of radioactivity, which may be attributed to RCPB steam or reactor water LEAKAGE, is annunciated in the control room. The primary containment atmosphere gaseous radioactivity monitoring system is not capable of quantifying LEAKAGE rates, bul: is sensitive enough to indicate increased LEAKAGE rates of 1 gpm within 1 hour. Larger changes in LEAKAGE rates are detected in proportionally shorter times (Ref. 3). APPLICABLE A threat of significant compromise to the RCPB exists if the SAFETY ANALYSES barrier contains a crack that is large enough to propagate rapidly. LEAKAGE rate limits are set low enough to defect the LEAKAGE emitted from a single crack in the RCPB (Refs. 4 and 5). Each of the leakage detection systems inside the drywell is designed with the capability of detecting LEAKAGE less than the established LEAKAGE rate limits. The allowed LEAKAGE rates are well below the rates predicted for critical crack sizes (Ref. 6). Therefore, these actions provide adequate response before a significant break in the RCPB can occur. RCS leakage detection instrumentation satisfies Criterion 1 of the NRC Policy Statement. (continued) PBAPS UNIT 3 B 3.4-25 Revision No. 0
RCS Leakage Detection Instrumentation B 3.4.5 BASES (continued) LCO The drywell sump monitoring system is required to quantify the unidentified LEAKAGE from the RCS. Thus, for the system to be considered OPERABLE, the system must be capable of measuring reactor coolant leakage. This may be accomplished by use of the associated drywell sump flow integrator, flow recorder, or the pump curves and drywell sump pump out time. The system consists of a) the drywell floor drain sump monitoring system, or b) the drywell equipment drain sump monitoring system, but only when the drywell floor drain sump is overflowing. The other monitoring system provides early alarms to the operators so closer examination of other detection systems will be made to determine the extent of any corrective action that may be required. With the leakage detection systems inoperable, monitoring for LEAKAGE in the RCPB is degraded. APPLICABILITY In MODES 1, 2, and 3, leakage detection systems are required to be OPERABLE to support LCO 3.4.4. This Applicability is consistent with that for LCO 3.4.4. ACTIONS A.1 With the drywell sump monitoring system inoperable, no other form of sampling can provide the equivalent information to quantify leakage. However, the primary containment atmospheric radioactivity monitor will provide indication of changes in leakage. With the drywell sump monitoring system inoperable, operation may continue for 24 hours. The 24 hour Completion Time is acceptable, based on operating experience, considering no other method to quantify leakage is available. B.1 and B.2 With the gaseous primary containment atmospheric monitoring channel inoperable, grab samples of the primary containment atmosphere must be taken and analyzed for gaseous radioactivity to provide periodic leakage information. Provided a sample is obtained and analyzed once every 12 hours, the plant may be operated for up to 30 days to allow restoration of the required monitor. (continued) PBAPS UNIT 3 B 3.4-26 Revision No. 0
RCS Leakage Detection Instrumentation B 3.4.5 BASES ACTIONS B.1 and B.2 (continued) The 12 hour interval provides periodic information that is adequate to detect LEAKAGE. The 30 day Completion Time for restoration recognizes that at least one other form of leakage detection is available. C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, tc' perform the actions in an orderly manner and without challenging plant systems. Dj With all required monitors inoperable, no required automatic means of monitoring LEAKAGE are available, and immediate plant shutdown in accordance with LCO 3.0.3 is required. SURVEILLANCE SR 3.4.5.1 REQUIREMENTS This SR is for the performance of a CHANNEL CHECK of the required primary containment atmospheric monitoring system. The check gives reasonable confidence that the channel is operating properly. The Frequency of 12 hours is based on instrument reliability and is reasonable for detecting off normal conditions. (continued) PBAPS UNIT 3 B 3.4-27 B3Revision No. 53
RCS Leakage Detection Instrumentation B 3.4.5 BASES SURVEILLANCE SR 3.4.5.2 REQU'IREMENTS (continued) This SR is for the performance of a CHANNEL FUNCTIONAL TEST of the required RCS leakage detection instrumentation. The test ensures that the monitors can perform their function in the desired manner. The test also verifies the alarm setpoint and relative accuracy of the instrument string. The Frequency of 31 days considers instrument reliability, and operating experience has shown it proper for detecting degradation. SR 3.4.5.3 This SR is for the performance of a CHANNEL CALIBRATION of required leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string. The Frequency is 92 days and operating experience has proven this Frequency is acceptable. REFERENCES 1. UFSAR, Section 4.10.2.
- 2. Regulatory Guide 1.45, May 1973.
- 3. UFSAR, Section 4.10.3.
- 4. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968.
- 5. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors," October 1975.
- 6. UFSAR, Section 4.10.4.
= ...
PBAPS UNIT 3 B 3.4-28 Revision No. 0
RCS Specific Activity 1l3.4.6 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.6 RCS Specific Activity BASES BACKGROUND During circulation, the reactor coolant acquires radioactive materials due to release of fission products from fueil leaks into the reactor coolant and activation of corrosion products in the reactor coolant. These radioactive materials in the reactor coolant can plate out in the RCS, and, at times, an accumulation will break away to spike the normal level of radioactivity. The release of coolant during a Design Basis Accident (DBA) could send radioactive materials into the environment. Limits on the maximum allowable level of radioactivity in the reactor coolant are established to ensure that in the event of a release of any radioactive material to the environment during a DBA, radiation doses are maintained within the limits of 10 CFR 100 (Ref. 1). This LCO contains the iodine specific activity limits. The iodine isotopic activities per gram of reactor coolant. are expressed in terms of a DOSE EQUIVALENT I-131. The allowable level is intended to limit the 2 hour radiation dose to an individual at the site boundary to well within the 10 CFR 100 limit. APPLICABLE Analytical methods and assumptions involving radioactive SAFETY ANALYSES material in the primary coolant are presented in the LIFSAR (Ref. 2). The specific activity in the reactor coolant (the source term) is an initial condition for evaluation of the consequences of an accident due to a main steam line treak (MSLB) outside containment. No fuel damage is postulated in the MSLB accident, and the release of radioactive material to the environment is assumed to end when the main steam isolation valves (MSIVs) close completely. This MSLB release forms the basis for determining offsite doses (Ref. 2). The limits on the specific activity cf the primary coolant ensure that the 2 hour thyroid and whale body doses at the site boundary, resulting from an MSLB outside containment during steady state operation, will not exceed the dose guidelines of 10 CFR 100. Ccontinued) PBAPS UNIT 3 B 3.4-29 Revision No. 0
RCS Specific Act ivity B 3.4.6 BASES APPLICABLE The limits on specific activity are values from a parametric SAFETY ANALYSES evaluation of typical site locations. These limits are (continued) conservative because the evaluation considered more restrictive parameters than for a specific site, such as the location of the site boundary and the meteorological conditions of the site. RCS specific activity satisfies Criterion 2 of the NRC Policy Statement. LCO The specific iodine activity is limited to < 0.2 pCi/gmn DOSE EQUIVALENT I-131. This limit ensures the source term assumed in the safety analysis for the MSLB is not exceeded, so any release of radioactivity to the environment during an MSLB is well within the 10 CFR 100 limits. APPLICABILITY In MODE 1, and MODES 2 and 3 with any main steam line not isolated, limits on the primary coolant radioactivity are applicable since there is an escape path for release of radioactive material from the primary coolant to the environment in the event of an MSLB outside of primary containment. In MODES 2 and 3 with the main steam lines isolated, such limits do not apply since an escape path does not exist. In MODES 4 and 5, no limits are required since the reactor is not pressurized and the potential for leakage is reduced. ACTIONS A.1 and A.2 When the reactor coolant specific activity exceeds the LCO DOSE EQUIVALENT 1-131 limit, but is - 4.0 pCi/gm, samples must be analyzed for DOSE EQUIVALENT I-131 at least once every 4 hours. In addition, the specific activity must be restored to the LCO limit within 48 hours. The Completion Time of once every 4 hours is based on the time needed to take and analyze a sample. The 48 hour Completion Tine to restore the activity level provides a reasonable time for temporary coolant activity increases (iodine spikes) t;o be cleaned up with the normal processing systems. {continued) PBAPS UNIT 3 8 3.4-30 -Revision No. 0
RCS Specific Activity B 3.4.6 BASES ACTIONS A.1 and A.2 (continued) A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S) while relying on the ACTIONS. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the plant remains at, or proceeds to, power operation. B.1. B.2.1. B.2.2.1, and B.2.2.2 If the DOSE EQUIVALENT I-131 cannot be restored to
- 0.2 pCi/gm within 48 hours, or if at any time it is > 4.0 jiCi/gm, it must be determined at least once every 4 hours and all the main steam lines must be isolated within 12 hours. Isolating the main steam lines precludes the possibility of releasing radioactive material to the environment in an-amount that is more than a small fraction of the requirements of 10 CFR 100 during a postulated MSLB accident.
Alternatively, the plant can be placed in MODE 3 within 12 hours and in MODE 4 within 36 hours. This option is provided for those instances when isolation of main steam lines is not desired (e.g., due to the decay heat loads). In MODE 4, the requirements of the LCO are no longer applicable. The Completion Time of once every 4 hours is the time needed to take and analyze a sample. The 12 hour Completion Time is reasonable, based on operating experience, to isolate the main steam lines in an orderly manner and without challenging plant systems. Also, the allowed Completion Times for Required Actions B.2.2.1 and B.2.2.2 for placing the unit in MODES 3 and 4 are reasonable, based on operating experience, to achieve the required plant-conditions from full power conditions in an orderly manner and without challenging plant systems. (continued) PBAPS UNIT 3 B 3.4-31 Revision No. 53
RCS Specific Activity B 3.4.6 BASES (continued) SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This Surveillance is performed to ensure iodine remains within limit during normal operation. The 7 day Frequency is adequate to trend changes in the iodine activity level. This SR is modified by a Note that requires this Surveillance to be performed only in MODE I because the level of fission products generated in other MODES is much less. REFERENCES 1. 10 CFR 100.11, 1973.
- 2. UFSAR, Section 14.6.5.
PBAPS UNIT 3 *B 3.4-32 Revision No. 0
RHR Shutdown Cooling System-Hot Shutdown E; 3.4.7 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat inust be removed to reduce the temperature of the reactor coolant to s 2120F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Hot Shutdown condition. The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR shutdown cooling subsystems per RHR System loop. Both loops have a common suction from the same recirculation loop. The four redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the High Pressure Service Water (HPSW) System. Any one of the four RHR shutdown cooling subsystems can provide the required decay heat removal function. APPLICABLE Decay heat removal by operation of the RHR System in the SAFETY ANALYSES shutdown cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement. LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, a HPSW pump capable of providing cooling to the heat exchanger, and the associated piping and valves. The two subsystems have a common suction source and are allowed to have common discharge piping. Since piping is a passive component that (continued) PBAPS UNIT 3 B 3.4-33 Revision No. 0
RHR Shutdown Cooling System-Hot Shutdown [3 3.4.7 BASI.S LCO is assumed not to fail, it is allowed to be common to both (continued) subsystems. Each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or locCl) in the shutdown cooling mode for removal of decay heat. In MODE 3, one RHR shutdown cooling subsystem can provide the required cooling, but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. Note 1 permits both required RHR shutdown cooling subsystems and recirculation pumps to be shut down for a period cf 2 hours in an 8 hour period. Note 2 allows one required RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy. APPLICABILITY In MODE 3 with reactor steam dome pressure below the RHR shutdown cooling isolation pressure (i.e., the actual pressure at which the RHR shutdown cooling isolation pressure setpoint clears) the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to reduce or maintain coolant temperature. Otherwise, a recirculation pump is required to be in operation. In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to the RHR shutdown cooling isolation pressure,.this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the RCS pressure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures greater than or equal to the RHR shutdown cooling isolation pressure is typically accomplished by condensing the steam in the main condenser. (continued) PBAPS UNIT 3 B 3.4-34 Revision No. 0
RHR Shutdown Cooling System-Hot Shutdown B 3.4.7 BASES APPLICABILITY Additionally, in MODE 2 below this pressure, the OPERABILITY (continued) requirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, "ECCS-Operating") do not allow placing the RHR shutdown cooling subsystem into operation. The requirements for decay heat removal in MODES 4 and 5 are discussed in LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown"; LCO 3.9.7, "Residual Heat Removal (RHR)-High Water Level"; and LCO 3.9.8, "Residual Heat Removal (RHR)-Low Water Level." ACTIONS A Note has been provided to modify the ACTIONS I related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem. A.1. A.2. and A.3 With one required RHR shutdown cooling subsystem inoperable for decay heat removal, except as permitted by LCO Note 2, the inoperable subsystem must be restored to OPERABLE status without delay. In this condition, the remaining OPERABLE subsystem can provide the necessary decay heat removal. The (continued) PBAPS UNIT 3 B 3.4 -35 Revision ND. 53
RHR Shutdown Cooling System-Hot Shutdown 133.4.7 BASES ACTIONS A.1. A.2. and A.3 (continued) overall reliability is reduced, however, because a single failure in the OPERABLE subsystem could result in reduced RHR shutdown cooling capability. Therefore, an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling.subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. The required cooling capacity of the alternate method should be ensured by verifying (by calculation-or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam Systems and the Reactor Water Cleanup System. However, due to the potentially reduced reliability of the alternate methods of decay heat removal, it is also required to reduce the reactor coolant temperature to the point where MODE 4 is entered. B.1. B.2. and B.3 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, reactor coolant circulation by the RHR shutdown cooling subsystem or recirculation pump must be restored without delay. Until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The L hour Completion Time is based on the coolant circulation function and is modified such that the ilhour is applicable separately for each occurrence involving a loss of coolant
,_continued)
PBAPS UNIT 3 B 3.4-36 Revision No. 0
RHR Shutdown Cooling System-Hot Shutdown B 3.4.7 BASES ACTIONS B.I. B.2. and B.3 (continued) circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours thereafter. This will provide assurance of continued temperature monitoring capability. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This Surveillance verifies that one required RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Frequency of 12 hours is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR subsystem in the control room. This Surveillance is modified by a Note allowing sufficient time to align the RHR System for shutdown cooling operation after clearing the pressure setpoint that isolates the system, or for placing a recirculation pump in operation. The Note takes exception to the requirements of the Surveillance being met (i.e., forced coolant circulation is not required for this initial 2 hour period), which aIso allows entry into the Applicability of this Specification in accordance with SR 3.0.4 since the Surveillance will not be "not met" at the time of entry into the Applicability.. REFERENCES None. PBAPS UNIT 3 B 3.4-37 Revision No. 0
RHR Shutdown Cooling System-Cold Shutdown B 3.4.8 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to maintain the temperature of the reactor coolant s 212F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Cold Shutdown condition. The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR shutdown cooling subsystems per RHR System loop. Both loops have a comnon suction from the same recirculation loop. The four redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the High Pressure Service Water (HPSW) System. Any one of the four RHR shutdown cooling subsystems can provide the requested decay heat removal function. APPLICABLE Decay heat removal by operation of the RHR System in the SAFETY ANALYSES shutdown cooling mode is not required for mitigation of any' event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement. LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one RHR shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump, one heat exchanger, a HPSW pump capable of providing cooling to the heat exchanger, and the associated piping and valves. The two subsystems have a common suction source and are allowed to have common discharge piping. Since piping is a passive component that is assumed not to fail, it is allowed to be common to both (continued) PBAPS UNIT 3 B 3.4-38 Revision No. 0
RHR Shutdown Cooling System-Cold Shutdown E. 3.4.8 BAS ES I LCO subsystems. In MODE 4, the RHR cross tie valve (continued) (MO-3-10-020) may be opened (per LCO 3.5.2) to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. In addition, the KPSW cross-tie valve may be opened to allow an HPSW pump in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem. Additionally, each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 4, orie RHR shutdown cooling subsystem can provide the required cooling, but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. Note 1 permits both required RHR shutdown cooling subsystems to be shut down for a period of 2 hours in an 8 hour period. Note 2 allows one required RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy. APPI.ICABILITY In MODE 4, the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to maintain coolant temperature below 2120F. Otherwise, a recirculation pump is required to be in operation. In MODES I and 2, and in MODE 3 with reactor steam done pressure greater than or equal to the RHR shutdown cooling isolation pressure, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the.RCS pressure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures above the RHR shutdown cooling isolation pressure is typically accomplished by condensing the steam in the main condenser. (continued) PBAPIS UNIT 3 B 3.4-39 Revision No. 1
RHR Shutdown Cooling System-Cold Shutdown E 3.4.8 BASES APPLICABILITY Additionally, in MODE 2 below this pressure, the OPERABILITY (continued) requirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, FECCS-Operating") do not allow placing the RHR shutdown cooling subsystem into operation. The requirements for decay heat removal in MODE 3 below the RHR shutdown cooling isolation pressure and in MODE 5 are discussed in LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown"; LCO 3.9.7, "Residual Heat Removal (RHR)-High Water Level"; and LCO 3.9.8, "Residual Heat Removal (RHR)-Low Water Level.' ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem. A.1 With one of the two required RHR shutdown cooling subsystems inoperable, except as permitted by LCO Note 2, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided-for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat {continued) PBAPS UNIT 3 B 3.4-40 Revision No. 0
RHR Shutdown Cooling System-Cold Shutdown 133.4.8 BASES ACTIONS A.1 (continued) removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will provide assurance of continued heat removal capability. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or-reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam Systems (feed and bleed) and the Reactor Water Cleanup System. B.1 and B.2 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, and until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The I hour Completion Time is based on the coolant circulation function and is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 Ihours thereafter. This will provide assurance of continued temperature monitoring capability. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate. (continued) PBAPS UNIT 3 B 3.4-41 Revision No. 0
RHR Shutdown Cooling System-Cold Shutdown 8 3.4.8 BASES (continued) SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This Surveillance verifies that one required RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Frequency of 12 hours is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR subsystem in the control room. REFERENCES None.
= =
PBAPS UNIT 3 B 3.4-42 Revision No. 0
RCS P/T Limits 133.4.9 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.9 RCS Pressure and Temperature (P/T) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic operation. The Specification contains P/T limit curves for heatup, cooldown, and inservice leakage and hydrostatic testing, and also limits the maximum rate of change of reactor coolant temperature. The criticality curve provides limits for both heatup and criticality. Each P/T limit curve defines an acceptable region for normal operation. The usual use of the curves is operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine that operation is within the allowable region. The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure. Therefore, the LCO limits apply to the vessel. 10 CFR 50, Appendix G (Ref. 1), requires the establishment of P/T limits for material fracture toughness requirements of the RCPB materials. Reference 1 requires an adequate margin to brittle failure during normal operation, abnormal operational transients, and system hydrostatic tests. It mandates the use of the ASME Code, Section III, Appendix G (Ref. 2). The actual shift in the RT,0T of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel material specimens, in accordance with the UFSAR (Ref. 3) and Appendix H of 10 CFR 50 (Ref. 4). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the recommendations of Reference 5. {continued) PBAPS UNIT 3 B 3.4-43 Revision No. 0
RCS P/T Limits B 3.4.9 BASES BACKGROUND The P/T limit curves are composite curves established by (continued) superimposing limits derived from stress-analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, one location within the reactor vessel will dictate the most restrictive limit. Across the span of the P/T limit curves, different locations are more restrictive, and, thus, the curves are composites of the most restrictive regions. The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients through the vessel wall are reversed. The thermal gradient reversal alters the location of the tensile stress between the outer and inner walls. The criticality limits include the Reference I requirement that they be at least 40OF above the heatup curve or the cooldown curve and not lower than 60F above the adjusted reference temperature of the reactor vessel material in the region that is controlling (reactor vessel flange region). The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the reactor pressure vessel, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components. ASME Code, Section XI, Appendix E (Ref. 6), provides a recommended methodology for evaluating an operating event that causes an excursion outside the limits. APPLICABLE The P/T limits are not derived from Design Basis Accident SAFETY ANALYSES (DBA) analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the reactor pressure vessel, a condition that is unanalyzed. Reference 7 approved the curves and limits specified in this section. Since the P/T limits are not derived from any DBA, there are no acceptance limits related to the P/T limits. Rather, the P/T limits are acceptance limits themselves since they preclude operation in an unanalyzed condition. 4(coni.inued) PBAPS UNIT 3 B 3.4-44 Revision No. 0
RCS P/1 Limits B 3.4.9 BASES APPLICABLE RCS P/T limits satisfy Criterion 2 of the NRC Policy SAFETY ANALYSES Statement. Ircontinued) LCO The elements of this LCO are:
- a. RCS pressure and temperature are within the limits specified in Figures 3.4.9-1 and 3.4.9-2, and heatup and cooldown rates are c 100F during RCS heatup, cooldown, and inservice leak and hydrostatic testing;
- b. The temperature difference between the reactor vessel bottom head coolant and the reactor pressure vessel (RPV) coolant is 5 145F during recirculation pump startup;
- c. The temperature difference between the reactor coolant in the respective recirculation loop and in the reactor vessel is s 50-F during recirculation pump startup;
- d. RCS pressure and temperature are within the criticality limits specified in Figure 3.4.9-3 prior to achieving criticality; and
- e. The reactor vessel flange and the head flange temperatures are > 70F when tensioning the reactor vessel head bolting studs.
These limits define allowable operating regions and permit a large number of operating cycles while also providing a wide margin to nonductile failure. The rate of change of temperature limits controls the thermal gradient through the vessel wall and is used as input for calculating the heatup, cooldown, and inservice leakage and hydrostatic testing P/T limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the P/T limit curves. (continued) PBAPS UNIT 3 B 3.4-45 Revision No. 0
RCS P/T Limits B 3.4.9 BASES LCO Violation of the limits places the reactor vessel outside of (continued) the bounds of the stress analyses and can increase stresses in other RCS components. The consequences depend on several factors, as follows:
- a. The severity of the departure from the allowable operating pressure temperature regime or the severity of the rate of change of temperature;
- b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and
- c. The existences, sizes, and orientations of flaws in the vessel material.
APPLICABILITY The potential for violating a P/T limit exists at all times. For example, P/T limit violations could result from anbient temperature conditions that result in the reactor vessel metal temperature being less than the minimum allowed temperature for boltup. Therefore, this LCO is applicable even when fuel is not loaded in the core. ACTI(ONS A.1 and A.2 Operation outside the P/T limits while in MODES 1, 2, and 3 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner. Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed if continued operation is desired. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. icontinued) PBAPS UNIT 3 B 3.4-46 Revision No. 0
RCS P/T Limits B 3.4.9 BASES ACTIONS A.1 and A.2 (continued) The 72 hour Completion Time is reasonable to accomplish the evaluation of a mild violation. More severe violations may require special, event specific stress analyses or inspections. 'A favorable evaluation must be completed if continued operation is desired. Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity. B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the plant must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With the reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased. Pressure and temperature are reduced by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. - C.1 and C.2 Operation outside the P/T limits in other than MODES 1, 2, and 3 (including defueled conditions) must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The Required Action must be initiated without delay and continued until the limits are restored. (cortinued) PBAPS UNIT 3 B 3.4-47 Revision No. 0
RCS P/T Limits 133.4.9 BASES ACTIONS C.1 and C.2 (continued) Besides restoring the P/T limit parameters to within limits, an evaluation is required to determine if RCS operation is allowed. This evaluation must verify that the RCPB integrity is acceptable and must be completed before approaching criticality or heating up to > 212*F. Several methods may be used, including comparison with pre-analyzed transients, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation; however, its use is restricted to evaluation of the beltline. SURYEILLANCE SR 3.4.9.1 REQUIREMENTS Verification that operation is within limits is required every 30 minutes when RCS pressure and temperature conditions are undergoing planned changes. Plant procedures specify the pressure and temperature monitoring points to be used during the performance of this Surveillance. This Frequency is considered reasonable in view of the control room indication available to monitor RCS status. AlSo, since temperature rate of change limits are specified in hourly increments, 30 minutes permits a reasonable time for assessment and correction of minor deviations. Surveillance for heatup, cooldown, or inservice leakage and hydrostatic testing may be discontinued when the criteria given in the relevant plant procedure for ending the activity are satisfied. This SR has been modified with a Note that requires this Surveillance to be performed only during system heatup and cooldown operations and inservice leakage and hydrostatic testing. SR 3.4.9.2 A separate limit is used when the reactor is approaching criticality. Consequently, the RCS pressure and temperature must be verified within the appropriate limits before withdrawing control rods that will make the reactor critical. (continued) PBAPS UNIT 3 B 3.4-48 Revision No. 0
RCS P/T Limits B 3.4.9 BASES SURVEILLANCE SR 3.4.9.2 (continued) REQUIREMENTS Performing the Surveillance within 15 minutes before control rod withdrawal for the purpose of achieving criticality provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the control rod withdrawal. SR 3.4.9.3 and SR 3.4.9.4 Differential temperatures within the applicable limits ensure that thermal stresses resulting from the startup of an idle recirculation pump will not exceed design allowances. In addition, compliance with these limits ensures that the assumptions of the analysis for the startup of an idle recirculation loop (Ref. 8) are satisfied. Performing the Surveillance within 15 minutes before starting the idle recirculation pump provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the idle pump start. An acceptable means of demonstrating compliance with the temperature differential requirement in SR 3.4.9.4 is to compare the temperatures of the operating recirculation loop and the idle loop. SR 3.4.9.3 and SR 3.4.9.4 have been modified by a Note that requires the Surveillance to be met only in MODES 1, 2, 3, and 4. In MODE 5, the overall stress on limiting components is lower. Therefore, AT limits are not required. The Note also states the SR is only required to be met during a recirculation pump startup, since this is when the stresses occur. SR 3.4.9.5. SR 3.4.9.6. and SR 3.4.9.7 Limits on the reactor vessel flange and head flange temperatures are generally bounded by the other P/T limits during system heatup and cooldown. However, operations approaching MODE 4 from MODE 5 and in MODE 4 with RCS temperature less than or equal to certain specified values require assurance that these temperatures meet the LCD limits. (continued) PBAPS UNIT 3 B 3.4-49 Revision No. 0
RCS P/T Limits 1B 3.4.9 BASES SURVEILLANCE SR 3.4.9.5. SR 3.4.9.6. and SR 3.4.9.7 (continued, REQUIREMENTS The flange temperatures must be verified to be above the limits 30 minutes before and while tensioning the vessel head bolting studs to ensure that once the head is tensioned the limits are satisfied. When in MODE 4 with RCS temperature s 80'F, 30 minute checks of the flange temperatures are required because of the reduced margin to the limits. When in MODE 4 with RCS temperature :5 1001F, monitoring of the flange temperature is required every 12 hours to ensure the temperature is within the limits specified. The 30 minute Frequency reflects the urgency of maintaining the temperatures within limits, and also limits the time that the temperature limits could be exceeded. The 12 hour Frequency is reasonable based on the rate of temperature change possible at these temperatures. SR 3.4.9.5 is modified by a Note that requires the Surveillance to be performed only when tensioning the reactor vessel head bolting studs. SR 3.4.9.6 is modified by a Note that requires the Surveillance to be initiated 30 minutes after RCS temperature c 80F in MODE 4. SR 3.4.9.7 is modified by a Note that requires the Surveillance to be initiated 12 hours after RCS temperature < lOO1F in MODE 4. The Notes contained in these SRs are necessary to specify when the reactor vessel flange and head flange temperatures are required to be verified to be within the limits specified. REFERENCES 1. 10 CFR 50, Appendix G.
- 2. ASME, Boiler and Pressure Vessel Code, Section I[I, Appendix G.
- 3. UFSAR, Section 4.2.6 and Appendix K.
- 4. 10 CFR 50, Appendix H.
- 5. Regulatory Guide 1.99, Revision 2, May 1988.
(continued) PBAPS UNIT 3 B 3.4-SO Revision No. 0
RCS Pfr Limits B 3.4.9 BASES REFERENCES 6. ASME, Boiler and Pressure Vessel Code, Section XI, (continued) Appendix E.
- 7. R.J. Clark (NRC) letter to G.J. Beck (PECo), Anmndment Nos. 162 and 164 to Facility Operating License Hos.
DPR-44 and DPR-56 for Peach Bottom Atomic Power Station Unit Nos. 2 and 3, dated June 27, 1991. 8.. UFSAR, Section 14.5.6.2. PBAPS UNIT 3 B 3.4-51 Revision No. 0
Reactor Steam Dome Pressure 8 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.10 Reactor Steam Dome Pressure BASES BACKGROUND The reactor steam dome pressure is an assumed value in the determination of compliance with reactor pressure vessel overpressure protection criteria and is also an assumed initial condition of design basis accidents and transients. APPLICABLE The reactor steam dome pressure of
- 1053 psig is an SAFETY ANALYSES initial condition of the vessel overpressure protection analysis of Reference 1. This analysis assumes an initial maximum reactor steam dome pressure and evaluates the response of the pressure relief system, primarily the safety/relief valves, during the limiting pressurization transient. The determination of compliance with the overpressure criteria is dependent on the initial reacLor steam dome pressure; therefore, the limit on this pressure ensures that the assumptions of the overpressure protection analysis are conserved. Reference 2 along with Reference 1 assumes an initial reactor steam dome pressure for the analysis of design basis accidents and transients used to determine the limits .for fuel cladding integrity (see Bases for LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and 1%
cladding plastic strain (see Bases for LCO 3.2.3, "LINI1AR HEAT GENERATION RATE (LHGR)"). Reactor steam dome pressure satisfies the requirements of Criterion 2 of the NRC Policy Statement. LCO The specified reactor steam dome pressure limit of
- 1053 psig ensures the plant is operated within the assumptions of the reactor overpressure protection analysis.
Operation above the limit may result in a transient response more severe than analyzed. APPLICABILITY In MODES 1 and 2, the reactor steam dome pressure is required to be less than or equal to the limit. In these MODES, the reactor may be generating significant steam and the events which may challenge the overpressure limits are possible. (conti nued) PBAPS UNIT 3 8 3.4-52 Revision No. 50
Reactor Steam Dome Pressure B 3.4.10 BASES APPLICABILITY In MODES 3, 4, and 5, the limit is not applicable because (continued) the reactor is shut down. In these MODES, the reactor pressure is well below the required limit, and no anticipated events will challenge the overpressure limits. ACTIONS A.1 With the reactor steam dome pressure greater than the limit, prompt action should be taken to reduce pressure to below the limit and return the reactor to operation within the bounds of the analyses. The 15 minute Completion Time is reasonable considering the importance of maintaining the pressure within limits. This Completion Time also ensures that the probability of an accident occurring while pressure is greater than the limit is minimized. B.1 If the reactor steam dome pressure cannot be restored to within the limit within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR: 3.4.10.1 REQUIREMENTS Verification that reactor steam dome pressure is - 1053 psig ensures that the initial conditions of the reactor overpressure protection analysis and design basis accidents are met. Operating experience has shown the 12 hour Frequency to be sufficient for identifying trends and verifying operation within safety analyses assumptions. REFERENCES 1. Letter G94-PEPR-002A, Peach Bottom Rerate Project Overpressure Analysis at LCO Dome Pressure, from G.V. Kumar (GE) to T.E. Shannon (PECo), January 18, 1994.
- 2. UFSAR, Chapter 14.
= . =
PBAP'S UNIT 3 B 3.4-53 Revision No. 0
ECCS-Operating B 3.5.1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.1 ECCS-Operating BASES BACKGROUND The ECCS are designed, in conjunction with the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during a LOCA. The ECCS network consists of the High Pressure Coolant Injection (HPCI) System, the Core Spray (CS) System,, the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System, and the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of providing a source of water for the HPCI and CS systems. On receipt of an initiation signal, ECCS pumps automatically start; simultaneously, the system aligns and the pumps inject water, taken either from the CST or suppression pool, into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps. Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed. The HPCI pump discharge pressure almost immediately exceeds that of the RCS, and the pump injects coolant into the vessel to cool the core. If the break is small, the HPCI System will maintain coolant inventory as well as vessel level while the RCS is still pressurized. If HPCI fails, it is backed up by ADS in combination with LPCI and CS. In this event, the ADS timed sequence would be allowed to time out and open the selected safety/relief valves (S/RVs) depressurizing the RCS, thus allowing the LPCI and CS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly and the LPCI and CS cool the core. Water from the break returns to the suppression pool where it is used again and again. Water in the suppression pool is circulated through an RHR System heat exchanger cooled by the High Pressure Service Water System. Depending on the location and size of the break, portions of the ECCS may be (continued) PBAPS UNIT 3 B 3.5-1 Revision No. 0
ECCS-Operating B 3.5.1 BASES BACKGROUND ineffective; however,the overall design is effective in (continued) cooling the core regardless of the size or location of the piping break. All ECCS subsystems are designed to ensure that no sirgle active component failure will prevent automatic initiation and successful operation of the minimum required ECCS equipment. The CS System (Ref. 1) is composed of two independent subsystems. Each subsystem consists of two 50% capacity motor driven pumps, a spray sparger above the core, and piping and valves to transfer water from the suppression pool to the sparger. The CS System is designed to provide cooling to the reactor core when reactor pressure is low. Upon receipt of an initiation signal, the CS pumps in both subsystems are automatically started (if offsite power is available, A and C pumps in approximately 13 seconds, and B and D pumps in approximately 23 seconds, and if offsite power is not available, all pumps 6 seconds after AC power is available). When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water from and to the suppression pool to allow testing of the CS System without spraying water in the RPV. LPCI is an independent operating mode of the RHR System. There are two LPCI subsystems (Ref. 2), each consisting of two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop. The two LPCI pumps and associated motor operated valves in each LPCI subsystem are powered from separate 4 kV emergency buses. Both pumps in a LPCI subsystem inject water into the reactor vessel through a common inboard injection valve and depend on the closure of the recirculation pump discharge valve following a LPCI injection signal. Therefore, each LPCI subsystems' common inboard injection valve and recirculation pump discharge valve is powered from one of the two 4 kV emergency buses associated with that subsystem (normal source) and has the capability for automatic transfer to the second 4 kV emergency bus associated with that LPCI subsystem. The ability to provide power to the inboard injection valve and the recirculation pump discharge valve from either 4 kV emergency bus associated with the LPCI subsystem ensures that the single failure of a diesel generator (DG) will not result in the failure of both LPCI pumps in one subsystem. (continued) PBAPS UNIT 3. B 3.5-2 Revision No. 0
- ECCS-Operating E 3.5.1 BASES BACKGROUND The two LPCI subsystems can be interconnected via the LPCI (continued) cross tie valve; however, the cross tie valve is maintained closed with its power removed to prevent loss of both LPCI subsystems during a LOCA. The LPCI subsystems are designed to provide core cooling at low RPV pressure. Upon receipt of an initiation signal, all four LPCI pumps are automatically started (if offsite power is available, A and B pumps in approximately 2 seconds and C and D pumps in approximately 8 seconds, and, if offsite power is not available, all pumps immediately after AC power is available). Since one DG supplies power to an RHR punip in both units, the RHR pump breakers are interlocked between units to prevent operation of an RHR pump from both units on one DG and potentially overloading the affected DG. RHR System valves in the LPCI flow path are automatically .
positioned to ensure the proper flow path for water from the suppression pool to inject into the recirculation loops. When the RPV pressure drops sufficiently, the LPCI flow to the RPV, via the corresponding recirculation loop, begins. The water then enters the reactor through the jet pumps. Full flow test lines are provided for the four LPCI pumps to route water to the suppression pool, to allow testing of the LPCI pumps without injecting water into the RPV. These test lines also provide suppression pool cooling capability, as described in LCO 3.6.2.3, 'RHR Suppression Pool Cooling.' The HPCI System (Ref. 3) consists of a steam driven turbine pump unit, piping, and valves to provide'steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping for the system is provided from the CST and the suppression pool. Pump suction for HPCI is normally aligned to the CST source to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low, or if the suppression pool level is high, an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the HPCI System. The steam supply to the HPCI turbine is piped from a main steam line upstream of the associated inboard main steam isolation valve. The HPCI System is designed to provide core cooling for a wide range of reactor pressures (150 psig to 1150 psic,). Upon receipt of an initiation signal, the HPCI turbine stop valve and turbine control valve open and the turbine accelerates to a specified speed. As the HPCI flow (continued) PBAPS UNIT 3 B 3.5-3 Revision No. 0
ECCS-Operating B 3.5.1 BASES BACKGROUND increases, the turbine governor valve is automatically (continued) adjusted to maintain design flow. Exhaust steam from the HPCI turbine is discharged to the suppression pool. P full flow test line is provided to route water back to the CST to allow testing of the HPCI System during normal operation without injecting water into the RPV. The ECCS pumps are provided with minimum flow bypass lines, which discharge to the suppression pool. The valves in these lines automatically open to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, all ECCS pump discharge lines are filled with water. The LPCI and CS System discharge lines are kept full of water using a "keep fill" system. The HPCI System is normally aligned to the CST. The height of water in the CST is sufficient to maintain the piping full of water up to the first isolation valve. The relative height of the feedwater line connection for HPCI is such that the water in the feedwater lines keeps the remaining port-ion of the HPCI discharge line full of water. Therefore, HPCI does not require a 'keep fill' system. The Nuclear System Pressure Relief System consists of 2 safety valves (SVs) and U1 safety/relief valves (S/RVs;). The ADS (Ref. 4) consists of 5 of the 11 S/RVs. It is designed to provide depressurization of the RCS during a small break LOCA if HPCI fails or is unable to maintain required water level in the RPV. ADS operation reduces the RPV pressure to within the operating pressure range oF the low pressure ECCS subsystems (CS and LPCI), so that these subsystems can provide coolant inventory makeup. Each of the S/RVs used for automatic depressurization is equipped with one nitrogen accumulator and associated inlet check valves. The accumulator provides the pneumatic power to actuate the valves. APPLICABLE The ECCS performance is evaluated for the entire spectrum of SAFETY ANALYSES break sizes for a postulated LOCA. The accidents for which ECCS operation is required are presented in Reference 5. The required analyses and assumptions are defined in Reference 6. The results of these analyses are described in Reference 7. (continued) PBAFIS UNIT 3 B 3.5-4 Revision No. 0
ECCS-Operating B 3.5.1 BASES APPLICABLE This LCO helps to ensure that the following acceptance SAFETY ANALYSES criteria for the ECCS, established by lo CFR 50.46 (Ref. 8), (continued) will be met following a LOCA, assuming the worst case single active component failure in the ECCS:
- a. Maximum fuel element cladding temperature is < 2200-F;
- b. Maximum cladding oxidation is < 0.17 times the total cladding thickness before oxidation;
- c. Maximum hydrogen generation from a zirconium water reaction is S 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;
- d. The core is maintained in a coolable geometry; arid
- e. Adequate long term cooling capability is maintaired.
The limiting single failures are discussed in Reference 7. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage. The ECCS satisfy Criterion 3 of the NRC Policy Statement. LCO Each ECCS injection/spray subsystem and five ADS valves are required to be OPERABLE. The ECCS injection/spray subsystems are defined as the two CS subsystems, the two LPCI subsystems, and one HPCI System. The low pressure ECCS injection/spray subsystems are defined as the two CS subsystems and the two LPCI subsystems. With less than the required number of ECCS subsystems OPERABLE, the potential exists that during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in Reference 8 could be exceeded. All ECCS subsystems must therefore be OPERABLE to satisfy the single failure criterion required by Reference 8. LPCI subsystems' may be considered OPERABLE during alignment and operation for decay heat removal when below the actual RHR shutdown cooling isolation pressure in MODE 3, if capable of being manually realigned (remote or local) to the (continued) PBAPS UNIT 3 B 3.5-5 Revision No. 0
ECCS-Operati ng B 3.5.1 BASES LCO LPCI mode and not otherwise inoperable. At these low (continued) pressures and decay heat levels, a reduced complement of ECCS subsystems should provide the required core cooling, thereby allowing operation of RHR shutdown cooling when necessary. One LPCI subsystem shall be considered inoperable during alignment and operation for Suppression Pool Cooling (one or both loops) to ensure compliance to Reference 7 single failure analyses (Ref. 11). APPLICABILITY All ECCS subsystems are required to be OPERABLE during MODES 1, 2, and 3, when there is considerable energy in the reactor core and core cooling would be required to prevent fuel damage in the event of a break in the primary system piping. In MODES 2 and 3, when reactor steam dome pressure is
- 150 psig, HPCI is not required to be OPERABLE because the low pressure ECCS subsystems can provide sufficient flow below this pressure. In MODES 2 and 3, when reactor steam dome pressure is
- 100 psig, ADS is not required to be OPERABLE because the low pressure ECCS subsystems can provide sufficient flow below this pressure. ECCS requirements for MODES 4 and 5 are specified in LCO 3.5.2, "ECCS-Shutdown."
ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable HPCI subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable HPCI subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. Al1 If any one low pressure ECCS injection/spray subsystem is inoperable, or if one LPCI pump in each subsystem is inoperable, all inoperable subsystems must be restored to OPERABLE status within 7 days (e.g., if one LPCI pump in each subsystem is inoperable, both must be restored within 7 days). In this Condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA. However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not, being able to perform its intended safety function. The 7 day Completion Time is based on a reliability study (Ref. 9) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (i.e., Completion Times). (continued) PBAP'i UNIT 3 .B3.5-6 Revision No. 53
ECCS-Operating B 3.5.1 BASES ACTIONS B.1 and B.2 (continued) If the inoperable low pressure ECCS subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. C.1 and C.2 If the HPCI System is inoperable and the RCIC System is immediately verified to be OPERABLE, the HPCI System oust be restored to OPERABLE status within 14 days. In this Condition, adequate core cooling is ensured by the OPERABILITY of the redundant and diverse low pressure ECCS injection/spray subsystems in conjunction with ADS. Also, the RCIC System will automatically provide makeup water at most reactor operating pressures. Immediate verification of RCIC OPERABILITY is therefore required when HPCI is inoperable. This may be performed as an administrative check by examining logs or other information to determine if RCIC is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate the OPERABILITY of the RCIC System. If the OPERABILITY of the RCIC System cannot be verified immediately, however, Condition E must be immediately entered. If a single active component fails concurrent with a design basis LOCA, there is a potential, depending on the specific failure, that the minimum required ECCS equipment will not be available. A 14 day Completion Time is based on a reliability study cited in Reference 9 and has been found to be acceptable through operating experience. D.1 and D.2 If any one low pressure ECCS injection/spray subsystem is inoperable in addition to an inoperable HPCI System, the inoperable low pressure ECCS injection/spray subsystem or the HPCI System must be restored to OPERABLE status within 72 hours. In this Condition, adequate core cooling is (continued) PBAP'S UNIT 3 B 3.5-7 Revision No. 0
ECCS- Oprating B 3.5.1 BASES ACTIONS D.1 and D.2 (continued) ensured by the OPERABILITY of the ADS and the remaining low pressure ECCS subsystems. However, the overall ECCS reliability is significantly reduced because a single failure in one of the remaining OPERABLE subsystems concurrent with a design basis LOCA may result in the ECCS not being able to perform its intended safety function. Since both a high pressure system (HPCI) and a low pressure subsystem are inoperable, a.more restrictive Completion Time of 72 hours is required to restore either the HPCI System or the low pressure ECCS injection/spray subsystem to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 9 and has been found to be acceptable through operating experience. E.1 and E.2 If any Required Action and associated Completion Time of Condition C or D is not met, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to
< 150 psig within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
F.1 The LCO requires five ADS valves to be OPERABLE in order to provide the ADS function. Reference 7 contains the results of an analysis that evaluated the effect of one ADS valve being out of service. Per this analysis, operation of only four ADS valves will provide the required depressurization. However, overall reliability of the ADS is reduced, because a single failure in the OPERABLE ADS valves could result in a reduction in depressurization capability. Therefore, operation is only allowed for a limited time. The 14 day Completion Time is based on a reliability study cited in Reference 9 and has been found to be acceptable through operating experience. _continued) PBAPS UNIT 3 B 3.5-8 Revision No. 0
ECCS -Operating B 3.5.1 BASES ACTIONS G.1 and G.2 (continued) If any one low pressure ECCS injection/spray subsystem is inoperable in addition to one inoperable ADS valve, adequate core cooling is ensured by the OPERABILITY of HPCI and the remaining low pressure ECCS injection/spray subsystem. However, overall ECCS reliability is reduced because < single active component failure concurrent with a design basis LOCA could result in the minimum required ECCS equipment not being available. Since both a high pressure system (ADS) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours is required to restore either the low pressure ECCS subsystem or the ADS valve to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 9 and has been found to be acceptable through operating experience. H.1 and H.2 If any Required Action and associated Completion Time of Condition F or G is not met, or if two or more ADS valves are inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to < 100 psig within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. 1.1 When multiple ECCS subsystems are inoperable (for reasons other than the second Condition of Condition A), as stated in Condition I, the plant is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately. SURVEILLANCE SR 3.5.1.1 REQUIIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the HPCI System, CS System, and LPCI subsystems full of water ensures that the ECCS will perform properly, (continued) PBAPS UNIT 3 B 3.5-9 Revision No. 0
ECCS-Operating B 3.5.1 BASE'S SURVEILLANCE SR 3.5.1.1 (continued) REQUIREMENTS injecting its full capacity into the RCS upon demand. This will also prevent a water hammer following an ECCS initiation signal. An acceptable method of ensuring that the lines are full is to vent at the high points. An acceptable method of ensuring the LPCI and CS System discharge lines are full is to verify the absence of the associated "keep fill" system accumulator alarms. The 31 day Frequency is based on the gradual nature of void buildup in the ECCS piping, the procedural controls governing system operation, and operating experience. SR 3.5.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves
- that cannot be inadvertently misaligned, such as check valves. For the HPCI System, this SR also includes the steam flow path for the turbine and the flow controller position.
The 31 day Frequency of this SR was derived from the Inservice Testing Program requirements for performing valve testing at least once every 92 days. The Frequency of 31 days is further justified because the valves are operated under procedural control and because improper valve position would only affect a single subsystem. This Frequency has been shown to be acceptable through operating experience. (contiqued) PBAP~'UNIT 3 B 3.5-10 Revision No. 57
ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.2 (continued) REQUIREMENTS This SR is modified by a Note that allows LPCI subsystems to be considered OPERABLE during alignment and operation for decay heat removal with reactor steam dome pressure less than the RHR shutdown cooling isolation pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. Manual realignment to the LPCI mode may also include opening the drag valve to establish the required LPCI subsystem flow rates. This allows operation in the RHR shutdown cooling mode during MODE 3, if necessary. SR 3.5.1.3 Verification every 31 days that ADS nitrogen supply header pressure is 2 85 psig ensures adequate air pressure for reliable ADS operation. The accumulator on each ADS valve provides pneumatic pressure for valve actuation. The design pneumatic supply pressure requirements for the accumulator are such that, following a failure of the pneumatic supply to the accumulator, at least two valve actuations can occur with the drywell at 70% of design pressure (Ref. 10). The ECCS safety analysis assumes only one actuation to achieve the depressurization required for operation of the low pressure ECCS. This minimum required pressure of 2 85 psig is provided by the ADS instrument air supply. The 31 djay Frequency takes into consideration administrative controls over operation of the air system and alarms for low air pressure. SR 3.5.1.4 Verification every 31 days that the LPCI cross tie valve is closed and power to its operator is disconnected ensures that each LPCI subsystem remains independent and a failure of the flow path in one subsystem will not affect the Flow path of the other LPCI subsystem. Acceptable methods Of removing power to the operator include de-energizing breaker control power or racking out or removing the breaker. If the LPCI cross tie valve is open or power has not been removed from the valve operator, both LPCI subsystems must be considered inoperable. The 31 day Frequency has been {continued) PBAPS UNIT 3 B 3.5-11 Revision No. 0
ECCS-Operating 133.5.1 BASES SURVEILLANCE SR 3.5.1.4 (continued) REQUIREMENTS found acceptable, considering that these valves are .under strict administrative controls that will ensure the valves continue to remain closed with either control or motive power removed.' SR 3.5.1.5 Cycling the recirculation pump discharge valves through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will close when required. Upon initiation of an automatic LPCI subsystem injection signal, these valves are required to be closed to ensure full LPCI subsystem flow injection in the reactor via the recirculation jet pumps. De-energizing the valve in the closed position will also ensure the proper flow path for the LPCI subsystem. Acceptable methods of de-energizing the valve include de-energizing breaker control power, racking out the breaker or removing the breaker. The specified Frequency is once during reactor startup before THERMAL POWER is > 25% RTP. However, this SR is modified by a Note that states the Surveillance is only required to be performed if the last performance was more than 31 days ago. Verification during reactor startup prior to reaching > 25% RTP is an exception to the normal Inservice Testing Program generic valve cycling Frequency of 92 days, but is considered acceptable due to the demonstrated reliability of these valves. If the valve is inoperable and in the open position, the associated LPCI subsystem must be declared inoperable. SR 3.5.1.6 Verification every 61 days of the automatic transfer between the normal and the alternate power source (4 kV emergency bus) for each LPCI subsystem inboard injection valve and each recirculation pump discharge valve demonstrates that AC electrical power will be available to operate these valves following loss of power to one of the 4 kV emergency buses. The ability to provide power to the inboard injection valve and the recirculation pump discharge valve from either 4 kV emergency bus associated with the LPCI subsystem ensures that the single failure of an DG will not result in the (continued) PBAPS UNIT 3 B 3.5-12 Revision No. 0
ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.6 (continued) REQUIREMENTS failure of both LPCI pumps in one subsystem. Therefore, failure of the automatic transfer capability will result in the inoperability of the affected LPCI subsystem. The 61 day Frequency has been found acceptable based on engineering judgment and operating experience. SR 3.5.1.7. SR 3.5.1.8. and SR 3.5.1.9 The performance requirements of the low pressure ECCS pumps are determined through application of the 10 CFR 50, Appendix K criteria (Ref. 6). This periodic Surveillance is performed to verify that the ECCS pumps will develop the flow rates required by the respective analyses. The low pressure ECCS pump flow rates ensure that adequate core cooling is provided to satisfy the acceptance criteria of Reference 8. The pump flow rates are verified against a system head equivalent to the RPV pressure expected during a LOCA. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure present during a LOCA. These values may be established by testing or analysis or during preoperational testing. To avoid damaging CS System valves during testing, throttling is not normally performed to obtain a system head corresponding to a reactor pressure of 2 105 psig. As such, SR 3.5.1.7 is modified by a Note to allow use of pump curves to determine equivalent values for flow rate and test pressure for the CS pumps in order to meet the Surveillance Requirement. The Note allows baseline testing at a system head corresponding to a reactor pressure of > 105 psig to be used to determine an equivalent flow value at the normal test pressure. This baseline testing is performed after any modification or repair that could affect system flow characteristics. The flow tests for the HPCI System are performed at two different pressure ranges such that system capability to provide rated flow is tested at both the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor (continued) PBAPS UNIT 3 B 3.5-13 Revision No. 0
ECCS - Operating ES3.5.1 BASES SURVEILLANCE SR 3.5.1.7. SR 3.5.1.8. and SR 3.5.1.9 (continued). REQUIREMENTS pressure when the HPCI System diverts steam flow. Reactor steam pressure must be s 1053 and 2 940 psig to perform SR 3.5.1.8 and greater than or equal to the Electro-Hydraulic Control (EHC) System minimum pressure set with the EHC System controlling pressure (EHC System begins controlling pressure at a nominal 150 psig) and s 175 psig to perform SR 3.5.1.9. Adequate steam flow is represented by at least 2 turbine bypass valves open. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these tests. Reactor startup is allowed prior to performing the low pressure Surveillance test because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance test is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that HPCI is inoperable. Therefore, SR 3.5.1.8 and SR 3.5.1.9 are modified by Notes that state the Surveillances are not required to be performed until 12 hours after the reactor steam pressure and flow are adequate to perform the test. The 92 day Frequency for SR 3.5.1.7 and SR 3.5.1.8 is consistent with the Inservice Testing Program requiremients. The 24 month Frequency for SR 3.5.1.9 is based on the need to perform the Surveillance under the conditions that apply just prior to or during a startup from a plant outage. Operating experience has shown that these components swill pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. SR 3.5.1.10 The ECCS subsystems are required to actuate automatically to perform their design functions. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCI, CS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions. This SR also ensures that either the HPCI System (continued) PBAPS UNIT 3 B 3.5-14 Revision No. 2
ECCS - Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.10 (continued) REQUIJIREM ENTS will automatically restart on an RPV low water level (Level
- 2) signal received subsequent to an RPV high water level (Level 8) trip or, if the initial RPV low water level (Level
- 2) signal was not manually reset, then the HPCI System will restart when the RPV high water level (Level 8) trip automatically clears, and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to provide complete testing of the assumed safety function.
The 24 month Frequency is based on the need to perform the Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components will pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. This SR is modified by a Note that excludes vessel injection/spray during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance. SR 3.5.1.11 The ADS designated S/RVs are required to actuate automatically upon receipt of specific initiation signals. A system functional test is performed to demonstrate that the mechanical portions of the ADS function (i.e., solenoids) operate as designed when initiated either ty an actual or simulated initiation signal, causing proper actuation of all the required components. SR 3.5.1.12 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function. The 24 month Frequency is based on the need to perform the Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components will icontinued) PBAPS UNIT 3 B 3.5-15 Revision No. 2
ECCS -Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.11 (continued) REQUIJIREMENTS pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be-acceptable from a reliability standpoint. This SR is modified by a Note that excludes valve actuation. This prevents an RPV pressure blowdown. SR 3.5.1.12 The pneumatic actuator of each ADS valve is stroked to verify that the second stage pilot disc rod is mechanically displaced when the actuator strokes. Second stage pilot rod movement is determined by the measurement of actuator rod travel. The total amount of movement of the second stage pilot rod from the valve closed position to the open position shall meet criteria established by the S/RV supplier. SRs 3.3.5.1.5 and 3.5.1.11 overlap this Surveillance to provide testing of the SRV depressurization mode function. Operating experience has shown that these components will pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. (continued) PBAPS UNIT 3 B 3.5-16 Revision ND. 25
ECCS-Operating B 3.5.1 BASES (continued) REFERENCES 1. UFSAR, Section 6.4.3.
- 2. UFSAR, Section 6.4.4.
- 3. UFSAR, Section 6.4.1.
- 4. UFSAR, Sections 4.4.5 and 6.4.2.
- 5. UFSAR, Section 14.6.
- 6. 10 CFR 50, Appendix K.
- 7. NEDC-32163P, "Peach Bottom Atomic Power Station Units 2 and 3 SAFER/GESTR-LOCA Loss of Coolant Accident Analysis," January 1993.
- 8. 10 CFR 50.46.
- 9. Memorandum from R.L. Baer (NRC) to V. Stello, Jr.
(NRC), "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
- 10. UFSAR, Section 10.17.6.
- 11. Issue Report 189167, Operability of RHR while in lest Modes/Torus Cooling.
PBAK UNIT 3 B 3.5-17 Revision No. 52
ECCS -SShutdown 13 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.2 ECCS-Shutdown BASES BACKGROUND A description of the Core Spray (CS) System and the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System is provided in the Bases for LCO 3.5.1, "ECCS-Operating." APPLICABLE The ECCS performance is evaluated for the entire spectrum SAFETY ANALYSES of break sizes for a postulated loss of coolant accident (LOCA). The long term cooling analysis following a design basis LOCA (Ref. 1) demonstrates that only one low pressure ECCS injection/spray subsystem is required, post LOCA, to maintain adequate reactor vessel water level in the event of an inadvertent vessel draindown. It is reasonable to assume, based on engineering judgement, that while in MODES 4 and 5 one low pressure ECCS injection/spray subsystem can maintain adequate reactor vessel water level. To provide redundancy, a minimum of two low pressure ECCS injection/ spray subsystems are required to be OPERABLE in MODES 4 and 5. The low pressure ECCS subsystems satisfy Criterion 3 of the NRC Policy Statement. ' LCO Two low pressure ECCS injection/spray subsystems are required to be OPERABLE. A low pressure ECCS injection/ spray subsystem consists of a CS subsystem or a LPCI subsystem. Each CS subsystem consists of two motor driven pumps, piping, and valves to transfer water from the suppression pool or condensate storage tank (CST) to the reactor pressure vessel (RPV). Each LPCI subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool to the RPV. Only a single LPCI pump is required per subsystem because of the larger injection capacity in relation to a CS subsystem. In MODES 4 and 5, the LPCI cross tie valve is not required to be closed. The necessary portions of the Emergency Service Water System are also required to provide appropriate cooling to each required ECCS subsystem. (continued) PBAPS UNIT 3 B 3.5-18 Revision No. 0
ECCS-Shutdown E;3.5.2 BASES LCO One LPCI subsystem may be aligned for decay heat removal and (continued) considered OPERABLE for the ECCS function, if it can be manually realigned (remote or local) to the LPCI mode and is not otherwise inoperable. Because of low pressure and low temperature conditions in MODES 4 and 5, sufficient time will be available to manually align and initiate LPCI subsystem operation to provide core cooling prior to postulated fuel uncovery. APPI.ICABILITY OPERABILITY of the low pressure ECCS injection/spray subsystems is required in MODES 4 and 5 to ensure adequate coolant inventory and sufficient heat removal capability for the irradiated fuel in the core in case of an inadvertent draindown of the vessel. Requirements for ECCS OPERAI3ILITY during MODES 1, 2, and 3 are discussed in the Applicability section of the Bases for LCO 3.5.1. ECCS subsystems are not required to be OPERABLE during MODE 5 with the spent fuel storage pool gates removed, the water level maintained at 2 458 inches above reactor pressure vessel instrument zero (20 ft 11 inches above the RPV flange), and no operations with a potential for draining the reactor vessel (OPDRVs) in progress. This provides sufficient coolant inventory to allow operator action to terminate the inventory loss prior to fuel uncovery in case of an inadvertent draindown. The Automatic Depressurization System is not required to be OPERABLE during MODES 4 and 5 because the RPV pressure is c 100 psig, and the CS System and the LPCI subsystems can provide core cooling without any depressurization of the primary system. The High Pressure Coolant Injection System is not required to be OPERABLE during MODES 4 and 5 since the low pressure ECCS injection/spray subsystems can provide sufficient flow to the vessel. ACTIONS A.1 and B.1 If any one required low pressure ECCS injection/spray subsystem is inoperable, an inoperable subsystem must be restored to OPERABLE status in 4 hours. In this Condition, the remaining OPERABLE subsystem can provide sufficient vessel flooding capability to recover from an inadvertent vessel draindown. However, overall system reliability is reduced because a single failure in the remaining OPERABLE (continued) PBAPS UNIT 3 B 3.5-19 Revision No. 0
ECCS-Shutdown B 3.5.2 BASES ACTIONS A.1 and B.1 (continued) subsystem concurrent with a vessel draindown could result in the ECCS not being able to perform its intended function. The 4 hour Completion Time for restoring the required low pressure ECCS injection/spray subsystem to OPERABLE status is based on engineering judgment that considered the remaining available subsystem and the low probability of a vessel draindown event. With the inoperable subsystem not restored to OPERABLE status in the required Completion Time, action must be immediately initiated to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. C.I. C.2. D.1. D.2. and D.3 With both of the required ECCS injection/spray subsystems inoperable, all coolant inventory makeup capability may be unavailable. Therefore, actions must immediately be initiated to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. One ECCS injection/spray subsystem must also be restored to OPERABLE status within 4 hours. If at least one low pressure ECCS injection/spray subsystem is not restored to OPERABLE status within the 4 hour Completion Time, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERAEBLE; one standby gas treatment subsystem for Unit 3 is OPERABLE; and secondary containment isolation capability (i.e., one isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability) in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactivity releases. OPERABILITY may be verified by an administrative check, or by examining logs or other information, to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. (continued) PBAPS UNIT 3 B 3.5-20 Revision No. 0
ECCS-Shutdown E,3.5.2 BASES ACTIONS C.1. C.2. D.1. D.2. and D.3 (continued) If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the Surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE. The 4 hour Completion Time to restore at least one low pressure ECCS injection/spray subsystem to OPERABLE status ensures that prompt action will be taken to provide the required cooling capacity or to initiate actions to place the plant in a condition that minimizes any potential fission product release to the environment. SURVEILLANCE SR 3.5.2.1 and SR 3.5.2.2 REQUIREMENTS The minimum water level of 11.0 feet required for the suppression pool is periodically verified to ensure that the suppression pool will provide adequate net positive suction head (NPSH) for the CS System and LPCI subsystem pumps, recirculation volume, and vortex prevention. With the suppression pool water level less than the required limit, all ECCS injection/spray subsystems are inoperable unless they are aligned to an OPERABLE CST. When suppression pool level is < 11.0 feet, the CS System is considered OPERABLE only if it can take suction from the CST, and the CST water level is sufficient to provide the required NPSH for the CS pump. Therefore, a verification that either the suppression pool water level is 2 11.1) feet or that CS is aligned to take suction from the CST and the CST contains ! 17.3 feet of water, equivalent to
> 90,976 gallons of water, ensures that the CS System can supply at least 50,000 gallons of makeup water to the RPV.
The unavailable volume of the CST for CS is at the 40,976 gallon level. However, as noted, only one required CS subsystem may take credit for the CST option during OPDRVs. During OPDRVs, the volume in the CST may not provide adequate makeup if the RPV were completely drained. Therefore, only one CS subsystem is allowed to use the CST. This ensures the other required ECCS subsystem has adequate makeup volume. (continued) PBAPS UNIT 3 B 3.5-21 Revision No. 0
ECCS -Shutdown E 3.5.2 BASE-S SURVEILLANCE SR 3.5.2.1 and SR 3.5.2.2 (continued) REQUIREMENTS The 12 hour Frequency of these SRs was developed considering operating experience related to suppression pool water level and CST water level variations and instrument drift during the applicable MODES. Furthermore, the 12 hour Frequency is considered adequate in view of other indications available in the control room to alert the operator to an abnormal suppression pool or CST water level condition. SR 3.5.2.3. SR 3.5.2.5. and SR 3.5.2.6 The Bases provided for SR 3.5.1.1, SR 3.5.1.7, and SR 3.5.1.10 are applicable to SR 3.5.2.3, SR 3.5.2.5, and SR 3.5.2.6, respectively. SR 3.5.2.4 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The 31 day Frequency is appropriate because the valves are operated under procedural control and the probability of their being mispositioned during this time period is low. In MODES 4 and 5, the RHR System may operate in the shutdown cooling mode to remove decay heat and sensible heat from the reactor. Therefore, RHR valves that are required for LPCI subsystem operation may be aligned for decay heat removal. Therefore, this SR is modified by a Note that allows one LPCI subsystem of the RHR System to be considered OPERABLE {continued) PBAP'S UNIT 3 B 3.5-22 Revision No. 0
ECCS-Shutdown E,3.5.2 BASES SURVEILLANCE SR 3.5.2.4 (continued) REQUIREMENTS for the ECCS function if all the required valves in the LPCI flow path can be manually realigned (remote or local) to allow injection into the RPV, and the system is not otherwise inoperable. Manual realignment to allow injection into the RPV in the LPCI mode may also include opening the drag valve to establish the required LPCI subsystem flow rate. This will ensure adequate core cooling if an inadvertent RPV draindown should occur. REFERENCES 1. NEDO-20566A, 'General Electric Company Analytical Model for Loss-of-Coolant Accident Analysis in Accordance with 10 CFR 50 Appendix K," September 1986. e PBAP'S UNIT 3 B 3.5-23 Revision No. 0
RCIC System [l3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.3 RCIC System BASES BACKGROUND The RCIC System is not part of the ECCS; however, the RCIC System is included with the ECCS section because of their similar functions. The RCIC System is designed to operate either automatically or manually following reactor pressure vessel (RPV) isolation accompanied by a loss of coolant flow from the feedwater system to provide adequate core cooling and control of the RPV water level. Under these conditions, the High Pressure Coolant Injection (HPCI) and RCIC systems perform similar functions. The RCIC System design requirements ensure that the criteria of Reference 1 are satisfied. The RCIC System (Ref. 2) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the
.turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping is provided from the condensate storage tank (CST) and the suppression pool. Pump suction is normally aligned to the CST to minimize injection of suppression pool water into the RPV.
However, if the CST water supply is low, an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the RCIC System. The steam supply to the turbine is piped from a main steam line upstream of the associated inboard main steam line isolation valve. The RCIC System is designed to provide core cooling for a wide range of reactor pressures 150 psig to 1150 psig. Upon receipt of an initiation signal, the RCIC turbine accelerates to a specified speed. As the RCIC flow increases, the turbine governor valve is automatically adjusted to maintain design flow. Exhaust steam from the RCIC turbine is discharged to the suppression pool. A full flow test line is provided to route water back to the CST to allow testing of the RCIC System during normal operation without injecting water into the RPV. _continued) PBAPS UNIT 3 B 3.5-24 Revision No. 0
RCIC System E;3.5.3 BASSES BACKGROUND The RCIC pump is provided with a minimum flow bypass line, (continued) which discharges to the suppression pool. The valve in this line automatically opens when the discharge line valves -are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, the RCIC System discharge piping is kept full of water. The RCIC System is normally aligned to the CST. The height of water in the CST is sufficient to maintain the piping full of water up to the first isolation valve. The relative height of the feedwater line connection for RCIC is such that the water in the feedwater lines keeps the remaining portion of the RC[C discharge line full of water. Therefore, RCIC does not require a 'keep fill' system. APPLICABLE The function of the RCIC System is to respond to transient SAFETY ANALYSES events by providing makeup coolant to the reactor. The RCIC System is not an Engineered Safeguard System and no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system satisfies Criterion 4 of the NRC Policy Statement. LCO The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the low pressure ECCS subsystems is not required in the event of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity for maintaining RPV inventory during an isolation event. APPLICABILITY The RCIC System is required to be OPERABLE during MODE 1, and MODES 2 and 3 with reactor steam dome pressure
> 150 psig, since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. In MODES 2 and 3 with reactor steam dome pressure < 150 psig, and in MODES 4 and 5, RCIC is not required to be OPERABLE since the low pressure ECCS injection/spray subsystems can provide sufficient flow to the RPV.
(continued) PBAPS UNIT 3 B 3.5-25 Revision No. 0
RCIC System B 3.5.3 BASES (continued) ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable RCIC system. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable RCIC system and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. A.1 and A.2 If the RCIC System is inoperable during MODE 1, or MODE 2 or 3 with reactor steam dome pressure > 150 psig, and the HPCI System is immediately verified to be OPERABLE, the RCIC System must be restored to OPERABLE status within 14 days. In this Condition, loss of the RCIC System will not affect the overall plant capability to provide makeup inventory at high reactor pressure since the HPCI System is the only high pressure system assumed to function during a loss of coolant accident (LOCA). OPERABILITY of HPCI is therefore immediately verified when the RCIC System is inoperable. This may be performed as an administrative check, by examining logs or other information, to determine if HPCI is out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the HPCI System. If the OPERABILITY of the HPCI System cannot be verified immediately, however, Condition B must be immediately entered. For certain transients and abnormal events with no LOCA, RCIC (as opposed to HPCI) is the preferred source of makeup coolant because of its relatively small capacity, which allows easier control of the RPV water level. Therefore, a limited time is allowed to restore the inoperable RCIC to OPERABLE status. The 14 day Completion Time is based on a reliability study (Ref. 3) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (AOTs). Because of similar functions of HPCI and RCIC, the AOTs (i.e., Completion Times) determined for HPCI are also applied to RCIC. B.1 and B.2 If the RCIC System cannot be restored to OPERABLE status within the associated Completion Time, or if the HPCI System is simultaneously inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to
- 150 psig within 36 hours. The allowed Completion Times (continued)
PBAPR UNIT 3 B 3.5-26 Revision No. 53
RCIC S'ystem B 3.5.3 BASES ACTIONS B.1 and B.2 (continued) are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.5.3.1 REQU[REMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge line of the RCIC System full of water ensures that the system will perform properly, injecting its full capacity into the Reactor Coolant System upon demand. This will also prevent a water hammer following an initiation signal. An acceptable method of ensuring the line is full is to vent at the high points. The 31 day Frequency is based on the gradual nature of void buildup in the RCIC piping, the procedural controls governing system operation, and operating experience. SR 3.5.3.2 Verifying the correct alignment for manual, power operated, and automatic valves in the RCIC flow path provides assurance that the proper flow path will exist for RCIC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prio" to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the RCIC System, this SR also includes the steam flow path for the turbine and the flow controller position. (continued) PBAPS UNIT 3 B 3.5-27 Revision No. '57
RCIC system B 3.5.3 BASES. SURVEILLANCE SR 3.5.3.2 (continued) REQUIREMENTS The 31 day Frequency of this SR was derived from the Inservice Testing Program requirements for performing valve testing at least once every 92 days. The Frequency of 31 days is further justified because the valves are operated under procedural control and because improper valve po:;ition would affect only the RCIC System. This Frequency has been shown to be acceptable through operating experience. SR 3.5.3.3 and SR 3.5.3.4 The RCIC pump flow rates ensure that the system can maintain reactor coolant inventory during pressurized conditions with the RPV isolated. The flow tests for the RCIC System are performed at two different pressure ranges such that system capability to provide rated flow is tested both at the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the RCIC System diverts steam flow. Reactor steam pressure must be
- 1053 and 2 940 psig to perform SR 3.5.3.3 and greater than or equal to the Electro-Hydraulic Control (EHC) System minimum pressure set with the EHC System controlling pressure (the EHC System begins controlling pressure at a nominal 150 psig) and s 175 psig to perform SR 3.5.3.4. Alternately, auxiliary steam can be used to perform SR 3.5.3.4. Adequate steam flow is represented by at least 2 turbine bypass valves open. Therefore, sufficient time is allowed after adequate.
pressure and flow are achieved to perform these SRs. Reactor startup is allowed prior to performing the low pressure Surveillance because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance is short. Alternately, the low pressure Surveillance test may be performed prior to startup using an auxiliary steam supply. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure Surveillance has been satisfactorily completed and there is no indication or reason to believe that RCIC is inoperable. Therefore, these SRs are modified by Notes that state the Surveillances are not required to be performed until 12 hours after the reactor steam pressure and flow are adequate to perform the test. (conti nued) PBAPS UNIT 3 8 3.5-28 Revision No. 43
RCIC System B 3.5.3 BASES SURVEILLANCE SR 3.5.3.3 and SR 3.5.3.4 (continued) REQUIREMENTS A 92 day Frequency for SR 3.5.3.3 is consistent with the Inservice Testing Program requirements. The 24 month Frequency for SR 3.5.3.4 is based on the need to perform the Surveillance under conditions that apply just prior to or during startup from a plant outage. Operating experience has shown that these components will pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. SR 3.5.3.5 The RCIC System is required to actuate automatically in order to verify its design function satisfactorily. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of the RCIC System will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence; that is, automatic pump startup and actuation of all automatic valves to their required-positions.. This test also ensures the RCIC System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool on low CST level. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.2 overlaps this Surveillance to provide complete testing of the assumed safety function. The 24 month Frequency is based on the need to perform the Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown that these components will pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. This SR is modified by a Note that excludes vessel injection during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance. (continued) PBAPS UNIT 3 B 3.5-29 Revision No. 0
RCIC System 133.5.3 BASES (continued) REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 4.7.
- 3. Memorandum from R.L. Baer (NRC) to V. Stello, Jr.
(NRC), Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
= =
PBAPS UNIT 3 B 3.5-30 Revision No. 0
Primary Containment B 3.6.1.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.1 Primary Containment BASES BACKGROUND The function of the primary containment is to isolate and contain fission products released from the Reactor Primary System following a Design Basis Accident (DBA) and to confine the postulated release of radioactive material. The I primary containment consists of a steel vessel, which surrounds the Reactor Primary System and provides an essentially leak tight barrier against an uncontrolled release of radioactive material to the environment. Portions of the steel vessel are surrounded by reinforced concrete for shielding purposes. The isolation devices for the penetrations in the primary containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:
- a. All penetrations required to be closed during accident conditions are either:
- 1. capable of being closed by an OPERABLE automatic Containment Isolation System, or
- 2. closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)";
- b. The primary containment air lock is OPERABLE, except as provided in LCO 3.6.1.2, "Primary Containment Air Lock"; and
- c. All equipment hatches are closed.
This Specification ensures that the performance of the primary containment, in the event of a DBA, meets the assumptions used in the safety analyses of Reference 1. SR 3.6.1.1.1 leakage rate requirements are in conformance with 10 CFR 50, Appendix J Option B (Ref. 3), as modified by approved exemptions. (continued) PBAPS UNIT 3 B 3.6-1 Revision No.27
Primary Containment B 3.6.1.1 BASES (continued) APPLICABLE The safety design basis for the primary containment is that SAFETY ANALYSES it must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate. The DBA that postulates the maximum release of radioactive material within primary containment is a LOCA. In the analysis of this accident, it is assumed that primary containment is OPERABLE such that release of fission products to the environment is controlled by the rate of primary containment leakage. Analytical methods and assumptions involving the primary containment are presented in Reference 1. The safety analyses assume a nonmechanistic fission product release following a DBA, which forms the basis for determination of offsite doses. The fission product release is, in turn, based on an assumed leakage rate from the primary containment. OPERABILITY of the primary containment ensures that the leakage rate assumed in the safety analyses is not exceeded. The maximum allowable leakage rate for the primary containment (L.) is 0.5% by weight of the containment air per 24 hours at the design basis LOCA maximum peak containment pressure (P.) of 49.1 psig. The value of P. (49.1 psig) is conservative with respect to the current calculated peak drywell pressure of 47.2 psig (Ref. 2). This value is 47.8 psig for operation with 90'F Final Feedwater Temperature Reduction (Ref. 7). Primary containment satisfies Criterion 3 of the NRC Policy Statement. LCO Primary containment OPERABILITY is maintained by limiting leakage to & 1.0 L., except prior to the first startup after performing a required Primary Containment Leakage Rate Testing Program leakage test. At this time, applicable leakage limits must be met. In addition, the leakage from the drywell to the suppression chamber must be limited to ensure the pressure suppression function is accomplished and the suppression chamber pressure does not exceed design limits. Compliance with this LCO will ensure a primary containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analyses. (continued) PBAPS UNIT 3 B 3.6-2 Revision No. 21
Primary Containment B 3.6.1.1 BASIE.S LCO Individual leakage rates specified for the primary (continued) containment air lock are addressed in LCO 3.6.1.2. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, primary containment is not required to be OPERABLE in MODES 4 and 5 to prevent leakage of radioactive material from primary containment. ACTIONS A.1 In the event primary containment is inoperable, primary containment must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining primary containment OPERABILITY during MODES 1, 2, and 3. This time period a!so ensures that the probability of an accident (requiring primary containment OPERABILITY) occurring during periods where primary containment is inoperable is minimal. B.1 and B.2 If primary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. TD achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed-Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner 2nd without challenging plant systems. SURVEILLANCE SR 3.6.1.1.1 REQUIREMENTS Maintaining the primary containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Primary Containment Leakage Rate I Testing Program. Failure to meet air lock leakage testing (SR 3.6.1.2.1), or main steam isolation (continued) PBAPS UNIT 3 B 3.6-3 Revision No. 6
Primary Containment B 3.6.1.1 BASES SURVEILLANCE SR 3.6.1.1.1 (continued) REQUIREMENTS valve leakage (SR 3.6.1.3.14), does not necessarily result in a failure of this SR. The impact of the failure to meet these SRs must be evaluated against the Type A, B, and C acceptance criteria of the Primary Containment Leakage Rate Testing Program. At s 1.0 L.the offsite dose consequences are bounded by the assumptions of the safety analysis. The Frequency is required by the Primary Containment Leakage Rate Testing Program. SR 3.6.1.1.2 Maintaining the pressure suppression function of primary containment requires limiting the leakage from the drymell to the suppression chamber. Thus, if an event were to occur that pressurized the drywell, the steam would be directed through the downcomers into the suppression pool. This SR is a leak test that confirms that the bypass area between the drywell and the suppression chamber is less than or equivalent to a one-inch diameter hole (Ref. 4). This ensures that the leakage paths that would bypass the suppression pool are within allowable limits. The leakage test is performed every 24 months. The 24 month Frequency was developed considering that component failures that might have affected this test are identified by other primary containment SRs. Two consecutive test failures, however, would indicate unexpected primary containment degradation; in this event, as the Note indicates, a test shall be performed at a Frequency of once every 12 months until two consecutive tests pass, at which time the 24 month test Frequency may be resumed. (continued) PBAPS UNIT 3 8 3.6-4 Revision No. 24
Primary Containment B 3.6.1.1 BASES (continued) l REFERENCES 1. UFSAR, Section 14.9.
- 2. Letter G94-PEPR-183, Peach Bottom Improved Technical Specification Project Increased Drywell and Suppression Chamber Pressure Analytical Limits, from G.V. Kumar (GE) to A.A. Winter (PECO), August 23, 1994.
- 3. 10 CFR 50, Appendix J, Option B.
- 4. Safety Evaluation by the Office of Nuclear Reactor Regulation Supporting Amendment Nos. 127 and 130 to Facility Operating License Nos. DPR-44 and DPR-56, dated February 18, 1988.
- 5. NEI 94-01, Revision 0, "Industry Guideline for Implementing Performance-Based Option of 10 CFR Fart 50, Appendix J."
- 6. ANSI/ANS-56.8-1994, 'Containment System Leakage Testing Requirements."
- 7. Peach Bottom Atomic Power Station Evaluation for Extended Final Feedwater Reduction, NEDC-32707P, Supplement 1, Revision 0, May, 1998.
PBAPS UNIT 3 B 3.-6-5 Revision 11o. 24
Primary Containment Air Lock B 1..6.1.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.2 Primary Containment Air Lock BASES
=
BACKGROUND One double door primary containment air lock has been built into the primary containment to provide personnel access to the drywell and to provide primary containment isolation during the process of personnel entering and exiting the drywell. The air lock is designed to withstand the same loads, temperatures, and peak design internal and external pressures as the primary containment (Ref. 1). As part of the primary containment, the air lock limits the release of radioactive material to the environment during normal unit operation and through a range of transients and accidents up to and including postulated Design Basis Accidents (DBAs). Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the riaximum expected pressure following a DBA in primary containment. Each of the doors contains a gasket seal to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in primary containment internal pressure results in increased sealing force on each door). Each air lock is nominally a right circular cylinder, 12 ft in diameter, with doors at each end that are interlocked to prevent simultaneous opening. During periods when primary containment is not required to be OPERABLE, the air lock interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent primary containment entry is necessary. Under some conditions as allowed by this LCO, the primary containment may be accessed through the air lock, when the interlock mechanism has failed, by manually performing the interlock function. The primary containment air lock forms part of the priimary containment pressure boundary. As such, air lock integrity and leak tightness are essential for maintaining primary containment leakage rate to within limits in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis. (continued) PBAPS-UNIT 3 B 3.6-6 Revision No. 0
Primary Containment Air Lock B 3.6.1.2 BASES (continued) APPLICABLE The DBA that postulates the maximum release of radioactive SAFETY ANALYSES material within primary containment is a LOCA. In the analysis of this accident, it is assumed that primary containment is OPERABLE, such that release of fission products to the environment is controlled by the rate cf primary containment leakage. The primary containment is designed with a maximum allowable leakage rate (L.) of 0.5% by weight of the containment air per 24 hours at the maximum peak containment pressure (P.) of 49.1 psig. The value of P. (49.1 psig) is conservative with respect to the current; calculated peak drywell pressure of 47.2 psig (Ref. 3). I This value is 47.8 psig for operation with 90*F Final Feedwater Temperature Reduction (Ref. 4). This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock. Primary containment air lock OPERABILITY is also required to minimize the amount of fission product gases that may escape primary containment through the air lock and contaminate and pressurize the secondary containment. The primary containment air lock satisfies Criterion 3 of the NRC Policy Statement. LCO As part of primary containment, the air lock's safety function is related to control of containment leakage rates following a DBA. Thus, the air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event. The primary containment air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door to be opened at a time. This provision ensures that a gross breach of primary containment does not exist when primary containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry and exit from primary containment. (continued) PBAPS UNIT 3 B 3.6-7 Revision Nlo. 21
Primary Containment Air Lock B 3.6.1.2 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the primary containment air lock is not required to be OPERABLE in MODES 4 and 5 to prevent leakage of radioactive material from primary containment. ACTIONS The ACTIONS are modified by Note 1, which allows entry and exit to perform repairs of the affected air lock component. If the outer door is inoperable, then it may be easily accessed to repair. If the inner door is the one that is inoperable, however, then a short time exists when the containment boundary is not intact (during access through the outer door). The ability to open the OPERABLE door, even if it means the primary containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize the primary containment during the short time in which the OPERABLE door is expected to be open. The OPERABLE door must be immediately closed after each entry and exit. The ACTIONS are modified by a second Note, which ensures appropriate remedial measures are taken when necessary. Pursuant to LCO 3.0.6, actions are not required, even if primary containment leakage is exceeding L.. Therefore, the Note is added to require ACTIONS for LCO 3.6.1.1, 'Primary Containment," to be taken in this event. A.I. A.2. and A.3 With one primary containment air lock door inoperable, the OPERABLE door must be verified closed (Required Action A.1) in the air lock. This ensures that a leak tight primary containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which requires that primary containment be restored to OPERABLE status within 1 hour. In addition, the air lock penetration must be isolated by locking closed the OPERABLE air lock door within the 24 hour Completion Time. The 24 hour Completion Time is considered (continued) PBAPS UNIT 3 B 3.6-8 Revision No. 0
Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS A.1. A.2. and A.3 (continued) reasonable for locking the OPERABLE air lock door, considering that the OPERABLE door is being maintained closed. Required Action A.3 ensures that the air lock with an inoperable door has been isolated by the use of a locked closed OPERABLE air lock door. This ensures that an acceptable primary containment leakage boundary is maintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and allows these doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small. The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls. Primary containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on TS-required equipment or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-related activities) if the primary containment was entered, using the inoperable air lock, to perform an allowed activity listed above. The administrative controls required consist of the stationing of a dedicated individual to assure closure of the OPERABLE door except during the entry and exit, and assuring the OPERABLE door is relocked after (continued) - PBAPS UNIT 3 B 3.6-9 Revision No. 0
Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS A.1. A.2. and A.3 (continued) completion of the containment entry and exit. This allowance is acceptable due to the low probability of an event that could pressurize the primary containment during the short time that the OPERABLE door is expected to be open. B.1. B.2. and B.3 With an air lock interlock mechanism inoperable, the Required Actions and associated Completion Times are consistent with those specified in Condition A. The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from the primary containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock). Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and that allows these *doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small. C.1. C.2. and C.3 If the air lock is inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be immediately initiated to evaluate containment overall leakage rates using current air lock leakage test results. An evaluation is acceptable since it is overly conservative to immediately declare the primary containment inoperable if the overall air lock leakage is not within
. __.. -- __ I PBAP'S UNIT 3 B 3.6-10 Revision No. 0
Primary Containment Airm Lock B 3.6.1.2 BASES ACTIONS C.1. C.2. and C.3 (continued) limits. In many instances (e.g., only one seal per door has failed), primary containment remains OPERABLE, yet only 1 hour (according to LCO 3.6.1.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with the overall air lock leakage not within limits, the overall containment leakage rate can still be within limits. Required Action C.2 requires that one door in the primary containment air lock must be verified closed. This action must be completed within the 1 hour Completion Time. This specified time period is consistent with the ACTIONS (if LCO 3.6.1.1, which require that primary containment be restored to OPERABLE status within 1 hour. Additionally, the air lock must be restored to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable for restoring an inoperable air lock to OPERABLE status considering that at least one door is maintained closed in the air lock. 0.1 and D.2 If the inoperable primary containment air lock cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.2.1 REQUUIREMENTS Maintaining primary containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Primary Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with respect to air lock leakage (Type B leakage tests). The acceptance criteria were established during initial air lock and primary containment OPERABILITY icontinued) . PBAPS UNIT 3 B 3.6-11 Revisicon No. 6
Primary Containment Air Lock B 3.6.1.2 BASES SURVEILLANCE SR 3.6.1.2.1 (continued) REQUIREMENTS testing. The periodic testing requirements verify that. the air lock leakage -does not exceed the allowed fraction cf the overall primary containment leakage rate. The Frequency is required by the Primary Containment Leakage Rate Testing Program. The SR has been modified by two Notes. Note I states..that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 requires the results of air lock leakage tests to be evaluated against the acceptance criteria of the Primary Containment Leakage Rate Testing Program, 5.5.12. This ensures that the air lock leakage is properly accounted for in determining the combined Type B and C primary containment leakage. SR 3.6.1.2.2 The air lock interlock mechanism is designed to prevent simultaneous opening of both doors in the air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident primary containment pressure, closure of either door will support primary containment OPERABILITY. Thus, the interlock feature supports primary containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous inner and outer door opening will not inadvertently occur. Due to the purely mechanical nature of this interlock, and given that the interlock mechanism is only challenged when primary containment is entered, this test is only required to be performed upon entering primary containment, but is not required more frequently than 184 days when primary containment is de-inerted. The 184 day Frequency is based on engineering judgment and is considered adequate in view of other administrative controls available to operations personnel. (continued) PBAPS UNIT 3 B 3.6i-12 Revision No. 6
Primary Containment Air Lock B 3.6.1.2 BASES (continued) REFERENCES 1. UFSAR, Section 5.2.3.4.5.
- 2. 10 CFR 50, Appendix J, Option B.
- 3. Letter G94-PEPR-183,. Peach Bottom Improved Technical Specification Project Increased Drywell and Suppression Chamber Pressure Analytical Limits, from G.V. Kumar (GE) to A.A. Winter (PECo), August 23, 1994.
- 4. Peach Bottom Atomic Power Station Evaluation for Extended Final Feedwater Reduction, NEDC-32707P, Supplement 1, Revision 0, May, 1998.
PBAPS UNIT 3 B 3.6-13 Revision No. 21
PCIVs B :3.6.1.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.3 Primary Containment Isolation Valves (PCIVs) BAS ES BACKGROUND The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) to within limits. Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. The OPERABILITY requirements for PCIVs help ensure that an adequate primary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. Therefore, the OPERABILITY requirements provide assurance that primary containment function assumed in the safety analyses will be maintained. These isolation devices are either passive or active (automatic). Closed manual valves, de-activated automatic valves secured *in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves and other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakagei that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system. The reactor building-to-suppression chamber vacuum breakers and the scram discharge volume vent and drain valves each serve a dual function, one of which is primary containment isolation. However, since the other safety functions of the vacuum breakers and the scram discharge volume vent and drain valves would not be available if the normal PCIII actions were taken, the PCIV OPERABILITY requirements are not applicable to the reactor building-to-suppression chamber vacuum breaker valves and the scram discharge volume vent and drain valves. Similar Surveillance Requirements in the LCO for the reactor building-to-suppression chamber vacuum breakers and the LCO for the scram discharge volume (continued) PBAFS UNIT 3 B 3.6-14 Revision No. 0
PCIVs B 3.6.1.3 BASES BACKGROUND vent and drain valves provide assurance that the isolation (continued) capability is available without conflicting with the vacuum relief or scram discharge volume vent and drain functions. The primary containment purge lines are 18 inches in diameter; exhaust lines are 18 inches in diameter. In addition, a 6 inch line from the Containment Atmospheric Control (CAC) System is also provided to purge primary containment. The 6 and 18 inch primary containment purge valves and the 18 inch primary containment exhaust valves are normally maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. However, containment purging with the 18 inch purge and exhaust valves is permitted for inerting, de-inerting., and pressure control. Included in the scope of the de-inerting is the need to purge containment to ensure personnel safety during the performance of inspections beneficial to nuclear safety; e.g., inspection of primary coolant integrity during plant startups and shutdowns. Adjustments in primary containment pressure to perform tests such as the drywell-to-suppression chamber bypass leakage test are included within the scope of pressure control purging. Purging for humidity and temperature control using the 18 inch valves is excluded. The isolation valves on the 18 inch vent lines have 2 inch bypass lines around them for use during normal reactor operation when the 18 inch valves cannot be opened. Two additional redundant Standby Gas Treatment (SGT) isolation valves are, provided on the vent line upstream of the SGT System filter trains. These isolation valves, together with the PCIVs, will prevent high pressure from reaching the SGT System filter trains in the unlikely event of a loss of coolant accident (LOCA) during venting. The Safety Grade Instrument Gas (SGIG) System supplies pressurized nitrogen gas (from the Containment Atmospheric Dilution (CAD) System liquid nitrogen storage tank) as a safety grade pneumatic source to the CAC System purge and exhaust isolation valve inflatable seals, the reactor building-to-suppression chamber vacuum breaker air operated isolation valves and inflatable seal, and the CAC and CAD Systems vent control air operated valves. The SGIG System thus performs two distinct post-LOCA functions: (1) supports containment isolation and (2) supports CAD System vent operation. SGIG System requirements are addressed for fcontinued) PBAPS UNIT 3 B 3.6-15 Revision No. 0
PCIVs B :3.6.1.3 BASES BACKGROUND each of the supported system and components in LCO 3.6.1.3, (continued) "Primary Containment Isolation Valves (PCIVs)," LCO 3.6.1.5,
'Reactor Building-to-Suppression Chamber Vacuum Breakers,"
and LCO 3.6.3.1, "Containment Atmospheric Dilution (CAD) System." For the SGIG System, liquid nitrogen from the CAD System liquid nitrogen storage tank passes through the CAD System liquid nitrogen vaporizer where it is converted to a gas. The gas then flows into a Unit 2 header and a Unit 3 header separated by two manual globe valves. From each header, the gas then branches to each valve operator or valve seal supplied by the SGIG System. Each branch *is separated from the header by a manual globe valve and a check valve. To support SGIG System functions, the CAD System liquid nitrogen storage tank minimum required level is a 16 inches water column and a minimum required SGIG System header pressure of 80 psig. Minimum requirements for the CAI) System liquid nitrogen storage tank to support CAD System OPERABILITY are specified in LCO 3.6.3.1, "Containment: Atmospheric Dilution (CAD) System." APPLICABLE The PC1Vs LCO was derived from the assumptions related to SAFETY ANALYSES minimizing the loss of reactor coolant inventory, and establishing the primary containment boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO. The DBAs that result in a release of radioactive material and are mitigated by PCIVs are a LOCA and a main steani line break (MSLB). In the analysis for each of these accidents, it is assumed that PCIVs are either closed or close within the required isolation times following event initiation. This ensures that potential paths to the environment through PCIVs (including primary containment purge valves) are minimized. Of the events analyzed in Reference 1, the LOCA is a limiting event due to radiological consequences. The closure time of the main steam isolation valves (MSIV;) is the most significant variable from a radiological standpoint. The MSIVs are required to close within 3 to 5 seconds after signal generation. Likewise, it is assumed that the primary containment is isolated such that release of fission products to the environment is controlled. (continued) PBAPS UNIT 3 B 3.6-16 Revision No. 0
PCIVs B ;.6.1.3 BASES APPLICABLE The DBA analysis assumes that within 60 -seconds of the SAFETY ANALYSES accident, isolation of the primary containment is complete (continued) and leakage is terminated, except for the maximum allowable leakage rate, L . The primary containment isolation total response time ot 60 seconds includes signal delay, diesel generator startup (for loss of offsite power), and PCIV stroke times. The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the primary containment purge and exhaust valves. Two valves in series on each purge and exhau;t line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred. PCIVs satisfy Criterion 3 of the NRC Policy Statement.. LCO PCIVs form a part of the primary containment boundary. The PCIV safety function is related to minimizing the loss of the reactor coolant inventory and establishing the primary containment boundary during a DBA. The power operated, automatic isolation valves are required to have isolation times within limits and actuate on ain automatic isolation signal. In addition, for the CAC System purge and exhaust isolation valves to be considered OPERABLE, the SGIG System supplying nitrogen gas to the inflatable seals of the valves must be OPERABLE. While the reactor building-to-suppression chamber vacuum breakers and the scram discharge volume vent and drain valves isolate primary containment penetrations, they are excluded from this Specification. Controls on their isolation function are adequately addressed in LCO 3.1.8, "Scram Discharge Volume (SDV) Vent and Drain Valves," and LCO 3.6.1.5,
'Reactor Building-to-Suppression Chamber Vacuum Breakers.'
The valves covered by this LCO are listed with their associated stroke times in Reference 2. The required stroke time is the stroke time listed in Reference 2, or the Inservice Testing Program which ever is more conservative. The normally closed PCIVs are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic valves are (continued) PBAPS UNIT 3 B 3.6-17 Revision No. 2
PCIVs B 3.6.1.3 BASES LCO de-activated and secured in their closed position, blind (continued) flanges are in place, and closed systems are intact. These passive isolation valves and devices are those listed in I Reference 2 and Reference 5. MSIVs must meet additional leakage rate requirements. Other PCIV leakage rates are addressed by LCO 3.6.1.1, Primary Containment,' as Type B or C testing. This LCO provides assurance that the PCIVs will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the primary containment boundary during accidents. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, most PCIVs are not required to be OPERABLE and the primary containment purge and exhaust valves are not required to be normally closed in MODES 4 and 5. Certain valves, however, are required to be OPERABLE to prevent inadvertent reactor vessel draindown. These valves are those whose associated instrumentation is required to be OPERABLE per LCO 3.3.6.1, "Primary Containment Isolation Instrumentation." (This does not include the valves that isolate the associated instrumentation.) ACTHONS The ACTIONS are modified by a Note allowing penetration flow path(s) except for purge or exhaust valve flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated. Due to the size Of the primary containment purge line penetration and the fact that those penetrations exhaust directly from the containment atmosphere to the environment, the penetration flow path containing these valves is not allowed to be operated under administrative controls. (continued) PBAPS UNIT 3 B 3.6-18 Revision No. 2
PCIVs B 3.6.1.3 BASES ACTIONS A second Note has been added to provide clarification that, (continued) for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable F'CIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable PCIVs are governed by subsequent Condition entry and application of associated Required Actions. The ACTIONS are modified by Notes 3 and 4. Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable PCIV (e.g., an Emergency Core Cooling Systems subsystem is inoperable due to a failed open test return valve). Note 4 ensures appropriate remedial actions are taken when the primary containment leakage limits are exceeded. Pursuant to LCO 3.0.6, these actions would not be required even when the associated LCO is not met. Therefore, Notes 3 and 4 are added to require the proper actions be taken. A.1 and A.2 With one or more penetration flow paths with one PCIV inoperable except for MSIV leakage not within limit, the affected penetration flow paths must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available valve to the primary containment. The Required Action must be completed within the 4 hour Completion Time (8 hours for main steam lines). The Completion Time of 4 hours is reasonable considering the time required to isolate the penetration and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. For main steam lines, an 8 hour Completion Time is allowed. The Completion Time of 8 hours for the main steam lines (continued) PBAPS UNIT 3 B 3.6-19 Revision No. 0
PCIVs B 3.6.1.3 BASEIS ACTIONS A.1 and A.2 (continued) allows a period of time to restore the MSIVs to OPERAELE status given the fact that MSIV closure will result in isolation of the main steam line(s) and a potential for plant shutdown. For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration flow path(s) must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those devices outside containment and capable of potertially being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside primary containment" is appropriate because the devices are operated under administrative controls and the probability of their misalignment is low. For the devices inside primary containment, the time period specified "prior to entering MODE 2 or 3 from MODE 4, if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility cf the devices and other administrative controls ensuring that device misalignment is an unlikely possibility. Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two PCIVs. For penetration flow-paths with one FCIV, Condition C provides the appropriate Required Actions. Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas, and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low. (continued) PBAPS UNIT 3 B 3.6-20 Revision No. 0
PCIVs B .3.6.1.3 BAS ES ACT[ONS B.I (continued) With one or more penetration flow paths with two PCIV; inoperable except due to MSIV leakage not within limit, either the inoperable PCIVs must be restored to OPERA13LE status or the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1. Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two PCIVs. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. C.1 and C.2 With one or more penetration flow paths with one PCIV inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange.- A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within 4 hours for lines other than excess flow check valve (EFCV) lines and 12 hours for EFCV lines. The Completion Time of 4 hours is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. The Completion Time of 12 hours is reasonable considering the instrument and the small pipe diameter of penetration (hence, reliability) to act as a penetration isolation boundary and the small pipe diameter of the affected penetrations. For affected penetrations that have been isolated in accordance with Required Action C.1, the affected penetration flow path(s) must be verified to be isolated on I LulI ua PBAPS UNIT 3 B 3.6-21 Revision No. 0
PCIVs B 3.6.1.3 BASES ACTIONS C.1 and C.2 (continued) a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside primary containment' is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low. For the valves inside primary containment, the time period specified "prior to entering MODE 2 or 3 from MODE 4, if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility cf the valves and other administrative controls ensuring that. valve misalignment is an unlikely possibility. Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one PCIV. For penetration flow paths with two PCIVs, Conditions A and B provide the appropriate Required Actions. Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low. D.1 With any MSIV leakage rate not within limit, the assumptions of the safety analysis are not met. Therefore, the leakage must be restored to within limit within 8 hours. Restoration can be accomplished by isolating the penetration that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated, the leakage (continued) PBAPS UNIT 3 B 3.6-22 Revision No. 0
PCIVs B S.6.1.3 BASIES ACTiONS D.1 (continued) rate for the isolated penetration is assumed to be the actual pathway leakage through the isolation device. If two isolation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 8 hour Completion Titie is reasonable considering the time required to restore the leakage by isolating the penetration, the fact that MSIV closure will result in isolation of the main steam line and a potential for plant shutdown, and the relative importance of MSIV leakage to the overall containment function. E.1 and E.2 If any Required Action and associated Completion Time cannot be met in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve thi; status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. F.I and F.2 If any Required Action and associated Completion Time cannot be met for PCIV(s) required to be OPERABLE during MODE 4 or 5, the unit must be placed in a condition in which the LCO does not apply. Action must be immediately initiated to suspend operations with a potential for draining the reactor vessel (OPDRVs) to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended and valve(s) are restored to OPERABLE status. If suspending an OPDRV would result in closing the residual heat removal (RHR) shutdown cooling isolation valves, an alternative Required Action is provided to imnediately initiate action to restore the valve(s) to OPERABLE status. This allows RHR to remain in service while actions are being taken to restore the valve. (continued) PBAPS UNIT 3 B 3.6i-23 Revision No. 0
PCIVs B 3.6.1.3 BASES (continued) SURVEILLANCE SR 3.6.1.3.1 REQUIREMENTS Verifying that the level in the CAD liquid nitrogen tank is 2 16 inches water column will ensure at least 7 days of post-LOCA SGIG System operation. This minimum volume of liquid nitrogen allows sufficient time after an accident to replenish the nitrogen supply in order to maintain the containment isolation function. The level is verified every 24 hours to ensure that the system is capable of performing its intended isolation function when required. The 24 hour Frequency is based on operating experience, which has shown to be an acceptable period to verify liquid nitrogen supply. The 24 hour Frequency also signifies the importance of the SGIG System for maintaining the containment isolation function of the primary containment purge and exhaust valves. SR 3.6.1.3.2 This SR ensures that the pressure in the SGIG System header is 2 80 psig. This ensures that the post-LOCA nitrogen pressure provided to the valve operators and valve seals is adequate for the SGIG System to perform its design function. The 24 hour Frequency was developed considering the importance of the SGIG System for maintaining the containment isolation function. The 24 hour frequency is also considered to be adequate to ensure timely detection of any breach in the SGIG System which would render the system incapable of performing its isolation function. SR 3.6.1.3.3 This SR ensures that the primary containment purge and exhaust valves are closed as required or, if open, open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable (Condition A applies). The SR is modified by a Note stating that the SR is not required to be met when the purge and exhaust valves are open for the stated reasons. The Note states that these valves may be opened for inerting, de-inerting, pressure control, ALARA or air quality considerations for personnel entry, or Surveillances that require the valves to be open. The 6 inch and 18 inch purge valves and 18 inch exhaust (continued) PBAPS UNIT 3 B 3.6-24 Revision No. 0
PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.3 (continued) REQUIREMENTS valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open For limited periods of time. The 31 day Frequency is consistent with other PCIV requirements discussed in SR 3.6.1.3.4. SR 3.6.1.3.4 This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those PCIVs outside primary containment, and capable of being mispositioned, are in the correct position. Since verification of valve position for PCIVs outside primary containment is relatively easy, the 31 day Frequency was chosen to provide added assurance that the PCIVs are in the correct positions. Three Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. A third Note states that performance of the SR is not required for test taps with a diameter < 1 inch. It is the intent that this SR must still be met, but actual performance is riot required for test taps with a diameter < 1 inch. The Note 3 allowance is consistent with the original plant licensing basis. (continued) PBAPS UNIT 3 B 3.6-25 Revision No. 0
PCIVs B 3.6.1.3 BAS ES SURVEI LLANCE SR 3.6.1.3.5 REQUIREMENTS (continued) This SR verifies that each primary containment manual isolation valve and blind flange that is located inside primary containment and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. For PCIVs inside primary containment, the Frequency defined as "prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is appropriate since these PCIVs are operated under administrative controls and the probability of their misalignment is low. Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in their proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. SR 3.6.1.3.6 The traversing incore probe (TIP) shear isolation valves are actuated by explosive charges. Surveillance of explosive charge continuity provides assurance that TIP valves will actuate when required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The 31 day Frequency is based on operating experience that has demonstrated the reliability of the explosive charge continuity. SR' 3.6.1.3.7 Verifying the correct alignment for each manual valve in the SGIG System required flow paths provides assurance that. the proper flow paths exist for system operation. This SR does not apply to valves that are locked or otherwise secured in (continued) PBAP'; UNIT 3 B 3.6-26 Revision No. 0
PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.7 (continued) REQUIREMENTS position, since these valves were verified to be in the correct position prior to locking or securing. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. SR 3.6.1.3.8 Verifying the isolation time of each power operated and each automatic PCIV is within limits is required to demonstrate OPERABILITY. MSIVs may be excluded from this SR since MSIV full closure isolation time is demonstrated by SR 3.6.1.3.9. The isolation time test ensures that the valve will isolate in a time period less than or equal to that assumed in the safety analyses. The isolation time is in accordance with Reference 2 or the requirements of the Inservice Testing Program which ever is more conservative. The Frequency of this SR is in accordance with the requirements of the Inservice Testing Program. SR 3.6.1.3.9 Verifying that the isolation time of each MSIV is within the specified limits is required to demonstrate OPERABILITY. The isolation time test ensures that the MSIV will isolate in a time period that does not exceed the times assumed in the DBA analyses. This ensures that the calculated radiological consequences of these events remain within 10 CFR 100 limits. The Frequency of this SR is in accordance with the requirements of the Inservice Testing Program. SR 3.6.1.3.10 Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a DBA. This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM (continued} PBAP'; UNIT 3 B 3.6-27 Revision No. 2
PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.10 (continued) REQUIREMENTS FUNCTIONAL TEST in LCO 3.3.6.1 overlaps this SR to provide complete testing of the safety function. The 24 month Frequency was developed considering it is prudent that this Surveillance be performed only during a unit outage since isolation of penetrations would eliminate cooling water flow and disrupt the normal operation of many critical components. Operating experience has shown that these components will usually pass this Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. SR 3.6.1.3.11 This SR requires a demonstration that a representative sample of reactor instrumentation line excess flow check valves (EFCVs) is OPERABLE by verifying that the valve actuates to the isolation position on a simulated instrument line break signal. The representative sample consists of an approximately equal number of EFCVs, such that each EFCV is tested at least once every 10 years (nominal). In addition, the EFCVs in the sample are representative of the various plant configurations, models sizes and operating environments. This ensures that any potentiall common problem with a specific type or application of GFCV is detected at the earliest possible time. This SR provides assurance that the instrumentation line EFCVs will oerform so that predicted radiological consequences will not be exceeded during a postulated instrument line break event. The nominal 10 year interval is based on other performance-based testing programs, such as Inservice Testing (snubbers) and Option B to 10 CFR 50 Appendix J. Furthermore, any EFCV failures will be evaluated to determine if additional testing in that test interval is warranted to ensure overall reliability is maintained. Operating experience has demonstrated that these components are highly reliable and that failures to isolate are very infrequent. Therefore, testing of a representative sample was concluded to be acceptable from a reliability standpoint. For some EFCVs, this Surveillance can be performed with the reactor at power. SR 3.6.1.3.12 The TIP shear isolation valves are actuated by explosive charges. An in place functional test is not possible with this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required. The replacement charge for the explosive squib shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired. The Frequency of 24 months on a STAGGERED TEST BASIS is considered adequate given the administrative controls on replacement charges and the frequent checks of circuit continuity (SR 3.6.1.3.6). (continued) PBAPS UNIT 3 B 3.6-28 Revision No. 37
PCIVs 8 3.6.1.3 13ASES SURVEILLANCE SR 3.6.1.3.13 REQUIREMENTS (continued) This SR ensures that in case the non-safety grade instrument air system is unavailable, the SGIG System will perform its design function to supply nitrogen gas at the required pressure for valve operators and valve seals supported by the SGIG System. The 24 month Frequency was developed considering it is prudent that this Surveillance be performed only during a plant outage. Operating experience has shown that these components will usually pass this Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. SR 3.6.1.3.14 Leakage through each MSIV must be s 11.5 scfh when tested at 2 P, (25 psig). The analyses in Reference 1 are based-on treatment of MSIV leakage as a secondary containment bypass leakage, independent of a primary to secondary containment leakage analyzed at 1.27 L.. In the Reference 1 analysis all 4 steam lines are assumed to leak at the TS Limit. This ensures that MSIV leakage is properly accounted for in determining the overall impacts of primary containmert leakage. The Frequency is required by the Primary Containment Leakage Rate Testing Program. SR 3.6.1.3.15 Verifying the opening of each 6 inch and 18 inch primary containment purge valve and each 18 inch primary containment exhaust valve is restricted by a blocking device to less than or equal to the required maximum opening angle specified in the UFSAR (Ref. 4) is required to ensure that the valves can close under DBA conditions within the times in the analysis of Reference 1. If a LOCA occurs, the purge and exhaust valves must close to maintain primary containment leakage within the values assumed in the accident analysis. At other times pressurization concerns are not present, thus the purge and exhaust valves caln be fully open. The 24 month Frequency is appropriate because the blocking devices may be removed during a refueling outage.
-conl:inued)
PBAPS UNIT 3 B 3.6-29 Revision No. 24
PCI Vs 1I3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.16 REQUIREMENTS (continued) The inflatable seal of each 6 inch and 18 inch primary containment purge valve and each 18 inch primary containment I exhaust valve must be replaced every 96 months. This will allow the opportunity for replacement before gross leakage failure occurs. REFERENCES 1. UFSAR, Chapter 14.
- 2. UFSAR, Table 7.3.1.
- 3. 30 CFR 50, Appendix 3, Option B.
- 4. UFSAR, Table 7.3.1, Note 17.
- 5. UFSAR, Table 5.2.2.
PBAPS UNIT 3 B 3.6-30 Revision No. 16 Anernment No. 223
Drywell Air Temperature B 3.6.1.4 B ;3.6 CONTAINMENT SYSTEMS B :3.6.1.4 Drywell Air Temperature BASES BACKGROUND The drywell contains the reactor vessel and piping, which add heat to the airspace. Drywell coolers remove heat and maintain a suitable environment. The average airspace temperature affects the calculated response to postulated Design Basis Accidents (DBAs). The limitation on the drywell average air temperature was developed as reasonable, based on operating experience. The limitation on drywell air temperature is used in the Reference 1 safety analyses. APPLICABLE Primary containment performance is evaluated for a SAfETY ANALYSES spectrum of break sizes for postulated loss of coolant accidents (LOCAs) (Ref. 1). Among the inputs to the design basis analysis is the initial drywell average air temperature {Ref. 1). Analyses assume an initial average drywell air temperature of 145 0F. This limitation ensures that the safety analysis remains valid by maintaining the expected initial conditions and ensures that the peak LOCA drywell temperature does not exceed the maximum allowable temperature of 281'F (Ref. 2) except for a brief periDd of less than 20 seconds which was determined to be acceptable I in References 1 and 3. Exceeding this design temperature may result in the degradation of the primary containment structure under accident loads. Equipment inside primary containment required to mitigate the effects of a DBA is designed to operate and be capable of operating under environmental conditions expected for the accident. Drywell air temperature satisfies Criterion 2 of the NRC Policy Statement. LCO In the event of a DBA, with an initial drywell average air temperature less than or equal to the LCO temperature limit, the resultant peak accident temperature is maintained within acceptable limits for the drywell. As a result, the ability of primary containment to perform its design function is ensured.
. (continued)
PBARS UNIT 3 B 3.6-31 Revision No. 20
Drywell Air Temperature B 3.6.1.4 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining drywell average air temperature within the limit is not required in MODE 4 or S. ACTIONS A.1 With drywell average air temperature not within the limit of the LCO, drywell average air temperature must be restored within 8 hours. The Required Action is necessary to return operation to within the bounds of the primary containment analysis. The 8 hour Completion Time is acceptable, considering the sensitivity of the analysis to variations in this parameter, and provides sufficient time to correct: minor problems. B.1 and B.2 If the drywell average air temperature cannot be restored to within the limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does riot apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly mariner and without challenging plant systems. SURVEILLANCE SR 3.6.1.4.1 REQUIREMENTS Verifying that the drywell average air temperature is within the LCO limit ensures that operation remains within the limits assumed for the primary containment analyses. Drywell air temperature is monitored in various quadrants and at various elevations. Due to the shape of the drywell, a volumetric average is used to determine an accurate representation of the actual average temperature. {continued) PBAPS UNIT 3 B 3.6-32 Revision No. 0
Drywell Air Temperature B 3.6.1.4 BASES SURVEILLANCE SR 3.6.1.4.1 (continued) REQUIREMENTS The 24 hour Frequency of the SR was developed based on operating experience related to drywell average air temperature variations and temperature dependent drift of instrumentation located in the drywell during the applicable MODES and the low probability of a DBA occurring between surveillances. Furthermore, the 24 hour Frequency is considered adequate in view of other indications available in the control room, to alert the operator to an abnormal drywell air temperature condition. REFERENCES 1. Letter G94-PEPR-183, Peach Bottom Improved Technical Specification Project Increased Drywell and Suppression Chamber Pressure Analytical Limits, from G.V. Kumar (GE) to A.A. Winter (PECO), August 23, 1994.
- 2. UFSAR, Section 5.2.3.1.
- 3. Peach Bottom Atomic Power Station Evaluation for Extended Final Feedwater Reduction, NEDC-32707P, Supplement 1, Revision 0, May, 1998.
PBAPS UNIT 3 B 3.6-33 Revision Ho. 21
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.5 Reactor Building-to-Suppression Chamber Vacuum Breakers BASES BACKGROUND The function of the reactor building-to-suppression chamber vacuum breakers is to relieve vacuum when primary containment depressurizes below reactor building pressure. If the drywell depressurizes below reactor building pressure, the negative differential pressure is mitigated by flow through the reactor building-to-suppression chamber vacuum breakers and through the suppression-chamber-to-drywell vacuum breakers. The design of the external (reactor building-to-suppression chamber) vacuum relief provisions consists of two vacuum breakers (a check valve and an air operated butterfly valve), located in series in each of two lines from the reactor building to the suppression chamber airspace. The butterfly valve is actuated by a differential pressure signal. The check valve is self actuating and can be manually operated for testing purposes. The two vacuum breakers in series must be closed to maintain a leak tight primary containment boundary. A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, primary containment spray actuation, and steam condensation in the event of a primary system rupture. Reactor building-to-suppression chamber vacuum breakers prevent an excessive negative differential pressure across the primary-containment boundary. Cooling cycles result in minor pressure transients in the drywell, which occur slowly and are normally controlled by heating and ventilation equipment. Inadvertent spray actuation results in a significant negative pressure transient and is the design basis event postulated in sizing the external (reactor building-to-suppression chamber) vacuum breakers. The external vacuum breakers are sized on the basis of the air flow from the secondary containment that is required to mitigate the depressurization transient and limit the maximum negative containment (suppression chamber) pressure to within design limits. The maximum depressurization rate is a function of the primary containment spray flow rate and temperature and the assumed initial conditions of the (continued) PBAP'; UNIT 3 B.3.6-34 Revision No. 0
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 BASES BACKGROUND suppression chamber atmosphere. Low spray temperatures and (continued) atmospheric conditions that yield the minimum amount of contained noncondensible gases are assumed for conservatism. The Safety Grade Instrument Gas (SGIG) System supplies pressurized nitrogen gas (from the Containment Atmospheric Dilution (CAD) System liquid nitrogen storage tank) as a safety grade pneumatic source to the CAC System purge and exhaust isolation valve inflatable seals, the reactor building-to-suppression chamber vacuum breaker air operated isolation butterfly valves and inflatable seal, and the CAC and CA[) Systems vent control air operated valves. The SGIG System thus performs two distinct post-LOCA functions: (1) supports containment isolation and (2) supports CAD System vent operation. SGIG System requirements are addressed for each of the supported system and components in LCO 3.16.1.3, "Primary Containment Isolation Valves (PCIVs)," LCO 3.6.1.5,
'Reactor Building-to-Suppression Chamber Vacuum Breakers,"
and LCO 3.6.3.1, "Containment Atmospheric Dilution (CAD) System." For the SGIG System, liquid nitrogen from the CAD System liquid nitrogen storage tank passes through the CAD System liquid nitrogen vaporizer where it is converted to a gas. The gas then flows into a Unit 2 header and a Unit 3 header separated by two manual globe valves. From each header, the gas then branches to each valve operator or valve seal supplied by the SGIG System. Each branch is separated from the header by a manual globe valve and a check valve. To support SGIG System functions, the CAD System liquid nitrogen storage tank minimum required level is a 16 inches water column and a minimum required SGIG System header pressure of 80 psig. Minimum requirements for the CAI) System liquid nitrogen storage tank to support CAD System OPERABILITY are specified in LCO 3.6.3.1, "Containment Atmospheric Dilution (CAD) System." APPLICABLE Analytical methods and assumptions involving the reactor SAFETY ANALYSES building-to-suppression chamber vacuum breakers are used as part of the accident response of the containment systems. Internal (suppression-chamber-to-drywell) and external {reactor building-to-suppression chamber) vacuum breakers (continued) PBAPS UNIT 3 B 3.6-35 Revision No. 0
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 BASES APPLICABLE are provided as part of the primary containment to limit the SAFETY ANALYSES negative differential pressure across the drywell and (continued) suppression chamber walls, which form part of the primary containment boundary. The safety analyses assume the external vacuum breakers to be closed initially and to be fully open at 0.75 psid. Additionally, of the four reactor building-to-suppression chamber vacuum breakers (two in each of the two lines from the reactor building-to-suppression chamber airspace), one is assumed to fail in a closed position to satisfy the single active failure criterion. Design Basis Accident (DBA) analyses require the vacuum breakers to be closed initially and to remain closed and leak tight with positive primary containment pressure. Three cases were considered in the safety analyses to determine the adequacy of the external vacuum breakers:
- a. A small break loss of coolant accident followed by actuation of both drywell spray loops;
- b. Inadvertent actuation of one drywell spray loop during normal operation; and
- c. A postulated DBA assuming low pressure coolant injection flow out the loss of coolant accident break, which condenses the drywell steam.
The results of these three cases show that the external vacuum breakers, with an opening setpoint of 0.75 psid, are capable of maintaining the differential pressure within design limits. The reactor building-to-suppression chamber vacuum breakers satisfy Criterion 3 of the NRC Policy Statement. i LCO All reactor building-to-suppression chamber vacuum breakers are required to be OPERABLE to satisfy the'assumptions used in the safety analyses. The requirement ensures that the two vacuum breakers (check valve and air operated butterfly valve) in each of the two lines from the reactor building to (continued) PBAPS UNIT 3 B 3.6-36 Revision No. 0
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 BASES LCO the suppression chamber airspace are closed. Also, the (continued) requirement ensures both vacuum breakers in each line will open to relieve a negative pressure in the suppression chamber (except during testing or when performing their intended function). In addition, for the reactor building-to-suppression chamber vacuum breakers to be considered OPERABLE and closed, the SGIG System supplying nitrogen gas to the air operated valves and inflatable seal of the vacuum breakers must. be OPERABLE. APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture, which purges the drywell of air and fills the drywell free airspace with steam. Subsequent condensation of the steam would result in depressurization of the drywell. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside primary containment could also occur due to inadvertent initiation of the Drywell Spray System.
-InMODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining reactor building-to-suppression chamber vacuum breakers OPERABLE is.
not required in MODE 4 or 5. ACTIONS A Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. A.1 With one or more lines with one vacuum breaker not closed, the leak tight primary containment boundary may be threatened. Therefore, the inoperable vacuum breaker; must be restored to OPERABLE status or the open vacuum breaker closed within 72 hours. The 72 hour Completion Time is consistent with requirements for inoperable suppression chamber-to-drywell vacuum breakers in LCO 3.6.1.6, (continued) PBAFIS UNIT 3 B 3.6-37 Revision No. 0
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 BASES ACTI[ONS A.1. (continued)
"Suppression Chamber-to-Drywell Vacuum Breakers." The 72 hour Completion Time takes into account the redundant capability afforded by the remaining breakers, the fact that the OPERABLE breaker in each of the lines is closed, and the low probability of an event occurring that would require the vacuum breakers to be OPERABLE during this period.
B.1 With one or more lines with two vacuum breakers not closed, primary containment integrity is not maintained. Therefore, one open vacuum breaker must be closed within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, "Primary Containment," which requires that primary containment be restored to OPERABLE status within 1 hour. C. 1 With one line with one or more vacuum breakers inoperable for opening, the leak tight primary containment boundary is intact. The ability to mitigate an event that causes a containment depressurization is threatened if one or more vacuum breakers in at least one vacuum breaker penetration are not OPERABLE. Therefore, the inoperable vacuum breaker must be restored to OPERABLE status within 72 hours. This is consistent with the Completion Time for Condition A and the fact that the leak tight primary containment boundary is being maintained. D.1 With two lines with one or more vacuum breakers inoperable for opening, the primary containment boundary is intact. However, in the event of a containment depressurization, the function of the vacuum breakers is lost. Therefore, all vacuum breakers in one line must be restored to OPERABLE status within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which' requires that primary containment be restored to OPERABLE status within 1 hour. tcontinued) PBAP'; UNIT 3 B.3.6-38 Revision No. 0
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 BASES ACTIONS E.1 and E.2 (continued) If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.5.1 REQUIREMENTS Verifying that the level in the. CAD liquid nitrogen tank is
> 16 inches water column will ensure at least 7 days of post-LOCA SGIG System operation. This minimum volume (if liquid nitrogen allows sufficient time after an accident to replenish the nitrogen supply in order to maintain the design function of the reactor building-to-suppression vacuum breakers. The level is verified every 24 hours to ensure that the system is capable of performing its intended isolation function when required. The 24 hour Frequency is based on operating experience, which has shown to be an acceptable period to verify liquid nitrogen supply. The 24 hour Frequency also signifies the importance of the SG[G System for maintaining the design function of the reactor building-to-suppression chamber vacuum breakers.
SR 3.6.1.5.2 This SR ensures that the pressure in the SGIG System header is> 80 psig. This ensures that the post-LOCA nitrogen pressure provided to the valve operators and valve seals that is adequate for the SGIG to perform its design function. The 24 hour Frequency was developed considering the importance of the SGIG System for maintaining the design function of the reactor building-to-suppression chamber vacuum breakers. The 24 hour Frequency is also considered to be adequate to ensure timely detection of any breach in the SGIG System which would render the system incapable of performing its function. (continued) PBAPS UNIT 3 B 3.6-39 Revision No. 0
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 BASES SURVEILLANCE SR 3.6.1.5.3 REQUIREMENTS (continued) Each vacuum breaker is verified to be closed to ensure that a potential breach in the primary containment boundary is not present. This Surveillance is performed by observing local or control room indications of vacuum breaker position or by verifying a differential pressure of 0.75 psid is maintained between the reactor building and suppression chamber. The 14 day Frequency is based on engineering judgment, is considered adequate in view of other indications of vacuum breaker status available to operations personnel, and has been shown to be acceptable through operating experience. Two Notes are added to this SR. The first Note allows reactor building-to-suppression chamber vacuum breakers opened in conjunction with the performance of a Surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers. A second Note is included to clarify that vacuum breakers open due to an actual differential pressure, are not considered as failing this SR. SR 3.6.1.5.4 Verifying the correct alignment for each manual valve in the SGIG System required flow paths provides assurance that the proper flow paths exist for system operation. This SR does-not apply to valves that are locked or otherwise secured in position, since these valves were verified to be in the correct position prior to locking or securing. This CR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR dces not apply to valves that cannot be inadvertently misaligned, such as check valves. The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. (continued) PBAPS UNIT 3 B 3.6-40 Revision No. 0
Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.5 BASES SURVEILLANCE SR 3.6.1.5.5 REQUIREMENTS (continued) Each vacuum breaker must be cycled to ensure that it o:pens properly to perform its design function and returns to its fully closed position. This ensures that the safety analysis assumptions are valid. The 92 day Frequency of this SR was developed based upon Inservice Testing Program requirements to perform valve testing at least once every 92 days. SR 3.6.1.5.6 Demonstration of air operated vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differertial pressure of s 0.75 psid is valid. The 18 month Frequency is based on requirements associated with the instruments that monitor differential pressure between the reactor building and suppression chamber and that this Surveillance can be performed while the plant is operating. For this unit, the 18 month Frequency has been shown to be acceptable, based on operating experience. Operating experience has shown that these components usually pass the surveillance when performed at an 18 month frequency, and is further justified because of other surveillances performed at shorter Frequencies that convey the proper functioning status of each vacuum breaker. SR 3.6.1.5.7 This SR ensures that in case the non-safety grade instrument air system is unavailable, the SGIG System will perform its design function to supply nitrogen gas at the required pressure for valve operators and valve seals supported by the SGIG System. The 24 month Frequency was developed considering it is prudent that this Surveillance be performed only during a plant outage. Operating experience has shown that these components will usually pass this Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. REFERENCES None
=
PBAPS UNIT 3 B 3.6-41 Revisicn No. 0
Suppression Chamber-to-Drywe11 Vacuum Breakers B ..6.1.6 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.6 Suppression Chamber-to-Drywell Vacuum Breakers BASES BACKGROUND The function of the suppression chamber-to-drywell vacuum breakers is to relieve vacuum in the drywell. There are 12 internal vacuum breakers located on the vent header of the vent system between the drywell and the suppression chamber, which allow air and steam flow from the suppression chamber to the drywell when the drywell is at a negative pressure with respect to the suppression chamber. Therefore, suppression chamber-to-drywell vacuum breakers prevent an excessive negative differential pressure across the wetwell drywell boundary. Each vacuum breaker is a self actuating valve, similar to a check valve, which can be remotely operated for testing purposes. A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, drywell spray actuation, and steam condensation from sprays or subcooled water reflood of a break in the event of a primary system rupture. Cooling cycles result in mincr pressure transients in the drywell that occur slowly and are normally controlled by heating and ventilation equipment. Spray actuation or spill of subcooled water out of a break results in more significant pressure transients and becomes important in sizing the internal vacuum breakers. In the event of a primary system rupture, steam condensation within the drywell results in the most severe pressure transient. Following a primary system rupture, air in the drywell is purged into the suppression chamber free airspace, leaving the drywell full of steam. Subsequent condensation of the steam can be caused in two possible ways, namely, Emergency Core Cooling Systems flow from a recirculation line break, or drywell spray actuation following a loss of coolant accident (LOCA). These two cases determine the maximum depressurization rate of the drywell. In addition, the waterleg in the Mark I Vent System downcomer is controlled by the drywell-to-suppression chamber differential pressure. If the drywell pressure is less than the suppression chamber pressure, there will be an increase in the vent waterleg. This will result in an (continued) PBAPS UNIT 3 B 3.fi-42 Revision No. 0
Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES BACKGROUND increase in the water clearing inertia in the event of a (continued) postulated LOCA, resulting in an increase in the peak drywell pressure. This in turn will result in an increase in the pool swell dynamic loads. The internal vacuum breakers limit the height of the waterleg in the vent system during normal operation. APPLICABLE Analytical methods and assumptions involving the SAFETY ANALYSES suppression chamber-to-drywell vacuum breakers are used as part of the accident response of the primary containment systems. Internal (suppression chamber-to-drywell) and external (reactor building- to-suppression chamber) vacuum breakers are provided as part of the primary containmert to limit the negative differential pressure across the drywell and suppression chamber walls that form part of the primary containment boundary. The safety analyses assume that the internal vacuum breakers are closed initially and are fully open at a differential pressure of 0.5 psid. Additionally, 1 of the 9 internal vacuum breakers required to open is assumed to fail in a closed position. The results of the analyses show that the design pressure is not exceeded even under the worst case accident scenario. The vacuum breaker opening differential pressure setpoint and the requirement that 9 of 12 vacuum breakers be OPERABLE are a result of the requirement placed on the vacuum breakers to limit the vent system waterleg height. The total cross sectional area of the main vent system between the drywell and suppression chamber needed to fulfill this requirement has been established as a minimum of 51.5 times the total break area. In turn, the vacuum relief capacity between the drywell and suppression chamber should be 1/16 of the total main vent cross sectional area, with the valves set to operate at 0.5 psid differential pressure. This was the original design basis for Peach Bottom, which required 10 18" vacuum breakers to meet the 1/16 of the total main vent cross sectional area. However, the current design basis requirement for 9 vacuum breakers required to be operable, one of which is assumed to fail to open (single active failure), is found in Reference 2. Design Basis Accident (DBA) analyses require the vacuum breakers to be closed initially and to remain closed and leak tight, until the suppression pool is at a positive pressure relative to the drywell. All suppression chamber-to-drywell vacuum breakers are considered closed if a leak test confirms that the bypass area between the drywell and suppression chamber is less than or equivalent to a one-inch diameter hole (Ref. 1). The suppression chamber-to-drywell vacuum breakers satisfy Criterion 3 of the NRC Policy Statement. (continued) PBAPS UNIT 3 B 3.6-43 Revision ND. 44
Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES (continued) LCO Only 9 of the 12 vacuum breakers must be OPERABLE for opening. All suppression chamber-to-drywell vacuum breakers are required to be closed (except when the vacuum breakers are performing their intended design function). All suppression chamber-to-drywell vacuum breakers are considered closed, even if position indication shows that one or more vacuum breakers is not fully seated, if a leak test confirms that the bypass area between the drywell and suppression chamber is less than or equivalent to a one-inch diameter hole. The vacuum breaker OPERABILITY requirement provides assurance that the drywell-to-suppression chamber negative differential pressure remains below the design value. The requirement that the vacuum breakers be closed ensures that there is no excessive bypass leakage should a LOCA occur. APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall, caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture that purges the drywell of air and fills the drywell free airspace with steam. Subsequent condensation of the steam would result in depressurization of the drywell. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside the drywell could also occur due to inadvertent actuation of the Drywell Spray System. In MODES 4 and 5, the probability and consequences of these events are reduced by the pressure and temperature limitations in these MODES; therefore, maintaining suppression chamber-to-drywell vacuum breakers OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one of the required vacuum breakers inoperable for opening (e.g., the vacuum breaker is not open and may be stuck closed or not within its opening setpoint limit, so that it would not function as designed during an event that depressurized the drywell), the remaining eight OPERABLE vacuum breakers are capable of providing the vacuum relief function. However, overall system reliability is reduced (continued) PBAP'; UNIT 3 B 3.6-44 Revision No. 0
Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES ACTIONS A.f (continued) because a single failure in one of the remaining vacuur breakers could result in an excessive suppression chamber-to-drywell differential pressure during a DBA. Therefore, with one of the nine required vacuum breakers inoperable, 72 hours is allowed to restore the inoperable vacuum breaker to OPERABLE status so that plant conditions are consistent with those assumed for the design basis analysis. The 72 hour Completion Time is considered acceptable due to the low probability of an event in which the remaining vacuum breaker capability would not be adequate. B.1 An open vacuum breaker allows communication between the drywell and suppression chamber airspace, and, as a result, there is the potential for suppression chamber overpressurization due to this bypass leakage if a LOCA were to occur. Therefore, the open vacuum breaker must be closed. A short time is allowed to close the vacuum breaker due to the low probability of an event that would pressurize primary containment. If vacuum breaker position indication is not reliable, an alternate method of verifying that the vacuum breakers are closed must be performed within 10 hours. All suppression chamber-to-drywell vacuum breakers are considered closed, even if the "not fully seated" indication is shown, if a leak test confirms that the bypass area between the drywell and suppression chamber is less than or equivalent to a one-inch diameter hole (Ref. 1). The required 10 hour Completion Time is considered adequate to perform this test. If the leak test fails, not only must the Actions be taken (close the open vacuum breaker within 10 hours), but also the appropriate Condition and Required Actions of LCO 3.6.1.1, Primary Containment, must be entered. C.1 and C.2 If the inoperable suppression chamber-to-drywell vacuum breaker cannot be closed or restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least {continued) PBAP'; UNIT 3 B 3.-6-45 Revision No. 0
Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES ACTIONS C.1 and C.2 (continued) MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.6.1 REQUIREMENTS Each vacuum breaker is verified closed to ensure that this potential large bypass leakage path is not present. This Surveillance is performed by observing the vacuum breaker position indication or by performing a leak test that confirms that the bypass area between the drywell and suppression chamber is less than or equivalent to a one-inch diameter hole. If the bypass test fails, not only must the vacuum breaker(s) be considered open and the appropriate Conditions and Required Actions of this LCO be entered, but also the appropriate Condition and Required Action of LCO 3.6.1.1 must be entered. The 14 day Frequency is based on engineering judgment, is considered adequate in view of other indications of vacuum breaker status available to operations personnel, and has been shown to be acceptable through operating experience. A Note is added to this SR which allows suppression chamber-to-drywell vacuum breakers opened in conjunction with the performance of a Surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers. SR 3.6.1.6.2 Each required vacuum breaker must be cycled to ensure that it opens adequately to perform its design function and returns to the fully closed position. This ensures that the safety analysis assumptions are valid. The 31 day Frequency of-this SR was developed, based on Inservice Testing Program requirements to perform valve testing at least once every 92 days. A 31 day Frequency was chosen to provide additional assurance that the vacuum breakers are OPERABLE, since they are located in a harsh environment (the suppression chamber airspace). (continued) PBAPS UNIT 3 B 3.fi-46 Revision No. 0
Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES SURVEILLANCE SR 3.6.1.6.3 REQUIREMENTS (continued) Verification of the vacuum breaker setpoint for full opening is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. For this facility, the 24 month Frequency has been shown to be acceptable, based on operating experience, and is further justified because of other surveillances performed at shorter Frequencies that convey the proper functioning status of each vacuum breaker. REFERENCES 1. Safety Evaluation by the Office of Nuclear Reactor Regulation Supporting Amendment Nos. 127 and 130 to Facility Operating License Nos. DPR-44 and DPR-56, dated February 18, 1988.
- 2. ME-0161, "Det. Actual # Wetwell to Drywell Vacuum Breakers Reqd" I PBAPS UNIT 3 B 3.6-47 Revision ND. 44
Suppression Pool Average Temperature B 3.6.2.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.1 Suppression Pool Average Temperature BASEIS BACK~GROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the decay heat and sensible energy released during a reactor blowdown from safety/relief valve discharges or from Design Basis Accidents (DBAs). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is.the essential mitigative feature of a pressure suppression containment that ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (56 psig). The suppression pool must also condense steam from steam exhaust lines in the turbine driven systems (i.e., the High Pressure Coolant Injection System and Reactor Core Isolation Cooling System). Suppression pool average temperature (along with LCO 3.6.2.2, "Suppression Pool Water Level") is a key indication of the capacity of the suppression pool to fulfill these requirements. The technical concerns that lead to the development of suppression pool average temperature limits are as follows:
- a. Complete steam condensation-the original limit for the end of a LOCA blowdown was 170-F, based on the Bodega Bay and Humboldt Bay Tests;
- b. Primary containment peak pressure and temperature-
.design pressure is 56 psig and design temperature is 281'F (Ref. 1);
- c. Condensation oscillation loads-maximum allowable initial temperature is 110*F.
APPLICABLE The postulated DBA against which the primary containment SAFETY ANALYSES performance is evaluated is the entire spectrum of postulated pipe breaks within the primary containment. Inputs to the safety analyses include initial suppression pool water volume and suppression pool temperature (Ref. 2). An initial pool temperature of 95*F is assumed for the (continued) PBAIIS UNIT 3 B 3.6-48 Revision No. 0
Suppression Pool Average Temperature B 3.15.2.1 BASES APPLICABLE Reference 1 and Reference 2 analyses. Reactor shutdown at a SAFETY ANALYSES pool temperature of 1100 F and vessel depressurization at a (continued) pool temperature of 120'F are assumed for the Reference 2 analyses. The limit of 105 0 F, at which testing is terminated, is not used in the safety analyses because DBAs are assumed to not initiate during unit testing. Suppression pool average temperature satisfies Criteria 2 and 3 of the NRC Policy Statement. LCO A limitation on the suppression pool average temperature is required to provide assurance that the containment conditions assumed for the safety analyses are met. This limitation subsequently ensures that peak primary containment pressures and temperatures do not exceed maximum allowable values during a postulated DBA or any transient resulting in heatup of the suppression pool. The LCO requirements are:
- a. Average temperature s 950 F when any OPERABLE wide range neutron monitor (WRNM) channel is at 1.00EO %
power or above and no testing that adds heat to the suppression pool is being performed. This requirement ensures that licensing bases initial conditions are met.
- b. Average temperature s 1050F when any OPERABLE WRNI1 channel is at 1.00EO % power or above and testing that adds heat to the suppression pool is being performed.
This required value ensures that the unit has testing flexibility, and was selected to provide margin below the 110 0 F limit at which reactor shutdown is required. When testing ends, temperature must be restored to
& 950 F within 24 hours according to Required Action A.2. Therefore, the time period that the temperature is > 95°F is short enough not to cause a significant increase in unit risk.
- c. Average temperature s 110°F when all OPERABLE WRNM channels are below 1.00EO % power. This requirement ensures that the unit will be shut down at > 110 0F.
The pool is designed to absorb decay heat and sensible heat but could be heated beyond design limits by the steam generated if the reactor is not shut down. (continued) PBAFIS UNIT 3 B 3.6-49 Revision No. 17
Suppression Pool Average Temperature B 3.6.2.1 BASES I LCO Note that WRNM indication at 1.OOEO % power is a (continued) convenient measure of when the reactor is producing power essentially equivalent to 1% RTP. At this power level, heat input is approximately equal to normal system heat losses. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause significant heatup of the suppression pool. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining suppression pool average temperature within limits is not required in MODE 4-or 5. ACTIONS A.1 and A.2 With the suppression pool average temperature above the specified limit when not performing testing that adds heat to the suppression pool and when above the specified power indication, the initial conditions exceed the conditions assumed for the Reference 1, 2, and 3 analyses. However, primary containment cooling capability still exists, and the primary containment pressure suppression function will occur at temperatures well above those assumed for safety analyses. Therefore, continued operation is allowed for a limited time. The 24 hour Completion Time is adequate to allow the suppression pool average temperature to be restored below the limit. Additionally, when suppression pool temperature is > 95°F, increased monitoring of the: suppression pool temperature is required to ensure that. it remains 5 110 0F. The once per hour Completion Time is adequate based on past experience, which has shown that. pool temperature increases relatively slowly except when testing that adds heat to the suppression pool is being performed. Furthermore, the once per hour Completion Time is considered adequate in view of other indications in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition. B.1 If the suppression pool average temperature cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the power must be I reduced to below 1.00EO % power for all OPERABLE WRNMs within (continued) PBAPS UNIT 3 B 3.6-50 Revision No. 17
Suppression Pool Average Temperature B 3.6.2.1 BASES ACTIONS B.1I (continued) 12 hours. The 12 hour Completion Time is reasonable, based on operating experience, to reduce power from full power conditions in an orderly manner and without challenging plant systems. C.1 Suppression pool average temperature is allowed to be > 95°F when any OPERABLE WRNM channel is at 1.OOEO % power or above, and when testing that adds heat to the suppression pool is being performed. However, if temperature is
> 105 0F, all testing must be immediately suspended to preserve the heat absorption capability of the suppression pool. With the testing suspended, Condition A is entered and the Required Actions and associated Completion Times are applicable.
D.1. D.2. and D.3 Suppression pool average temperature > 1100F requires that the reactor be shut down immediately. This is accomplished by placing the reactor mode switch in the shutdown position. Further cooldown to MODE 4 is required at normal cooldown rates (provided pool temperature remains & 120'F). Additionally, when suppression pool temperature is > 130 0 F, increased monitoring of pool temperature is required to ensure that it remains s 120'F. The once per 30 minute Completion Time is adequate, based on operating experience. Given the high suppression pool average temperature in this Condition, the monitoring Frequency is increased to twiice that of Condition A. Furthermore, the 30 minute Completion Time is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition. E.1 and E.2 If suppression pool average temperature cannot be maintained at s 120'F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the reactor pressure must be reduced to < 200 psig within 12 hours, and the plant must be brought to at least MODE 4 within (continued) PBAPS UNIT 3 B 3.6-51 Revision No. 17
Suppression Pool Average Temperature B 3.6.2.1 BASE.S ACTIONS E.1 and E.2 (continued) 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. Continued addition of heat to the suppression pool with suppression pool temperature > 120F could result in exceeding the design basis maximum allowable values for primary containment temperature or pressure. Furthermore, if a blowdown were to occur when the temperature was
> 120F, the maximum allowable bulk and local temperatures could be exceeded very quickly.
SURVEILLANCE SR 3.6.2.1.1 REQUIREMENTS The suppression pool average temperature is regularly monitored to ensure that the required limits are satisfied. The average temperature is determined by taking an arithmetic average of OPERABLE suppression pool water temperature channels. The 24 hour Frequency has been shown, based on operating experience, to be acceptable. When heat is being added to the suppression pool by testing, however, it is necessary to monitor suppression pool temperature more frequently. The 5 minute Frequency during testing is justified by the rates at which tests will heat up the suppression pool, has been shown to be acceptable based on operating experience, and provides assurance that allowable pool temperatures are not exceeded. The Frequencies are further justified in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition. REFERENCES 1. UFSAR, Section 5.2.
- 2. NEDC-32183P, wPower Rerate Safety Analysis Report for Peach Bottom 2 & 3," May 1993.
- 3. NUREG-0783.
PBAPS UNIT 3 B 3.6-52 Revision No. 0
Suppression Pool Water Level B 3.6.2.2 B 3.13 CONTAINMENT SYSTEMS B 3.1;.2.2 Suppression Pool Water Level BASES BACKGROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the energy associated with decay heat and sensible heat released during a reactor blowdown from safety/relief valve (S/RV) discharges or from a Design Basis Accident (DBA). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment, which ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (56 psig). The suppression pool must also condense steam from the steam exhaust lines in the turbine driven systems (i.e., High Pressure Coolant Injection (HPCI) System and Reactor Core Isolation Cooling (RCIC) System) and provides the main emergency water supply source for the reactor vessel. The suppression pool volume ranges between 122,900 ft3 at the low water level limit of 14.5 feet and 127,300 ft3 at the high water level limit of 14.9 feet. If the suppression pool water level is too low, an insufficient amount of water would be available to adequately condense the steam from the S/RV quenchers, main vents, or HPCI and RCIC turbine exhaust lines. Low suppression pool water level could also result in an inadequate emergency makeup water source to the Emergency Core Cooling System. The lower volume would also abscrb less steam energy before heating up excessively. Therefore, a minimum suppression pool water level is specified. If the suppression pool water level is too high, it could result in excessive clearing loads from S/RV discharges and excessive pool swell loads during a DBA LOCA. Therefore, a maximum pool water level is specified. This LCO specifies an acceptable range to prevent the suppression pool water level from being either too high or too low. (continued) PBAPS UNIT 3 B 3.6-53 Revision No. 0
Suppression Pool Water Level B 3.5.2.2 BASES (continued) APPLICABLE Initial suppression pool water level affects suppression SAFElY ANALYSES pool temperature response calculations, calculated drywell pressure during vent clearing for a DBA, calculated pool swell loads for a DBA LOCA, and calculated loads due to S/RV discharges. Suppression pool water level must be maintained within the limits specified so that the safety analysis of Reference 1 remains valid. Suppression pool water level satisfies Criteria 2 and 3 of the NRC Policy Statement. LCO A limit that suppression pool water level be > 14.5 feet and s 14.9 feet is required to ensure that the primary containment conditions assumed for the safety analyses are met. Either the high or low water level limits were used in the safety analyses, depending upon which is more conservative for a particular calculation. APPLICABILITY In MODES 1, 2, and 3, a DBA would cause significant loads on the primary-containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. The requirement for maintaining suppression pool water level within limits in MODE 4 or 5 is addressed in LCO 3.5.21, "ECCS-Shutdown". ACTIONS A.1 With suppression pool water level outside the limits, the conditions assumed for the safety analyses are not met.. If water level is below the minimum level, the pressure suppression function still exists as long as main vents are covered, HPCI and RCIC turbine exhausts are covered, and S/RV quenchers are covered. If suppression pool water level is above the maximum level, protection against overpressurization still exists due to the margin in the peak containment pressure analysis and the capability of the Drywell Spray System. Therefore, continued operation For a limited time is allowed. The 2 hour Completion Time is sufficient to restore suppression pool water level to within limits. Also, it takes into account the low probability of an event impacting the suppression pool water level occurring during this interval. (continued) PBAP'; UNIT 3 B 3.6-54 Revision No. 0
Suppression Pool Water Level B 3.6.2.2 BASE:S ACTIONS B.1 and B.2 (Continued) If suppression pool water level cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.2.1 REQUIREMENTS Verification of the suppression pool water level is to ensure that the required limits are satisfied. The 24 hour Frequency of this SR was developed considering operating experience related to trending variations in suppression pool water level and water level instrument drift dur-ing the applicable MODES and to assessing the proximity to the specified LCO level limits. Furthermore, the 24 hour Frequency is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool water level condition. REFERENCES 1. UFSAR, Sections 5.2 and 14.6.3.
=
PBAPS UNIT 3 B 3.6-55 Revision No. 0
RHR Suppression Pool Cooling B 3.6.2.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling BASES = BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Cooling System removes heat from the suppression pool. The suppression pool is designed to absorb the sudden input of heat from the primary system. In the long term, the pool continues to absorb residual heat generated by fuel in the reactor core. Some means must be provided to remove heat from the suppression pool so that the temperature inside the primary containment remains within design limits. This function is provided by two redundant RHR suppression pool cooling subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES. The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR suppression pool cooling subsystems per RHR System loop. The four RHR suppression pool cooling subsystems are manually initiated and independently controlled. The four RHR suppression pool cooling subsystems perform the suppression pool cooling function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool via the full flow test lines. Each full flow test line is common to the two RHR suppression pcol cooling subsystems in an RHR System loop. The High Pressure Service Water (HPSW) System circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat sink. The heat removal capability of one RHR pump and one heat exchanger in one subsystem is sufficient to meet the overall DBA pool cooling requirement for loss of coolant accidents (LOCAs) and transient events such as a turbine trip or stuck open safety/relief valve (S/RV). As a result, any one of the four RHR suppression pool cooling subsystems can provide the required suppression pool cooling function. S/RV leakage and High Pressure Coolant Injection System and Reactor Core Isolation Cooling System testing increase suppression pool temperature more slowly. !The RHR Suppression Pool Cooling System is also used to lower the suppression pool water bulk temperature following such events. (continued) PBAPS UNIT 3 B 3.6-56 Revision No. 0
RHR Suppression Pool Cooling B 3.6.2.3 BASES (continued) APPLICABLE Reference I contains the results of analyses used to predict SAFETY ANALYSES primary containment pressure and temperature following large and small break LOCAs. The intent of the analyses is to demonstrate that the heat removal capacity of the RHR Suppression Pool Cooling System is adequate to maintain the primary containment conditions within design limits. The suppression pool temperature is calculated to remain below the design limit. The RHR Suppression Pool Cooling System satisfies Criterion 3 of the NRC Policy Statement. LCO During a DBA, a minimum of one RHR suppression pool cooling subsystem is required to maintain the primary containment peak pressure and temperature below design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool cooling subsystems (one in each loop) must be OPERABLE with power from two safety related independent power supplies. (The two subsystems must be in separate loops since the full flow test line valves are common to both subsystems in a loop.) Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR suppression pool cooling subsystem is OPERABLE when one of the pumps, the associated heat exchanger, a HPSW System pump capable of providing cooling to the heat exchanger and associated piping, valves, instrumentation, and controls are OPERABLE. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment and cause a heatup and pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, the RHR Suppression Pool Cooling System is not required to be OPERABLE in MODE 4 or 5. ACTIONS A.1 With one RHR suppression pool cooling subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining RHR suppression pool cooling subsystem is adequate to perform the primary containment cooling function. However, the (conltinued) PBAPS UNIT 3 B 3.6-57 Revision No. 0
RHR Suppression Pool Cooling B 3.6.2.3 i BASES ACTIONS A.I (continued) overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment cooling capability. The 7 day Completion Time is acceptable in light of the redundant RHR suppression pool cooling capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period. With two RHR suppression pool cooling subsystems inoperable, one subsystem must be restored to OPERABLE status within 8 hours. In this condition, there is a substantial loss of the primary containment pressure and temperature mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the lone probability of a DBA and because alternative methods to remove heat from primary containment are available. C.1 and C.2 If any Required Action and associated Completion Time cannot be met within the required Completion Time, the. plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at. least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.3.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool cooling mode flow path provides assurance that the proper flow path exists for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within (continued) PBAPS; UNIT 3 B 3.6-58 Revision No. 1
RHR Suppression Pool Cooling B 3.6.2.3 BASES SURVEILLANCE SR 3.6.2.3.1 (continued) REQUIREMENTS the time assumed in the accident analysis. This is acceptable since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Frequency of 31 days is justified because the valves are operated under procedural control, improper valve position would affect only a single subsystem, the probability of an event requiring initiation of the system is low, and the subsystem is a manually initiated system. This Frequency has been shown to be acceptable based on operating experience. SR 3.6.2.3.2 Verifying that each required RHR pump develops a flow rate
- 10,000 gpm while operating in the suppression pool cooling mode with flow through the associated heat exchanger ensures that pump performance has not degraded during the cycle.
Flow is a normal test of centrifugal pump performance required by ASME Code, Section XI (Ref. 2). This test. confirms one point on the pump design curve, and the results are indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program. REFERENCES 1. UFSAR, Section 14.6.3.
- 2. ASME, Boiler and Pressure Vessel Code, Section XI[.
PBAPIS UNIT 3 B 3.6-59 Revision No. 0
RHR Suppression Pool Spray B 3.6.2.4 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray BASES
=
BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Spray System removes heat from the suppression chamber airspace. The suppression pool is designed to absorb the sudden input of heat from the primary system from a DBA or a rapid depressurization of the reactor pressure vessel (RPV) through safety/relief valves. The heat addition to the suppression pool results in increased steam in the suppression chamber, which increases primary containment pressure. Steam blowdown from a DBA can also bypass the suppression pool and end up in the suppression chamber airspace. Some means must be provided to remove heat from the suppression chamber so that the pressure and temperature inside primary containment remain within analyzed design limits. This function is provided by two redundant RHR suppression pool spray subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES. The RHR System has two loops with each loop consistincr of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR suppression pool spray subsystems per RHR System loop. The four RHR suppression pool spray subsystems are manually, initiated and independently controlled. The four RHR'suppression pool spray subsystems perform the suppression pool spray function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool spray spargers. Each suppression pool spray sparger line is common to the two RHR suppression pool spray subsystems in an RHR System loop. The spargers only accommodate a small portion of the total RHR pump flow; the remainder of the flow returns to the suppression pool through the suppression pool cooling return line. Thus, both suppression pool cooling and suppression pool spray functions are performed when the Suppression Pool Spray System is initiated. High Pressure Service Water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat (continued) PBAPS UNIT 3 B 3.fi-60 Revision No. 0
RHR Suppression Pool Spray B 3.6.2.4 BASES BACKGROUND sink. Any one of the four RHR suppression pool spray (continued) subsystems is sufficient to condense the steam from small bypass leaks from the drywell to the suppression chamber airspace during the postulated DBA. APPLICABLE. Reference I contains the results of analyses used to predict SAFETY ANALYSES primary containment pressure and temperature following large and small break loss of coolant accidents. The intent of the analyses is to demonstrate that the pressure reduction capacity of the RHR Suppression Pool Spray System is adequate to maintain the primary containment conditions within design limits. The time history for primary containment pressure is calculated to demonstrate that the maximum pressure remains below the design limit. The RHR Suppression Pool Spray System satisfies Criterion 3 of the NRC Policy Statement. LCO In the event of a DBA, a minimum of one RHR suppression pool spray subsystem is required to mitigate potential bypass leakage paths and maintain the primary containment peak pressure below the design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool spray subsystems (one in each loop) must be OPERABLE with pcwer from two safety related independent power supplies. (The two subsystems must be in separate loops since the suppression pool spray sparger line valves are common to both subsystems in a loop.) Therefore, in the event cf an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR suppression pool spray subsystem is OPERABLE when one of the pumps, the associated heat exchanger, a HPSW System pump capable of providing cooling to the heat exchanger and associated piping, valves, instrumentation, and controls are OPEftABLE. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining RHR suppression pool spray subsystems OPERABLE is not required in MODE 4 or 5. (continued) PBAP'S UNIT 3 B 3.6-61 B3Revision No. 0
RHR Suppression Pool Spray B 3.6.2.4 BASES (continued) ACTIONS A.1 With one RHR suppression pool spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE RHR suppression pool spray subsystem is adequate to perform the primary containment bypass leakage mitigation function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment bypass mitigation capability. The 7 day Completion Time was chosen in light of the redundant RHR suppression pool spray capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period. B.1 With both RHR suppression pool spray subsystems inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours. In this Condition, there is a substantial loss of the primary containment bypass leakage mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and because alternative methods to remove heat from primary containment are available. C.1 and C.2 If the inoperable RHR suppression pool spray subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status., the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.4.1 REQIJIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool spray mode flow path provides assurance that the proper flow paths will (continued) PBAPS UNIT 3 B 3.6-62 Revisicn No. 0
RHR Suppression Pool Spray B 3.6.2.4 BASES SURVEILLANCE SR 3.6.2.4.1 (continued) REQUIREMENTS exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured ill position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Frequency of 31 days is justified because the valves are operated under procedural control, improper valve position would affect only a single subsystem, the probability of an event requiring initiation of the system is low, and the subsystem is a manually initiated system. This Frequency has been shown to be acceptable based on operating experience. SR 3.6.2.4.2 This Surveillance is performed every 10 years to verify that the spray nozzles are not obstructed and that flow will be provided when required. The 10 year Frequency is adequate to detect degradation in performance due to the passive nozzle design and its normally dry state and has been shown to be acceptable through operating experience. REFERENCES 1. UFSAR, Sections 5.2 and 14.6.3. PBAPS UNIT 3 B 3.6-63 Revision No. 0
CAD System B 3.6.3.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.3.1 Containment Atmospheric Dilution (CAD) System BASES BACKGROUND The CAD System functions to maintain combustible gas concentrations within the primary containment at or below the flammability limits following a postulated loss of coolant accident (LOCA) by purging hydrogen and oxygen with nitrogen. To ensure that a combustible gas mixture does not occur, oxygen concentration is kept < 5.0 volume percent. (v/o). The CAD System is manually initiated and consists of two 100% capacity subsystems. Each subsystem consists of the liquid nitrogen supply tank, the atmospheric vaporizer, an electric vaporizer, and connected piping to supply the drywell and suppression chamber volumes. The liquid nitrogen tank, the atmospheric vaporizer and electric vaporizer are common components which are shared between the CAD subsystems of the two units. Piping from the liquid
-nitrogen tank downstream of the vaporizers is routed into a common header where it is split and routed to each unit.
Two pipes are routed to each unit. Each of the two pipes to a particular unit divides to supply nitrogen to both the drywell and suppression chamber. The intent of this arrangement is to provide redundant nitrogen supplies to both the drywell and suppression chamber to satisfy single failure criteria. In order to purge primary containment: of combustible gases, the original CAD System design provided two vents for each unit. One is to allow venting from the drywell and the other is to allow venting from the suppression chamber. The nitrogen storage tank contains 2 3841 gallons (which corresponds to a level of 33 inches water column), which is adequate for 7 days of CAD System and Safety Grade Instrument Gas (SGIG) System operation for both units. The SGIG System supplies pressurized nitrogen gas (from the CAD System liquid nitrogen storage tank) as a safety grade pneumatic source to the Containment Atmospheric Control (CAC) System purge and exhaust isolation valve inflatable seals, the reactor building-to-suppression chamber vacuum breaker air operated isolation valves and inflatable seal, and the CAC and CAD Systems vent control air operated valves. The SGIG System thus performs two distinct post:- (continued) PBAPS UNIT 3 B 3.6-64 Revision No. 38
CAD System B 3.6.3.1 BASES BACKGROUND LOCA functions: (1) supports containment isolation and (2) (continued) supports CAD System vent operation. SGIG System requirements are addressed for each of the supported system and components in LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)," LCO 3.6.1.5, "Reactor Building-to-Suppression Chamber Vacuum Breakers," and LCO 3.6.3.1, "Containment Atmospheric Dilution (CAD) System." For the SGIG System, liquid nitrogen from the CAD System liquid nitrogen storage tank passes through the CAD System liqt.id nitrogen vaporizer where it is converted to a gas. The gas then flows into a Unit 2 header and a Unit 3 header separated by two manual globe valves. From each header, the gas then branches to each valve operator or valve seal supplied by the SGIG System. Each branch is separated from the header by a manual globe valve and a check valve. The CAD System operates as directed in the emergency operating procedures to remove combustible gases from primary containment. APPLICABLE The CAD System is manually initiated from the main control SAFETY ANALYSES room in the purge mode as directed by the emergency operating procedures (EOPs), if it is determined that the concentration of combustible gases in primary containment exceeds the action levels specified in the EOPs. The CAD System is used as directed in the EOPs, and when oxygen generation rates exceed the design basis assumptions. The CAD System was originally designed to dilute contairment oxygen by repressurizing primary containment with nitrogen to approximately 50% of the containment design pressure. Above this pressure, containment would be vented to maintain this pressure while CAD continued to supply diluting nitrogen. The original design calculations demonstrated that, with oxygen generation rates specified in Regulatory Guide 1.7, Table 1 (Reference 3), and the CAD system operated per its original design mode (i.e., repressurization), oxygen concentrations would be maintained < 5 v/o and offsite coses would be maintained less than the requirements of 10 CFR50.44. The PBAPS combustible gas control system has since been reevaluated with oxygen generation rates based on experimentally and analytically determined parameters as permitted in Regulatory Guide 1.7, and documented in NEDO-22155 and Reference 1. As a result it was found that the primary containment inerting alone is sufficient to maintain oxygen concentrations < 5 v/o and that CAD system operation would not be required to control combustible gases. Therefore, the CAD system, and in particular containment.. venting, is no longer considered the primary means of combustible gas control. As a result, no releases or oftsite doses are anticipated to result from design basis combustible gas control. (contirnued) Revision Nc'. 38 PBAPS PBAPS UNIT 3 UNIT 3 B 3.6-65 B 3.6-65 'Revision No. 38
CAD System B 3.6.3.1 BASES (continued) APPLICABLE Nevertheless, Reference 1 did direct that the CAD System be SAFEIY ANALYSES maintained as it was originally designed to comply with the (continued) requirements of criteria 41, 42, and 43 of Appendix A o:f 10 CFR Part 50 and installed in accordance with 10CFR50.44 (Reference 2). The CAD System satisfies the requirements of NRC Policy Statement (Reference 5) because through Reference 1 review, the CAD System has been determined to be important to public health and safety. Thus, it is retained in the Technical Specifications. LCO Two CAD subsystems must be OPERABLE. This ensures operation of at least one CAD subsystem in the event of a worst case single active failure. Operation of at least one CAD subsystem is designed to maintain primary containment post-LOCA oxygen concentration < 5.0 v/o for 7 days. For the CAD System vent control air operated valves and the CAC System vent control air operated valves which support CAD System operation to be considered OPERABLE, the SGIG3 System supplying nitrogen gas to the air operators of these valves must be OPERABLE. APPLICABILITY In MODES 1 and 2, the CAD System is required to maintain the oxygen concentration within primary containment below the flammability limit of 5.0 v/o following a LOCA. This ensures that the relative leak tightness of primary containment is adequate and prevents damage to safety related equipment and instruments located within primary containment. In MODE 3, both the hydrogen and oxygen production rates and the total amounts produced after a LOCA would be less than those calculated for the Design Basis Accident LOCA. Thus, if the analysis were to be performed starting with a LOCA in MODE 3, the time to reach a flammable concentration would be extended beyond the time conservatively calculated for MODES 1 and 2. The extended time would allow hydrogen removal from the primary containment atmosphere by other means and also allow repair of an inoperable CAD subsystem, if CAD were not available. Therefore, the CAD System is not required to be OPERABLE in MODE 3. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to the pressure and temperature limitations of these MODES. Therefore, the CAD System is not required to be OPERABLE in MODES 4 and 5. ACTIONS A.1 If one or both CAD subsystems (or one or more supply and vent paths) are inoperable, both subsystems must be restored to OPERABLE status within 30 days. In this Condition, the oxygen control function of the CAD System may be lost. However, alternate oxygen control capabilities may be provided by the Primary Containment Inerting System. The (continued) PBAPS UNIT 3 B 3.6-66 Revision No. 38
CAD System B 3.*).3.1 BASES ACTIONS A.1 (continued) 30 day Completion Time is based on the low probability of the occurrence of a LOCA that would generate hydrogen and oxygen in amounts capable of exceeding the flammability limit, the amount of time available after the event for operator action to prevent exceeding this limit, and the availability of other hydrogen mitigating systems. If any Required Action cannot be met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, Dased on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.3.1.1 REQUIREMENTS This SR ensures that the pressure in the SGIG System header is 2 80 psig. This ensures that the post-LOCA nitrogen pressure provided to the valve operators and valve seals is adequate for the SGIG System to perform its design function. The 24 hour Frequency was developed considering the importance of the SGIG System for maintaining the containment isolation function and combustible gas control function of valves supplied by the SGIG System. The 24 hour Frequency is also considered to be adequate to ensure timely detection of any breach in the SGIG System which would render the system incapable of performing its function. (continued) PBAPS UNIT 3 B 3.6-67 Revision ND. 53
CAD System B 3.6.3.1 BASEB SURVEILLANCE SR 3.6.3.1.2 REQUH(REMENTS (continued) Verifying that the level in the CAD liquid nitrogen tank is
; 33 inches water column will ensure at least 7 days ol post-LOCA CAD System and SGIG System operation for both units. This minimum volume of liquid nitrogen allows sufficient time after an accident to replenish the nitrogen supply for long term inerting. This is verified every 24 hours to ensure that the system is capable of performing its intended function when required. The 24 hour Frequency is based on operating experience, which has shown 24 hours to be an acceptable period to verify the liquid nitrogen supply and on the availability of other hydrogen mitigating systems.
SR 3.6.3.1.3 Verifying the correct alignment for manual, power operated, and automatic valves in each of the CAD subsystem flow paths provides assurance that the proper flow paths exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since I these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable because the CAD System is manually initiated. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. The 31 day Frequency is appropriate because the valves are operated under procedural control, improper valve position would only affect a single subsystem, the probability of an event requiring initiation of the system is low, and the systemi is a manually initiated system.
--. a-PBAP!; UNIT 3 B 3.6-68 Revision No. 0
CAD System B 3.6.3.1 BASES SURVEILLANCE SR 3.6.3.1.4 REQUIREMENTS (continued) Verifying the correct alignment for each manual valve in the SGIG System required flow paths provides assurance that the proper flow paths exist for system operation. This SR &oes not apply to valves that are locked or otherwise securecL in position, since these valves were verified to be in the correct position prior to locking or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable because the CAD System is manually initiated. This SR does not apply to valves that cannot be inadvertently misaligned such as check valves. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. SR 3.6.3.1.5 This SR ensures that in case the non-safety grade instrument air system is unavailable, the SGIG System will perform its
*design function to supply nitrogen gas at the required pressure for valve operators and valve seals supported by the SGIG System. The 24 month Frequency was developed considering it is prudent that this Surveillance be performed only during a plant outage. Operating experience has shown that these components will usually pass this Surveillance when performed at the 24 month Frequency.
Thus, the Frequency was concluded to be acceptable from a reliability standpoint. REFERENCES 1. Nuclear Regulatory Commission (NRC) Letter (SER) fi:om John E. Stolz (Chief, Operating Reactors Branch (Division of Licensing)) to Edward G. Bauer, Jr., Vice President and General Counsel, Philadelphia Electric Company "Recombiner Capability Requirements of 10CFR50.44(c)(3)(ii) Generic Letter 84-09" dated 6/26/85. I 2. 10 CFR Part 50. I 3. Regulatory Guide 1.7, Revision 0. I 4. UFSAR, Section 5.2.3.9. ri I 5. Final Policy statement on Technical Specification Improvements July 22, 1993 (58 FR3913) PBAPS UNIT 3 B 3. 6-69 Revision No. 38
Primary Containment Oxygen Concentration B 3.6.3.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.3.2 Primary Containment Oxygen Concentration BASES BACKGROUND All nuclear reactors must be designed to withstand events that generate hydrogen either due to the zirconium metal water reaction in the core or due to radiolysis. The primary method to control hydrogen is to inert the pririary containment. With the primary containment inert, that is, oxygen concentration < 4.0 volume percent (v/o), a combustible mixture cannot be present in the primary containment for any hydrogen concentration. The capability to inert the primary containment and maintain oxygen
< 4.0 v/o works together with the Containment Atmospheric Dilution System (LCO 3.6.3.1, 'Containment Atmospheric Dilution (CAD) System) to provide redundant and diverse methods to mitigate events that produce hydrogen. For example, an event that rapidly generates hydrogen from zirconium metal water reaction will result in excessive hydrogen in primary containment, but oxygen concentration will remain < 4.0 v/o and no combustion can occur. Long term generation of both hydrogen and oxygen from radiolytic decomposition of water may eventually result in a combustible mixture in primary containment, except that the CAD System dilutes and removes hydrogen and oxygen gases faster than they can be produced from radiolysis and again no combustion can occur. This LCO ensures that oxygen concentration does not exceed 4.0 v/o during operation in the applicable conditions.
APPLICABLE The Reference 1 calculations assume that the primary SAFElY ANALYSES containment is inerted when a Design Basis Accident loss of coolant accident occurs. Thus, the hydrogen assumed to be released to the primary containment as a result of metal water reaction in the reactor core will not produce combustible gas mixtures in the primary containment. Oxygen, which is subsequently generated by radiolytic decomposition of water, is diluted and removed by the CAD System more rapidly than it is produced. Primary containment oxygen concentration satisfies Criterion 2 of the NRC Policy Statement. (continued) PBAP'i UNIT 3 B 3.6-70 Revision No. 0
Primary Containment Oxygen Concentration B 3.6.3.2 BASES; (continued) LCO The primary containment oxygen concentration is maintained
< 4.0 v/o to ensure that an event that produces any amount of hydrogen does not result in a combustible mixture inside primary containment.
APPLICABILITY The primary containment oxygen concentration must be within the specified limit when primary containment is inerted, except as allowed by the relaxations during startup and shutdown addressed below. The primary containment must be inert in MODE 1, since this is the condition with the highest probability of an event that could produce hydrogen. Inerting the primary containment is an operational problem because it prevents containment access without an appropriate breathing apparatus. Therefore, the primary containment is inerted as late as possible in the plart startup and de-inerted as soon as possible in the plant shutdown. As long as reactor power is < 15% RTP, the potential for an event that generates significant hydrogen is low and the primary containment need not be inert. Furthermore, the probability of an event that generates hydrogen occurring within the first 24 hours of a startup, or within the last 24 hours before a shutdown, is low enough that these 'windows,' when the primary containment is not inerted, are also justified. The 24 hour time period is a reasonable amount of time to allow plant personnel to perform inerting or de-inerting. ACT:IONS A.1 If oxygen concentration is 2 4.0 v/o at any time while operating in MODE 1, with the exception of the relaxations allowed during startup and shutdown, oxygen concentration must be restored to < 4.0 v/o within 24 hours. The 24 hour Completion Time is allowed when oxygen concentration is
> 4.0 v/o because of the availability of other hydrogen mitigating systems (e.g., the CAD System) and the low probability and long duration of an event that would generate significant amounts of hydrogen occurring during this period.
(continued) PBAPS UNIT 3 B 3.6-71 Revision No. 0
Primary Containment Oxygen Concentration B 3.6.3.2 BASE'i ACTIONS B.1 (continued) If oxygen concentration cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, power must be reduced to 5 15% RTI' within 8 hours. The 8 hour Completion Time is reasonable, based on operating experience, to reduce reactor power from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.3.2.1 REQUIREMENTS The primary containment (drywell and suppression chamber) must be determined to be inert by verifying that oxygen concentration is < 4.0 v/o. The 7 day Frequency is based on the slow rate at which oxygen concentration can change and on other indications of abnormal conditions (which would lead to more frequent checking by operators in accordance with plant procedures). Also, this Frequency has been shown to be acceptable through operating experience. REFERENCES 1. UFSAR, Section 5.2.3.9.5. PBAPS UNIT 3 B 3.6-72 Revision No. 0
Secondary Containment B 3.6.4.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.1 Secondary Containment BASES BACKGROUND The function of the secondary containment is to contain and hold up fission products that may leak from primary containment following a Design Basis Accident (DBA). In conjunction with operation of the Standby Gas Treatment (SGT) System and closure of certain valves whose lines penetrate the secondary containment, the secondary containment is designed to reduce the activity level If the fission products prior to release to the environment aind to isolate and contain fission products that are released during certain operations that take place inside primary containment, when primary containment is not required to be OPERABLE, or that take place outside primary containment. The secondary containment is a structure that completely encloses the primary containment and those components that may be postulated to contain primary system fluid. This structure forms a control volume that serves to hold tip and dilute the fission products. It is possible for the pressure in the control volume to rise relative to the environmental pressure (e.g., due to pump and motor heat load additions). To prevent ground level exfiltration while allowing the secondary containment to be designed as a conventional structure, the secondary containment requires support systems to maintain the control volume pressure at less than the external pressure. Requirements for these systems are specified separately in LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System." APPLICABLE There are two principal accidents for which credit is taken SAFETY ANALYSES for secondary containment OPERABILITY. These are a loss of coolant accident (LOCA) (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to each of these limiting events; however, its leak _continued) PBAPS UNIT 3 B 3.6-73 Revision No. 0
Secondary Containment B 3.6.4.1 BASES APPL[CABLE tightness is required to ensure that fission products SAFETY ANALYSES entrapped within the secondary containment structure will be (continued) treated by the SGT System prior to discharge to the environment. Secondary containment satisfies Criterion 3 of the NRC Policy Statement. LCO An OPERABLE secondary containment provides a control volume into which fission products that leak from primary containment, or are released from the reactor coolant pressure boundary components located in secondary containment, can be processed prior to release to the environment. For the secondary containment to be considered OPERABLE, it must have adequate leak tightness to ensure that the required vacuum can be established and maintained. APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, secondary containment OPERABILITY is required during the same operating conditions that require primary containment OPERABILITY. In MODES 4 and 5, the probability and consequences of the LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining secondary containment OPERABLE is not required in MODE 4 or 5 to ensure a control volume, except for other situations for which significant releases of radioactive material can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. ACTIONS A.l If secondary containment is inoperable, it must be restored to OPERABLE status within 4 hours. The 4 hour Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring secondary containment OPERABILITY) occurring during periods where secondary containment is inoperable is minimal. (continued) P8AP'S UNIT 3 B 3.6-74 Revision No. 0
Secondary Containment B 3.6.4.1 BASES ACTIONS 8.1 and B.2 (continued) If secondary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. C.1, C.2. and C.3 Movement of irradiated fuel assemblies in the secondary containment, CORE ALTERATIONS, and OPDRVs can be postulated to cause fission product release to the secondary containment. In such cases, the secondary containment is the only barrier to release of fission products to the environment. CORE ALTERATIONS and movement of irradiated fuel assemblies must be immediately suspended if the secondary containment is inoperable. Suspension of these activities shall not preclude completing an action that involves moving a component to a safe position. Also, action must be immediately initiated to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product. release. Actions must continue until OPDRVs are suspended. Required Action C.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel
- assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.
(continued) PBAPS UNIT 3 B 3.6-75 Revision No. 0
Secondary Containment B 3.6.4.1 BASES (continued) SURVEILLANCE SR 3.6.4.1.1 and SR 3.6.4.1.2 REQUI REMENTS Verifying that secondary containment equipment hatches and one access door in each access opening are closed ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur. Verifying that all, such openings are closed provides adequate assurance that exfiltration from the secondary containment will not occur. In this application, the term "sealed" has no connotation of leak tightness. Maintaining secondary containment OPERABILITY requires verifying one door in the access opening is closed. An access opening contains one inner and one outer door. In some cases, secondary containment access openings are shared such that a secondary containment barrier may have multiple inner or multiple outer doors. The intent is to not breach secondary containment at any time when secondary containment is required. This is achieved by maintaining the inner or outer portion of the barrier closed at all times. However, all secondary containment access doors are normally kept closed, except when the access opening is being used fcr entry and exit or when maintenance is being performed cn an access opening. The 31 day Frequency for these SRs has been shown to be adequate, based on operating experience, and is considered adequate in view of the other indications of door and hatch status that are available to the operator. SR 3.6.4.1.3 and SR 3.6.4.1.4 The SGT System exhausts the secondary containment atmosphere to the environment through appropriate treatment equipment. To ensure that fission products are treated, SR 3.6.4.1.3 verifies that the SGT System will rapidly establish and maintain a pressure in the secondary containment that is less than the pressure external to the secondary containment boundary. This is confirmed by demonstrating that one SGT subsystem will draw down the secondary containment to 2 0.25 inches of vacuum water gauge in s 120 seconds. This cannot be accomplished if the secondary containment boundary is not intact. SR 3.6.4.1.4 demonstrates that one SGT subsystem can maintain 2 0.25 inches of vacuum water gauge for 1 hour at a flow rate s 10,500 cfm. The 1 hour test period allows secondary containment to be in thermal equilibrium at steady (continued) PBAPS UNIT,3 B 3.6-76 Revision No. 26
Secondary Containment B 3.1i.4.1 BASES SURVEILLANCE SR 3.6.4.1.3 and SR 3.6.4.1.4 (continued) REQUIREMENTS state conditions. Therefore, these two tests are used to ensure secondary containment boundary integrity. Since these SRs are secondary containment tests, they need not be performed with each SGT subsystem. The SGT subsystems are tested on a STAGGERED TEST BASIS, however, to ensure that in addition to the requirements of LCO 3.6.4.3, either SGT subsystem will perform this test. Operating experience has shown these components will usually pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Section 14.6.3.
- 2. UFSAR, Section 14.6.4.
PBAPS UNIT 3 B 3.6-77 Revision No. 26
SCIVs B 3.6.4.2 B 3.15 CONTAINMENT SYSTEMS B 3.5.4.2 Secondary Containment Isolation Valves (SCIVs) BASES = BACKGROUND The function of the SCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Refs. I and 2). Secondary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that fission products that leak from primary containment following a DBA, or that are released during certain operations when primary containment is not required to be OPERABLE or take place outside primary containment, are maintained within the secondary containment boundary. The OPERABILITY requirements for SCIVs help ensure that an adequate secondary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. These isolation devices consist of either passive devices or active (automatic) devices. Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), and blind flanges are considered passive devices. Automatic SCIVs close on a secondary containment isolation signal to establish a boundary for untreated radioactive material within secondary containment following a DBA or other accidents. Other penetrations are isolated by the use of valves in the closed position or blind flanges. APPLICABLE The SCIVs must be OPERABLE to ensure the secondary SAFETY ANALYSES containment barrier to fission product releases is established. The principal accidents for which the secondary containment boundary is required are a loss of coolant accident (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to either of these limiting events, but the boundary (continued) PBAPS UNIT 3 B 3.6-78 Revisior; No. 0
SCIVs B 3.6.4.2 BASES; APPLICABLE established by SCIVs is required to ensure that leakage from SAFETY ANALYSES the primary containment is processed by the Standby Gas. (continued) Treatment (SGT) System before being released to the environment. Maintaining SCIVs OPERABLE with isolation times within limits ensures that fission products will remain trapped inside secondary containment so that they can be treated by the SGT System prior to discharge to the environment. SCIVs satisfy Criterion 3 of the NRC Policy Statement. LCO SCIVs form a part of the secondary containment boundary. The SCIV safety function is related to control of offsite radiation releases resulting from DBAs. The power operated isolation valves are considered OPERABLE when their isolation times are within limits and the valves actuate on an automatic isolation signal. The valves covered by this LCO, along with their associated stroke times, are listed in Reference 3. The normally closed isolation valves or blind flanges are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic SCIVs are de-activated and secured in their closed position, and blind flanges are in place. These passive isolation valves or devices are listed in Reference 3. APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to the primary containment that leaks to the secondary containment. Therefore, the OPERABILITY of SCIVs is required. In MODES 4 and 5, the probability and consequences of these events are reduced due to pressure and temperature limitations in these MODES. Therefore, maintaining SCIVs OPERABLE is not required in MODE 4 or 5, except for other situations under which significant radioactive releases can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3. (conti nued) PBAPS UNIT 3 B 3.6-79 Revision No. 0
- SCIVs B 3.6.4.2 BASES (continued)
ACTICNS The ACTIONS are modified by three Notes. The first Note allows penetration flow paths to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated. The second Note provides clarification that for the purpose of this LCO separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SCIVs are governed by subsequent Condition entry and application of associated Required Actions. The third Note ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable SCIV. A.1 and A.2 In the event that there are one or more penetration flow paths with one SCIV inoperable, the affected penetration flow path(s) must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic SCIV, a closed manual valve, an'! a blind flange. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available device to secondary containment. The Required Action must be completed within the 8 hour Completion Time. The specified time period is reasonable considering the time required to isolate the penetration, and the probability of a DBA, which requires the SCIVs to close, occurring during this short time is very low. For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary (continued) PBAPS UNIT 3 B 3.6-80 Revision No. 0
SCIVs B 3.6.4.2 BASES. ACTIODNS A.1 and A.2 (continued) containment penetrations required to be isolated following an accident, but no longer capable of being automatically isolated, will be in the isolation position should an event occur. The Completion Time of once per 31 days is appropriate because the isolation devices are operated under administrative controls and the probability of their misalignment is low. This Required Action does not require any testing or device manipulation. Rather, it involves verification that the affected penetration remains isolated. Required Action A.2 is modified by a Note that applies to devices located in high radiation areas and allows them to be verified closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low. B.1 With two SCIVs in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 4 hours. The method of isolation must. include the use of at least one isolation barrier that. cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 4 hour Completion Time is reasonable considering the time required to isolate the penetration and the probability of a DBA, which requires the SCIVs to close, occurring during this short time, is very low. The Condition has been modified by a Note stating thaat Condition B is only applicable to penetration flow paths with two isolation valves. This clarifies that only Condition A is entered if one SCIV is inoperable in each of two penetrations. _(continued) PBAPS UNIT 3 B 3.6-81 Revision No. 0
SCIVs B 3.6.4.2 BASES ACTIONS C.1 and C.2 (continued) If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. D.I. D.2. and D.3 If any Required Action and associated Completion Time are not met, the plant must be placed in a condition in which the LCO does not apply. If applicable, CORE ALTERATIONS and the movement of irradiated fuel assemblies in the secondary containment must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must be immediately initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action D.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving fuel while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason
-, to require a reactor shutdown.
SURVEILLANCE SR 3.6.4.2.1 REQUIREMENTS This SR verifies that each secondary containment manual isolation valve and blind flange that is required to tie closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the secondary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those SCIVs in secondary containment that are capable of being mispositioned are in the correct position. (continued) PBAPS UNIT 3 B 3.6-82 Revision No. 0
SCIVs B 3.6.4.2 BASES SURVEILLANCE SR 3.6.4.2.1 (continued) REQUIREMENTS Since these SCIVs are readily accessible to personnel during normal operation and verification of their position is relatively easy, the 31 day Frequency was chosen to provide added assurance that the SCIVs are in the correct positions. Two Notes have been added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these SCIVs, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that SCIVs that are. open under administrative controls are not required to meet the SR during the time the SCIVs are open. SR 3.6.4.2.2 Verifying that the isolation time of each power operated and each automatic SCIV is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that the SCIV will isolate in a time period less than or equal to that assumed in the safety analyses. The Frequency of this SR is in accordance with the Inservice Testing Program. SR 3.6.4.2.3 Verifying that each automatic SCIV closes on a secondary containment isolation signal is required to prevent leakage of radioactive material from secondary containment following a DBA or other accidents. This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function. The 24 month Frequency is based on the need tolperform this Surveillance (cortinued) PBAPS UNIT 3 B 3.6-83 Revision No. 0
SCIVs B 3.6.4.2 BASES SURVEILLANCE SR 3.6.4.2.3 (continued) REQUIREMENTS under the conditions that apply during a plant outage. and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components will usually pass the Surveillance when performed at the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Section 14.6.3.
- 2. UFSAR, Section 14.6.4.
- 3. Technical Requirements Manual.
= = .
PBAPS UNIT 3 B 3.6-84 Revision No. 0
SGT System B 8.6.4.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.3 Standby Gas Treatment (SGT) System BASIES BACKGROUND The SGT System is required by UFSAR design criteria (Ref. 1). The function of the SGT System is to ensure that radioactive materials that leak from the primary containment into the secondary containment following a Design Basis Accident (DBA) are filtered and adsorbed prior to exhausting to the environment. A single SGT System is common to both Unit 2 and Unit 3 and consists of two fully redundant subsystems, each with its own set of ductwork, dampers, valves, charcoal filter train, and controls. Both SGT subsystems share a common inlet plenum. This inlet plenum is connected to the refueling floor ventilation exhaust duct for each Unit and to the suppression chamber and drywell of each Unit. Both S1GT subsystems exhaust to the plant offgas stack through a common exhaust duct served by three 100% capacity system fans. SGT System fans OAV020 and OBV020 automatically start on Unit 2 secondary. containment isolation signals. SGT System fans OCV020 and OBV020 automatically start on IJnit 3 secondary containment isolation signals. Each charcoal filter train consists of (components listed in order of the direction of the air flow):
- a. A demister or moisture separator;
- b. An electric heater;
- c. A prefilter;
- d. A high efficiency particulate air (HEPA) filter;
- e. A charcoal adsorber; and
- f. A second HEPA filter.
The SGT System is sized such that each 100%/e capacity fan will provide a flow rate of 10,500 cfm at 20 inches water gauge static pressure to support the control of fission product releases. The SGT System is designed to restore and maintain secondary containment at a negative pressure of 0.25 inches water gauge relative to the atmosphere following {continued) PBAIPS UNIT 3 B 3.6-85 Revision No. 0
SGT System B 3.6.4.3 BASES BACKGROUND the receipt of a secondary containment isolation signal. (continued) Maintaining this negative pressure is based upon the existence of calm wind conditions (up to 5 mph), a maximum SGT System flow rate of 10,500 cfm, outside air temperature of 95'F and a temperature of 150F for air entering the SGT System from inside secondary containment. The demister is provided to remove entrained water in the air, while the electric heater reduces the relative humidity of the airstream to less than. 70% (Ref. 2). The prefilter removes large particulate matter, while the HEPA filter removes fine particulate matter and protects the charcoal from fouling. The charcoal adsorber removes gaseous elemental iodine and organic iodides, and the final HEPA filter collects any carbon fines exhausted from the charcoal adsorber. The SGT System automatically starts and operates in response to actuation signals indicative of conditions or an accident-that could require operation of the system. Following initiation, two charcoal filter train fans (OCV020 and OBV020) start. Upon verification that both subsystems are operating, the redundant subsystem is normally shut down. APPLICABLE The design basis for the SGT System is to mitigate the SAFETY ANALYSES consequences of a loss of coolant accident and fuel handling accidents (Ref. 2). For all events analyzed, the SGT System is shown to be automatically initiated to reduce, via filtration and adsorption, the radioactive material released to the environment. The SGT System satisfies Criterion 3 of the NRC Policy Statement. LCO Following a DBA, a minimum of one SGT subsystem is required to maintain the secondary containment at a negative pressure with respect to the environment and to process gaseous releases. Meeting the LCO requirements for two OPERABLE subsystems ensures operation of at least one SGT subsystem in the event of a single active failure. (continued) PBAPS UNIT 3 B 3.6-86 Revision No. 0
SG1 System B 3.6.4.3 BASES LCO For Unit 3, one SGT subsystem is OPERABLE when one charcoal (continued) filter train, one fan (OCV020) and associated ductwork, dampers, valves, and controls are OPERABLE. The second SGT subsystem is OPERABLE when the other charcoal filter train, one fan (OBV020) and associated ductwork, damper, valves, and controls are OPERABLE. APPLICABILITY In MODES 1, 2, and 3, a DBA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, SGT System OPERABILITY is required during these MODES. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the SGT System in OPERABLE status is not required in MODE 4 cr 5, except for other situations under which significant releases of radioactive material can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. ACTIONS A.1 With one SGT subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status in 7 days. In this Condition, the remaining OPERABLE SGT subsystem is adequate to perform the required radioactivity release control function. However, the overall system reliability is reduced because a single failure in the OPERABLE subsystem could result in the radioactivity release control function not being adequately performed. The 7 day Completion Time is based on consideration of such factors as the availability of the OPERABLE redundant SGT subsystem and the low probability of a DBA occurring during this period. B.1 and B.2 If the SGT subsystem cannot be restored to OPERABLE status within the required Completion Time in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within _continued) PBAP'S UNIT 3 B 3.6-87 Revision No. 0
SST System B 3.6.4.3 BASES ACTIONS B.1 and B.2 (continued) 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. C.1. C.2.1. C.2.2. and C.2.3 During movement of irradiated fuel assemblies, in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, when Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE SGT subsystem should immediately be placed in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that could prevent automatic actuation have occurred, and that any other failure would be readily detected. An alternative to Required Action C.1 is to immediately suspend activities that represent a potential for releasing radioactive material to the secondary containment, thus placing the plant in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies must immediately be suspended. Suspension of these activities must not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRV; in order to minimize the probability of a vessel draindowin and. subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. The Required Actions of Condition C have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. (continued) PBAPS UNIT 3 B 3.6-88 Revision No. 0
SGT System B 3.6.4.3 BASES ACTIONS D.1 (continued) If both SGT subsystems are inoperable in MODE 1, 2, or 3, the SGT System may not be capable of supporting the required radioactivity release control function. Therefore, actions are required to enter LCO 3.0.3 immediately. E.1. E.2. and E.3 When two SGT subsystems are inoperable, if applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in secondary containment must immediately be suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action E.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. SURVEILLANCE SR 3.6.4.3.1 REQUIREMENTS Operating each SGT subsystem (including each filter train fan) for - 15 minutes ensures that both subsystems are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. Operation with the heaters on (automatic heater cycling to maintain temperature) for 2 15 minutes every 31 days is sufficient to eliminate moisture on the adsorbers and HEPA filters since during idle periods instrument air is injected into the filter plenum to keep the filters dry. The 31 day Frequency was developed in consideration of the known reliability of fan motors e.nd controls and the redundancy available in the system. (continued) PBAPS UNIT 3 B 3.6-89 Revision No. 0
SGT System B 3.6.4.3 kth,.,,^, BASES SURVEILLANCE SR 3.6.4.3.2 REQUIREMENTS (continued) This SR verifies that the required SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorbe-r efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations:. Specific test frequencies and additional information are discussed in detail in the VFTP. SR 3.6.4.3.3 This SR verifies that each SGT subsystem starts on receipt of an actual or simulated initiation signal. While this Surveillance can be performed with the reactor at power, operating experience has shown that these components will usually pass the Surveillance when performed at the 24 month Frequency. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function. Therefore, the Frequency was found to be acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Section 1.5.1.6.
- 2. UFSAR, Section 14.9. I PBAPS UNIT 3 B 3.6-90 Revision No. 1
HPSW system B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 High Pressure Service Water (HPSW) System BASES BACKGROUND The HPSW System is'designed to provide cooling water for the Residual Heat Removal (RHR) System heat exchangers, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. The HPSW System is operated whenever the RHR heat exchangers are required to operate in the shutdown cooling mode or in the suppression pool cooling or spray mode of the RHR System. The HPSW System consists of two independent and redundant loops. Each loop is made up of a header, two 4500 gpm pumps, a suction source, valves, piping and associated instrumentation. Either of the two loops is capable of providing the required cooling capacity with one pump operating to maintain safe shutdown-conditions. Therefore, there are two HPSW subsystems with each subsystem consisting of a HPSW loop with one OPERABLE HPSW pump in the loop. The two subsystems are separated from each other by normally closed motor operated cross tie valves, so that failure of one subsystem will not affect the OPERABILITY of the other subsystem. A line connecting the HPSW System of each unit is also provided. Separation of the two units HPSW Systems is provided by a series of two locked closed, manually operated valves. The HPSW System is designed with sufficient redundancy so that no single active component failure can prevent it from achieving its design function. The HPS1W System is described in the UFSAR, Section 10.7, Reference 1. Normal cooling water is pumped by the HPSW pumps from the Conowingo Pond through the tube side of the RHR heat exchangers, and discharges to the discharge pond. The required level for the HPSW pumps in the pump bay of the pump structure is a 89.5 ft Conowingo Datum (CD) and S 113 ft CD. The minimum level ensures net positive suction head and the maximum level corresponds to the level in the pump bay with water solid up to the motor baseplate. An alternate supply and discharge path (from the emergency heat sink) is available in the unlikely event the Conowingo dam fails or the pond floods. This lineup, however, has to be manually aligned. (continued) PBAPS UNIT 3 B 3.7-1 Revision No. 19
HPSW system B 3.7.1 BASES BACKGROUND The system is initiated manually from the control room. If (continued) operating during a loss of coolant accident (LOCA), the system is automatically tripped to allow the diesel generators to automatically power only that equipment necessary to reflood the core. The system is assumed in the analysis to be manually started 10 minutes after the LOCA. The RHR System design permits the system to be initiated as early as 5 minutes after LPCI initiation. APPLICABLE The HPSW1 System removes heat from the suppression pool to SAFETY ANALYSES limit the suppression pool temperature and primary containment pressure following a LOCA. This ensures that the primary containment can perform its function of limiting the release of radioactive materials to the environment following a LOCA. The ability of the HPSW System to support long term cooling of the reactor or primary containment is discussed in References 2 and 3. These analyses explicitly assume that the HPSW System will provide adequate cooling support to the equipment required for safe shutdown. These analyses include the evaluation of the long term primary containment response after a design basis LOCA. The safety analyses for long term cooling were performed for various combinations of RHR System failures. The worst case single failure that would affect the performance of the HPSW System is any failure that would disable one loop of the HPSW System. As discussed in the UFSAR, Section 14.6.3 (Ref. 4) for these analyses, manual initiation of the OPERABLE HPSW subsystem and the associated RHR System is assumed to occur 10 minutes after a DBA. The HPSW flcw assumed in the analyses. is 4500 gpm with one pump operating in one loop, providing flow through one RHR heat exchanger. In this case, the maximum suppression chamber water temperature and pressure are 206*F and approximately 33 psig, respectively, well below the design temperature of 281F and maximum allowable pressure of 56 psig. The HPSW System satisfies Criterion 3 of the NRC Policy Statement. LCO Two HPS1 subsystems are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power. (conltinued) PBAPS UNIT 3 B 3.7-2 Revision No. 0
HPSW System B 3.7.1 BASES LCO A HPSW subsystem is considered OPERABLE when: (continued)
- a. One pump is OPERABLE; and
- b. An OPERABLE flow path is capable of taking suction from the pump structure and transferring the water to the required RHR heat exchanger at the assumed flow rate.
An adequate suction source is not addressed in this LCO since the minimum net positive suction head (89.5 ft Conowingo Datum (CD) in the pump bay) and normal heat sink temperature requirements are bounded by the emergency service water pump and normal heat sink requirements (LCO 3.7.2, "Emergency Service Water (ESW) System and Normal Heat Sink"). APPLICABILITY In MODES 1, 2, and 3, the HPSW System is required to be OPERABLE to support the OPERABILITY of the RHR System for primary containment cooling (LCO 3.6.2.3, "Residual Heat Removal (RHR) Suppression Pool Cooling," and LCO 3.6.2.4, "Residual Heat Removal (RHR) Suppression Pool Spray") and decay heat removal (LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown"). The Applicability is therefore consistent with the requirements of these systems. In MODES 4 and 5, the OPERABILITY requirements of the HPSW System are determined by the systems it supports, and therefore, the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, the LCOs of the RHR shutdown cooling system, which requires portions of the HPSW System to be OPERABLE, will govern HPSW System operation in MODES 4 and 5. ACTIONS A.1 With one HPSW subsystem inoperable, the inoperable HPSW subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE HPSW subsystem is adequate to perform the HPSW heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE HPSW subsystem (continued) PBARS UNIT 3 B 3.7-3 Revision No. 0
HPSW System B 3.7.1 BASES; ACTIONS A.1 (continued) could result in loss of HPSW function. The Completion Time is based on the redundant HPSW capabilities afforded by the OPERABLE subsystem and the low probability of an event occurring requiring HPSW during this period. The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7, be entered and Required Actions taken if an inoperable HPSW subsystem results in an inoperable RHR shutdown cooling subsystem. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. B.1 With both HPSW subsystems inoperable, the HPSW System is not capable of performing its intended function. At least one subsystem must be restored to OPERABLE status within 8 hours. The 8 hour Completion Time for restoring one HPSW subsystem to OPERABLE status, is based on the CompletiDn Times provided for the RHR suppression pool cooling and spray functions. The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7, be entered and Required Actions taken if an inoperable HPSW subsystem results in an inoperable RHR shutdown cooling subsystem. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. C.1 and C.2 If the HPSW subsystems cannot be restored to OPERABLE status within the associated Completion Times, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions frora full power conditions in an orderly manner and without challenging unit systems. (conltinued) PBAFIS UNIT 3 B 3.7-4 Revision No. 0
HPSW System B 3.7.1 BASES (continued) SURVEILLANCE SR 3.7.1.1 REQUIREMENTS Verifying the correct alignment for each manual and power operated valve in each HPSW subsystem flow path provides assurance that the proper flow paths will exist for HPSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be realigned to its accident position. This is acceptable because the HPSW System is a manually initiated system. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. REFERENCES 1. UFSAR, Section 10.7.
- 2. UFSAR, Chapter 14.
- 3. NEDC-32183P, "Power Rerate Safety Analysis Report For Peach Bottom 2 & 3," May 1993.
- 4. UFSAR, Section 14.6.3.
= .
PBAPS UNIT 3 B 3.7-5 Revision No. 0
ESW System and Normal Heat Sink B 3.7.2 B 3.7 PLANT SYSTEMS B 3.7.2 Emergency Service Water (ESW) System and Normal Heat Sink BASES BACKGROUND The ESW System is a standby system which is shared between Units 2 and 3. It is designed to provide cooling water for the removal of heat from equipment, such as the diesel generators (DGs) and room coolers for Emergency Core Cooling System equipment, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient. Upon receipt of a loss of offsite power signal, or whenever arny diesel generator is in operation, the ESW System will provide cooling water to its required loads. The ESW System consists of two redundant subsystems. Each of the two ESW subsystems consist of a 100% capacity 8000 gpm pump, a suction source, valves, piping and associated instrumentation. Either of the two subsystems is capable of providing the required cooling capacity to support the required systems for both units. Each subsystem provides coolant in separate piping to common headers; one each for the DG coolers, Unit 2 safeguard equipment coolers, and Unit 3 safeguard equipment coolers. The design is such that any single. active failure will not affect the ESW System from providing coolant to the required loads. Cooling water is pumped from the normal heat sink (Conowingo Pond) via the pump structure bay by the ESW pumps to the essential components. After removing heat from the components, the water is discharged to the discharge pond, I. or the emergency cooling tower in certain test alignments. An alternate suction supply and discharge path (from the emergency heat sink) is available in the unlikely event the Conowingo dam fails or the pond floods. This lineup, however, has to be manually aligned. APPLICABLE Sufficient water inventory is available for all ESW System SAFElY ANALYSES post LOCA cooling requirements for a 30 day period with no additional makeup water source available. The ability of the ESW System to support long term cooling of the reactor containment is assumed in evaluations of the equipment required for safe reactor shutdown presented in the UFSAR, Chapter 14 (Ref. 1). These analyses include the evaluation of the long term primary containment response after a design basis LOCA. continued) PBAPS UNIT 3 B 3.7-6 Revision Mo. 4
ESW System and Normal Heat Sink B 3.7.2 BASES APPLICABLE The ability of the ESW System to provide adequate cooling to SAFETY ANALYSES the identified safety equipment is an implicit assumption (continued) for the safety analyses evaluated in Reference 1. The ability to provide onsite emergency AC power is dependent on the ability of the ESW System to cool the DGs. The long term cooling capability of the RHR and core spray pumps is also dependent on the cooling provided by the ESW System. ESW provides cooling to the HPCI and RCIC room coolers; however, cooling function is not required to support HPCI or RCIC System operability. The ESW System, together with the Normal Heat Sink, satisfy Criterion 3 of the NRC Policy Statement. LCO The ESW subsystems are independent to the degree that each ESW pump has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a DBA, one subsystem of ESW is required to provide the minimum heat removal capability assumed in the safety analysis for the system to which it supplies cooling water. To ensure this requirement is met, two subsystems of ESW must be OPERABLE. At least one subsystem will operate, if the worst single active failure occurs coincident with the loss of offsite power. A subsystem is considered OPERABLE when it has an OPERABLE normal heat sink, one OPERABLE pump, and an OPERABLE flow path capable of taking suction from the pump structure and transferring the water to the appropriate equipment. The OPERABILITY of the normal heat sink is based on having a minimum and maximum water level in the pump bay of 98.5 ft Conowingo Datum (CD) and 113 ft CD respectively and a maximum water temperature of 900F. The isolation of the ESW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the ESW System. APPLICABILITY In MODES 1, 2, and 3, the ESW System and normal heat sink are required to be OPERABLE to support OPERABILITY of the equipment serviced by the ESW System. Therefore, the ESW System and normal heat sink are required to be OPERABLE in these MODES. {continued) PBAPS UNIT 3 B 3.7-7 Revision No. 11
ESW Syst-em and Normal Heat Sink B 2.7.2 BASES APPLICABILITY In MODES 4 and 5, the OPERABILITY requirements of the ESW (continued) System and normal heat sink are determined by the systems they support, and therefore the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, the LCOs of the systems supported by the ESW System and normal heat sink will govern ESW System and normal heat sink OPERABILITY requirements in MODES 4 and 5. ACTICNS LI. With one ESW subsystem inoperable, the ESW subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE ESW subsystem is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE ESW subsystem could result in loss of ESW function. The 7 day Completion Time is based on the redundant ESW System capabilities afforded by the OPERABLE subsystem, the low probability of an event occurring during this time period, and is consistent with the allowed Completion Time for restoring an inoperable 0G. With water temperature of the normal heat sink > 900 F and
- 920F, the design basis assumptions associated with the initial normal heat sink temperature are bounded provided the temperature of the normal heat sink when averaged over the previous 24 hour period is s 900F. To ensure that the 920F normal heat sink temperature limit is not exceeded, Required Action B.1 is provided to more frequently monitor the temperature of the normal heat sink. The Unit 3 normal heat sink temperature is measured from the Unit 3 intake canal. The once per hour completion time takes into consideration normal heat sink temperature variations arid the increased monitoring frequency needed to ensure design basis assumptions and equipment limitations are not exceeded in this condition. If the water temperature of the normal heat sink exceeds 900F when averaged over the previous 24 hour period or the water temperature of the normal heat sink exceeds 920F, Condition C must be entered immediately.
(contirued) PBAPS UNIT 3 B 3.7-8 Revision Nc. 57
ESW System and Normal MHeat Sink B 3.7.2 BASES ACTIONS C.1 and C.2 I
-(continued)
If the ESW System cannot be restored to OPERABLE status within the associated Completion Time, or both ESW subsystems are inoperable, or the normal heat sink is inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.2.1 REQUIREMENTS This SR verifies the water level in the pump bay of the pump structure to be sufficient for the proper operation of the ESW pumps (the pump's ability to meet the minimum flow rate and anticipatory actions required for flood conditions are (continued) PBAPS UNIT 3 -B3.7-8a Revision No,. 35 l
ESW System and Normal Heat Sink B 2.7.2 BASES SURVEILLANCE SR 3.7.2.1 (continued) REQUIREMENTS considered in determining these limits). The 24 hour Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES. SR 3.7.2.2 Verification of the normal heat sink temperature ensures that the heat removal capability of the ESW and HPSW systems is within the DBA analysis. The Unit 3 normal heat sink temperature is measured from the Unit 3 intake canal. 7he 24 hour Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES. SR 3.7.23 Verifying the correct alignment for each manual and power operated valve in each ESW subsystem flow path provides assurance that the proper flow paths will exist for ESW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these-valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct-position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valve;. This SR is modified by a Note indicating that isolation of the ESW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the ESW System. As such, when all ESW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the ESW System is still OPERABLE. The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions. _(co nt inued) PBAPS UNIT 3 B 3.7-9 Revision No. 57
ESW System and Normal Heat Sink B 3.7.2 BASE'S SURVEILLANCE SR 3.7.2.4 REQUIREMENTS (continued) This SR verifies that the ESW System pumps will automatically start to provide cooling water to the required safety related equipment during an accident event. This is demonstrated by the use of an' actual or simulated initiation signal. Operating experience has shown that these components will usually pass the SR when performed at the 24 month Frequency. Therefore, this Frequency is concluded to be acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Chapter 14. PBAPS UNIT 3 B 3.7-10 Revision No. 0
Emergency Hez.t Sink E,3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 Emergency Heat Sink BASES BACKGROUND The function of the emergency heat sink is to provide heat removal capability so that the Unit 2 and 3 reactors can be safely shutdown in the event of the unavailability of the normal heat sink (Conowingo Pond). The emergency heal; sink supports the dissipation of sensible and decay heat so that the two reactors can be shutdown when the normal heat sink is unavailable due to flooding or failure of the Conouingo dam. This function is provided via the Emergency Service Water (ESW) System and the High Pressure Service Water System (HPSW). The emergency heat sink consists of an induced draft three cell cooling tower with an integral storage reservoir,, three emergency cooling tower fans, two ESW booster pumps, valves, piping, and associated instrumentation. The emergency cooling tower, equipment, valves, and piping of the emergency heat sink are designed in accordance with seismic Class I criteria. Standby power is provided to ensure the emergency heat sink is capable of operating during a loss of offsite power. When the normal heat sink (Conowingo Pond) is lost or when flooding occurs, sluice gates in the pump structure housing the ESW pumps and HPSW pumps are closed. Water is then provided through two gravity fed lines from the emergency heat sink reservoir into the pump structure pump bays.. The ESW and HPSW pumps then pump cooling water to heat exchangers required to bring the Unit 2 and 3 reactors to safe shutdown conditions. Return water from the HPSW System flows directly to two of the three cells of the emergency cooling tower. Return water from the ESW System flows through one of the two ESW booster pumps and is pumped into one of the emergency cooling tower cells used by the HPSW System. This configuration allows for closed cycle operation of the ESW and HPSW Systems. Sufficient capacity (3.7 million gallons of water) is available, when the minimum water level is 17 feet above the bottom of the emergency heat sink reservoir, to support simultaneous shutdown of Units 2 and 3 for 7 days without makeup water. After 7 days, makeup water will be provided from the Susquehanna River or from tank trucks. (continued) PBAF'S UNIT 3 B 3.7-11 Revision No. 0
Emergency Heat Sink B 3.7.3 BASES (continued) APPLICABLE The emergency heat sink is required to support removal of SAFETY ANALYSES heat from the Unit 2 and 3 reactors, primary containments, and other safety related equipment by providing a seisffic Class I heat sink for the ESW and HPSW Systems for shutdown of the reactors when the normal non-safety grade heat sink (Conowingo Pond) is unavailable. Sufficient water inventory is available to supply all the ESW and HPSW System cooling requirements of both units during shutdown with a concurrent loss of offsite power for a 7 day period with no additional makeup water available. The ability of the emergency heat sink to support the shutdown of both Units 2 and 3 in the event of the loss of the normal heat sink is presented in the UFSAR (Ref. 1). The Emergency Heat Sink satisfies Criterion 3 of the NR1C Policy Statement. LCO In the event the normal heat sink is unavailable and oFfsite power is lost, the emergency heat sink is required to provide the minimum heat removal capability for the ES' and HPSW Systems to safely shutdown both units. To ensure this requirement is met, the emergency heat sink must be OPERABLE. The emergency heat sink is considered OPERABLE when it has an OPERABLE flow path from the ESW System with one OPERABLE ESW booster pump, an OPERABLE flow path from both the Unit 2 and Unit 3 HPSW Systems, two of the three cooling tower cells and two of the three associated fans OPERABLE, cne OPERABLE gravity feed line from the emergency heat sink .I reservoir into the pump structure bays with the capability to connect the Unit 2 and 3 pump structure bays or one OPERABLE gravity feed line from the emergency heat sink to the Unit 3 pump structure bay with the Unit 2 and 3 pump structure bays not connected, and the capability exists to manually isolate the ESW and HPSW pump structure bays from the Conowingo Pond. Valves in the required flow paths are considered OPERABLE if they can be manually aligned to their correct position. The OPERABILITY of the emergency heat sink also requires a minimum water level in the emergency heat sink reservoir of 17 feet. (continued) PBAPS UNIT 3 B 3.7-12 Revision No. 2
Emergency Heat sink B 3.7.3 BASES LCO Emergency heat sink water temperature is not addressed in (continued) this LCO since the maximum water temperature of the emergency cooling tower reservoir has been demonstrated, based on historical data, to be bounded by the normal heat sink requirements (LCO 3.7.2, "Emergency Service Water (ESW) System and Normal Heat Sink"). APPLICABILITY In MODES 1, 2, and 3, the emergency heat sink is required to be OPERABLE to provide a seismic Class I source of cooling water to the ESW and HPSW Systems when the normal heat sink is unavailable. Therefore, the emergency heat sink is required to be OPERABLE in these MODES. In MODES 4 and 5, the OPERABILITY requirements of the emergency heat sink are determined by the systems it supports in the event the normal heat sink is unavailable. ACTIONS A.1 With one required emergency cooling tower fan inoperable, action must be taken to restore the required emergency cooling tower fan to OPERABLE status within 14 days. The 14 day Completion Time is based on the remaining heat removal capability, the low probability of an event occurring requiring the inoperable emergency cooing tower fan to function, and the capability of the remaining emergency cooling tower fan. B.1 With the emergency heat sink inoperable for reasons other than Condition A, the emergency heat sink must be restored to OPERABLE status within 7 days. With the unit in this condition, the normal heat sink (Conowingo Pond) is adequate to perform the heat removal function; however, the overall reliability is reduced. The 7 day Completion Time is based on the remaining heat removal capability and the low probability of an event occurring requiring the emergency heat sink to be OPERABLE during this time period. (continued) PBAPS UNIT 3 B 3.7-13 Revision No. 1
Emergency Heat. Sink B 3.7.3 BASES ACTIONS C.1 and C.2 (continued) If the emergency heat sink cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR ensures adequate long term (7 days) cooling can be maintained in the event of flooding or loss of the Conowingo Pond. With the emergency heat sink water source below the minimum level, the emergency heat sink must be declared inoperable. The 31 day Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES. SR 3.7.3.2 Operating each required emergency cooling tower fan for
> 15 minutes ensures that all required fans are OPERABIE and that all associated controls are functioning properly. It also ensures that fan or motor failure, or excessive vibration, can be detected for corrective action. The 92 day Frequency is based on operating experience, the known reliability of the fan units, and the low probability of significant degradation of the required emergency cooling tower fans occurring between surveillances.
REFERENCES 1. UFSAR, Section 10.24.
.. .=
PBAPS UNIT 3 B 3.7-14 Revision No. 0
MCREV System B .3.7.4 B 3.7 PLANT SYSTEMS B 3.'.4 Main Control Room Emergency Ventilation (MCREV) System BASES BACKGROUND The MCREV System limits the maximum temperature of the Main Control Room and provides a radiologically controlled environment from which the unit can be safely operated following a Design Basis Accident (DBA). The safety related function of MCREV System includes two independent and redundant high efficiency air filtration subsystems and two 100% capacity emergency ventilation supply fans which supply and provide emergency treatment: of outside supply air. Each filtration subsystem consists of a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section, a second HEPA filter, and the associated ductwork and dampers. Either emergency ventilation supply fan can operate in conjunction with either filtration subsystem. Each filtration subsystem receives outside air through the normal ventilation prefilter and air handling unit. Prefilters and HEPA filters remove particulate matter, which may be radioactive. The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay. A dry gas purge is provided to each. MCREV subsystem during idle periods to prevent moisture accumulation in the filters. The MCREV System is a standby system that is common to both Unit 2 and Unit 3. The two MCREV subsystems must be OPERABLE if conditions requiring MCREV System OPERABILITY exist in either Unit 2 or Unit 3. Upon receipt of the initiation signal(s) (indicative of conditions that could result in radiation exposure to control room personnel), the MCREV System automatically starts and pressurizes the control room to prevent infiltration of contaminated air into the control room. A system of dampers isolates the control room, and outside air, taken in at the normal ventilation intake, is passed through one of the charcoal adsorber filter subsystems for removal of airborne radioactive particles. During normal control room ventilation system restoration following operation of the MCREV system, the automatic initiation function of MCREV will briefly be satisfied by operator actions and controlled procedural steps. The MCREV System is designed to limit the maximum space temperature of the Control Room to 114 0 F dry-bulb with ventilation flow, but without air conditioning during a loss of offsite power (LOOP). If all normal ventilation and air conditioning were lost, the control room operator would (continued) PBAPS UNIT 3 B 3.7-15 Revision No. 36
MCREV System B 3.7.4 BASES BACKGROUND initiate an emergency shutdown of non-essential equipment (continued) and lighting to reduce the heat generation to a minimum. Heat removal would be accomplished by conduction through the floors, ceilings, and walls to adjacent rooms and to the environment. Additionally, the MCREV System is designed to maintain the control room environment for a 30 day continuous occupancy after a DBA without exceeding 5 rem whole body dose. A single MCREV subsystem will pressurize the control room to prevent infiltration of air from surrounding buildings. MCREV System operation in maintaining control room habitability is discussed in the UFSAR, Chapters 7, 10, and 12, (Refs. 1, 2, and 3, respectively). APPLICABLE The ability of the MCREV System to maintain the SAFETY ANALYSES habitability of the control room is an explicit assumption for the safety analyses presented in the UFSAR, Chapters 10 and 12 (Refs. 2 and 3, respectively). The MCREV System is assumed to operate following a loss of coolant accident, fuel handling accident, main steam line break, and control rod drop accident, as discussed in the UFSAR, Section 14.9.1.5 (Ref. 4). The radiological doses to control room personnel as a result of the various DBAs are summarized in Reference 4. No single active or passive failure will cause the loss of outside or recirculated air from the control room. The MCREV System satisfies Criterion 3 of the NRC Policy Statement. LCO Two redundant subsystems of the MCREV System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other subsystem. Total system failure could result in exceeding a dose of 5 rem to the control room operators in the event of a DBA. The MCREV System is considered OPERABLE when the individual components necessary to control operator exposure are. OPERABLE in both subsystems. A subsystem is considered OPERABLE when its associated:
- a. Fan is OPERABLE; (continued)
PBAP'; UNIT 3 B 3.7-16 Revision No. 0
MCREV System (l 3.7.4 BASES LCO b. HEPA filter and charcoal adsorbers are not excessively (continued) restricting flow and are capable of performing their filtration functions; and
- c. Ductwork, valves, and dampers are OPERABLE, and air flow can be maintained.
In addition, the control room boundary must be maintained, including the integrity of the walls, floors, ceilings, and ductwork. Temporary seals may be used to maintain the boundary. In addition, an access door may be opened provided the ability to pressurize the control room is maintained and the capability exists to close the affected door in an expeditious manner. APPLICABILITY In MODES 1, 2, and 3, the MCREV System must be OPERABIE to control operator exposure during and following a DBA, since the DBA could lead to a fission product release. In MODES 4 and 5, the probability and consequences of a DBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the MCREV System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:
- a. During operations with potential for draining the reactor vessel (OPDRVs);
- b. During CORE ALTERATIONS; and
- c. During movement of irradiated fuel assemblies in the secondary containment.
ACTIONS A.1I With one MCREV subsystem inoperable, the inoperable MCREV subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE MCREV subsystem is adequate to maintain control room temperature and to perform control room radiation protection. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could (continued) PBAPS UNIT 3 B 3.7-17 Revision No. 0
MCREV system B 3.7.4 BASES ACTIONS A.1 (continued) result in reduced MCREV System capability. The 7 day Completion Time is based on the low probability of a DE;A occurring during this time period, and that the remaining subsystem can provide the required capabilities. B.1 and B.2 In MODE 1, 2, or 3, if the inoperable MCREV subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. C.I C.2.1. C.2.2. and C.2.3 The Required Actions of Condition C are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if the inoperable MCREV subsystem cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE MCREV subsystem may be placed in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent automatic actuation will occur, and that any active failure will be readily detected. An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes risk. {continued) PBAPS UNIT 3 B 3.7-18 Revision No. 0
MCREV System B 3.7.4 BASES ACTIONS C.I. C.2.1. C.2.2. and C.2.3 (continued) If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. D.1 If both MCREV subsystems are inoperable in MODE 1, 2, or 3, the MCREV System may not be capable of performing the intended function and the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately. E.1. E.2. and E.3 The Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two MCREV subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the unit *ina condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. If applicable, actions must be initiated (continued) PBAPS UNIT 3 B 3.7-19 Revision No. 0
MCREV system B 3.7.4 BASES ACTIONS E.1. E.2. and E.3 (continued) immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. SURVEILLANCE SR 3.7.4.1 REQUIREMENTS This SR verifies that a subsystem in a standby mode starts on demand and continues to operate for : 15 minutes. Standby systems should be checked periodically to ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every month providers an adequate check on this system. Furthermore, the 31 day Frequency is based on the known reliability of the equipment and the two subsystem redundancy available. SR 3.7.4.2 This SR verifies that the required MCREV testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP. SR 3.7.4.3 This SR verifies that on an actual or simulated initiation signal, each MCREV subsystem starts and operates. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.7.1.4 overlaps this SlIto provide complete testing of the safety function. Operating experience has shown that these components will usuall.y pass the SR when performed at the 24 month Frequency. Therefore, this Frequency is concluded to be acceptable from a reliability standpoint. lcontinued) PBAP'; UNIT 3 B 3.7-20 Revision No. 0
MCREV System B 3.7.4 BASES SURVEILLANCE SR 3.7.4.4 REQUIREMENTS (continued) This SR verifies the integrity of the control room enclosure, and the assumed inleakage rates of potentially I contaminated air. The control room positive pressure, waith respect to potentially contaminated adjacent areas (the turbine building), is periodically tested to verify proper function of the MCREV System. During operation, the MCREV System is designed to slightly pressurize the control room 2 0.1 inches water gauge positive pressure with respect to the turbine building to prevent unfiltered inleakage. [he MCREV System is designed to provide this positive pressure at a flow rate of 2 2700 cfm -and s 3300 cfm to the control l room when in operation. Manual adjustment of the MCREV System may be required to establish the flow rate of 2:2700 cfm and s 3300 cfm during SR performance. The Frequency of 24 months on a STAGGERED TEST BASIS is consistent with Other filtration systems SRs. REFERENCES 1. UFSAR, Section 7.19.
- 2. UFSAR, Section 10.13.
- 3. UFSAR, Section 12.3.4.
- 4. UFSAR, Section 14.9.1.5.
PBAP!; UNIT 3 B 3.7-21 Revision No. 22
Main Condenser Offgas B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Main Condenser Offgas BASES
=
BACKGROUND During unit operation, steam from the low pressure turbine is exhausted directly into the condenser. Air and noncondensible gases are collected in the condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Main Condenser Offgas System. The offgas from the main condenser normally includes radioactive gases. The Main Condenser Offgas System has been incorporated into the unit design to reduce the gaseous radwaste emission. This system uses a catalytic recombiner to recombine radiolytically dissociated hydrogen and oxygen. The gaseous-mixture is cooled and water vapor removed by the offgas recombiner condenser; the remaining water and condensibles are stripped out by the cooler condenser and moisture separator. The remaining gaseous mixture (i.e., the cffgas recombiner effluent) is then processed by a charcoal adsorber bed prior to release. APPLICABLE The main condenser offgas gross gamma activity rate is an SAFETY ANALYSES initial condition of the Main Condenser Offgas System failure event, discussed in the UFSAR, Section 9.4.5 (Ref. 1). The analysis assumes a gross failure in the Main Condenser Offgas System that results in the rupture of the Main Condenser Offgas System pressure boundary. The gross gamma activity rate is controlled to ensure that, during the event, the calculated offsite doses will be well within the limits of 10 CFR 100 (Ref. 2) or the NRC staff approved licensing basis. The main condenser offgas limits satisfy Criterion 2 cf the NRC Policy Statement. LCO To ensure compliance with the assumptions of the Main Condenser Offgas System failure event (Ref. 1), the fission product release rate should be consistent with a noble gas release to the reactor coolant of 100 pAi/MWt-second after decay of 30 minutes. The LCO is established consistent (continued) PBAPS UNIT 3 B 3.7-22 Revision No. 0
Main Condenser Offgas B 3.7.5 BASES LCO with this requirement (3293 MWt x 100 pCi/MWt-second = (continued) 320,000, pCi/second) and is based on the original licensed rated thermal power. APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensibles are being processed via the Main Condenser Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation. In MODES 4 and 5, steam is not being exhausted to the main condenser and the requirements are not applicable. ACTIONS A.1 If the offgas radioactivity rate limit is exceeded, 72 hours is allowed to restore the gross gamma activity rate to within the limit. The 72 hour Completion Time is reasonable, based on engineering judgment, the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of a Main Condenser Offgas System rupture. B.1. B.2. B.3.1. and B.3.2 If the gross gamma activity rate is not restored to within the limits in the associated Completion Time, all main steam lines or the SJAE must be isolated. This isolates the Main Condenser Offgas System from the source of the radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain valve in each drain line inboard of the main steam isolation valves is closed. The 12 hour Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging unit systems. An alternative to Required Actions B.1 and B.2 is to place the unit in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating (continued) PBAPS UNIT 3 B 3.7-23 Revision No. 0
Main Condenser Offgas E 3.7.5 BASES ACTIONS B.1. B.2. B.3.1. and B.3.2 (continued) experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.5.1 REQUIREMENTS This SR, on a 31 day Frequency, requires an isotopic analysis of an offgas sample to ensure that the required limits are satisfied. The noble gases to be sampled are Xe-133, Xe-135, Xe-138, Kr-85m, Kr-87, and Kr-88. If the measured rate of radioactivity increases significantly (by 2 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate. The 31 day Frequency is adequate in view of other instrumentation that continuously monitor the offgas, and is acceptable, based on operating experience. This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation. Only in this condition can radioactive fission gases be in the Main Condenser Offgas System at significant rates. REFERENCES 1. UFSAR, Section 9.4.5.
- 2. 10 CFR 100.
PBAP'S UNIT 3 B 3.7-24 Revision No. 0
Main Turbine Bypass System B 3.7.6 B 3.7 Plant SYSTEMS B 3.7.6 Main Turbine Bypass System BASES
= =
BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during unit startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine. The bypass capacity of the system is 25% of the Nuclear Steam Supply System rated steam flow. Sudden load reductions within the capacity of the steam bypass can be accommodated without safety relief valves opening or a reactor scram. The Main Turbine Bypass System consists of nine modulating type hydraulically actuated bypass valves mounted on a valve manifold. The manifold is connected with two steam lines to the four main steam lines upstream of the turbine stop valves. The bypass valves are controlled by the bypass control unit of the Pressure Regulator and Turbine Generator Control System, as discussed in the UFSAR, Section 7.11.3 (Ref. 1). The bypass valves are normally closed. However, if the total steam flow signal exceeds the turbine control valve flow signal of the Pressure Regulator and Turbine Generator Control System, the bypass control unit processes these signals and will output a bypass flow signal to the bypass valves. The bypass valves will then open sequentially to bypass the excess flow through connecting piping and a pressure reducing orifice to the condenser. APPLICABLE The Main Turbine Bypass System is expected to function SAFETY ANALYSES during the electrical load rejection transient, the turbine trip transient, and the feedwater controller failure maximum demand transient, as described in the UFSAR, Section 14.5.1.1 (Ref. 2), Section 14.5.1.2.1 (Ref. 3), and Section 14.5.2.2 (Ref. 4). However, the feedwater controller maximum demand transient is the limiting licensing basis transient which defines the MCPR operating limit if the Main Turbine Bypass System is inoperable. Opening the bypass valves during the pressurization events mitigates the increase in reactor vessel pressure, which affects the MCPR during the event. The Main Turbine Bypass System satisfies Criterion 3 of the NRC Policy Statement. (continued) PBAPS UNIT 3 B 3.7-25 Revision No. 0
Main Turbine Bypass System B 3.7.6 BASES (continued) LCO The Main Turbine Bypass System is required to be OPERABLE to limit peak pressure in the main steam lines and maintain reactor pressure within acceptable limits during events that cause rapid pressurization, so that the Safety Limit MCPR is not exceeded. With the Main Turbine Bypass System inoperable, modifications to the APLHGR operating limits (LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), the MCPR operating limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), and the LHGR operating limits (LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)") may be applied to allow this LCO to be met. The operating limits for the inoperable Main Turbine Bypass System are specified in the COLR. An OPERABLE Main Turbine Bypass System requires the minimum number of bypass valves, specified in the COLR, to open in response to increasing main steam line pressure. This response is within the assumptions of the applicable analyses (Refs. 2, 3, and 4). APPLICABILITY The Main Turbine Bypass System is required to be OPERABLE at 2 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1Z plastic strain limit are not violated during the applicable safety analyses transients. As discussed in the Bases for LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR),' and LCO 3.2.2, sufficient margin to these limits exists at < 25% RTP. Therefore, these I. requirements are only necessary when operating at or above this power level. ACTIONS A.1 If the Main Turbine Bypass System is inoperable (one or more required bypass valves as specified in the COLR inoperable), or the required thermal operating limits for an inoperable Main Turbine Bypass System, as specified in the COLR, are not applied, the assumptions of the design basis transient analyses may not be met. Under such circumstances, prompt action should be taken to restore the Main Turbine Bypass System to OPERABLE status or adjust the thermal operatirg limits accordingly. The 2 hour Completion Time is reasonable, based on the time to complete the Required Action and the low probability of an event occurring during this period requiring the Main Turbine Bypass System. (contirued) PBAPS UNIT 3 B 3.7-26 Revision No. 50
Main Turbine Bypass System B 3.7.6 BASES ACTIONS B.1 (continued) If the Main Turbine Bypass System cannot be restored to OPERABLE status or the required thermal operating .limiits for an inoperable Main Turbine Bypass System-are not applied, THERMAL POWER must be reduced to < 25% RTP. As discussed in the Applicability section, operation at < 25% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the applicable safety analyses transients. The 4 hour Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner without challenging unit systems. SURVEILLANCE SR 3.7.6.1 REQU;'REMENTS Cycling each main turbine bypass valve through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will function when required. The 31 day Frequency is based on manufacturer's recommendations (Ref. 5), is consistent with the procedural contrels governing valve operation, and ensures correct valve positions. Operating experience has shown that these components usually pass the SR when performed at the 31 day Frequency. Therefore, the Frequency is acceptable frofr a reliability standpoint. SR 3.7.6.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. {continued) PBAPS UNIT 3 B 3.7-27 Revision No. 50
Main Turbine Bypass System B 3.7.6 BASES ACTIONS B.1 (continued) If the Main Turbine Bypass System cannot be restored to OPERABLE status or MAPFAC , MCPRp, and the MCPR operating limits for an inoperable Aain Turbine Bypass System are not applied, THERMAL POWER must be reduced to < 25% RTP. As discussed in the Applicability section, operation at < 25% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the applicable safety analyses transients. The 4 hour Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner without challenging unit systems. SURVEILLANCE SR 3.7.6.1 REQUIREMENTS Cycling each main turbine bypass valve through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will function when required. The 31 day Frequency is based on manufacturer's recommendations (Ref. 5), is consistent with the procedural controls governing valve operation, and ensures correct valve positions. Operating experience has shown that these components usually pass the SR when performed at the 31 day Frequency. Therefore, the Frequency is acceptable from a reliability standpoint. SR 3.7.6.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. (continued) PBAP'; UNIT 3 B 3.7-27 Revision No. 0
Main Turbine Bypass System B 3.7.6 BASES SURVEILLANCE SR 3.7.6.3 REQUIREMENTS (continued) This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analyses. The response time limits are specifier in COLR. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint. REFERENCES 1. UFSAR, Section 7.11.3.
- 2. UFSAR, Section 14.5.1.1.
- 3. UFSAR, Section 14.5.1.2.1.
- 4. UFSAR, Section 14.5.2.2.
- 5. GE Service Information Letter No. 413, "Main Steam Bypass Valve Testing," October 4, 1984.
PBAPS UNIT 3 B 3.7-28 Revision No. 0
Spent Fuel Storage Pool Water Level { 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Spent Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the spent fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. A general description of the spent fuel storage pool design is found in the UFSAR, Section 10.3 (Ref. 1). The assumptions of the fuel handling accident are found in the UFSAR, Section 14.6.4 (Ref. 2). APPLICABLE The water level above the irradiated fuel assemblies is an SAF1:TY ANALYSES implicit assumption of the fuel handling accident. A fuel handling accident is evaluated to ensure that the radiological consequences (calculated whole body and thyroid doses at the site boundary) are well below the guidelines set forth in 10 CFR 100 (Ref. 3). A fuel handling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in Reference 2. The fuel handling accident is evaluated for the dropping of an irradiated fuel assembly onto the reactor core. The consequences of a fuel handling accident over the spent fuel storage pool are no more severe than those of the fuel handling accident over the reactor core. The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere. This absorption and transport delay reduces the potential radioactivity of the release during a fuel handling accident. The spent fuel storage pool water level satisfies Criteria 2 and 3 of the NRC Policy Statement. LCO The specified water level (232 ft 3 inches plant elevatlion, which is equivalent to 22 ft over the top of irradiated fuel assemblies seated in the spent fuel storage pool racks) preserves the assumptions of the fuel handling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool. (continued) PBAPS UNIT 3 B 3.7-29 Revision No. 33
Spent Fuel Storage Pool Water Level B 3.7.7 BASES (continued) APPLICABILITY This LCO applies during movement of fuel assemblies in the spent fuel storage pool since the potential for a release of fission products exists. ACT] ONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent Of reactor operations. Therefore, inability to suspend movement of fuel assemblies is not a sufficient reason to require a reactor shutdown. When the initial conditions for an accident cannot be met, action must be taken to preclude the accident from occurring. If the spent fuel storage pool level is less than required, the movement of fuel assemblies in the spent fuel storage pool is suspended immediately. Suspension of this activity shall not preclude completion of movement of a fuel assembly to a safe position. This effectively precludes a spent fuel handling accident from occurring. SURVEILLANCE SR 3.7.7.1 REQUIREMENTS This SR verifies that sufficient water is available ir,the event of a fuel handling accident. The water level ir,the spent fuel storage pool must be checked periodically. The 7 day Frequency is acceptable, based on operating experience, considering that the water volume in the pool is normally stable, and all water level changes are controlled by unit procedures. REFERENCES 1. UFSAR, Section 10.3.
- 2. UFSAR, Section 14.6.4.
- 3. 10 CFR 100.
PBAPS UNIT 3 B 3.7-30 Revision No. 0
AC Sources-Operating B 3.8.1 B 3.£, ELECTRICAL POWER SYSTEMS B 3.J.1 AC Sources -Operating BASE'; BACKGROUND The unit AC sources for the Class 1E AC Electrical Power Distribution System consist of the offsite power sources, and the onsite standby power sources (diesel generators (DGs)). As required by UFSAR Sections 1.5 and 8.4.2 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems. The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed. Each load group has connections to two qualified circuits that connect the unit to multiple offsite power supplies and a single DG. The two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System are supported by multiple, independent offsite power sources. One of these qualified circuits can be connected to either of two offsite sources: the preferred offsite source is the 230 kV Nottingham-Graceton line which supplies the plant through the 230/13.8 kV startup and emergency auxiliary transformer no. 2; the alternate offsite source is the auto-transformer (500/230 kV) at North Substation which feeds a 230/13.8 kV regulating transformer (startup and emergency auxiliary transformer no. 3), the 3SU regulating transformer switchgear, and the 2SUA switchgear. The aligned source is further stepped down via the 2SU startup transformer switchgear through the 13.2/4.16 kV emergency auxiliary transformer no. 2. The other qualified circuit can be connected to either of two offsite sources: the preferred offsite source is the 230 kV Peach Bottom-Newlinville line which supplies a 230/13.8 kV transformer (startup transformer no. 343); the alternate offsite source is the auto-transformer (500/230 kV) at North Substation which feeds a 230/13.8 kV regulating transformer (startup and emergency auxiliary transformer no. 3) and the 3SU regulating transformer switchgear. The aligned source is further stepped down via the 343SU transformer switchgear (continued) PBAPS UNIT 3 B 3.8-1 Revision No. 0
AC Sources -Operating B 3.8.1 BASES BACKGROUND through the 13.2/4.16 kV emergency auxiliary transformer (continued) no. 3. In addition, the alternate source can only be used to meet the requirements of one offsite circuit. A detailed description of the offsite power network and circuits to the onsite Class IE ESF buses is found in the UFSAR, Sections 8.3 and 8.4 (Ref. 2). A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class IE emergency bus or buses. The determination of the operability of a qualified source of offsite power can be made using three factors, that when taken together, describe the design basis calculation requirements for voltage regulation. The combination of these factors ensures that the offsite source(s), which provide power to the plant emergency buses, will be fully capable of supporting the equipment required to achieve and maintain safe shutdown during postulated accidents and transients. a) An offsite source of electrical power is considered operable if it is within the bounds of analyzed conditions. The most limiting analysis provides the following bounds: i) The Startup Transformer Load Tap Changer (LTIC) is functional; ii) Offsite source grid voltages are maintained above 218.5 kV on the 230 kV system and 498 kV on the 525 kV networks; iii) Electrical buses and breaker alignments are maintained within the bounds of approved plant procedures. b) Based on specific design analysis, variations to any of these parameters is permissible, usually at the sacrifice of another parameter, based on plant conditions. Specifics regarding these variations are controlled by plant procedures or by condition specific design calculations. A description of the Unit 2 offsite power sources is provided in the Bases for Unit 2 LCO 3.8.1, "AC Sources - Operating." The description is identical with the exception that the two offsite circuits provide power to the Unit 2 4 kV emergency buses (i.e., each Unit 3 offsite circuit is common to its respective Unit 2 offsite circuit except for the 4 kV emergency bus feeder breakers). (continued) PBAPS UNIT 3 B 3.8-2 Revision No. 35
AC Sources -Operating B 3.8.1 BASES BACKGROUND The onsite standby power source for the four 4 kV emergency (continued) buses in each unit consists of four DGs. The four DGs provide onsite standby power for both Unit 2 and Unit i. Each DG provides standby power to two 4 kV emergency buses-one associated with Unit 2 and one associated with Unit 3. A DG starts automatically on a loss of coolant accident. (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) from either Unit 2 or Unit 3 or on an emergency bus degraded voltage or undervoltage signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of emergency bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the emergency bus on a LOCA signal alone. Following the trip of offsite power, all loads are stripped from the emergency bus. When the DG is tied to the emergency bus, loads are then sequentially connected to its respective emergency bus by individual timers associated with each auto-connected load following a permissive from a voltage relay monitoring each emergency bus. In the event of a loss of both offsite power sources, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown of both units and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA. Within 59 second; after the initiating signal is received, all automatically connected loads needed to recover the unit or maintain it in a safe condition are returned to service. The failure of any one DG does not impair safe shutdown because each D)G serves an independent, redundant 4 kV emergency bus for each unit. The remaining DGs and emergency buses have sufficient capability to mitigate the consequences of a DBA, support the shutdown of the other unit, and maintain both units in a safe condition. Ratings for the DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3) except that the loading of DG E2 maly exceed the 2000 hour rating during the first 10 minutes; of a DBA LOCA. Each of the four DGs have the following ratings:
- a. 2600 kW- continuous,
- b. 3000 kW -2000 hours,
- c. 3100 kW- 200 hours,
- d. 3250 kW -30 minutes.
(continued) PBAPS UNIT 3 8 3.8-3 Revision lo. 35
AC Sources-Operating B 3.8.1 BASES (continued) APPLICABLE The initial conditions of DBA and transient analyses in the SAFETY ANALYSES UFSAR, Chapter 14 (Ref. 4), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of:
- a. An assumed loss of all offsite power or all onsite AC power; and
- b. A worst case single failure.
AC sources satisfy Criterion 3 of the NRC Policy Statement. LCO Two qualified circuits between the offsite transmission network and the onsite Class IE Distribution System and four separate and independent DGs ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA. In addition, since sore equipment required by Unit 3 is powered from Unit 2 sources (i.e., Containment Atmospheric Dilution System, Standby Gas Treatment System, Emergency Service Water System, Main Control Room Emergency Ventilation System, and Unit 2 125 VDC battery chargers), qualified circuit(s) between the offsite transmission network and the Unit 2 onsite Class 1E distribution subsystem(s) needed to support this equipment must also be OPERABLE. An OPERABLE qualified Unit 3 offsite circuit consists of the incoming breaker and disconnect to the startup and emergency auxiliary transformer, the respective circuit path to the emergency auxiliary transformer, and the circuit path to at least three Unit 3 4 kV emergency buses including feeder _continued) PBARS UNIT 3 B 3.8-4 Revision No. 0
AC Sources -Operating B 3.8.1 BASES LCO breakers to the three Unit 3 4 kV emergency buses. If at (continued) least one of the two circuits does not provide power or is not capable of providing power to all four Unit 3 4 kV emergency buses, then the Unit 3 4 kV emergency buses that each circuit powers or is capable of powering cannot all be the same (i.e., two feeder breakers on one Unit 3 4 kV emergency bus cannot be inoperable). An OPERABLE qualified Unit 2 offsite circuit's requirements are the same as the Unit 3 circuit's requirements, except that the circuit path, including the feeder breakers, is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.7,
'Distribution Systems -Operating." Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the emergency buses.
Each DG has two ventilation supply fans; a main supply fan and a supplemental supply fan. The supplemental supply fan provides additional air cooling to the generator area. Whenever outside air temperature is greater than or equal to 80- F, each DG's main supply fan and supplemental supply fan are required to be OPERABLE for the associated DG to be OPERABLE. Whenever, outside air temperature is less than 80 F, the supplemental supply fan is not required to be OPERABLE for the associated DG to be OPERABLE, however, the main supply fan is required to be OPERABLE for the associated DG to be OPERABLE. Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective Unit 3 4 kV emergency bus on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. Each D& must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the emergency buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in standby with the engine at ambient condition. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. Proper sequencing of loads, including tripping of all loads, is a required function for DG OPERABILITY. (continued) PBAP'i UNIT 3 B 3.8-5 Revision No. 5
AC Sources-Operating B 3.8.1 BASES LCO In addition, since some equipment required by Unit 3 is (continued) powered from Unit 2 sources, the DG(s) capable of supplying the Unit 2 onsite Class 1E AC electrical power distribution subsystem(s) needed to support this equipment must be OPERABLE. The OPERABILITY requirements for these DGs are the same as described above, except that each required DG must be capable of connecting to its respective Unit 2 4 kV emergency bus. (In addition, the Unit 2 ECCS initiation logic SRs are not applicable, as described in SR 3.8.1.21 Bases.) The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one 4 kV emergency bus division, with automatic transfer capability to the other circuit OPERABLE, and not violate separation criteria. A circuit that is not connected to at least three 4 kV emergency buses is required to have OPERABLE automatic transfer interlock mechanisms such that it can provide power to at least three 4 kV emergency buses to support OPERABILITY of that circuit. APPLI:CABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
- b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources-Shutdown." ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining offsite circuits on a more frequent basis. Since the Required Action only specifiers "perform," a failure of SR 3.8.1.1 acceptance criteria does (continued) PBAPS UNIT 3 B 3.8-6 Revision No. 53
AC Sources -Operating B 3:.8.1 BASES ACTICMiS A.1 (continued) not result in a Required Action not met. However, if a second circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition D, for two offsite circuits inoperable, is entered. Required Action A.2, which only applies if one 4 kV emergency bus cannot be powered from any offsite source:, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features (e.g., system, subsystem, division, component, or device) are designed to be powered from redundant safety related 4 kV emergency buses. Redundant required features failures consist of inoperable features associated with an emergency bus redundant to the emergency bus that has no offsite power. The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this.Required Action the Completion Time only begins on discovery that both:
- a. A 4 kV emergency bus has no offsite power supplying its loads; and
- b. A redundant required feature on another 4 kV emergency bus is inoperable.
If, at any time during the existence of this Condition (one offsite circuit inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked. Discovering no offsite power to one 4 kV emergency bus of the onsite Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with any other emergency bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown. (continued) PBAPS UNIT 3 B 3.8-7 Revision No. 5
AC Sources -Operating B :3.8.1 BASES ACTIONS A.2 (continued) The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. A.3 The 4 kV emergency bus design and loading is sufficient to allow operation to continue in Condition A for a period not to exceed 7 days. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuits and the four DGs are adequate to supply electrical power to the onsite Class lE Distribution System. The 7 day Completion Time takes into account the redundancy, capacity, and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a or b. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 14 days, since initial failure to meet LCO 3.8.1.a or b, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 7 days (for a total of 21 days) allowed prior to complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified Condition after discovery of failure to meet LCO 3.8.1.a or
- b. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The (continued)
PBAPS; UNIT 3 B 3.8-8 Revision No. 5
AC Sources-Operating B 3.8.1 BASES ACTIONS A.3 (continued)
"AND" connector between the 7 day and 14 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.
As in Required Action A.2, the Completion Time allows fcr an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition. A was entered. B.1 The 33 kV Conowingo Tie-Line, using a separate 33/13.8 kV transformer, can be used to supply the circuit normally supplied by startup and emergency auxiliary transformer no.
- 2. While not a qualified circuit, this alternate source is a direct tie to the Conowingo Hydro Station that provides a highly reliable source of power because: the line and transformers at both ends of the line are dedicated to the support of PBAPS; the tie line is not subject to damage from adverse weather conditions; and, the tie line can be
'e. 'isolated from other parts of the grid when necessary to ensure its availability and stability to support PBAPS. The availability of this highly reliable source of offsite power permits an extension of the allowable out of service time for a DG to 14 days from the discovery of failure to meet LCO 3.8.1.a or b (per Required Action B.5). Therefore, when a DG is inoperable, it is necessary to verify the availability of the Conowingo Tie-Line immediately and cnce per 12 hours thereafter. The Completion Time of "Immediately" reflects the fact that in order to ensure that the full 14 day Completion Time of Required Action B.5 is available for completing preplanned maintenance of a DG, prudent plant practice at PBAPS dictates that the availability of the Conowingo Tie-Line be verified prior to making a DG inoperable for preplanned maintenance. The Conowingo Tie-Line is available and satisfies the requirements of Required Action B.1 if: 1) the Conowinco line is supplying power to the 13.8kV SBO Switchgear 001,306;
- 2) all equipment required, per SE-li, to connect power from the Conowingo Tie-Line to the emergency 4kV buses and to isolate all non-SBO loads from the Conowingo Tie-Line is available and accessible; and 3) communications with the Conowingo control room indicate that required equipment at Conowingo is available. If Required Action B.1 is not met or the (continued)
PBAPS UNIT 3 B 3.8-9 Revision Nc. 39 l
AC Sources -Operating B 3.8.1 BASES ACTIONS E.1 (continued) status of the Conowingo Tie-Line changes after Required Action B.1 is initially met, Condition C must be immediately entered. B.2 To ensure a highly reliable power source remains with one DG inoperable, it is necessary to verify the availability olF the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered. B.3 Required Action B.3 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed to be powered from redundant safety related 4 kV emergency buses. Redundant required features failures consist of inoperable features associated with an emergency bus redundant to the emergency bus that has an inoperable DG. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins an discovery that both:
- a. An inoperable DG exists; and
- b. A redundant required feature on another 4 kV emergency bus is inoperable.
If, at any time during the existence of this Condition (one DG inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked. Discovering one DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DGs results in (continued) PBAPS UNIT 3 B 3.8-10 Revision No. 5
AC Sources -Operating B 3l.8.1 BASES; ACTIONS B.3 (continued) starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single' failure protection for the required feature's function inay have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion 'rime takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period. B.4.1 and B.4.2 Required Action B.4.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DGs, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition F or H of LCO 3.8.1 is entered, as applicable. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.4.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DGs, performance of SR 3.13.1.2 suffices to provide assurance of continued OPERABILITY of those DGs. In the event the inoperable DG is restored to OPERABLE status prior to completing either B.4.1 or B.4.2, the PFBAPS Performance Enhancement Program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer required under the 24 hour constraint imposed while in Condition B. According to Generic Letter 84-15 (Ref. 5), 24 hours is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG. (continued) PBAPS UNIT 3 B 3.8-11 Revision No. 5
AC Sources -Operating B 3.8.1 BASES ACTIONS B.5 (continued) The availability of the Conowingo Tie-Line provides an additional source which permits operation to continue in Condition B for a period that should not exceed 14 days from discovery of the failure to meet LCO 3.8.1.a or b. In Condition B, the remaining OPERABLE DGs and the normal offsite circuits are adequate to supply electrical power to the onsite Class IE Distribution System. The Completion Time of Required Action B.5 takes into account the enhanced reliability and availability of offsite sources due to the Conowingo Tie-Line, the redundancy, capacity, and capability of the other remaining AC sources, reasonable time for repairs of the affected DG, and low probability of a DBA occurring during this period. The Completion Time for Required Action B.5 also establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a or b. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 14 days, since initial failure of LCO 3.8.1.a or b, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 21 days) allowed prior to complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet LCO 3.8.1.a or
- b. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The 14 day Completion Time would also limit the maximum time a DG is inoperable if the status of the Conowingo Tie-Line changes from being available to being not available (this is discussed in Required Action C.1 Bases discussion).
As in Required Action B.3, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered. (continued) PBAPS UNIT 3 B 3.8-12 Revision NO. 1
AC Sources -Operating B 3.8.1 BASES ACTIONS B.5 (continued) The extended Completion Time for restoration of an inoperable DG afforded by the availability of the Conowingo Tie-Line is intended to allow completion of a diesel generator overhaul; however, subject to the diesel generator reliability program, INPO performance criteria, and good operating practices, using the extended Completion Time is permitted for other reasons. Activities or conditions that increase the probability of a loss of offsite power (i.e., switchyard maintenance or severe weather) should be considered when scheduling a diesel generator outage. In addition, the effect of other inoperable plant equipment should be considered when scheduling a diesel generator outage. C. C-If the availability of the Conowingo Tie-Line is not verified within the Completion Time of Required Actior B.1, or if the status of the Conowingo Tie-Line changes after Required Action B.1 is initially met, the DG must be restored-to OPERABLE status within 7 days. The 7 day Completion Time begins upon entry into Condition C (i.e., upon discovery of failure to meet Required Action B.1). However, the total time to restore an inoperable DG cannot exceed 14 days (per the Completion Time of Required Action B.5). The 4 kV emergency bus design and loading is sufficient to allow operation to continue in Condition B for a period that should not exceed 7 days, if the Conowingo Tie-Line is not available (refer to Required Action B.1 Bases discussion). In Condition C, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class IE Distribution System. The 7 day Completion Time takes into account the redundancy, capacity, and capability of the remaining AC sources, reasonable tine for repairs, and low probability of a DBA occurring during this period. (continued) PBAPS UNIT 3 B 3.8-13 Revision No. 0
AC Sources-Operating B 3.8.1 BASES ACTIONS D.1 and D.2 (continued) Required Action D.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two or more offsite circuits. Required Action D.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours from that allowed with one 4 kV emergency bus without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours for two offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. (While this Action allows more than two circuits to be inoperable, Regulatory Guide 1.93 assumed two circuits were all that were required by the LCO, and a loss of those two circuits resulted in a loss of all offsite power to the Class 1E AC Electrical Power Distribution System. ThLIs, with the Peach Bottom Atomic Power Station design, a loss of more than two offsite circuits results in the same conditions assumed in Regulatory Guide 1.93.) When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are designed with redundant safety related 4 kV emergency buses. Redundant required features failures consist of any of these features that are inoperable because any inoperability is on an emergency bus redundant to an emergency bus with inoperable offsite circuits. The Completion Time for Required Action D.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal 'time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:
- a. Two or more offsite circuits are inoperable; and
- b. A required feature is inoperable.
(continued) PBAPS UNIT 3 B 3.8-14 Revision No. 0
AC Sources-Operating 1H 3.8.1 BASES ACTIONS D.1 and D.2 (continued) If, at any time during the existence of this Condition (two or more offsite circuits inoperable i.e., any combination of Unit 2 and Unit 3 offsite circuits inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 24 hours. This level of degradation means that the oFfsite electrical power system may not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources. Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level:
- a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and
- b. The time required to detect and restore an unavailable-offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.
With two or more of the offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a D3A or transient. In fact, a simultaneous loss of offsite Al: sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of all but one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria. _continued) PBAPS UNIT 3 B 3.8-15 Revision No. 0
AC Sources -Operating B 3.8.1 BASES ACTIONS D.1 and D.2 (continued) According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours. If all offsite sources are restored within 24 hours, unrestricted operation may continue. If all but one offsite source is restored within 24 hours, power operation continues in accordance with Condition A. E.1 and E.2 Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition E are modified by a Note to indicate that when Condition E is entered with no AC source to any 4 kV emergency bus, ACTIONS for LCO 3.8.7, "Distribution Systems-Operating," must be immediately entered. This allows Condition E to provide requirements for the loss of the offsite circuit and one DG without regard to whether a 4 kV emergency bus is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized 4 kV emergency bus. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition E for a period that should not exceed 12 hours. In Condition E, individual redundancy is lcst in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition ma) appear higher than that in Condition D (loss of two or more offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. _continued) PBAPS UNIT 3 B 3.8-16 Revision No. 0
AC Sources-Operating B 3.8.1 BASES ACTIONS F.1 (continued) With two or more DGs inoperable, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation. According to Regulatory Guide 1.93 (Ref. 6), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours. (Regulatory Guide 1.93 assumed the unit has two DGs. Thus, a loss of both DGs results in a total loss of onsite power. Therefore, a loss of more than two DGs, in the Peach Bottom Atomic Power Station design, results in degradation no worse than that assumed in Regulatory Guide 1.93.) G.1 and G.2 If the inoperable AC electrical power source(s) cannot be restored.to OPERABLE status within the associated Completion Time (Required Action and associated Completion Time of Condition A, C, D, E, or F not met; or Required Action B.2, B.3, B.4.1, B.4.2, or B.5 and associated Completion Time not met), the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. {continued) PBAP'S UNIT 3 B 3.8-17 Revision No. 0
AC Sources-Opeirating B 3.8.1 BASES ACTIONS H.1 (continued) Condition H corresponds to a level of degradation in which redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system may cause a loss of function. Therefore, no additional time is justified For continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown. SURVEILLANCE The AC sources are designed to permit inspection and REQUIREMENTS testing of all important areas and features, especially those that have a standby function, in accordance with UFSAR, Section 1.5.1 (Ref. 7). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), Regulatory Guide 1.108 (Ref. 8), and Regulatory Guide 1.137 (Ref. 9). As Noted at the beginning of the SRs, SR 3.8.1.1 through SR 3.8.1.20 are applicable only to the Unit 3 AC sources and SR 3.8.1.21 is applicable only to the Unit 2 AC sources. Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. The minimum steady state output voltage of 4160 V corresponds to the minimum steady state voltage analyzed in the PBAPS emergency DG voltage regulation study. This value allows for voltage drops to motors and other equipment down through the 120 V level. The specified maximum steady state output voltage of 4400 V is equal to the maximum steady state operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated steady state operating voltages. The specified minimum and maximum frequencies of the DG are 58.8 Hz and'61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Regulatory Guide 1.9 (Ref. 3). (continued) PBAPS UNIT 3 B 3.8-18 Revision No. 0
AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.1 REQUIREMENTS (continued) This SR ensures proper. circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source and that appropriate independence of offsite circuits is maintained. The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room. SR 3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition. To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs have been modified by a Note (Note 2 for SR 3.8.1.2 and Note 1 for SR 3.8.1.7) to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and followed by a warmup prior to loading. For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that. the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. In order to reduce stress and wear on diesel engines, the manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 3 to SR 3.8.1.2, which is only applicable when such modified start procedures are recommended by the manufacturer. SR 3.8.1.7 requires that, at a 184 day Frequency, the DG starts from standby conditions and achieves required voltage and frequency within 10 seconds. The minimum-voltage and frequency stated in the SR are those necessary to ensure the conntinued) PBAPS UNIT 3 B 3.8-19 Revision No. 0
AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.2 and SR 3.8.1.7 (continued) REQUIREMENTS DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application. This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR. In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable. The 10 second start requirement supports the assumptions in the design basis LOCA analysis of UFSAR, Section 8.5 (Ref. 10). The 10 second start requirement is not applicable to SR 3.13.1.2 (see Note 3 of SR 3.8.1.2), when a modified start procedure as described above is used. If a modified start is not used, the 10 second start requirement of SR 3.8.1.7 applies. Since SR 3.8.1.7 requires a 10 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This procedure is the intent of Note 1 of SR 3.8.1.2. To minimize testing of the DGs, Note 4 to SR 3.8.1.2 and Note 2 to SR 3.8.1.7 allow a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of-these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. The normal 31 day Frequency for SR 3.8.1.2 is consistent with Regulatory Guide 1.9 (Ref. 3). The 184 day Frequency for SR 3.8.1.7 is a reduction in cold testing consistent with Generic Letter 84-15 (Ref. 5). These Frequencies provide adequate assurance of DG OPERABILITY, while minimizing degradation resulting from testing. (continued) PBAPS UNIT 3 B .3.8-20 Revision No. 0
AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.3 REQUIREMENTS (continued) This Surveillance verifies that the DGs are capable of synchronizing and accepting a load approximately equivalent to that corresponding to the continuous rating. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source. This Surveillance verifies, indirectly, that the DGs are capable of synchronizing and accepting loads equivalent to post accident loads. The DGs are tested at a load approximately equivalent to their continuous duty rating, even though the post accident loads exceed the continuous rating. This is acceptable because regular surveillance testing at post accident loads is injurious to the DG, and imprudent because the same level of assurance in the ability of the DG to provide post accident loads can be developed by monitoring engine parameters during surveillance testing. The values of the testing parameters can then be qualitatively compared to expected values at post accident engine loads. In making this comparison it is necessary to consider the engine parameters as interrelated indicators of remaining DG capacity, rather than independent indicators. The important engine parameters to be considered in making this comparison include, fuel rack position, scavenging air pressure, exhaust temperature and pressure, engine output, jacket water temperature, and lube oil temperature. With the DG operating at or near continuous rating and the observed values of the above parameters less than expected post accident values, a qualitative extrapolation which shows the DG is capable of accepting post accident loads can be made without requiring detrimental testing. Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The normal 31 day Frequency for this Surveillance is consistent with Regulatory Guide 1.9 (Ref. 3). (continued) PBAP'S UNIT 3 B 3.8-21 Revision No. 0
AC Sources -Operating 1B 3.8.1 BASES SURVEILLANCE SR 3.8.1.3 (continued) REQUIREMENTS Note I modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 modifies this Surveillance by stating that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance. To minimize testing of the DGs, Note 5 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, with the DG synchronized to the 4 kV emergency bus of Unit 3 for one periodic test and synchronized to the 4 kV emergency bus of Unit 2 during the next periodic test. This is allowed since the main purpose of the Surveillance, to ensure DG OPERABILITY, is still being verified on the proper frequency, and each unit's breaker control circuitry, which is only being tested every second test (due to the staggering of the tests), historically have a very low failure rate. Note 5 modifies the specified frequency for each unit's breaker control circuitry to be 62 days. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. In addition, if the test i<; scheduled to be performed on Unit 2, and the Unit 2 TS allowance that provides, an exception to performing the test is used (i.e., when Unit 2 is in MODE 4 or 5, or movirg irradiated fuel assemblies in the secondary containmert, the Note to Unit 2 SR 3.8.2.1 provides an exception to performing this test) or if it is not preferable to perform the test on a unit due to operational concerns (however time is not to exceed 62 days plus grace), then the test shall be performed synchronized to the Unit 3 4 kV emergency bus. (continued) PBAPS UNIT 3 B 3.8-22 Revision No. 34
AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.4 REQUIREMENTS (continued) This allowance is acceptable provided that the associated unit's breaker control circuitry-portion of the Surveillance is performed within the SR frequency of 62 days plus SR 3.0.2 allowed grace period or the next scheduled Surveillance after the Technical Specification allowance is no longer applicable. This SR provides verification that the level of fuel oil in the day tank is adequate for a minimum of 1 hour of DG operation at full load. The level, which includes margin to account for the unusable volume of oil, is expressed as an equivalent volume in gallons. The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarrms are provided and facility operators would be aware of any large uses of fuel oil during this period. SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of tie fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1.137 (Ref. 9). This SR is for preventive maintenance. The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of this Surveillance. SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and automatically transfers fuel oil from its associated storage tank to its associated day tank. It is required to support continuous operation of standby power sources. This Surveillance provides assurance that {continued) PBAPS UNIT 3 B 3.8-23 Revision No. 34
AC Sources -Operating 8 3.8.1 BASES SURVEILLANCE SR 3.8.1.6 (continued) REQUIREMENTS the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE. Manual operator action may be used during performance of surveillance testing, in lieu of automatic action and will maintain the automatic transfer system operable. The operator actions will be administratively controlled by the procedures. The Frequency for this SR is 31 days because the design of the fuel transfer system is such that pumps operate automatically in order to maintain an adequate volume of fuel oil in the day tanks during or following DG testing and proper operation of fuel transfer systems is an inherent part of DG OPERABILITY. SR 3.8.1.8 Transfer of each 4 kV emergency bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads. The 24 month Frequency of the Surveillance is based on engineering judgment taking into consideration the plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components will pass the SR when performed on the 24 month Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. This Surveillance tests the applicable logic associated with Unit 3. The comparable test specified in Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note (continued) PBRPS UNIT 3 .B3.8-24 RevisiDn No. I
AC Sources -Operating B :3.8.1 BASES SURVEILLANCE SR 3.8.1.8 (continued) REQU[REMENTS specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 2. The Note only applies to Unit 3, thus the Unit 3 Surveillance shall not be performed with Unit 3 in MODE. 1 or
- 2. Credit may be taken for unplanned events that satisfy this SR.
SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding.predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each DG is a residual heat removal pump (2000 bhp). This Surveillance may be accomplished by: 1) tripping the DG output breakers with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus, or 2) tripping its associated single largest post-accident load with the DG solely supplying the bus. Currently, the second option is the method PBAPS utilizes because the first method will result in steady state operation outside the allowable voltage and frequency limits. Consistent with Regulatory Guide 1.9 (Ref. 3), the load rejection test is acceptable if the diesel speed does not exceed the nominal (synchronous) speed plus 75% of the difference between nominal speed and the overspeed trip setpoint, or 115% of nominal speed, whichever is lower. The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals. The 1.8 seconds specified for voltage and the 2.4 seconds specified for frequency are equal to 60% and 80%, respectively, of the 3 second load sequence interval associated with sequencing the next load following the residual heat removal (RHR) pumps during an undervoltage on the bus concurrent with a LOCA. The voltage and frequency specified are consistent with the design range of the (coni:inued) PBAPS UNIT 3 B 3.8-25 Revision No. 1
AC Sources -Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 (continued) REQUIREMENTS equipment powered by the DG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c provide steady state voltage and frequency values to which the system must recover following load rejection. The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. This SR is modified by two Notes. In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, Note 1 requires that if synchronized to offsite power, testing must be performed using a power factor < 0.89. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience. To minimize testing of the DGs, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.10 Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.8, this Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event, and continue to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated. (continued) PBAPS UNIT 3 B 3.8-26 Revision No. 1
AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued) REQUIREMENTS In order to ensure that the DG is tested under load conditions that are as close to design basis conditions. as possible, testing must be performed using a power factor
< 0.89. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience.
The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance, and i; intended to be consistent with expected fuel cycle lengths. This SR is modified by a Note. To minimize testing of the DGs, the Note allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the OG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.11 Consistent with Regulatory Guide 1.9 (Ref..3), paragraph C.2.2.4, this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of all loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time. The DG auto-start and energization of the associated 4 kV emergency bus time of 10 seconds is derived from requirements of the accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stabililty has been achieved. (continued) PBAPS UNIT 3 B 3.8-27 Revision No. 1
AC Sources -Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued) REQUIREMENTS The requirement to verify the connection and power supply of auto-connected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. This SR is modified by two Notes. The reason for Note I is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs shall be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic: associated with Unit 3. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit;. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. The Note only applies to Unit 3, thus the Unit 3 Surveillances shall not be performed with Unit 3 in MODE 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR. (continued) PBAPS UNIT 3 B 3.8-28 Revision No. 1
AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.12 (ccnti nued) Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.5, this Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for > 5 minutes. The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application. This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR. In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on a LOCA signal without loss of offsite power. The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, ECCS systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu oaf actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. (continued) PBAPS UNIT 3 B 3.8-29 Revision No. 1
AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 (continued) REQUIREMENTS The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with the expected fuel cycle lengths. This SR is modified by a Note. The reason for the Note is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. SR 3.8.1.13 Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.12, this Surveillance demonstrates that DG non-critical protective functions (e.g., high jacket wiater temperature) are bypassed on an ECCS initiation test signal and critical protective functions (engine overspeed, generator differential overcurrent, generator ground neutral overcurrent, and manual cardox initiation) trip the DG to avert substantial damage to the DG unit. The non-critical trips are bypassed during DBAs and continue to provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG. The 24 month Frequency is based on engineering judgment, takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. To minimize testing of the DGs, the Note to this SR allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allDwed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. {continued) PBA.PS UNIT 3 B 3.8-30 Revision No. 1
AC Sources-Operating B 3.8.1 BASE; SURVEILLANCE SR 3.8.1.14 REQUIREMENTS (continued) Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.9, this Surveillance requires demonstration that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours; However, load values may deviate from the Regulatory Guide such that the DG operates for 22 hours at a load approximately equivalent to 92Z to 108% of the continuous duty rating of the DG, and 2 hours of which is at a load approximately equivalent to 108% to 115% of the continuous duty rating of the DG. The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR. This Surveillance verifies, indirectly, that the OGs are capable of synchronizing and accepting loads equivalent to post accident loads. The DGs are tested at a load approximately equivalent to their continuous duty rating, even though the post accident loads exceed the continuous rating. This is acceptable because regular surveillance testing at post accident loads is injurious to the DG, and imprudent because the same level of assurance in the ability of the DG to provide post accident loads can be developed by monitoring engine parameters during surveillance-testing. The values of the testing parameters can then be qualitatively compared to expected values at post accident engine loads. In making this comparison it is necessary to consider the engine parameters as interrelated indicators of remaining DG capacity,-rather than independent indicators. The important engine parameters to be considered in making this comparison include, fuel rack position, scavenging air pressure, exhaust temperature and pressure, engine output, jacket water temperature, and lube oil temperature. With the DG operating at or near continuous rating and the observed values of the above parameters less than expected post accident values, a qualitative extrapolation which shows the DG is capable of accepting post accident loads can be made without requiring detrimental testing. In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor
- 0.89. This power factor is chosen to be representative of the actual design basis inductive'loading that the DG could (continued)
PBAPS UNIT 3 B 3.8-31 Revision ND. 54
AC Sources-Operating E,3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued) REQUIREMENTS experience. A load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance; and is intended to be consistent with expected fuel cycle lengths, This Surveillance has been modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. Note 2 is provided in recognition that if the offsite electrical power distribution system voltage is high, it may not be possible to raise DG output voltage without creating an overvoltage condition on the emergency bus. ThereFore, to ensure the bus voltage and supplied loads, and DG are not placed in an unsafe condition during this test, the power factor limit does not have to be met if grid voltage Or emergency bus loading does not permit the power factor limit to be met when the DG is tied to the grid. When this occurs, the power factor should be maintained as close to the limit as practicable. To minimize testing of the DGs, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails-one of these Surveillances, the -DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 10 seconds. The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a (continued) PBAPS UNIT 3 B 3.8-32 Revisicn No. 0
AC Sources-Operating B :3.8.1 BASES SURVEILLANCE SR 3.8.1.15 (continued) REQUIREMENTS period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application. This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR. In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 2 hours at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. The load band is provided to avoid routine overloading of the DG. Routine overloads. may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Momentary transients due to changing bus loads do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing. To minimize testing of - the DGs, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DOG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.16 Consistent with Regulatory Guide 1.9 (Ref. 3), paragraph C.2.2.11, this Surveillance ensures that the manual synchronization and load transfer from the DG tD the offsite source can be made and that the DG can be returned (continued) PBAP!; UNIT 3 B 3.8-33 Revision No. 0
AC Sources-Operating 133.8.1 BASES SURVEILLANCE SR 3.8.1.16 (continued) REQUIREMENTS to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the output breaker is open and can receive an auto-close signal on bus undervoltage, and individual load timers are reset. The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 3. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. The Note only applies to Unit 3, thus the Unit 3 Surveillances shall not be performed with Unit 3 in MODE 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR. SR 3.8.1.17 Consistent with Regulatory Guide 1.9 (Ref 3), paragraph C.2.2.13, demonstration of the test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing. Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if a Unit 3 ECCS initiation signal is received during operation in the test mode while synchronized to either Unit 2 or a Unit 3 4 kV emergency bus. Ready-to-load operation is defined as the DG running at rated speed and voltage with the DG output breaker open. (continued) PBAPS UNIT 3 B 3.8-34 Revision No. 0
AC Sources -Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.17 (continued) REQUIREMENTS The requirement to automatically energize the emergency loads with offsite power ensures that the emergency loads will connect to an offsite source. This is performed by ensuring that the affected 4 kV bus remains energized following a simulated LOCA trip of the DG output breaker, and ensuring 4kV and ECCS logic performs as designed to connect all emergency loads to an offsite source. The requirement for 4kV bus loading is covered by overlapping SRs specified in Specification 3.8.1, "AC Sources-Operating and 3.3.5.1 "ECCS Instrumentation". In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading is verified. The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with expected fuel cycle length. To minimize testing of the DGs, the Note allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If the DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.18 Under accident and loss of offsite power conditions, loads are sequentially connected to the bus by individual load timers. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence time interval tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 10 provides a summary of the automatic loading of emergency buses. {continued) PBAPS UNIT 3 B 3.8-35 Revision No. 10
AC Sources -Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.18 (continued) REQUIREMENTS The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance, and in intended to be consistent with expected fuel cycle lengths. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 3. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 3. The Note only applies to Unit 3, thus the Unit 3 Surveillances shall not be performed with Unit 3 in MOI)E 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR. SR 3.8.1.19 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded. This Surveillance demonstrates DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months. {continued) PBAPS UNIT 3 B 3.8-36 Revision -No. 10
AC Sources - Operating B .3.8.1 BASES SURVEILLANCE SR 3.8.1.19 (continued) REQUHREMENTS This SR is modified by two Notes. The reason for Note'1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 3. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. The Note only applies to Unit 3, thus the Unit 3 Surveillances shall not be performed with Unit 3 in MODE 1, 2, or 3. Credit may be taken for unplanned events that satisfy this SR. SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values iis also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not damped out by load application. This period may extend beyond the 10 second acceptance criteria and could be a cause for failing the SR. In lieu of a time constraint in the SR, PBAPS will monitor and trend the actual time to reach steady state operation as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable. (continued) PBAP!; UNIT 3 B 3.8-37 Revision llo. 10
AC Sources-Operating IN3.8.1 BASES SURVEILLANCE SR 3.8.1.20 (continued) REQUIREMENTS The 10 year Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 8). This SR is modified by two Notes. The reason for Note I is to minimize wear on the DG during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. To minimize testing of the DGs, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit. If a DG fails one of these Surveillances, a DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.21 With the exception of this Surveillance,.all other Surveillances of this Specification (SR 3.8.1.1 through SR 3.8.1.20) are applied only to the Unit 3 AC sources;. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 2 AC sources are governed by the applicable Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy Unit 2 requirements, as well as satisfying this Unit 3 Surveillance Requirement. Six exceptions are noted to the Unit 2 SRs of LCO 3.8.1. SR 3.8.1.8 is excepted when only one Unit 2 offsite circuit is required by the Uniit 3 Specification, since there is not a second circuit to transfer to. SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.17, SR 3.8.1.18 (ECCS load block requirements only), and SR 3.8.1.19 are excepted since these SRs test the Unit 2. ECCS initiation signal, which is not needed for the AC; sources to be OPERABLE on Unit 3. The Frequency required by the applicable Unit 2 SR also governs performance of that SR for Unit 3.. As Noted, if Unit 2 is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment, the Note to Unit 2 SR 3.8.2.1 is applicable. This ensures that a Unit 3 SR will not require a Unit 2 SR to be performed, when the {contiinued) PBAPS UNIT 3 B 3.8-38 Revision No. 0
AC Sources-Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.21 (continued) REQUIREMENTS Unit 2 Technical Specifications exempts performance of a Unit 2 SR (However, as stated in the Unit 2 SR 3.8.2.1 Note, while performance of an SR is exempted, the SR still must be met). REFERENCES 1. UFSAR, Sections 1.5 and 8.4.2.
- 2. UFSAR, Sections 8.3 and 8.4.
- 3. Regulatory Guide 1.9, July 1993.
- 4. UFSAR, Chapter 14.
- 5. Generic Letter 84-15.
- 6. Regulatory Guide 1.93, December 1974.
- 7. UFSAR, Section 1.5.1.
- 8. Regulatory Guide 1.108, August 1!977.
- 9. Regulatory Guide 1.137, October 1979.
'10. UFSAR, Section 8.5.
PBAP'; UNIT 3 B .3.8-39 Revision No. 0
AC Sources-Shutdown 1I3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources-Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.81.1, "AC Sources-Operating." APPLICABLE The OPERABILITY of the minimum AC sources during MODES 4 SAFETY ANALYSES and 5 and during movement of irradiated fuel assemblies in secondary containment ensures that:
- a. The facility can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.
In general, when the unit is shut down the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and corresponding stresses result in the probabilities of occurrences significantly reduced or eliminated, and minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems. During MODES 1, 2, and 3, various deviations from the! analysis assumptions and design requirements are allowed within the ACTIONS. This allowance is in recognition that (continued) PBAPS UNIT 3 B 3.8-40 Revision No. 0
AC Sources-Shutdown E;3.8.2 BASES APPLICABLE certain testing and maintenance activities must be SAFETY ANALYSES conducted, provided an acceptable level of risk is not (continued) exceeded. During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally planned and administratively controlled. Relaxations from typical MODES 1, 2, and 3 LCO requirements are acceptable during shutdown MODES, based on:
- a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
- b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both.
- c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
- d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.
In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (diesel generator (DG)) power. The AC sources satisfy Criterion 3 of the NRC Policy Statement. LCO One offsite circuit supplying the Unit 3 onsite Class IE power distribution subsystem(s) of LCO 3.8.8, 'Distribution Systems-Shutdown," ensures that all required Unit 3 powered loads are powered from offsite power. Two OPERABLE D{;s, associated with the Unit 3 onsite Class IE power distribution subsystem(s) required OPERABLE by LCO 3.d.8, ensures that a diverse power source is available for providing electrical power support assuming a loss of the Icontinued) PBAP.; UNIT 3 B 3.8-41 Revision Now 0
AC Sources -Shutdown El3.8.2 BASES LCO offsite circuit. In addition some equipment that may be (continued) required by Unit 3 is powered from Unit 2 sources (e.g., Containment Atmospheric Dilution System, Standby Gas Treatment System, Emergency Service Water System, and Main Control Room Emergency Ventilation System). Therefore, qualified circuits between the offsite transmission network and the Unit 2 onsite Class 1E AC electrical power distribution subsystem(s), and the DG(s) (not necessarily different DG(s) from those being used to meet LCO 3.8.2.b requirements) capable of supplying power to the required Unit 2 subsystems of each of the required components must also be OPERABLE. Together, OPERABILITY of the required offsite circuit(s) and required DG(s) ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and reactor vessel draindown). The qualified Unit 3 offsite circuit must be capable of maintaining rated frequency and voltage while connected to the respective Unit 3 4 kV emergency bus(es), and of accepting required loads during an accident. Qualified offsite circuits are those that are described in the UFSAR, Technical Specification Bases Section 3.8.1 and are part of the licensing basis for the unit. A Unit 3 offsite circuit consists of the incoming breaker and disconnect to the startup and emergency auxiliary transformer, the respective circuit path to the emergency auxiliary transformer and the circuit path to the Unit 3 4 kV emergency buses required by LCO 3.8.8, including feeder breakers to the required Unit 3 4 kV emergency buses. A qualified Unit 2 offsite circuit's requirements are the same as the Unit 3 circuit's requirements, except that the circuit path, including the feeder breakers, is to the Unit 2 4 kV emergency buses required to be OPERABLE by LCO 3.8.8. The required DGs must be capable of starting, accelerating to rated speed and voltage, and connecting to their respective Unit 3 emergency bus on detection of bus undervoltage. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the 4 kV emergency buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with engine hot and DG in standby with engine at ambient conditions. Additional (continued) PBAPS UNIT 3 B 3.8-42 Revision Mo. 35
AC Sources-Shutdown B 3.8.2 BASES LCO DG capabilities must be demonstrated to meet required (continued) Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. Proper sequencing of loads is a required function for DG OPERABILITY. The necessary portions of the Emergency Service Water System are also required to provide appropriate cooling to each required DG. The OPERABILITY requirements for the DG capable of supplying power to the Unit 2 powered equipment are the same as described above, except that the required DG must be capable of connecting to its respective Unit 2 4 kV emergency bus. (In addition, the Unit 2 ECCS initiation logic SRs are not applicable, as described in SR 3.8.2.2 Bases.) It is acceptable for 4 kV emergency buses to be cross tied during shutdown conditions, permitting a single offsite power circuit to supply all required buses. No automatic transfer capability is required for offsite circuits to be considered OPERABLE. APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that:
- a. Systems providing adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;
- b. Systems needed to mitigate a fuel handling accident are available;
- c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1. (continued) PBAP'; UNIT 3 B 3.8-43 Revision No. 0
AC Sources -Shutdown B 3.8.2 BASES (continued) ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement-can occur in MDDE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. A.1 and B.1 With one or more required offsite circuits inoperable, or with one DG inoperable, the remaining required sources may be capable of supporting sufficient required features (e.g., system, subsystem, division, component, or device) to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. For example, if two or more 4 kV emergency buses are required per LCO 3.8.8, one 4 kV emergency bus with offsite power available may be capable of supplying sufficient required features. By the allowance of the option to declare required features inoperable that are not powered from offsite power (Required Action A.1) or capable of being powered by the required DG (Required Action B.1), appropriate restrictions can be implemented in accordance with the affected feature(s) LCOs' ACTIONS. Required features remaining powered from a qualified offsite power circuit, even if that circuit is considered inoperable because it is not powering other required features, are not declared inoperable by this Required Action. If a single DG is credited with meeting both LCO 3.8.2.d and one of the DG requirements of LCO 3.8.2.b, then the required features remaining capable of being powered by the DG are not declared inoperable by this Required Action, even if the DG is considered inoperable because it is not capable of powering other required features. A.2.1. A.2.2. A.2.3. A.2.4. B.2.1. B.2.2. B.2.3. B.2.4. C.I. C.2. C.3. and C.4 With an offsite circuit not available to all required 4 kV emergency buses or one required DG inoperable, the option still exists to declare all required features inoperable (continued) PBAPS UNIT 3 B 3.8-44 Revision No. 0
AC Sources-Shutdown B 3.8.2 BASES ACTIONS A.2.1. A.2.2. A.2.3. A.2.4. B.2.1. B.2.2. B.2.3. B.2.4. C.1. C.2. C.3. and C.4 (continued) (per Required Actions A.1 and B.1). Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is-made. With two or more required DGs inoperable, the minimum required diversity of AC power sources may not be available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and activities that could result in inadvertent draining of the reactor vessel. Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order tc minimize the time during which the plant safety systems may be without sufficient power. Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with-no AC power to any required 4 kV emergency bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit whether or not a required bus is de-energized. LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized bus. SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the Unit 3 AC sources in other than MODES 1, 2, and 3. SR 3.8.1.8 1is not (continued) PBAFS UNIT 3 B 3.8-45 Revision No. 0
AC Sources -Shutdown El 3.8.2 BASES SURVEILLANCE SR 3.8.2.1 (continued) REQUIREMENTS required to be met since only one offsite circuit is required to be OPERABLE. SR 3.8.1.17 is not required to be met because the required OPERABLE DG(s) is not required to undergo periods of being synchronized to the offsite circuit. SR 3.8.1.20 is excepted because starting independence is not required with the DG(s) that is not required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR. This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4 kV emergency bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG.. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit are required to be OPERABLE. This SR is modified by a second Note. The reason for the Note is to preclude requiring the automatic functions of the DG(s) on an ECCS initiation to be functional during periods when ECCS are not required. Periods in which ECCS are not required are specified in LCO 3.5.2, 'ECCS - Shutdown". SR 3.8.2.2 This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 2 AC sources are governed by the Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy Unit 2 requirements, as well as satisfying this Unit 3 Surveillance Requirement. Seven exceptions are noted to the Unit 2 SRs of LCO 3.8.1. SR 3.8.1.8 is excepted when only one Unit 2 offsite circuit is required by the Unit 3 Specification, since there is not a second circuit to transfer to. SR 3.8.1.12, SR 3.8.1.13, SR 3.8.1.17, SR 3.8.1.18 (ECCS load block requirements only), and SR 3.8.1.19 are excepted since these SRs test the Unit 2 ECCS initiation signal, which is not needed for the AC sources to be OPERABLE on Unit 3. SR 3.8.1.20 is excepted since starting independence is not required with the D)G(s) that is not required to be OPERABLE. (continued) PBAPS UNIT 3 B 3.8-46 Revision No.i. Amendment No. 26
AC Sources -Shutdown B 3.8.2 BASES; SURVEILLANCE SR 3.8.2.2 (continued) REQUIREMENTS The Frequency required by the applicable Unit 2 SR also governs performance of that SR for Unit 3. As Noted, if Unit 2 is not in MODE 1, 2, or 3, the Note to Unit 2 SR 3.8.2.1 is applicable. This ensures that a Unit 3 SR will not require a Unit 2 SR to be performed, when the Unit 2 Technical Specifications exempts performance of a Unit 2 SR or when Unit 2 is defueled. (However, as stated in the Unit 2 SR 3.8.2.1 Note,. while performance of an SR is exempted, the SR still must be met). REFERENCES None. PBAPS UNIT 3 B 3.8-47 Revision No. 18 Amendment No. 226
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 B 3.1 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air BASES BACK1ROUND Each of the four diesel generators (DGs) is provided with an associated storage tank which collectively have a fuel oil capacity sufficient to operate all four DGs for a period of 7 days while the DG is supplying maximum post loss of coolant accident (LOCA) load demand discussed in UFSAR., Section 8.5.2 (Ref. 1). The maximum load demand is calculated using the time dependent loading of each DG and the assumption that all four DGs are available. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources. Post accident electrical loading and fuel consumption is not equally shared among the DGs. Therefore, it may be necessary to transfer post accident loads between DGs or to transfer fuel oil between storage tanks to achieve 7 days of post accident operation for all four DGs. Each storage tank contains sufficient fuel to support the operation of the DG with the heaviest load for greater than 6 days. Each DG is equipped with a day tank and an associated fuel transfer pump that will automatically transfer oil from a fuel storage tank to the day tank of the associated DG when actuated by a float switch in the day tank. Additionally, the capability exists to transfer fuel oil between storage tanks. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one DG. All outside tanks and piping are located underground. For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref. 3). The Fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity), and impurity level. (continued) PBAP'i UNIT 3 B 3.8-48 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES BACKGROUND The DG lubrication system is designed to provide sufficient (cIntinued) lubrication to permit proper operation of its associated DG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. Each engine oil sump and associated lube oil storage tank contain an inventory capable of supporting a minimum of 7 days of operation. Each lube oil sump utilizes a mechanical float-type level controller to automatically maintain the sump at the 'full level running' level via gravity feed from the associated lube oil storage tank. Onsite storage of lube oil also helps ensure a 7 day supply is maintained. This supply is sufficient to allow the operator to replenish lube oil from outside sources. Each DG has an air start system that includes two air start receivers; each with adequate capacity for five successive normal starts on the DG without recharging the air start receiver. APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in UFSAR, Chapter 8 (Ref. 4), and Chapter 14 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distributicn Limits; Section 3.5, Emergency Core Cooling Systems ([CCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. Since diesel fuel oil, lube oil, and starting air subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of the NRC Policy Statement. LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of operation at the worst case post accident time-dependent load profile. It is also required to meet specific standards for quality. Additionally, sufficient lube oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in (continued) PBAPbS UNIT 3 B 3.8-49 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air E;3.8.3 BASES LCO conjunction with an ability to obtain replacement supplies (continued) within 7 days, supports the availability of DGs required to shut. down both the Unit 2 and Unit 3 reactors and to maintain them in a safe condition for an abnormal operational transient or a postulated DBA in one unit with loss of offsite power. DG day tank fuel oil requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources-Operating," and LCO 3.8.2, "AC Sources-Shutdown." The starting air system is required to have a minimum capacity for five successive DG normal starts without recharging the air start receivers. Only one air start receiver per DG is required, since each air start receiver has the required capacity. APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down both the Unit 2 and Unit 3 reactors and maintain them in a safe shutdown condition after an abnormal operational transient or a postulated DBA in either Unit 2 or Unit 3. Because stored diesel fuel oil, lube oil, and starting air subsystem support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to Ibe within limits when the associated DG is required to be OPERABLE. ACTIONS The Actions Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate Condition entry and application of associated Required Actions. (continued) PBAP'S UNIT 3 B 3.8-50 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES; ACTIONS L 1 (continued) With fuel oil level < 31,000 gal in a storage tank (which includes margin for the unusable volume of oil), the 7 day fuel oil supply for a DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events such as:
- a. Full load operation required for an inadvertent start while at minimum required level; or
- b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.
This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank., A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. B.1 With lube oil inventory < 350 gal, sufficient lube oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. (continued) PBAPtS UNIT 3 B 3.8-51 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS C.1 (continued) This Condition is entered as a result of a failure to meet the acceptance criterion for particulates. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil. D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combination of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is high likelihood that the DG would still be capable of performing its intended function. E.1 With required starting air receiver pressure < 225 psig, sufficient capacity for five successive DG normal starts does not exist. However, as long as the receiver pressure is > 150 psig, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while {continued) PBAPS UNIT 3 B 3.8-52 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS E.1 (continued) the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period. F.1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, or the stored diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable. SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate useable inventory of fuel oil in the storage tanks to support each DG's operation of all four DGs for 7 days at the worst case post accident time-dependent load profile. The 7 day period is sufficient time to place both Unit 2 and Unit 3 in a safe shutdown condition and to bring in replenishment fuel from an offsite location. The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period. SR 3.8.3.2 Thi.s Surveillance ensures that sufficient lubricating oil inventory (combined inventory in the DG lube oil sump, lube oil storage tank, and in the warehouse) is available to support at least 7 days of full load operation for each DG. The 350 gal requirement is conservative with respect to the DG manufacturer's consumption values for the run time of the DG. Implicit in this SR is the requirement to verify the fconntinued) PBAPS UNIT 3 B 3.8-53 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.2 (continued) REQUIREMENTS capability to transfer the lube oil from its storage location to the DG to maintain adequate inventory for 7 days of full load operation without the level reaching the manufacturer's recommended minimum level. A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since DG starts and run time are closely monitored by the plant staff. SR 3.8.3.3 The tests of new fuel oil prior to addition to the storage tanks are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate detrimental impact on diesel engine combustion. If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between the sample (and corresponding results) of new fuel and addition of new fuel oil to the storage tanks to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows:
- a. Sample the new fuel oil in accordance with ASTM D4057-81 (Ref. 6);
- b. Verify in accordance with the tests specified in ASTM D975-81 (Ref. 6) as discussed in Reference 7 that the sample has a kinematic viscosity at 40*C of 2 1.9 centistokes and c 4.1 centistokes (if specific gravity was not determined by comparison with the supplier's certification), and a flash point of 2 125F;
- c. Verify in accordance with tests specified in ASTM D1298-80 (Ref. 6) as discussed in Reference 7 that the sample has an absolute specific gravity at 60/60-F of
; 0.83 and c 0.89 , or an absolute specific gravity of within 0.0016 at 60/60'F when compared to the supplier's certificate, or an API gravity at 60*F of 2 27- and c 39, or an API gravity of within 0.3 at 60OF when compared to the supplier's certification; and
. continued)
PBAPS UNIT 3 B 3.8-54 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES' SURVEILLANCE SR 3.8.3.3 (continued) REQU:IREMENTS
- d. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176-82 (Ref. 6) as discussed in Reference 7; or verify, in accordance with ASTM D975-81 (Ref.
6), that the sample has a water and sediment content
- 0.05 volume percent when dyes have been intentionally added to fuel oil (for example due to sulfur content).
Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not addec to the storage tanks. Following the initial new fuel oil sample, the fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-81 (Ref. 6) are met for new fuel cil when tested in accordance with ASTM D975-81 (Ref. 6) as discussed in Reference 7, except that the analysis for sulfur may be performed in accordance with ASTM D1552-79 (Ref. 6) or ASTM D2622-82 (Ref. 6) as discussed in Reference 7. These additional analyses are required by Specification 5.5.9, "Diesel Fuel Oil Testing Program," to be performed within 31 days following sampling and addition. This 31 day requirement is intended to assure that: 1) the new fuel oil sample taken is no more than 31 days old at the time of adding the new fuel oil to the DG storage tank, and
- 2) the results of the new fuel oil sample are obtained within 31 days after addition of the new fuel oil to the DG storage tank. The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation. This Surveillance ensures the availability of high quality fuel oil for the DGs.
Fuel oil degradation during long term storage shows up as an increase in particulate, mostly due to oxidation. The presence of particulate does not mean that the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure. The fuel oil properties which can affect diesel generator performance (flash point, cetane number, viscosity, cloud point) do not change during storage. If these properties are within specification when the fuel is placed in storage, they will remain within specification unless other non-specification petroleum products are added to the storage tanks. The addition of non-specification petroleum products is precluded by above described surveillance test program. Particulate concentrations should be determined in accordance with ASTM D2276-78 (Ref. 6), Method A, as discussed in Reference 7 except that the filters specified (continued) PBAP'; UNIT 3 B 3.8-55 Revision Yo. 38
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.3 (continued) REQUIREMENTS in ASTM D2276-78, (Sections 3.1.6 and 3.1.7) may have i. nominal pore size up to three microns. This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/'l. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. For the P'each Bottom Atomic Power Station design in which the total volume of stored fuel oil is contained in four interconnected tanks, each tank must be considered and tested separately. The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals. SR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. The system design requirements provide for a minimum of five normal engine starts without recharging. The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished. The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure. SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from (continued) PBAPS UNIT 3 B 3.8-56 Revision No. 0
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE SR 3.8.3.5 (continued) REQUIREMENTS breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1.137 (Ref. 2). This SR is for preventive maintenance. The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed during performance of the Surveillance. REFERENCES 1. UFSAR, Section 8.5.2.
- 2. Regulatory Guide 1.137, Revision 1.
- 3. ANSI N195, 1976.
- 4. UFSAR, Chapter 6.
- 5. UFSAR, Chapter 14.
- 6. ASTM Standards: D4057-81; D975-81; D1298-80; D4176-82; D1552-79; D2622-82; and D2276-78.
- 7. Letter from G.A. Hunger (PECO Energy) to USNRC Document Control Desk; Peach Bottom Atomic Power Station Units 2 and 3, Supplement 7 to TSCR 93-16, Conversion to Improved Technical Specifications; dated May 24, 1995.
PBAPS UNIT 3 B 3.8-57 Revision No. 0
DC Sources-Operating B 3.8.4 B 3.13 ELECTRICAL POWER SYSTEMS B 3.3.4 DC Sources-Operating BASES BACKGROUND The DC electrical power system provides the AC emergency power system with control power. It also provides a source of reliable, uninterruptible 125/250 VDC power and 125 VOC control power and instrument power to Class 1E and non-Class 1E loads during normal operation and for safe shutdown of the plant following any plant design basis event or accident as documented in the UFSAR (Ref. 1), independent of AC power availability. The DC Electrical Power System meets the intent of the Proposed IEEE Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations (Ref. 2). The DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC power sources provide both motive and control power, and instrument power, to selected safety related equipment, as well as to the nonsafety related equipment. There are two independent divisions per unit, designated Division I and Division II. Each division consists of two 125 VEIC batteries. The two 125 VDC batteries in each division are connected in series. Each 125 VDC battery has two chz.rgers (one normally inservice charger and one spare charger) that are exclusively associated with that battery and cannot be interconnected with any other 125 VDC battery. The chargers are supplied from separate 480 V motor control centers (MCCs). Each of these MCCs is connected to an independent emergency AC bus. Some of the chargers are capable o1 being supplied by Unit 2 MCCs, which receive power from a 4 kV emergency bus, via manual transfer switches. However,, for a required battery charger to be considered OPERABLE when the unit is in MODE 1, 2, or 3, it must receive power from its associated Unit 3 MCC. The safety related loads between the 125/250 VDC subsystem are not transferable except for the Automatic Depressurization System (ADS) valves and logic circuits and the main steam safety/relief valves. The ADS logic circuits and valves and the main steam safety/relief valves are normally fed from the Division I DC system. (continued) PBAPS UNIT 3 B 3.8-58 Revision No. 0
DC Sources-Operating B 3.8.4 BASES BACKGROUND During normal operation, the DC loads are powered from the (continued) battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC loads are powered from the batteries. The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System-Operating," and LCO 3.8.8, 'Distribution System-Shutdown.' Each battery has adequate storage capacity to carry the required load continuously for approximately 2 hours. Each of the unit's two DC electrical power divisions, consisting of two 125 V batteries in series, four battery chargers (two normally inservice chargers and two spare chargers), and the corresponding control equipment and interconnecting cabling, is separately housed in a ventilated room apart from its chargers and distribution centers. Each division is separated electrically from the other division to ensure that a single failure in one division does not cause a failure in a redundant division. There is no sharing between redundant Class 1E divisions such as batteries, battery chargers, or distribution panels. The batteries for DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. The minimum design voltage for sizing the battery using the methodology in IEEE 485 (Ref. 3) is based on a traditional 1.81 volts per cell at the end of a 2 hour-load profile. The battery terminal voltage using 1.81 volts per cell is 105 V. Using the LOOP/LOCA load profile, the predicted value of the battery terminals is greater than 105 VDC at the end of the profile. Many 1E loads operate exclusively at the beginning of the profile and require greater than the design minimum terminal voltage. The analyzed voltage of the distribution parels and the MCCs is greater than that required during the LOOP/LOCA to support the operation of the lE loads during the time period they are required to operate. Each required battery charger of DC electrical power subsystem has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery (coni:inued) PBAPS UNIT 3 B 3.8-59 Revision No. 0
DC Sources-Operating B 3.8.4 BASES BACKGROUND- bank fully charged. Each battery charger has sufficieit (continued) capacity to restore the battery from the design minimum charge to its fully charged state within 20 hours while supplying normal steady state loads following a LOCA coincident with a loss of offsite power. A description of the Unit 2 DC power sources is provided in the Bases for Unit 2 LCO 3.8.4, "DC Sources-Operating." APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining DC sources OPERABLE during accident conditions in the event of:
- a. An assumed loss of all offsite AC power or all orsite AC power; and
- b. A worst case single failure.
The DC sources satisfy Criterion 3 of the NRC Policy Statement. LCO The Unit 3 Division I and Division II DC electrical power subsystems, with each DC subsystem consisting of two 1.25 V station batteries in series, two battery chargers (one per battery), and the corresponding control equipment and interconnecting cabling supplying power to the associated bus, are required to be OPERABLE to ensure the availability of.the required power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. In addition, DC control power (which provides control power for the 4 kV load circuit breakers and the feeder breakers to the 4 kV emergency bus) for two of the four 4 kV emergency buses, as well as control power for two of the diesel generator;, is provided by the Unit 2 DC electrical power subsystems. Therefore, Unit 2 Division I and Division II DC electrical power subsystems are also required to be OPERABLE. A Unit 2 {continued) PBAPS UNIT 3 B 3.8-60 Revision No. 0
DC Sources-Operating B 3.8.4 BASES LCO DC electrical power subsystem OPERABILITY requirements are (continued) the same as those required for a Unit 3 DC electrical power subsystem, except that the Unit 2: 1) Division I DC electrical power subsystem is allowed to consist of only the 125 V battery A, an associated battery charger, and the corresponding control equipment and interconnecting cabling supplying 125 V power to the associated bus; and 2) Division II DC electrical power subsystem is allowed to consist of only the 125 V battery B, an associated battery charger, and the corresponding control equipment and interconnecting cabling supplying 125 V power to the associated bus. This exception is allowed only if all 250 VDC loads are removed from the associated bus. In addition, a Unit 2 battery charger can be powered from a Unit 3 AC source, (as described in the Background section of the Bases for Unit 2 LCO 3.8.4, "DC Sources-Operating"), and be considered OPERABLE for the purposes of meeting this LCO. Thus, loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed. APPLICABILITY The DC electrical power sources are required to be OPEFABLE in MODES 1, 2, and 3 to ensure safe unit operation and to ensure that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
- b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.
The DC electrical power requirements for MODES 4 and 5 are addressed in LCO 3.8.5, "DC Sources- Shutdown." ACTIONS A.1 Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if the DC electrical power subsystem inoperability resulted in de-energization of an AC or DC bus. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A (continued) PBAPS UNIT 3 B 3.8-61 Revision No. 0
DC Sources-Operating B 3.8.4 BASEIS ACTIONS A.1 (continued) results in de-energization of a Unit 3 4 kV emergency bus or a Unit 2 DC bus, Actions for LCO 3.8.7 must be immediately entered. This allows Condition A to provide requirements for the loss of a Unit 2 DC electrical power subsystem (due to performance of SR 3.8.4.7 or SR 3.8.4.8) without regard to whether a bus is de-energized. LCO 3.8.7 provides the appropriate restriction for a de-energized bus. If one Unit 2 DC electrical power subsystem is inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8, the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. In the case of an inoperable Unit 2 DC electrical power subsystem, since a subsequent postulated worst case single failure could result in the loss of safety function, continued power operation should not exceed 7 days. The 7 day Completion Time is based upon the Unit 2 DC electrical power subsystem being inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8. Performance of these two SRs will result in inoperability of the Unit 2 DC divisional batteries since these batteries are needed for Unit 3 operation, more time is provided to restore the batteries, if the batteries are inoperable for performance of required Surveillances, to preclude the need for a dual unit shutdown to perform these Surveillances. The Unit 2 DC electrical power subsystems also do not provide power to the same type of equipment as the Unit 3 DC sources. The Completion Time also takes into account the capacity and capability of the remaining DC sources. B.1 Pursuant to LCO 3.0.6, the Distribution Systems-Operating ACTIONS would not be entered even if the DC electrical power subsystem inoperability resulted in de-energization of an AC bus. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A results in de-energization of a Unit 3 4 kV emergency bus, Actions for LCO 3.8.7 must be immediately entered. This-allows Condition A to provide requirements for the loss of a Unit 2 DC electrical power subsystem without regard to whether a bus is de-energized. LCO 3.8.7 provides the appropriate restriction for a de-energized bus. {continued) PBAPS UNIT 3 B 3.8-62 Revision No. 0
DC Sources-Operating B 3.8.4 BASES ACTIONS B.1 (continued) If one of the Unit 2 DC electrical power subsystems is inoperable for reasons other than Condition A, the remciining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate the accident condition.. Since a subsequent worst case single failure could, however, result in a loss of minimum necessary DC electrical subsystems to mitigate a worst case accident, continued power operation should not exceed 12 hours. The 12 hour Completion Time reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and takes into consideration the importance of the Unit 2 DC electrical power subsystem. C.1 Condition C represents one Unit 3 division with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power. If one of the Unit 3 DC electrical power subsystems is inoperable (e.g., inoperable battery/batteries, inoperable required battery charger/chargers, or inoperable required battery charger/chargers and associated battery/batteries), the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a worst case accident, continued power operation should not exceed 2 hours. The 2 hour Completion Time is consistent with Regulatory Guide 1.93 (Ref. 4) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power division and, if the Unit 3 DC electrical power division is not restored to OPERABLE status, to prepare to initiate an orderly and safe unit shutdown. The 2 hour limit is also consistent with the allowed time for an inoperable Unit 3 DC Distribution System division. _continued) PBAPS UNIT 3 B 3.8-63 Revision No. 0
DC Sources-Operating B 3.8.4 BASES ACTIONS D.1 and D.2 (continued) If the DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time to bring the unit to MODE 4 is consistent with the time specified in Regulatory Guide 1.93 (Ref. 4). E.1 Condition E corresponds to a level of degradation in the DC electrical power subsystems that causes a required safety function to be lost. When more than one DC source is lost, this results in a loss of a required function, thus the plant is in a condition outside the accident analysis. Thereforej no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown. SURVEILLANCE As Noted at the beginning of the SRs, SR 3.8.4.1 through REQUIREMENTS SR 3.8.4.8 are applicable only to the Unit 3 DC electrical power subsystems and SR 3.8.4.9 is applicable only to the Unit 2 DC electrical power subsystems. SR 3.8.4.1 Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are fcontinued) PBAPS UNIT 3 B 3.8-64 Revision No. 0
DC Sources -Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.1 (continued) REQUI REMENTS based on the minimum cell voltage that will maintain a charged cell. This is consistent with the assumptions in the battery sizing calculations. The SR must be perforned every 7 days, unless (as specified by the Note in the Frequency) the battery is on equalize charge or has been on equalize charge any time during the previous 1 day. This allows the routine 7 day Frequency to be extended until such a time that the SR can be properly performed and meaningful results obtained. The 14 day Frequency is not modified by the Note, thus regardless of how often the battery is placed on equalize charge, the SR must be performed every 14 days. SR 3.8.4.2 Visual inspection to detect corrosion of the battery cells and connections or measurement of the resistance of each inter-cell, inter-rack, inter-tier, and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The battery connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery, and the possibility of battery damage due to heating of connections. The Frequency for these inspections, which can detect conditions that can cause power losses due to resistance heating, is 92 days. This Frequency is considered acceptable based on operating experience related to detecting corrosion trends. SR 3.8.4.3 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The presence of physical damage or deterioration does not necessarily represent a failure of (continued) PBAPS UNIT 3 B 3.8-65 Revision No. 0
DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.3 (continued) REQUIREMENTS this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function). The 12 month Frequency for these SRs is consistent with IEEE-450 (Ref. 5), which recommends detailed visual inspection of cell condition and rack integrity on a yearly basis. SR 3.8.4.4 and SR 3.8.4.5 Visual inspection and resistance measurements of inter-cell, inter-rack, inter-tier, and terminal connections provides an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anti-corrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible corrosion is a preventive maintenance SR. The presence of visible corrosion does not necessarily represent a failure of this SR, provided visible corrosion is removed during performance of this Surveillance. The battery connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery, and the possibility of battery damage due to heating of connections. The 12 month Frequency of these SRs is consistent with IEEE-450 (Ref. 5), which recommends detailed visual inspection of cell condition and inspection of cell to cell and terminal connection resistance on a yearly basis. SR 3.8.4.6 Battery charger capability requirements are based on the design capacity of the chargers. The minimum charging capacity requirement is based on the capacity to maintain the associated battery in its fully charged condition., and _con:inued) PBAPS UNIT 3 I83.8-66 Revision No. 0
DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.6 (continued) REQU[REMENTS to restore the battery to its fully charged condition following the worst case design discharge while supplying normal steady state loads. The minimum required amperes and duration ensures that these requirements can be satisfied. The Frequency is acceptable, given battery charger reliability and the administrative controls existing to ensure adequate charger performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths. SR 3.8.4.7 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC Electrical Power System. The discharge rate and test length corresponds to the design duty cycle requirements. The Frequency is acceptable, given the unit conditions required to perform the test and the other requirements existing to ensure adequate battery performance during these 24 month intervals. In addition, this Frequency is intended to be consistent with expected fuel cycle lengths. This SR is modified by two Notes. Note I allows performance of either a modified performance discharge test or a performance discharge test (described in the Bases for SR 3.8.4.8) in lieu of a service test once per 60 months provided the test performed envelops the duty cycle of the battery. This substitution is acceptable because as long as the test current is greater than or equal to the actual duty
- cycle of the battery, SR 3.8.4.8 represents a more severe test of battery capacity than a service test. In addition, since POAPS refueling outage cycle is 24 months, SR 3.8.4.8 is performed every 48 months to ensure the 60 month Frequency is met. Therefore, SR 3.8.4.8 is performed in lieu of SR 3.8.4.7 every second refueling outage.
(continued) PBAPS UNIT 3 B 3.8-67 Revision No. 0
DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.7 (continued) REQUIREMENTS The reason for Note 2 is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the Electrical Distribution System, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. SR 3.8.4.8 A battery performance discharge test is a test of the constant current capacity of a battery, performed between 3 and 30 days after an equalize charge of the battery, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage. A battery modified performance discharge test is a simulated duty cycle consisting of just two rates; the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a rated one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain greater than or equal to the minimum battery terminal voltage specified in the battery performance discharge test. A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a performance discharge test. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8; however, the discharge test mayt be _(continued) PBAP'S UNIT 3 B 3.8-68 Revision No. 0
DC Sources- Operating B 3.8.4 BASES SURV1ILLANCE SR 3.8.4.8 (continued) REQU[REMENTS used to satisfy SR 3.8.4.8 while satisfying the requirements of SR 3.8.4.7 at the same time only if the test envelops the duty cycle of the battery. The acceptance criteria for this Surveillance is consistent with IEEE-450 (Ref. 5) and IEEE-485 (Ref. 3). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements. The Frequency for this test is normally 60 months. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 1O0% of the manufacturers rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity x 100% of the manufacturer's rating. Degradation is indicated, according to IEEE-450 (Ref. 5), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is 10% below the manufacturer's rating. If the rate of discharge varies significantly from the previous discharge test, the absolute battery capacity may change significantly, resulting in a capacity drop exceeding the criteria specified above. This absolute battery capacity change could be a result of acid concentration in the plate material, which is not an indication of degradation. Therefore, results of tests with significant rate differences should be discussed with the vendor and evaluated to determine if degradation has occurred. All these Frequencies, with the exception of the 24 month Frequency, are consistent with the recommendations in IEEE-450 (Ref. 5). The 24 month Frequency is acceptable, given the battery has shown no signs of degradation, the unit conditions required to perform the test and other requirements existing to ensure battery performance during these 24 month intervals. In addition, the 24 month Frequency is intended to be consistent with expected Fuel cycle lengths. {continued) PBAPS UNIT 3 B 3.8-69 Revision No. 0
DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.8 (continued) REQUIREMENTS This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. The DC batteries of the other unit are exempted from this restriction since they are required to be OPERABLE by both units and the Surveillance cannot be performed in the manner required by the Note without resulting in a dual unit shutdown. SR 3.8.4.9 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.4.1 through SR 3.8.4.8) are applied only to the Unit 3 DC electrical power subsystems. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 2 DC electrical power subsystems are governed by the Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy Unit 2 requirements, as well as satisfying this Unit 3 Surveillance Requirement. The Frequency required by the applicable Unit 2 SR also governs performance of that SR for Unit 3. As Noted, if Unit 2 is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment, the Note to Unit 2-SR 3.8.5.1 is applicable. This ensures that a Unit 3 SR will not require a Unit 2 SR to be performed, when the Unit 2 Technical Specifications exempts performance of a Unit 2 SR. (However, as stated in the Unit 2 SR 3.8.5.1 Note, while performance of the SR is exempted, the SR still must be met.) REFERENCES 1. UFSAR, Chapter 14.
- 2. "Proposed IEEE Criteria for Class 1E Electrical Systems for Nuclear Power Generating Stations," June 1969.
- 3. IEEE Standard 485, 1983.
(continued) .} PBAP'S UNIT 3 B 3.8-70 Revision No. 0
DC Sources-Operating B 3.8.4 BASES REFERENCES 4. Regulatory Guide 1.93, December 1974. (continued)
- 5. IEEE Standard 450, 1987.
PBAPiS UNIT 3' B 3.8-71 Revision No. 0
DC Sources-Shutdown B 3.8.5 B 3.83 ELECTRICAL POWER SYSTEMS B 3.3.5 DC Sources-Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating." APPLICABLE The initial conditions of Design Basis Accident and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume that Engineered Safety Feature systems are OPERABLE. *The DC electrical power system provides normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY. The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in secondary containment ensures that:
- a. The facility can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.
The DC sources satisfy Criterion 3 of the NRC Policy Statement. LCO The Unit 3 DC electrical power subsystems, with each D)C subsystem consisting of two 125 V station batteries in series, two battery chargers (one per battery), and the corresponding control equipment and interconnecting cabling supplying power to the associated bus, are required to be {conti nued) PBAPS UNIT 3 B 3.8-72 Revision No. 0-
DC Sources-Shutdown B 3.8.5 BASES LCO OPERABLE to support Unit 3 DC distribution subsystems (continued) required OPERABLE by LCO 3.8.8, 'Distribution Systems-Shutdown." When the equipment required OPERABLE:
- 1) does not require 250 VDC from the DC electrical power subsystem; and 2) does not require 125 VDC from one of the two 125 V batteries of the DC electrical power subsystem, the Unit 3 DC electrical power subsystem requirements can be modified to only include one 125 V battery (the battery needed to provide power to required equipment), an associated battery charger, and the corresponding control equipment and interconnecting cabling supplying 125 V power to the associated bus. This exception is allowed only if all 250 VDC loads are removed from the associated bus. In addition, DC control power (which provides control power for the 4 kV load circuit breakers and the feeder breakers to the 4 kV emergency bus) for two of the four 4 kV emergency buses, as well as control power for two of the diesel generators, is provided by the Unit 2 DC electrical power subsystems. Therefore, the Unit 2 DC electrical power subsystems needed to support required components are also required to be OPERABLE. The Unit 2 DC electrical power subsystem OPERABILITY requirements are the same as those required for a Unit 3 DC electrical power subsystem. In addition, battery chargers (Unit 2 and Unit 3) can be powered from the opposite unit's AC source (as described in the Background section of the Bases for LCO 3.8.4, "DC Sources-Operating"), and be considered OPERABLE for the purpose of meeting this LCO.
This requirement ensures the availability of sufficient. DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown). APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:
- a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;
{continued) PBAPS UNIT 3 B 3.8-73 Revision No. 0
DC Sources-Shutdown B 3.8.5 BASES APPLICABILITY b. Required features needed to mitigate a fuel handling (continued) accident are available;
- c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4. ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend 1I I;) movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. A.I. A.2.1. A.2.2. A.2.3. and A.2.4 If more than one DC distribution subsystem is required according to LCO 3.8.8, the DC electrical power subsystems remaining OPERABLE with one or more DC electrical power subsystems inoperable may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowance of the option to declare required features inoperable with associated DC electrical power subsystems inoperable, appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS. However, in many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in secondary containment, and any activities that could result in inadvertent draining of the reactor vessel). C_,.1 j (continued) PBAP'; UNIT 3 B 3.8-74 Revision No. 0
DC Sources-Shutdown B 3.8.5 BASES ACTIONS A.1. A.2.1, A.2.2. A.2.3. and A.2.4 (continued) Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power. SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.8. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR. This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC electrical power subsystems from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but. actual performance is not required. SR 3.8.5.2 This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 2 DC electrical power subsystems are governed by the Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy Unit 2 requirements, as well as satisfying this Unit 3 Surveillance Requirement. The Frequency required by the applicable Unit 2 SR also governs performance of that SR for Unit 3. {Aconti nued) PBAPS UNIT 3 B 3.8-75 Revision No. 0
DC Sources-Shutdown B 3.8.5 BASES SURVEILLANCE SR 3.8.5.2 (continued) REQUIREMENTS As Noted, if Unit 2 is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment, the Note to Unit 2 SR 3.8.5.1 is applicable. This ensures that a Unit 3 SR will not require a Unit 2 SR to be performed, when the Unit 2 Technical Specifications exempts performance of a Unit 2 SR. (However, as stated in the Unit 2 SR 3.8.5.1 Note, while performance of an SR is exempted, the SR still must be met.) REFERENCES 1. UFSAR, Chapter 14. PBAPS UNIT 3 B 3.8-76 Revision No. 0
Battery Cell Parameters B :3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters BASES
==
BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC electrical power subsystems batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, 'DC Sources-Shutdown." APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in UFSAR, Chapter 14 (Ref. 1), assume Engineered Safety Feature systems are OPERABLE. The DI: electrical power subsystems provide normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit as discussed in the Bases of LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown. Since battery cell parameters support the operation of the DC electrical power subsystems, they satisfy Criterion 3 of the NRC Policy Statement. LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met. APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystem. Therefore, these cell parameters are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussions in Bases for LCO 3.8.4 and LCO 3.8.5. (continued) PBAPS UNIT 3 B 3.8-77 Revision No. 0
Battery Cell Parameters B 3.8.6 BASES (continued) ACTIONS A.I. A.2. and A.3 With parameters of one or more cells in one or more batteries not within limits (i.e., Category A limits not met or Catecory B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1, the battery is degraded but there is still sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met, and continued operation is permitted for a limited period. The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour (Required Action A.1). This check provides a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. One hour is considered a reasonable amount of time to perform the required verification. Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The verification is repeated at 7 day intervals until the parameters are restored to Category A or B limits. This periodic verification is consistent with the normal Frequency of pilot cell surveillances. Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable for operation prior to declaring the DC batteries inoperable. _coni:inued) PBAPS UNIT 3 B 3.8-78 Revision No. .O
Battery tell Parameters B 3.8.6 BASE' ACTIONS B.I (continued) When any battery parameter is outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not ensured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potentially'extreme conditions, such as not completing the Required Action; of Condition A within the required Completion Time or average electrolyte temperature of representative cells falling below 40*F, also are cause for immediately declaring the associated DC electrical power subsystem inoperable. SURVEILLANCE SR 3.8.6.1 REQUIREMENTS This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 2), which recommends regular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte temperature of pilot cells. The SR must be performed every 7 days, unless (as specified by the Note in the Frequency) the battery is on equalize charge or has been on equalize charge any time during the previous 4 days. This allows the routine 7 day Frequency to be extended until such a time that the SR can be properly performed and meaningful results obtained. The 14 day Frequency is not modified by the Note, thus regardless of how often the battery is placed on equalize charge, the SR must be performed every 14 days. SR 3.8.6.2 The quarterly inspection of specific gravity and voltage is consistent with IEEE-450 (Ref. 2). In addition, within 24 hours of a battery discharge < 100 V or within 24 hours of a battery overcharge > 145 V, the battery must be demonstrated to meet Category B limits. Transients, such as motor starting transients which may momentarily cause battery voltage to drop to 5 100 V, do not constitute battery discharge provided the battery terminal voltage and float current return to pre-transient values. This inspection is also consistent with IEEE-450 (Ref. 2), which recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge. (continued) PBAPS UNIT 3 B 3.8-79 Revision No. 0
Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE SR 3.8.6.3 REQUIREMENTS (continued) This Surveillance verification that the average temperature of representative cells is within limits is consistent with a recommendation of IEEE-450 (Ref. 2) that states that the temperature of electrolytes in representative cells should be determined on a quarterly basis. Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range. Table 3.8.6-1 This table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below. Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, arid electrolyte specific gravity approximate the state of charge of the entire battery. The Category A limits specified for electrolyte level are based on manufacturer's recommendations and are consistent with the guidance in IEEE-450 (Ref. 2), with the extra I inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, footnote a to Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 2) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours. The Category A limit specified for float voltage is x 2.13 V per cell. This value is based on the recommendation of IEEE-450 (Ref. 2), which states that prolonged operation of cells below 2.13 V can reduce the life expectancy of cells. The Category A limit specified for specific gravity fcr each pilot cell is > 1.195 (0.020 below the manufacturer's fully (continued) PBAPS UNIT 3 B 3.8-80 Revision No. 0
Battery Cell Parameters E 3.8.6 BASES SURVEILLANCE Table 3.8.6-1 (continued) REQUIREMENTS charged nominal specific gravity or a battery charging current that had stabilized at a low value). This value is characteristic of a charged cell with adequate capacity. According to IEEE-450 (Ref. 2), the specific gravity readings are based on a temperature of 77'F (25C). The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3'F (1.67'C) above 77F (25C), I point (0.001) is added to the reading; I point is subtracted for each 3F below 77F. The specific gravity of the electrolyte in a cell increases with a loss
*of water due to electrolysis or evaporation. Level correction will be in accordance with manufacturer's recommendations.
Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be jumpered out. The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is x 1.195 (0.020 below the manufacturer's fully charged, nominal specific gravity) with the average of all connected cells 1.205 (0.010 below the manufacturer's fully charged, nominal specific gravity). These values were developed from manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell do not mask overall degradation of the battery. Category C defines the limit for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limit, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable. The Category C limit specified for electrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C Allowable Value for voltage is based on IEEE-450 (Ref. 2), which. 4continued) PBAI'S UNIT 3 B 3.8-81 Revision No. 0
Battery Cell Parameters B :3.8.6 BASES SURVEILLANCE Table 3.8.6-1 (continued) REQUIREMENTS states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement. The Category C limit of average specific gravity > 1.190, is based on manufacturer's recommendations. In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery. The footnotes to Table 3.8.6-1 that apply to specific gravity are applicable to Category A, B, and C specific gravity. Footnote b of Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current, while on float charge, is
< 1 amp. This current provides, in general, an indication of overall battery condition.
Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charger current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 2). Footnote c to Table ;.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 180 days following a battery recharge after a deep discharge. Within 180 days each connected cell's specific gravity must be measured to confirm the state of charge. Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity gradients are not significant, and confirming measurements must be made within 30 days. REFERENCES 1. UFSAR, Chapter 14.
- 2. IEEE Standard 450, 1987.
=...........
PBAPS UNIT 3 B 3.8-82 Revision No. 0
Distribution Systems -Operating B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems-Operating BASES BACKGROUND The onsite Class lE AC and DC electrical power distribution system is divided into redundant and independent AC and DC electrical power distribution subsystems. The primary AC distribution system for Unit 3 consists of four 4 kV emergency buses each having two offsite sources of power as well as an onsite diesel generator (DG) source. Each 4 kV emergency bus is connected to its normal source of power via either emergency auxiliary transformer no. 2 or no. 3. During a loss of the normal supply of offsite power to the 4 kV emergency buses, the alternate supply breaker from the alternate supply of offsite power for the 4 kV emergency buses attempts to close. If all offsite sources are unavailable, the onsite emergency DGs supply power to the 4 kV emergency buses. (However, these supply breakers are not governed by this LCO; they are governed by LCO 3.8.1, "AC Sources-Operating".) The secondary plant distribution system for Unit 3 includes 480 VAC load centers E134, E234, E334, and E434. There are two independent 125/250 VDC electrical power distribution subsystems for Unit 3 that support the necessary power for ESF functions. In addition, since some components required by Unit 3 receive power through Unit 2 electrical power distribution subsystems, the Unit 2 AC and DC electrical power distribution subsystems needed to support the required equipment are also addressed in LCO 3.8.7. A description of the Unit 2 AC and DC Electrical Power Distribution Sys:tem is provided in the Bases for Unit 2 LCO 3.8.7, "Distribution System-Operating."
'The list of required Unit 3 distribution buses is prei;ented in Table B 3.8.7-1.
(continued) PBAPS UNIT 3 B 3.8-83 Revision No. 0
Distribution Systems-Operating E 3.8.7 BASES (continued) APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6 Containment Systems. The OPERABILITY of the AC and DC electrical power distribution subsystems is consistent with the initiall assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining distribution systems OPERABLE during accident. conditions in the event of:
- a. An assumed loss of all offsite power or all onsite AC electrical power; and
- b. A postulated worst case single failure.
The AC and DC electrical power distribution system satisfies Criterion 3 of the NRC Policy Statement. LCO The Unit 3 AC and DC electrical power distribution subsystems are required to be OPERABLE. The required Unit 3 electrical power distribution subsystems listed in Table B 3.8.7-1 ensure the availability of AC and DC electrical power for the systems required to -shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. As stated in the Table, each division of the AC and DC electrical power distribution systems is a subsystem. In addition, since some components required by Unit 3 receive power through Unit 2 electrical power distribution subsystems (e.g., Containment Atmospheric Dilution (CAD) System, Standby Gas Treatment (SGT) System, Emergency Service Water System, Main Control Room Emergency Ventilation (MCREV) System, and DC control power for two of the four 4 kV emergency buses, as well as control power for (continued) PBAPS VNIT 3 B 3.8-84 Revision No. 0
Distribution Systems-Operating B :3.8.7 BASES LCO two of the diesel generators), the Unit 2 AC and DC (continued) electrical power distribution subsystems needed to support the required equipment must also be OPERABLE. The Unit 2 electrical power distribution subsystems that may be required are listed in Unit 2 Table B 3.8.7-1. Maintaining the Unit 3 Division I and II and required Unit 2 AC and DC electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor. The Unit 2 and Unit 3 AC electrical power distribution subsystems require the associated buses and electrical circuits to be energized to their proper voltages. The Unit 2 and Unit 3 DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated batteries or chargers. However, when a Unit 2 DC electrical power subsystem is only required to have one 125 V battery and associated battery charger to be considered OPERABLE (as described in the LCO section of the Bases for LCO 3.8.4, "DC Sources-Operating"), the proper voltage to which the associated bus is -required to be energized is lowered From 250 V to 125 V (as read from the associated battery charger). Based on the number of safety significant electrical loads associated with each electrical power distribution component (i.e., bus, load center, or distribution panel) listed in Table B 3.8.7-1, if one or more of the electrical power distribution components within a division (listed in Table 3.8.7-1) becomes inoperable, entry into the appropriate ACTIONS of LCO 3.8.7 is required. Other electrical power distribution components, such as motor control centers (MCC) and distribution panels, which help comprise the AC and DC distribution systems are not listed in Table B 3.8.7-]. The loss of electrical loads associated with these electrical power distribution components may not result in a complete loss of a redundant safety function necessary to shut down the reactor and maintain it in a safe condition. Therefore, should one or more of these electrical power distribution components become inoperable due to a failure not affecting the OPERABILITY of an electrical power distribution component listed in Table B 3.8.7-1 (e.g., a breaker
-conti nued)
PBAFS UNIT 3 B 3.8-85 Revision No. 0
Distribution Systems-Operating B 3.8.7 BASES LCO supplying a single MCC fails open), the individual loads on (continued) the electrical power distribution component would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. If however, one or more of these electrical power distribution components is inoperable due to a failure also affecting the OPERABILITY of an electrical power distribution component listed in Table B 3.8.7-1 (e.g., loss of a 4 kV emergency bus, which results in de-energization of all electrical power distribution components powered from the 4 kV emergency bus), while these electrical power distribution components and individual loads are still considered inoperable, the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to the inoperability of a support system governed by a Technical Specification; the 4 kV emergency bus). In addition, transfer switches between redundant safety related Unit 2 and Unit 3 AC and DC power distribution subsystems must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s). If any transfer switches are closed, the electrical power distribution subsystem which is riot being powered from its normal source (i.e., it is being powered from its redundant electrical power distribution subsystem) is considered inoperable. This applies to the - onsite, safety related, redundant electrical power distribution subsystems. It does not, however, preclude redundant Class IE 4 kY emergency buses from being powered from the same offsite circuit. APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and
- b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.
-continued)
PBAP'S UNIT 3 B 3.8-86 Revision No. 0
Distribution Systems-Operating E 3.8.7 BASES APPLICABILITY Electrical power distribution subsystem requirements for (continued) MODES 4 and 5 and other conditions in which AC and DC electrical power distribution subsystems are required, are covered in LC. 3.8.8, Distribution Systems-Shutdown." ACTIONS A.1 Pursuant to LCO 3.0.6, the DC Sources-Operating ACTIONS would not be entered even if the AC electrical power distribution subsystem inoperability resulted in de-energization of a required battery charger. Therefore, the Required Actions of Condition A are modified by a Note to indicate that when Condition A results in de-energization of a required Unit 2 battery charger, Actions for LCO 3.8.4 must be immediately entered. This allows Condition A to provide requirements for the loss of a Unit 2 AC electrical power distribution subsystem without regard to whether a battery charger is de-energized. LCO 3.8.4 provides the appropriate restriction for a de-energized battery charger. If one or more of the required Unit 2 AC electrical power distribution subsystems are inoperable, and a loss of function has not occurred as described in Condition F. the remaining AC electrical power distribution subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in the loss of certain safety functions, continued power operation should not exceed 7 days. The 7 day Completion Time takes into account the - capacity and capability of the remaining AC electrical power distribution subsystems, and is based on the shortest restoration time allowed for the systems affected by the inoperable AC electrical power distribution subsystem in the respective system Specification. B.1 If one of the Unit 2 DC electrical power distribution subsystems is inoperable, the remaining DC electrical power distribution subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent worst case single failure could, however, result in the loss of safety function, continued power operation {continued) PBAFS UNIT 3 B 3.8-87 Revision No. 0
Distribution Systems-Operating B 3.8.7 BASES ACTIONS B.1 (continued) should not exceed 12 hours. The 12 hour Completion Time reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power distribution subsystem and takes into consideration the importance of the Unit 2 DC electrical power distribution subsystem. C.1 With one Unit 3 AC electrical power distribution subsystem inoperable, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the Unit 3 AC electrical power distribution subsystem must be restored to OPERABLE status within 8 hours. The Condition C worst scenario is one 4 kV emergency bus without AC power (i.e., no offsite power to the 4 kV emergency bus and the associated DG inoperable). In Ihis Condition, the unit is more vulnerable to a complete loss of Unit 3 AC power. It is, therefore, imperative that the unit operators' attention be focused on minimizing the potential for loss of power to the remaining buses by stabilizing the-unit, and on restoring power to the affected bus(es). The 8 hour time limit before requiring a unit shutdown in this Condition is acceptable because:
- a. There is a potential for decreased safety if the unit operators' attention is diverted from the evaluations and actions necessary to restore power to the affected bus(es) to the actions associated with taking tha unit to shutdown within this time limit.
- b. The potential for an event in conjunction with a single failure of a redundant component in the division with AC power. (The redundant component is verified .OPERABLE in accordance with Specification 5.5.11, "Safety Function Determination Program (SFDP).")
Icontinued) PBAP'S UNIT 3 B 3.8-88 Revision No. 0
Distribution Systems-Operating B 3.8.7 BASES ACTIONS C.1 (continued) The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.7.a. If Condition C is entered while, for instance, a Unit 3 DC bus is inoperable and subsequently returned OPERABLE, this LCO may already heave been not met for up to 2 hours. This situation could lead to a total duration of 10 hours, since initial failure of the LCO, to restore the Unit 3 AC Electrical Power Distribution System. At this time a Unit 3 DC bus could again become inoperable, and Unit 3 AC Electrical Power Distribution System could be restored OPERABLE. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero' for beginning the allowed outage time 'clock." This results in establishing the "time zero" at the tine LCO 3.8.7.a was initially not met, instead of at the tVime Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet the LCD 3.8.7.a indefinitely. D.I With one Unit 3 DC electrical power distribution subsystem inoperable, the remaining DC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem could result in the minimum required ESF functions not being supported. Therefore, the Unit 3 DC electrical power distribution subsystem must be restored to OPERABLE status within 2 hours. Condition D represents one Unit 3 electrical power distribution subsystem without adequate DC power, potentially with both the battery(s) significantly degraded and the associated charger(s) nonfunctioning. In this situation the plant is significantly more vulnerable tD a complete loss of all Unit 3 DC power. It is, therefore, imperative that the operator's attention focus on (continued) PBAPS.UNIT 3 B 3.8-89 Revision No. 0
Distribution Systems-Operating B 3.8.7 BASES ACTIONS D.1 (continued) stabilizing the plant, minimizing the potential for loss of power to the remaining electrical power distribution subsystem, and restoring power to the affected electrical power distribution subsystem. This 2 hour limit is more conservative than Completion Times allowed for the majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of:
- a. The potential for decreased safety when requiring a change in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue;
- b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Recquired Actions for components without DC power, while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected subsystem;
- c. The potential for an event in conjunction with a single failure of a redundant component.
The 2 hour Completion Time for DC electrical power distribution subsystems is consistent with Regulatory Guide 1.93 (Ref. 2). The second Completion Time for Required Action D.1 establishes a limit on the maximum time allowed for any combination of required electrical power distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.7.a. If Condition D is entered while, for instance, a Unit 3 AC bus is inoperable and subsequently restored OPERABLE, LCO 3.8.7.a may already have been not met for up to 8 hours. This situation could lead to a total duration of 10 hours, since initial failure of LCO 3.8.7.a, to restore the Unit 3 DC Electrical Power Distribution System. At this time, a Unit 3 AC bus could again become inoperable, and Unit 3 DC Electrical Power Distribution System could be restored OPERABLE. This could continue indefinitely. fcontinued) PBAPS UNIT 3 B 3.8-90 Revision No. 0
Distribution Systems-Operating B 3.8.7 BASES ACTIONS -D.1 (continued) This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This allowance results in establishing the 'time zero' at the time LCO 3.8.7.a was initially not met, instead of at the time Condition D was entered. The 16 hour Completion Time is an acceptable limitation on this potential of failing to meet the LCO indefinitely. E.A and E.2 If the inoperable electrical power distribution subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. F.1 Condition F corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost. When more than one Condition is entered, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown. SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution systems are functioning properly, with the correct circuit breaker alignment (for the AC electrical power distribution system only). The correct AC breaker alignment ensures the appropriate separation and independence of the electrical buses are maintained, and power is available to each required bus. The verification of indicated power availability on the AC and DC buses _continued) PBAPS UNIT 3 B 3.8-91 Revision No. 0
Distribution Systems-Operating B 3.8.7 BASES SURVEI:LLANCE SR 3.8.7.1 (continued) REQUIREMENTS ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. This may be performed by verification of absence of low voltage alarms. The 7 day Frequency takes into account the redundant capability ol' the AC and DC electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions. REFERENCES 1. UFSAR, Chapter 14.
- 2. Regulatory Guide 1.93, December 1974.
PBAP'; UNIT 3 B 3.8-92 Revision No. 0
Distribution Systems-Operating B 3.8.7 Table B 3.8.7-1 (page 1 of 1) AC and DC Electrical Power Distribution Systems TYPE VOLTAGE DIVISION * - DIVISION I3* AC buses 4160 V Emergency Buses Emergency Buses E13, E33 E23, E43 480 V Load Centers Load Centers E134, E334 E234, E434 DC buses 250 V Distribution Panel Distribution Panel 3AD18 3BD18
- Each division of the AC and DC electrical power distribution systems is a subsystem. -
PBAI'S UNIT 3 B 3.8-93 Revision No. 0
Distribution Systems -Shutdown B 3.8.8 B 3.3 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems-Shutdown BASES BACK GROUND A description of the AC and DC electrical power distribution system is provided in the Bases for LCO 3.8.7, 'Distrilbution Systems-Operating." APPLICABLE The initial conditions of Design Basis Accident and SAFETY ANALYSES transient analyses in the UFSAR, Chapter 14 (Ref. 1), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. The OPERABILITY of the AC and DC electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY. The OPERABILITY of the minimum AC and DC electrical power sources and associated power distribution subsystems during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:
- a. The facility can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit.
status; and
- c. Adequate power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.
The AC and DC electrical power distribution systems satisfy Criterion 3 of the NRC Policy Statement. (continued) PBAPS UNIT 3 B 3.8-94 Revision No. 0
Distribution Systems-Shutdown B :3.8.8 BASES (continued) LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the Unit 3 electrical distribution system necessary to support OPERABILITY of Technical Specifications required systems, equipment, and components-both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY. In addition some components that may be required by Unit 3 receive power through Unit 2 electrical.power distribution subsystems (e.g., Standby Gas Treatment System, Main Control Room Emergency Ventilation System, and DC control power for two of the four 4 kV emergency buses, as well as control power for two of the diesel generators). Therefore, Unit 2 AC and DC electrical power distribution subsystems needed to support the required equipment must also be OPERABLE. In addition, it is acceptable for required buses to be cross-tied during shutdown conditions, permitting a single source to supply multiple redundant buses, provided the. source is capable of maintaining proper frequency (if required) and voltage. Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindoum). APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:
- a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel;
- b. Systems needed to mitigate a fuel handling accident are available; (continued)
PBAPS UNIT 3 B 3.8-95 Revision No. 0
Distribution Systems -Shutdown B 3.8.8 BASE'; APPLUCABILITY C. Systems necessary to mitigate the effects of events (continued) that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.
The AC and DC electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7. ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown. A.I. A.2.1. A.2.2. A.2.3. A.2.4. and A.2.5 Although redundant required features may require redundant electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem may be capable of suppDrting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowing the option to declare required features inoperable with associated electrical power distribution subsystems inoperable,, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. However, in many instances this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made, (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel). (continued) II PBAPS UNIT 3 B 3.8-96 Revision No. 0
Distribution Systems-Shutdown B 3.8.8 BASES ACTIONS A.1 A.2.1. A.2.2. A.2.3. A.2.4. and A.2.5 (continued) Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems. Notwithstanding performance of the above conservative Required Actions, a required residual heat removal-shutdown cooling (RHR-SDC) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring RHR-SDC inoperable, which results in taking the appropriate RHR-SDC ACTIONS. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required electrical power distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power. SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution subsystem is functioning properly, with the buses energized. The verification of indicated power availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. This may be performed by verification of absence of low voltage alarms. The 7 day Frequency takes into account the redundant capability of the electrical power distribution subsystems, as well as other indications available in the control room that alert the operator to subsystem malfunctions. REFERENCES 1. UFSAR, Chapter 14. PBAPS UNIT 3 B 3.8-97 . Revision No. 0
Refueling Equipment Interlocks B 3.9.1 B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks BASES BACKGROUND Refueling equipment interlocks restrict the operation of the refueling equipment or the withdrawal of control rods to reinforce unit procedures that prevent the reactor from achieving criticality during refueling. The refueling interlock circuitry senses the conditions of the refueling equipment and the control rods. Depending on the sensed conditions, interlocks are actuated to prevent the operation of the refueling equipment or the withdrawal of control rods. Design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods, when fully inserted, serve as the system capable of maintaining the reactor subcritical in cold conditions during all fuel movement activities and accidents. One channel of instrumentation is provided to sense the position of the refueling platform, the loading of the refueling platform fuel grapple and the full insertion of all control rods. Additionally, inputs are provided for the loading of the refueling platform frame mounted auxiliary hoist and the loading of the refueling platform monorail mounted hoist. With the reactor mode switch in the shutdown or refueling position, the indicated conditions are combined in logic circuits to determine if all restrictions on refueling equipment operations and control rod insertion are satisfied. A control rod not at its full-in position interrupts Fower to the refueling equipment and prevents operating the equipment over the reactor core when loaded with a fuel assembly. Conversely, the refueling equipment located over the core and loaded with fuel inserts a control rod withdrawal block in the Reactor Manual Control System to prevent withdrawing a control rod. (conlinued) PBAPS UNIT 3 B 3.9-1 Revision No. 29
Refueling Equipment Interlocks B 3.9.1 BASES BACKGROUND The refueling platform has two mechanical switches that open (continued) before the platform or any of its hoists are physically located over the reactor vessel. All refueling hoists have switches that open when the hoists are loaded with fuel. The refueling interlocks use these indications to prevent operation of the refueling equipment with fuel loaded over the core whenever any control rod is withdrawn, or to prevent control rod withdrawal whenever fuel loaded refueling equipment is over the core (Ref. 2). The hoist switches open at a load lighter than the weight of a single fuel assembly in water. APPLICABLE The refueling interlocks are explicitly assumed in the UFSAR SAFETY ANALYSES analyses for the control rod removal error during refueling (Ref. 3) and the fuel assembly insertion error during refueling (Ref. 4). These analyses evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Criticality and, therefore, subsequent prompt reactivity excursions are prevented during the insertion of fuel, provided all control rods are fully inserted during the fuel insertion. The refueling interlocks accomplish this by preventing loading of fuel into the core with any control rod withdrawn or by preventing withdrawal of a rod from the core during fuel loading. The refueling platform location switches activate at aI point outside of the reactor core such that, with a fuel assembly loaded and a control rod withdrawn, the fuel is not over the core. Refueling equipment interlocks satisfy Criterion 3 of the NRC Policy Statement. (continued) PBAFS UNIT 3 B 3.9-2 Revision No. 0
Refueling Equipment Interlocks E 3.9.1 BASES (continued) LCO To prevent criticality during refueling, the refueling interlocks ensure that fuel assemblies are not loaded with any control rod withdrawn. To prevent these conditions from developing, the all-rods-in, the refueling platform position, the refueling platform fuel grapple fuel loaded, the refueling platform frame mounted auxiliary hoist fuel loaded, and the refueling platform monorail mounted hoist fuel loaded inputs are required to be OPERABLE. These inputs are combined in logic circuits, which provide refueling equipment or control rod blocks to prevent operations that could result in criticality during refueling operations. APPLICABILITY In MODE 5, a prompt reactivity excursion could cause fuel damage and subsequent release of radioactive material to the environment. The refueling equipment interlocks protect against prompt reactivity excursions during MODE 5. The interlocks are required to be OPERABLE during in-vessel fuel movement with refueling equipment associated with the interlocks. In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and in-vessel fuel movements are not possible. Therefore, the refueling interlocks are not required to be OPERABLE in these MODES. ACTIONS A.1 With one or more of the required refueling equipment interlocks inoperable, the unit must be placed in a condition in which the LCO does not apply. In-vessel fuel movement with the affected refueling equipment must be immediately suspended. This action ensures that operations are not performed with equipment that would potentially not be blocked from unacceptable operations (e.g., loading fuel into a cell with a control rod withdrawn). Suspension of in-vessel fuel movement shall not preclude completion of movement of a component to a safe position. (continued) PBA'PS UNIT 3 B 3.9-3 Revision No. 29
Refueling Equipment Interlocks B 3.9.1 BASE'i (continued) SURVEILLANCE SR 3.9.1.1 REQUI:REMENTS Performance of a CHANNEL FUNCTIONAL TEST demonstrates each required refueling equipment interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested.
- The 7 day Frequency is based on engineering judgment anid is considered adequate in view of other indications of refueling interlocks and their associated input status that are available to unit operations personnel.
REFERENCES 1. UFSAR, Sections.1.5.1.1, 1.5.1.8.1, 1.5.2.2.7, and 1 .5.2.7.1.
- 2. UFSAR, Section 7.6.3.
- 3. UFSAR, Section 14.5.3.3.
- 4. UFSAR, Section 14.5.3.4.
PBAPS UNIT 3 B 3.9-4 Revision No. 0
Refuel Position One-Rod-Out Interlock B 3.9.2 B 3.9 REFUELING OPERATIONS B 3.9.2 Refuel Position One-Rod-Out Interlock BASES
=
BACKGROUND The refuel position one-rod-out interlock restricts the movement of control rods to reinforce unit procedures that prevent the reactor from becoming critical during refueling operations.. During refueling operations, no more than one control rod is permitted to be withdrawn. The UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions. The refuel position one-rod-out interlock prevents the selection of a second control rod for movement when any other control rod is not fully inserted (Ref. 2). It is a logic circuit that has redundant channels. It uses the all-rods-in signal (from the control rod full-in position indicators discussed in LCO 3.9.4, Control Rod Position Indication") and a rod selection signal (from the Reactor Manual Control System). This Specification ensures that the performance of the refuel position one-rod-out interlock in the event of a Design Basis Accident meets the assumptions used in the safety analysis of Reference 3. APPLICABLE The refueling position one-rod-out interlock is explicitly SAFETY ANALYSES assumed in the UFSAR analysis for the control rod withdrawal error during refueling (Ref. 3). This analysis evaluates the consequences of control rod withdrawal during refueling. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. The refuel position one-rod-out interlock and adequate SDM (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") prevent criticality by preventing withdrawal of more than one control rod. With one control rod withdrawn, the core will remain subcritical, thereby preventing any prompt critical excursion. (continued) PBAPS UNIT 3 B 3.9-5 Revision No. 0
Refuel Position One-Rod-Out Interlock B :3.9.2 BASES APPLICABLE The refuel position one-rod-out interlock satisfies SAFE7Y ANALYSES Criterion 3 of the NRC Policy Statement. (continued) LCO To prevent criticality during MODE 5, the refuel position one-rod-out interlock ensures no more than one control rod may be withdrawn. Both channels of the refuel position one-rod-out interlock are required to be OPERABLE, and the reactor mode switch must be locked in the Refuel position to support the OPERABILITY of these channels. APPLICABILITY In MODE 5, with the reactor mode switch in the refuel position, the OPERABLE refuel position one-rod-out interlock provides protection against prompt reactivity excursions. In MODES 1, 2, 3, and 4, the refuel position one-rod-out interlock is not required to be OPERABLE and is bypassed. In MODES I and 2, the Reactor Protection System (LCO 3.3.1.1) and the control rods (LCO 3.1.3) provide mitigation of potential reactivity excursions. In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions. ACTIONS A.1 and A.2 With one or both channels of the refueling position one-rod-out interlock inoperable, the refueling interlocks may not be capable of preventing more than one control rod from being withdrawn. This condition may lead to criticality. Control rod withdrawal must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core -cells containing one or more fuel assemblies. Action must continue until all such control rods are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted. (continued) . PBAPS UNIT 3 B 3.9-6 Revision No. 0
Refuel Position One-Rod-Out Interlock B 3.9.2 BASES (continued) SURVEILLANCE SR 3.9.2.1 REQUIREMENTS Proper functioning of the refueling position one-rod-out interlock requires the reactor mode switch to be in Reluel. During control rod withdrawal in MODE 5, improper positioning of the reactor mode switch could, in some instances, allow improper bypassing of required interlocks. Therefore, this Surveillance imposes an additional level of assurance that the refueling position one-rod-out interlock will be OPERABLE when required. By 'locking" the reactor mode switch in the proper position (i.e., removing the reactor mode switch key from the console while the reactor mode switch is positioned in refuel), an additional administrative control is in place to preclude operator errors from resulting in unanalyzed operation. The Frequency of 12 hours is sufficient in view of other administrative controls utilized during refueling operations to ensure safe operation. SR 3.9.2.2 Performance of a CHANNEL FUNCTIONAL TEST on each channel demonstrates the associated refuel position one-rod-out interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested. The 7 day Frequency is considered adequate because of demonstrated circuit reliability, procedural controls on control rod withdrawals, and visual and audible indications available in the control room to alert the operator to control rods not fully inserted. To perform the required testing, the applicable condition must be entered (i.e., a control rod must be withdrawn from its full-in position). Therefcre, SR 3.9.2.2 has been modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 1 hour after any control rod is withdrawn. REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 7.6.
- 3. UFSAR, Section 14.5.3.3.
PBAPS UNIT 3 B 3.9-7 Revision No. 0
Control Rod Position B 3.9.3 B 3.S' REFUELING OPERATIONS B 3.9.3 Control Rod Position BASES BACKGROUND Control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the Reactor Manual Control System. During refueling, movement of control rods is limited by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2) or the control rod block with the reactor mode switch in the shutdown position (LCO 3.3.2.1). UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions. The refueling interlocks allow a single control rod to be withdrawn at any time unless fuel is being loaded into the core. To preclude loading fuel assemblies into the core with a control rod withdrawn, all control rods must be fully inserted. This prevents the reactor from achieving criticality during refueling operations. APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the wide I range neutron monitor period-short scram (LCO 3.3.1.1)., and the control rod block instrumentation (LCO 3.3.2.1). The safety analysis for the control rod withdrawal error during refueling in the UFSAR (Ref. 2) assumes the functioning of the refueling interlocks and adequate SIXM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. Thus, prior to fuel reload, all control rods must be fully inserted tD minimize the probability of an inadvertent criticality. Control rod position satisfies Criterion 3 of the NRC Policy Statement. (continued) PBAPS UNIT 3 B 3.9-8 Revision No. 17
Control Rod Position B 3.9.3 BASES (continued) LCO All control rods must be fully inserted during applicable refueling conditions to minimize the probability of an inadvertent criticality during refueling. APPL[CABILITY During MODE 5, loading fuel into core cells with control rods withdrawn may result in inadvertent criticality. Therefore, the control rods must be inserted before loading fuel into a core cell. All control rods must be inserted before loading fuel to ensure that a fuel loading error does not result in loading fuel into a core cell with the control rod withdrawn. In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, this Specification is not applicable in these MODES. ACTIONS A.1 With all control rods not fully inserted during the applicable conditions, an inadvertent criticality could occur that is not analyzed in the UFSAR. All fuel loading operations must be immediately suspended. Suspension of these activities shall not preclude completion of movement of:a component to a safe position. SURVEILLANCE SR 3.9.3.1 REQUIREMENTS During refueling, to ensure that the reactor remains subcritical, all control rods must be fully inserted prior to and during.fuel loading. Periodic checks of the control rod position ensure this condition is maintained. The 12 hour Frequency takes into consideration the procedural controls on control rod movement during refueling as well as the redundant functions of the refueling interlocks. REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 14.5.3.3.
- 3. UFSAR, Section 14.5.3.4.
PBAPS UNIT 3 B 3.9-9 Revision No. 0
Control Rod Position Indication B 3.9.4 B 3.9 REFUELING OPERATIONS B 3.9.4 Control Rod Position Indication BASES BACKGROUND The full-in position indication for each control rod provides necessary information to the refueling interlocks to prevent inadvertent criticalities during refueling operations. During refueling, the refueling interlocks (LCO 3.9.1 and LCO 3.9.2) use the full-in position indication to limit the operation of the refueling equipment and the movement of the control rods. The absence of the full-in position indication signal for any control rod removes the all-rods-in permissive for the refueling equipment interlocks and prevents fuel loading. Also, this condition causes the refuel position one-rod-out interlock to not allow the withdrawal of any other control rod. UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions. APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling are provided by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the wide range neutron monitor period-short scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1). The safety analysis for the control rod withdrawal error during refueling (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. The full-in position indication is required to be OPERABLE so that the refueling interlocks can ensure that fuel cannot be loaded with any control rod withdrawn and that no more than one control rod can be withdrawn at a time. Control rod position indication satisfies Criterion 3 of the NRC Policy Statement. (continued) PBAPS UNIT 3 B 3.9-10 Revision No. 17
Control Rod Position Indication B 3.9.4 BASES (continued) LCO Each control rod full-in position indication must be OPERABLE to provide the required input to the refueling interlocks. A full-in position indication is OPERABLE if it provides correct position indication to the refueling interlock logic. APPLICABILITY During MODE 5, the control rods must have OPERABLE full-in position indication to ensure the applicable refueling interlocks will be OPERABLE. In MODES 1 and 2, requirements for control rod position are specified in LCO 3.1.3, 'Control Rod OPERABILITY." In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions. ACTIONS A Note has been provided to modify the ACTIONS related to control rod position indication channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable control rod position indications provide appropriate compensatory measures for separate inoperable channels. As such, this Note has been provided, which allows separate Condition entry for each inoperable required control rod position indication. A.1.1. A.1.2. A.1.3. A.2.1 and A.2.2 With one or more required full-in position indications inoperable, compensating actions must be taken to protect against potential reactivity excursions from fuel assembly insertions or control rod withdrawals. This may be accomplished by immediately suspending invessel fuel movement and control rod withdrawal, and immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. (continued) PBARS UNIT 3 B -3 .9-11 Revision No. 0
Control Rod Position Indication B 3.9.4 BASES ACTIONS A.1.I. A.1.2. A.1.3. A.2.1 and A.2.2 (continued) Actions must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. Suspension of invessel fuel movements and control rod withdrawal shall not preclude moving a component to a safe position. Alternatively, actions must be immediately initiated to fully insert the control rod(s) associated with the inoperable full-in position indicator(s) and disarm (electrically or hydraulically) the drive(s) to ensure that the control rod is not withdrawn. A control rod can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. A control rod can be electrically disarmed by disconnecting power from all four direction control valve solenoids. Actions must continue until all associated control rods are fully inserted and drives are disarmed. Under these conditions (control rod fully inserted and disarmed), an inoperable full-in position indication may be bypassed to allow refueling operations to proceed. An alternate method must be used to ensure the control rod is fully inserted (e.g., use the OO" notch position indication). SURVEILLANCE SR 3.9.4.1 REQUIREMENTS The full-in position indications provide input to the one-rod-out interlock and other refueling interlocks that require an all-rods-in permissive. The interlocks are actuated when the full-in position indication for any control rod is not present, since this indicates that all rods are not fully inserted. Therefore, testing of the full-in position indications is performed to ensure that when a control rod is withdrawn, the full-in position indication is not present. The full-in position indication is considered inoperable even with the control rod fully inserted, if it would continue to indicate full-in with the control rod withdrawn. Performing the SR each time a control rod is withdrawn is considered adequate because of the procedural controls on control rod withdrawals and the visual and audible indications available in the control room to alert the operator to control rods not fully inserted. (continued) PBAPS UNIT 3 B 3.9-12 Revision No. 0
Control Rod Position Indication B 3.9.4 BASES (continued) REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 14.5.3.3.
- 3. UFSAR, Section 14.5.3.4.
PBAP.S UNIT 3 . B 3.9-13 Revision No. 0
Control Rod OPERABILITY- Refueling B 3.9.5 B 3.9 REFUELING OPERATIONS B 3.9.5 Control Rod OPERABILITY-Refueling BASE'S BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes during refueling operation. In addition, the control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. UFSAR design criteria require that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (ReF. 1). The CRD System is the system capable of maintaining the reactor subcritical in cold conditions. APPLICABLE Prevention and mitigation of prompt reactivity excursions SAFETY ANALYSES during refueling are provided by refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the wide range neutron monitor period-short scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1). The safety analyses for the control rod withdrawal error during refueling (Ref. 2) and the fuel assembly insertion error (Ref. 3) evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Control rod scram provides protection should a prompt reactivity excursion occur. Control rod OPERABILITY during refueling satisfies Criterion 3 of the NRC Policy Statement. LCO Each withdrawn control rod must be OPERABLE. The withdrawn control rod is considered OPERABLE if the scram accumulator pressure is k 940 psig and the control rod is capable of _continued) PBAPS UNIT 3 B 3.9-14 U 3Revision No. 17
Control Rod OPERABILITY- Refueling B 3.9.5 BASES LCO being automatically inserted upon receipt of a scram signal. (continued) Inserted control rods have already completed their reactivity control function, and therefore, are not required to be OPERABLE. APPLICABILITY During MODE 5, withdrawn control rods must be OPERABLE to ensure that in a scram the control rods will insert and provide the required negative reactivity to maintain the reactor subcritical. For MODES 1 and 2, control rod requirements are found ir, LCO 3.1.2, "Reactivity Anomalies," LCO 3.1.3, "Control Rod OPERABILITY," LCO 3.1.4, "Control Rod Scram Times,' and LCO 3.1.5, "Control Rod Scram Accumulators." During MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY duringythese conditions. ACTIONS A-1 With one or more withdrawn control rods inoperable, action must be immediately initiated to fully insert the inoperable control rod(s). Inserting the control rod(s) ensures the shutdown and scram capabilities are not adversely affected. Actions must continue until the inoperable control rod(s) is fully inserted. SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 REQUIREMENTS During MODE 5, the OPERABILITY of control rods is primarily required to ensure a withdrawn control rod will automatically insert if a signal requiring a reactor shutdown occurs. Because no explicit analysis exists fir automatic shutdown during refueling, the shutdown function is satisfied if the withdrawn control rod is capable of automatic insertion and the associated CRD scram accumulator I pressure is > 940 psig. The 7 day Frequency takes into consideration equipment reliability, procedural controls over the scram accumulators, and control room alarms and indicating lights that indicate low accumulator charge pressures. (continued) PBAP'; UNIT 3 B 3.9-15 Revision No. 2
Control Rod OPERABILITY-Refueling B 3.9.5 BASES SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 (continued) REQUIREMENTS SR 3.9.5.1 is modified by a Note that allows 7 days after withdrawal of the control rod to perform the Surveillance. This acknowledges that the control rod must first be withdrawn before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4. REFERENCES 1. UFSAR, Section 1.5.
- 2. UFSAR, Section 14.5.3.3.
- 3. UFSAR, Section 14.5.3.4.
PBAPS UNIT 3 B 3.9-16 Revision No. 0
RPV Water Level 11 3.9.6 B 3.9 REFUELING OPERATIONS B 3.9.6 Reactor Pressure Vessel (RPV) Water Level BASES BACKGROUND The movement of fuel assemblies or handling of control rods within the RPV requires a minimum water level of 458 inches above RPV instrument zero. During refueling, this maintains a sufficient water level in the reactor vessel cavity and spent fuel pool. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses fromn the accident to well below the guidelines set forth in 10 CFR 100 (Ref. 3). APPLICABLE During movement of fuel assemblies or handling of control SAFETY ANALYSES rods, the water level in the RPV and the spent fuel pDol is an implicit initial condition design parameter in the analysis of a fuel handling accident in containment postulated in Reference 1. A minimum water level of 20 ft 11 inches above the top of the RPV flange allows a partition factor of 100 to be used in the accident analysis for halogens (Ref. 1). Analysis of the fuel handling accident inside containment is described in Reference 1. With a minimum water level of 458 inches above RPV instrument zero (20 ft 11 inches above the top of the RPV flange) and a minimum decay time of 24 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and that offsite doses are maintained within allowable limits (Ref. 3). While the worst case assumptions include the dropping of an irradiated fuel assembly onto the reactor core, the possibility exists of the dropped assembly striking the RPV flange and releasing fission products. Therefore, the minimum depth for water coverage to ensure acceptable radiological consequences is specified from the RPV flange. Since the worst case event results in failed fuel assemblies seated in the core, as well as the dropped assembly, (continued) PBAPS UNIT 3 B 3.9-17 Revision No. 0
RPV Water Level B 3..9.6 BASES APPLICABLE dropping an assembly on the RPV flange will result in SAFETY ANALYSES reduced releases of fission gases. Based on this judgenent, (continued) and the physical dimensions which preclude normal operation with water level 23 feet above the flange, a slight reduction in this water level (to 20 ft 11 inches above the flange) is acceptable (Ref. 3). RPV water level satisfies Criterion 2 of the NRC Policy Statement. LCO A minimum water level of 458 inches above RPV instrument zero (20 ft 11 inches above the top of the RPV flange) is required to ensure that the radiological consequences of a postulated fuel handling accident are within acceptable limits. APPLICABILITY LCD 3.9.6 is applicable when moving fuel assemblies or handling control rods (i.e., movement with other than the normal control rod drive) within the RPV. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there ca.n be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel storage pool are covered by LCO 3.7.7, 'Spent Fuel Storage Pool Water Level." ACTICiNS A.1 If the water level is < 458 inches above RPV instrument zero, all operations involving movement of fuel assemblies and handling of control rods within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement and control rod handling shall not preclude completion of movement of a component to a safe position. (continued) PBAP'; UNIT 3 B 3.9-18 Revision No. 0
RPV Water Level B 3.9.6 BASES (continued) SURVEILLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 458 inches above RPV instrument zero ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a fuel handling accident in containment (Ref. 1). The Frequency of 24 hours is based on engineering judgment and is considered adequate in view of the large volume of water and the normal procedural controls on valve positions, which make significant unplanned level changes unlikely. REFERENCES 1. UFSAR, Section 14.6.4.
- 2. UFSAR, Section 10.3..
- 3. 10 CFR 100.11.
PBAPS UNIT 3 B 3.9-19 Revision No. 0
RHR-High Water Level E,3.9.7 B 3.9 REFUELING OPERATIONS B 3.9.7 Residual Heat Removal (RHR)-High Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required in UFSAR, Section 1.5. The RHR System has two loops siith each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR shutdown cooling subsystems per. RHR System loop. The four RHR shutdown cooling subsystems have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the High Pressure Service Water System. The RHR shutdown cooling mode is manually controlled. Any one of the four RHR shutdown cooling subsystems can provide the required decay heat removal function. In addition to the RHR subsystems, the volume of wateir above the reactor pressure vessel (RPV) flange provides a heat sink for decay heat removal. APPLICABLE With the unit in MODE 5, the RHR System is not required to SAFETY ANALYSES mitigate any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant. The RHR System satisfies Criterion 4 of the NRC Policy Statement. LCO Only one RHR shutdown cooling subsystem is required to be OPERABLE and in operation in MODE 5 with irradiated fuel in the RPV and the water level > 458 inches above RPV instrument zero. Only one subsystem is required because the volume of water above the RPV flange provides backup decay heat removal capability. An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, a High Pressure Service Water System pump capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. In MODE 5, the RHR cross-tie {continued) PBAPS UNIT 3 B 3.9-20 Revision No. 0
RHR-High Water Level B 3.9.7 BASES LCO valve is not required to be closed; thus the valve may be (continued) opened to allow an RHR pump in one loop to discharge through the opposite recirculation loop to make a complete subsystem. In addition, the HPSW cross-tie valve may be open to allow a HPSW pump in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem. Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut dovm the operating subsystem every 8 hours. APPLICABILITY One RHR shutdown cooling subsystem must be OPERABLE and in operation in MODE 5, with irradiated fuel in the RPV and the water level > 458 inches above RPV instrument zero (20 ft 11 inches-above the top of the RPV flange), to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS); Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. RHR Shutdown Cooling System requirements in MODE 5 with irradiated fuel in the RPV and the water level < 458 inches above RPV instrument zero are given in LCO 3.9.8. ACTIONS A. I With no RHR shutdown cooling subsystem OPERABLE, an alternate method of decay heat removal must be established within 1 hour. In this condition, the volume of water above the RPV flange provides adequate capability to remove decay heat from the reactor core. However, the overall reliability is reduced because loss of water level could result in reduced decay heat removal capability. The 1 hour Completion Time is based on decay heat removal function and (continued) PBAPS UNIT 3 B 3.9-21 Revision No. 0
RHR-High Water Level B 3.9.7 BASES; ACTIONS A.1 (continued) the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability. Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed. The method used to remove the decay heat should be the most prudent choice based on unit conditions. B.1. B.2. B.3. and B.4 If no RHR shutdown cooling subsystem is OPERABLE and an alternate method of decay heat removal is not available in accordance with Required Action A.1, actions shall be taken immediately to suspend operations involving an increase in reactor decay heat load by suspending loading of irradiated fuel assemblies into the RPV. Additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem for Unit 3 is OPERABLE; and secondary containment isolation capability (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability) in each associated penetration not isolated that is assumed to be isolated to mitigate radioactive releases. This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, a surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE. (continued) PBAPS UNIT 3 B 3.9-22 Revision No. 0
RHR-High Water Level B 3.9.7 BASES ACTIONS C.1 and C.2 (continued) If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. This alternate method may utilize forced or natural circulation cooling. The Completion Time is modified such that the-1 hour is applicable separately for each occurrence involving a loss of coolant circulation. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.9.7.1 REQUIREMENTS This Surveillance demonstrates that the RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Frequency of 12 hours is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR shutdown cooling subsystem in the control room. REFERENCES None. PBAPS UNIT 3 R 3.9-23 Revision No. 0
RHR-Low Water Level B 3.9.8 B 3.9 REFUELING OPERATIONS B 3.9.8 Residual Heat Removal (RHR)-Low Water Level BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required in UFSAR Section 1.5. The RHR System has two loops with each loop consisting of two motor driven pumps, two heat exchangers, and associated piping and valves. There are two RHR shutdown cooling subsystems per RHR System loop. The four RHR shutdown cooling subsystems have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the High Pressure Service Water System. The RHR shutdown cooling mode is manually controlled. Any one of the four RHR shutdown cooling subsystems can provide the required decay heat removal function. APPLICABLE With the unit in MODE 5, the RHR System is-not required to SAFETY ANALYSES mitigate any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant. The RHR System satisfies Criterion 4 of the NRC Policy Statement. LCO In MODE 5 with irradiated fuel in the RPV and the water level < 458 inches above reactor pressure vessel (RPV) instrument zero both RHR shutdown cooling subsystems must be OPERABLE. An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump, a heat exchanger, a High Pressure Service Water System pump.capable of providing cooling to the heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path. The two subsystems have a common suction source and are allowed to have common discharge piping. Since piping is a passive component: that is assumed not to fail, it is allowed to be common to both subsystems. In MODE 5, the RHR cross-tie valve is notE required to be closed, thus the valve may be opened to allow (continued) PBAPS UNIT 3 B 3.9-24 Revision No. 0
RHR-Low Water Level B 3.9.8 BASES ICO an RHR pump in one loop to discharge through the opposite (continued) recirculation loop to make a complete subsystem. In addition, the HPSW cross-tie valve may be open to allow a HPSW pump in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem. Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of dec:ay heat. Operation (either continuous or intermittent) cif one subsystem can maintain and reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours. APPL.ICABILITY Two RHR shutdown cooling subsystems are required to be OPERABLE, and one must be in operation in MODE 5, with irradiated fuel in the RPV and the water level < 458 inches above RPV instrument zero (20 ft 11 inches above the top of the RPV flange), to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS); Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. RHR Shutdown Cooling System requirements in MODE 5 with irradiated fuel in the RPV and the water level 2 458 inches above RPV instrument zero are given in LCO 3.9.7, "Residual Heat Removal (RHR) -High Water Level." ACTIONS A.1 With one of the two required RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the {continued) PBAPS UNIT 3 B 3.9-25 Revision No. 0
RHR-Low Water Level 13 3.9.8 BASES ACTIONS A.1 (continued) LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of this alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability. Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed. The method used to remove decay heat should be the most prudent choice based on unit conditions. B.1. B.2. and B.3 With the required decay heat removal subsystem(s) inoperable and the required alternate method(s) of decay heat removal not available in accordance with Required Action A.1, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring secondary containment is OPERABLE; one standby gas treatment subsystem for Unit 3 is OPERABLE; and secondary containment isolation capability (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability) in each associated penetration that is assumed to be isolated to mitigate radioactivel releases. This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE. (continued) PBAP'S UNIT 3 B 3.9-26 Revision No. 0
RHR-Low Water Level E 3.9.8 BASES ACTIONS C.1 and C.2 (continued) If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. This alternate method may utilize forced or natural circulation cooling. The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.9.8.1 REQUIREMENTS This Surveillance demonstrates that one RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Frequency of 12 hours is sufficient in view of other visual and audible indications available to the operator for monitoring the RHR shutdown cooling subsystems in the control room. REFERENCES None. PBAP'S UNIT 3 B 3.9-27 Revision No. 0
Inservice Leak and Hydrostatic Testing Operation B 3.10.1 B 3.10 SPECIAL OPERATIONS B 3.10.1 Inservice Leak and Hydrostatic Testing Operation BASES BACKGROUND The purpose of this Special Operations LCO is to allow certain reactor coolant pressure tests to be performed in MODE 4 when the metallurgical characteristics of the reactor pressure vessel (RPV) or plant temperature control I capabilities during these tests require the pressure testing at temperatures > 2126F (normally corresponding to MODE .3). Inservice hydrostatic testing and system leakage pressure tests required by Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Ref. 1) are performed prior to the reactor going critical after a refueling outage. Recirculation pump operation and a water solid RPV (except for an air bubble for pressure control) are used to achieve the necessary temperatures and pressures required for these tests. The minimum temperatures (at the required pressures) allowed for these tests are determined from the RPV pressure and temperature (P/T) limits required by LCO 3.4.9, "Reactor Coolant System (RCS) Pressure and Temperature (P/T) Limits." These limits are conservatively based on the fracture toughness of the reactor vessel, taking into account anticipated vessel neutron fluence. With increased reactor vessel fluence over time, the minimum allowable vessel temperature increases at a given pressure. Periodic updates to the RCS P/T limit curves are performed as necessary, based upon the results of analyses of irradiated surveillance specimens removed from the vessel. Hydrostatic and leak testing may eventually be required with minimum reactor coolant temperatures > 212F. APPLICABLE Allowing the reactor to be considered in MODE 4 during SAFETY ANALYSES hydrostatic or leak testing, when the reactor coolant temperature is > 2129F, effectively provides an exception to MODE 3 requirements, including OPERABILITY of primary containment and the full complement of redundant Emergency Core Cooling Systems. Since the hydrostatic or leak tests are performed nearly water solid (except for an air bubble for pressure control), at low decay heat values, and near MODE 4 conditions, the stored energy in the reactor core will be very low. Under these conditions, the potential for (continued) PBAPS UNIT 3 B 3.10-1 Revision No. 1
Inservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES APPLICABLE failed fuel and a subsequent increase in coolant activity SAFETY ANALYSES above the LCO 3.4.6, 'RCS Specific Activity," limits are (continued) minimized. In addition, the secondary containment will be OPERABLE, in accordance with this Special Operations LCO, and will be capable of handling any airborne radioactivity or steam leaks that could occur during the performance of hydrostatic or leak testing. The required pressure testing conditions provide adequate assurance that the consequences of a steam leak will be conservatively bounded by the consequences of the postulated main steam line break outside of primary containment described in Reference 2. Therefore, these requirements will conservatively limit radiation releases to the environment. In the event of a large primary system leak, the reactor vessel would rapidly depressurize, allowing the low pressure core cooling systems to operate. The capability of the low pressure coolant injection and core spray subsystems, as required in MODE 4 by LCO 3.5.2, "ECCS-Shutdown," would be more than adequate to keep the core flooded under this low decay heat load condition. Small system leaks would be detected by leakage inspections before significant inventory loss occurred. For the purposes of this test, the protection provided by normally required MODE 4 applicable LCOs, in addition to the secondary containment requirements required to be met by this Special Operations LCO, will ensure acceptable consequences during normal hydrostatic test conditions and during postulated accident conditions. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation at reactor coolant temperatures > 212'F can be in accordance with Table 1.1-1 for MODE 3 operation without meeting this Special Operations LCO or its ACTIONS. This option may be required due to P/T {continued) PBAPS UNIT 3 B 3.10-2 Revision 11o. 0
or - Inservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES LCO limits, however, which require testing at temperatures (continued) > 212*F, while the ASME inservice test itself requires the safety/relief valves to be gagged, preventing their OPERABILITY. If it is desired to perform these tests while complying with this Special Operations LCO, then the MODE 4 applicable LCOs and specified MODE 3 LCOs must be met. This Special Operations LCO allows changing Table 1.1-1 temperature limits for MODE 4 to 'NA' and suspending the requirements of LCO 3.4.8, Residual Heat Removal (RHR) Shutdown Cooling System-Cold Shutdown.' The additional requirements for secondary containment LCOs to be met will provide sufficient protection for operations at reactor coolant temperatures
> 212'F for the purpose of performing either an inservice leak or hydrostatic test.
This LCO allows primary containment to be open for frequent unobstructed access to perform inspections, and for outage activities on various systems to continue consistent with the MODE 4 applicable requirements that are in effect immediately prior to and immediately after this operation. APPLICABILITY The MODE 4 requirements may only be modified for the performance of inservice leak or hydrostatic tests so that these operations can be considered as in MODE 4, even though the reactor coolant temperature is > 212F. The additional requirement for secondary containment OPERABILITY according to the imposed MODE 3 requirements provides conservatism in, the response of the unit to any event that may occur. Operations in all other MODES are unaffected by this LCO. ACTIONS A Note has been provided to modify the ACTIONS related to inservice leak and hydrostatic testing operation. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate fcontinuedl PBAPS UNIT 3 B 3.10-3 Revision No. 0
Inservice Leak and Hydrostatic Testing Operation B :3.10.1 BASES ACTIONS compensatory measures for separate requirements-that are (continued) not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO. A.I If an LCO specified in LCO 3.10.1 is not met, the ACTIONS applicable to. the stated requirements are entered immediately and complied with. Required Action A.1 has been modified by a Note that clarifies the intent of another LCO's Required Action to be in MODE 4 includes reducing the average reactor coolant temperature to c 212*F. A.2.1 and A.2.2 Required Action A.2.1 and Required Action A.2.2 are alternate Required Actions that can be taken instead of' Required Action A.1 to restore compliance with the normal MODE 4 requirements, and thereby exit this Special Operation LCO's Applicability. Activities that could further increase reactor coolant temperature or pressure are suspended immediately, in accordance with Required Action A.2.1, and the reactor coolant temperature is reduced to establish normal MODE 4 requirements. The allowed Completion Time of 24 hours for Required Action A.2.2 is based on engineering judgment and provides sufficient time to reduce the average reactor coolant temperature from the highest expected value to - 212'F with normal cooldown procedures. The Complietion Time is also consistent with the time provided in LCO 3.0.3 to reach MODE 4 from MODE 3. SURVEILLANCE SR 3.10.1.1 REQUIREMENTS The LCOs made applicable are required to have their Surveillances met to establish that this LCO is being met. A discussion of the applicable SRs is provided in their respective Bases. REFERENCES 1. American Society of Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI.
- 2. UFSAR, Section 14.6.5.
PBAPS UNIT 3 B 3.10-4 Revision No. 0
Reactor Mode Switch Interlock Testing B 3.10.2 B 3.10 SPECIAL OPERATIONS B 3.10.2 Reactor Mode Switch Interlock Testing BASES BACKGROUND The purpose of this Special Operations LCO is to permit. operation of the reactor mode switch from one position to another to confirm certain aspects of associated interlocks during periodic tests and calibrations in MODES 3, 4, aind 5. The reactor mode switch is a conveniently located, multiposition, keylock switch provided to select the necessary scram functions for various plant conditions (Ref. 1). The reactor mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses. The mode switch positions and related scram interlock functions are summarized as follows:
- a. Shutdown- Initiates a reactor scram; bypasses main steam line isolation and main condenser low vacuum scrams;
- b. Refuel - Selects Neutron Monitoring System (NMS) scram function for low neutron flux level operation (wide range neutron monitors and average power range monitor setdown scram); bypasses main steam line isolation and main condenser low vacuum scrams;
- c. Startup/Hot Standby-Selects NMS scram function for low neutron flux level operation (wide range neutron monitors and average power range monitors); bypasses main steam line isolation and main condenser low vacuum scrams; and
- d. Run -Selects NMS scram function for power range operation.
The reactor mode switch also provides interlocks for such functions as control rod blocks, scram discharge volume trip bypass, refueling interlocks, and main steam isolation valve isolations. APPLICABLE The acceptance criterion for reactor mode switch interlock SAFETY ANALYSES testing is to prevent fuel failure by precluding reactivity excursions or core criticality. The interlock functions of (continued) PBAPS UNIT 3 B 3.10-5 Revision No. 17
Reactor Mode Switch Interlock Testing B '3.10.2 BASES APPLICABLE the shutdown and refuel positions normally maintained for SAFETY ANALYSES the reactor mode switch in MODES 3, 4, and 5 are provided to (continued) preclude reactivity excursions that could potentially result in fuel failure. Interlock testing that requires moving the reactor mode switch to other positions (run, startup/hot standby, or refuel) while in MODE 3, 4, or 5, requires administratively maintaining all control rods inserted and no other CORE ALTERATIONS in progress. With all control rods inserted in core cells containing one or more fuel assemblies, and no CORE ALTERATIONS in progress, there are no credible mechanisms for unacceptable reactivity excursions during the planned interlock testing. For postulated accidents, such as control rod removal error during refueling or loading of fuel with a control rod withdrawn, the accident analysis demonstrates that fuel failure will not occur (Refs. 2 and 3). The withdrawal of a single control rod will not result in criticality when adequate SDM is maintained. Also, loading fuel assemblies into the core with a single control rod withdrawn will not result in criticality, thereby preventing fuel failure. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. MODES 3, 4, and 5 operations not specified in Table 1.1-1 can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation," LCO 3.10.3, 'Single Control Rod Withdrawal-Hot Shutdown," LCO 3.10.4, 'Single Control Rod Withdrawal-Cold Shutdown," and LCO 3.10.8, "SDM Test-Refueling") without meeting this LCO or its ACTIONS. If any testing is performed that involves the reactor mode switch interlocks and requires repositioning beyond that specified in Table 1.1-1 for the current MODE of operation, the testing can be performed, provided all interlock functions potentially defeated are administratively controlled. In MODES 3, 4, and 5 with the reactor mode switch in shutdown as specified in Table 1.1-1, all. control rods are fully inserted and a control rod block (continued) PBAPS UNIT 3 B 3.10-6 Revision No. 0
Reactor Mode Switch Interlock Testing B .. 10.2 BASES LCO is initiated. Therefore, all control rods in core cells (continued) that contain one or more fuel assemblies must be verified fully inserted while in MODES 3, 4, and 5, with the reactor mode switch in other than the shutdown position. The additional LCO requirement to preclude CORE ALTERATIONS is appropriate for MODE 5 operations, as discussed below, and is inherently met in MODES 3 and 4 by the definition of CORE ALTERATIONS, which cannot be performed with the vessel head in place. In MODE 5, with the reactor mode switch in the refuel position, only one control rod can be withdrawn under the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"). The refueling equipment interlocks (LCO 3.9.1, "Refueling Equipment Interlocks") appropriately control other CORE ALTERATIONS. Due to the increased potential for error in controlling these multiple interlocks, and the limited duration of tests involving the reactor mode switch position, conservative controls are required, consistent with MODES 3 and 4. The additional controls of administratively not permitting other CORE ALTERATIONS will adequately ensure that the reactor does not become critical during these tests. APPLICABILITY Any required periodic interlock testing involving the reactor mode switch, while in MODES 1 and 2, can be performed without the need for Special Operations exceptions. Mode switch manipulations in these MODES would likely result in unit trips. In MODES 3, 4, and 5, this Special Operations LCO is only permitted to be used tco allow reactor mode switch interlock testing that cannot conveniently be performed without this allowance or testing which must be performed prior to entering another MODE. Such interlock testing may consist of required Surveillances, or may be the result of maintenance, repair, or troubleshooting activities. In MODES 3, 4, and 5, the interlock functions provided by the reactor mode switch in shutdown (i.e., all control rods inserted and incapable of withdrawal) and refueling (i.e., refueling interlocks to prevent inadvertent criticality during CORE ALTERATIONS) positions can be administratively controlled adequately during the performance of certain tests. (continued) PBAPS UNIT 3 B 3.10-7 Revision No. 0
Reactor Mode Switch Interlock Testing B 3.10.2 BASES (continued) ACTIONS A.1. A.2. A.3.1. and A.3.2 These Required Actions are provided to restore compliance with the Technical Specifications overridden by this Special Operations LCO. Restoring compliance will also result in exiting the Applicability of this Special Operations L(O. All CORE ALTERATIONS except control rod insertion, if in progress, are immediately suspended in accordance with Required Action A.1, and all insertable control rods in core cells that contain one or more fuel assemblies are fully inserted within 1 hour, in accordance with Required Action A.2. This will preclude potential mechanisms that could lead to criticality. Suspension of CORE ALTERATIONS shall not preclude the completion of movement of a component to a safe condition. Placing the reactor mode switch in the shutdown position will ensure that all inserted control rods remain inserted and result in operating in accordance with Table 1.1-1. Alternatively, if in MODE 5, the reactor mode switch may be placed in the refuel position, which will also result in operating in accordance with Table 1.1-1. A Note is added to Required Action A.3.2 to indicate that this Required Action is only applicable in MODE 5, since only the shutdown position is allowed in MODES 3 and 4. The allowed Completion Time of 1 hour for Required Action A.2, Required Action A.3.1, and Required Action A.3.2 provides sufficient time to normally insert the control rods and place the reactor mode switch in the required position, based on operating experience, and is acceptable given that all operations that could increase core reactivity have been suspended. SURVEILLANCE SR 3.10.2.1 and SR 3.10.2.2 REQUIREMENTS Meeting the requirements of this Special Operations LCO maintains operation consistent with or conservative to operating with the reactor mode switch in the shutdown position (or the refuel position for MODE 5). The functions of the reactor mode switch interlocks that are not in effect, due to the testing in progress,iare adequately compensated for by the Special Operations LCO requirenents. The administrative controls are to be periodically verified to ensure that the operational requirements continue to be met. The Surveillances performed at the 12 hour and 24 hour (continued) PBAPS UNIT 3 B 3.10-8 Revision No. 0
Reactor Mode Switch Interlock Testing B 3.10.2 BASES SURVEILLANCE SR 3.10.2.1 and SR 3.10.2.2 (continued) REQUIREMENTS Frequencies are intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements. REFERENCES 1. UFSAR, Section 7.2.3.7.
- 2. UFSAR, Section 14.5.3.3. .
- 3. UFSAR, Section 14.5.3.4.
PBAPS UNIT 3 B 3.10-9 Revision No. 0
Single Control Rod Withdrawal -Hot Shutdown B S.10.3 B 3.10 SPECIAL OPERATIONS B 3.10.3 Single Control Rod Withdrawal-Hot Shutdown BASE'; BACKGROUND The purpose of this MODE 3 Special Operations LCO is to permit the withdrawal of a single control rod for testing while in hot shutdown, by imposing certain restrictions. In MODE 3, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the other installed interlocks that are actuated when the reactor mode switch is in the shutdown position. However, circumstances may arise while in Mr)DE 3 that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram timing, and coupling integrity checks). These single control rod withdrawals are normally accomplished by selecting the refuel position for the reactor mode switch. This Special Operations LCO provides the appropriate additional controls to allow a single control rod withdrawal in MODE 3. APPLICABLE With the reactor mode switch in the refuel position, the SAFEFY ANALYSES analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 3, these analyses will bound the consequences of an accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude - unacceptable reactivity excursions. Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling. (continued) PBAPS UNIT 3 B 3.10-10 Revision No. 0
Single Control Rod Withdrawal-Hot Shutdown B 3.10.3 BASES; APPLICABLE Alternate backup protection can be obtained by ensuring SAFETY ANALYSES that five by five array of control rods,- centered on the (continued) withdrawn control rod, are inserted and incapable of withdrawal. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 3 with the reactor mode switch in the refuel position can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. However, if a single control rod withdrawal is desired in MODE 3, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, 'Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO, will ensure that only one control rod can be withdrawn; To back up the refueling interlocks (LCO 3.9.2), the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by this Special Operations LCO's requirements in Item d.1. Alternately, provided a sufficient number of control rods in the vicinity of the Withdrawn control rod are known to be inserted and incapable of withdrawal, Item d.2, the possibility of criticality on withdrawal of this control rod is sufficiently precluded, so as not to require the scram capability of the withdrawn control rod. Also, once this alternate (d.2) is completed, the SDM requirement to account for both the withdrawn untrippable (inoperable) control rod, and the highest worth control rod may be changed to allow the withdrawn untrippable (inoperable) control rod to be the single highest worth control rod. (continued) PBAPS UNIT 3 B 3.10-11 Revision No. 0
Single Control Rod Withdrawal-Hot Shutdown B 3.10.3 BASES (continued) APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with this Special Operations LCO or Special Operations LCO 3.10.4, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position. For these conditions, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4, Control Rod Position Indication'), full insertion requirements for all other control rods and scram functions (LCO 3.3.1.1, 'Reactor Protection Systeri (RPS) Instrumentation,' and LCO 3.9.5, Control Rod OPERABILITY-Refueling"), or the added administrative controls in Item d.2 of this Special Operations LCO, minimize potential reactivity excursions. ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 3. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However,-the Required Actions for each requirement of the LCO not met provide appropriate! compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO. A.1 If one or more of the requirements specified in this Special Operations LCO are not met, the ACTIONS applicable to the stated requirements of the affected LCOs are immediately entered as directed by Required Action A.1. Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Action to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added, which clarifies that this Required Action is only applicable if the requirements not met are for an affected LCO. (continued) PBAPS UNIT 3 B 3.10-12 Revision No. 0
Single Control Rod Withdrawal -Hot Shutdown B 3.10.3 BASES ACTIONS A.2.1 and A.2.2 (continued) Required Actions A.2.1 and A.2.2 are alternate Required Actions that can be taken. instead of Required Action A.1 to restore compliance with the normal MODE 3 requirements, thereby exiting this Special Operations LCO's Applicability. Actions must be initiated immediately to insert all insertable control rods. Actions must continue until all such control rods are fully inserted. Placing the reactor mode switch in the shutdown position will ensure all inserted rods remain inserted and restore operation in accordance with Table 1.1-1. The allowed Completion Time of 1 hour to place the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods. SURVEILLANCE SR 3.10.3.1. SR 3.10.3.2. and SR 3.10.3.3 REQUIREMENTS The other LCOs made applicable in this Special Operations LCO are required to have their Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification in accordance with SR 3.10.3.2 is required to preclude the possibility of' criticality. SR 3.10.3.2 has been modified by a Note, which clarifies that this SR is not required to be met if SR 3.10.3.1 is satisfied for LCO 3.10.3.d.1 requirements, since SR 3.10.3.2 demonstrates that the alternative LCO 3.10.3.d.2 requirements are satisfied. Also, SR 3.10.3.3 verifies that all control rods other than the control rod being withdrawn are fully inserted. The 24 hour Frequency is acceptable because of the administrative controls on control rod withdrawal, the protection afforded by the LCOs involved, and hardwire interlocks that preclude additional control rod withdrawals. REFERENCES 1. UFSAR, Section 7.6.4.
- 2. UFSAR, Section 14.5.3.3.
PBAPS UNIT 3 B 3.10-13 Revision ND. 0
Single Control Rod Withdrawal -Cold Shutdown B :3.10.4 B 3.10 SPECIAL OPERATIONS B 3.10.4 Single Control Rod Withdrawal-Cold Shutdown BASES BACKGROUND The purpose of this MODE 4 Special Operations LCO is to permit the withdrawal of a single control rod for testing or maintenance, while in cold shutdown, by imposing certain restrictions. In MODE 4, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the installed interlocks associated with the reactor mode switch in the shutdown position. Circumstances may arise while in FODE 4, however, that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram tine testing, and coupling integrity checks). Certain situations may also require the removal of the associated control rod drive (CRD). These single control rod withdrawals and; possible subsequent removals are normally accomplished by selecting the refuel position for the reactor mode switch. APPLICABLE With the reactor mode switch in the refuel position, the SAFETY ANALYSES analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 4, these analyses will bound the consequences of an accident. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that-the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. The control rod scram function provides backup protection in the event of normal refueling procedures and the refueling interlocks fail to prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of _continued} PBAPS UNIT 3 B 3.10-14 Revision No. 0
Single Control Rod Withdrawal -Cold Shutdown B 3.10.4 BASES APPLICABLE withdrawal. This alternate backup protection is required SAFETY ANALYSES when removing a CRD because this removal renders the (continued) withdrawn control rod incapable of being scrammed. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCC's provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs; is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 4 with the reactor mode switch in the refuel position can be performed in accordance with other LCOs (i.e., Special Operations LCO 3.10.2, Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. If a single control rod withdrawal is desired in MODE 4, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied.
"Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.
The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO will ensure that only one control rod can be withdrawn. At the time CRD removal begins, the disconnection of the position indication probe will cause LCO 3.9.4, Control Rod Position Indication," and therefore, LCO 3.9.2 to fail to be met. Therefore, prior to commencing CRD removal, a control rod withdrawal block is required to be inserted to ensure that no additional control rods can be withdrawn and that compliance with this Special Operations LCO is maintained. To back up the refueling interlocks (LCO 3.9.2) or the control rod withdrawal block, the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by the Special Operations LCO requirements in Item c.1. Alternatively, when the scram (continued) PBAPS UlNIT 3 B 3.10-15 Revision ND. 0
Single Control Rod Withdrawal-Cold Shutdown B 3.10.4 BASES LCO function is not OPERABLE, or when the CRD is to be removed, (continued) a sufficient number of rods in the vicinity of the withdrawn control rod are required to be inserted and made incapable of withdrawal (Item c.2). This precludes the possibility of criticality upon withdrawal of this control rod. Also, once this alternate (Item c.2) is completed, the SDM requirement to account for both the withdrawn untrippable (inoperable) control rod, and the highest worth control rod may be changed to allow the withdrawn untrippable (inoperable) control rod to be the single highest worth control rod. APPLI(ABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, or this Special Operations LCO, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position. During these conditions, the full insertion requirements for all other control rods, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4), and scram functions (LCO 3.3.1.1, 'Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY-Refueling'), or the added administrative controls in Item b.2 and Item c.2 of this Special Operations LCO, provide mitigation of potential reactivity excursions. ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 4. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that zire not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO. Icontinued) PBAPS UNIT 3 B 3.10-16 Revision No. 0
Single Control Rod Withdrawal-Cold Shutdown B 3.10.4 BASES ACTIONS A.I. A.2.1. and A.2.2 (continued) If one or more of the requirements of this Special Operations LCO are not met with the affected control rod insertable, these Required Actions restore operation consistent with normal MODE 4 conditions (i.e., all rods inserted) or with the exceptions allowed in this Specialr Operations LCO. Required Action A.1 has been modified by a Note that clarifies that the intent of any other LCO's Required Action is to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added to Required Action A.1 to clarify that this Required Action is only applicable if the requirements not met are for an affected LCO. Required Actions A.2.1 and A.2.2 are specified, based on the assumption that the control rod is being withdrawn. If the control rod is still insertable, actions must be immediately initiated to fully insert all insertable control rods and within 1 hour place the reactor mode switch in the shutdown position. Actions must continue until all such control rods are fully inserted. The allowed Completion Time of 1 Four for placing the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods. B.I. B.2.1. and B.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod not insertable, withdrawal of the control rod and removal of the associated CRD must be immediately suspended. If the CRD has been removed, *such that the control rod is not insertable, the Required Actions require the most expeditious action be taken to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO. (continued) PBAPS UNIT 3 B 3.10-17 Revision No. 0
Single Control Rod Withdrawal -Cold Shutdown B 3.10.4 BASES (continued) SURVEILLANCE SR 3.10.4.1. SR 3.10.4.2. SR 3.10.4.3. and SR 3.1(1.4.4 REQUIREMENTS The other LCOs made applicable by this Special Operations LCO are required to have their associated surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification is required to ensure that the possibility of criticality remains precluded. Verification that all the other control rods are fully inserted is required to meet the SDM requirements. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the affected control rod. The 24 hour Frequency is acceptable because of the administrative controls on control rod withdrawal;, the protection afforded by the LCOs involved, and hardwire interlocks to preclude an additional control rod withdrawal. SR 3.10.4.2 and SR 3.10.4.4 have been modified by Notes, which clarify that these SRs are not required to be met if the alternative requirements demonstrated by SR 3.10.A.1 are satisfied. REFERENCES 1. UFSAR, Section 7.6.4.
- 2. UFSAR, Section 14.5.3.3.
PBAPS UNIT 3 B 3.10-18 Revision No. 0
Single CRD Removal-Refueling B 3.10.5 B 3.10 SPECIAL OPERATIONS B 3.10.5 Single Control Rod Drive (CRD) Removal-Refueling BASES
= .=
BACKG1ROUND The purpose of this MODE 5 Special Operations LCO is to permit the removal of a single CRD during refueling operations by imposing certain administrative controls. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. The refueling interlocks use the "full-in' position indicators to determine the position of all control rods. If the 'full-in' position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod. The control rod scram function provides backup protection in the event normal refueling procedures, and the refueling interlocks described above fail to prevent inadvertent criticalities during refueling. The requirement for this function to be OPERABLE precludes the possibility of removing the CRD once a control rod is withdrawn from a core cell containing one or more fuel assemblies. This Special - Operations LCO provides controls sufficient to ensure the possibility of an inadvertent criticality is precluded, while allowing a single CRD to be removed from a core cell containing one or more fuel assemblies. The removal cf the CRD involves disconnecting the position indication probe, which causes noncompliance with LCO 3.9.4, "Control Rod Position Indication,' and, therefore, LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, 'Refueling Position One-Rod-Out Interlock." The CRD removal also requires isolation of the CRD from the CRD Hydraulic System, thereby causing inoperability of the control rod (LCO 3.9.5, "Control Rod OPERABILITY-Refueling"). (continued) PBAPS UNIT 3 B 3.10-19 Revision ND. 0
Single CRD Removal -Refueling B :3.10.5 BASES (continued) APPLICABLE With the reactor mode switch in the refuel position, the SAFETY ANALYSES analyses for control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied, these analyses will bound the consequences of accidents. Explicit safety analyses in the UFSAR (Refs. 1 and 2) demonstrate that proper operation of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement to suspend all CORE: ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). The control rod scram function provides backup protection to normal refueling procedures and the refueling interlo:ks, which prevent inadvertent criticalities during refueling. Since the scram function and refueling interlocks may be suspended, alternate backup protection required by this Special Operations LCO is obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and are incapable of being withdrawn, and all other control rods are inserted and incapable of being withdrawn (by insertion of a control rod block). As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. (continued) PBAPS UJNIT 3 B 3.10-20 Revision No. 0
Single CRD Removal -Refueling B 3.10.5 BASES (continued) LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with any of the following LCOs, LCO 3.3.1.1, "Reactor Protection system (RPS) Instrumentation," LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, or LCO 3.9.5 not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. However, if a single CRD removal from a core cell containing one or more fuel assemblies is desired in MODE 5, controls consistent with those required by LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 must be implemented, and this Special Operations LCO applied. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement to suspend all CORE ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). Ensuring that the five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal adequately satisfies the backup protection that LCO 3.3.1.1 and LCO 3.9.2 would have otherwise provided. Also, once these requirements (Items a, b, and c) are completed, the SDM requirement to account for both the withdrawn untrippable (inoperable) control rod and the highest worth control rod may be changed to allow the withdrawn untrippable (inoperable) control rod to be the single highest worth control rod. APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The allowance to comply with this Special Operations LCO in lieu of the ACTIONS of LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.], LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 is appropriately controlled with the additional administrative controls required by this Special Operations LCO, which reduce, the potential for reactivity excursions. (continued) PBAPS UNIT 3 B 3.10-21 Revision Noo. 0
Single CRD Removal -Refueling B 3.10.5 BASES (continued) ACTIONS A.1. A.2.1. and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for failure to meet LCO 3.3.1.1, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 (i.e., all control rods inserted) or with the allowances of this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2.1, and Required Action A.2.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either-initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO. Actions must continue until either Required Action A.2.1 or Required Action A.2.2 is satisfied. SURVEILLANCE SR 3.10.5.1. SR 3.10.5.2. SR 3.10.5.3. SR 3.10.5.4.L REQUIREMENTS and SR 3.10.5.5 Verification that all the control rods, other than the control rod withdrawn for the removal of the associated CRD,. are fully inserted is required to ensure the SDM is within limits. Verification that the local five by five array of control rods, other than the control rod withdrawn for removal of the associated CRD, is inserted and disarmed, while the scram function for the withdrawn rod is not available, is required to ensure that the possibility of criticality remains precluded. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the withdrawn control rod. The Surveillance for LCO 3.1.1, which is made applicable by this Special Operations LCO, is required in order to establish that this Special Operations LCO is being met. Verification that no other CORE ALTERATIONS are being made is required to ensure the assumptions of the safety analysis are satisfied. Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The 24 hour Frequency is acceptable, given the administrative controls on control rod removal and hardwire interlock to block an additional control rod withdrawal. (continued) PBAPS UNIT 3 B 3.10-22 Revision No. 0
Single CRD Removal-Reftieling B :3.10.5 BASES (continued) REFERENCES 1. UFSAR, Section 7.6.4.
- 2. UFSAR, Section 14.5.3.3.
PBAPS UNIT 3 B 3.10-23 Revision No. 0
Multiple Control Rod Withdrawal-Refueling B 3.10.6 B 3.10 SPECIAL OPERATIONS - B 3.10.6 Multiple Control Rod Withdrawal -Refueling BASES _..--=.,. BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing cne or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rod may be withdrawn with no restrictions. Any number of control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel. The refueling interlocks use the 'full-in' position indicators to determine the position of all control rods. If the "full-in* position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rDd-out interlock will not allow the withdrawal of a second control rod. To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypassing the "full-in' position indicators. APPLICABLE Explicit safety analyses in the UFSAR (Refs. 1, 2, and 3) SAFETY ANALYSES demonstrate that the functioning of the refueling interlocks and adequate SDM will prevent unacceptable reactivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the "full in'position indication is allowed to be bypassed for each withdrawn control rod if all fuel has been removed from the cell. With no fuel assemblies in the core cell, the (continued) PBAPS UNIT 3 B 3.-10-24 Revision No. 0
Multiple Control Rod Withdrawal -Refueling B 3.10.6
) > BASES APPLICABLE associated control rod has no reactivity control function SAFETY ANALYSES and is not required to remain inserted. - Prior to reloading (continued) fuel into the cell, however, the associated control rod must be inserted to ensure that an inadvertent criticality dces not occur, as evaluated in the Reference 3 analysis.
As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy. Statement apply. Special Operations LCO:; provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in-their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with either LCO 3.9.3, 'Control Rod Position,* LCO 3.9.4, 'Control Rod Position Indication," or LCO 3.9.5, 'Control Rod OPERABILITY-Refueling," not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. If multiple control rod withdrawal or removal, or CRD removal J isdesired, all four fuel assemblies are required to be removed from the associated cells. Prior to entering this LCO, any fuel remaining in a cell whose CRD was previously removed under the provisions of another LCO must be removed.
"Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod.
When fuel is loaded into the core with multiple control rods withdrawn, special modified quadrant spiral reload sequences are used to ensure that reactivity additions are minimized. Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence). Otherwise, all control rods must be fully inserted before loading fuel. (continued) PBAPS UNIT 3 B 3.10-25 Revision No. 0
Multiple Control Rod Withdrawal -Refueling B 3.10.6 BASES (continued) APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The exceptions from other LCO requirements (e.g., the ACTIO1lS of LCO 3.9.3, LCO 3.9.4, or LCO 3.9.5) allowed by this Special Operations LCO are appropriately controlled by requiring all fuel to be removed from cells whose 'full-in' indicator; are allowed to be bypassed. ACTIONS A.1. A.2. A.3.1. and A.3.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for refueling (i.e., all control rods inserted in core cells containing one or more fuel assemblies) or with the exceptions granted by this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2, Required Action A.3.1, and Required Action A.3.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the affected CRDs and insert their control rods, or initiate action to restore compliance with this Special Operations LCO. SURVEILLANCE SR 3.10.6.1. SR 3.10.6.2. and SR 3.10.6.3 REQUIREMENTS Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The 24 hour Frequency is acceptable, given the administrative controls on fuel assembly and control rod removal, and takes into account other indications of control rod status available in the control room. REFERENCES 1. UFSAR, Section 7.6.4.
- 2. UFSAR, Section 14.5.3.3.
- 3. UFSAR, Section 14.5.3.4.
= .........
PBAPS UNIT 3 B 3.10-26 Revision H4o. 0
Control Rod Testing-Operating B 3.10.7 B 3.10 SPECIAL OPERATIONS Carl#11
.B 3.10.7 Control Rod Testing-Operating BASES BACKGROUND The purpose of this Special Operations LCO is to permit control rod testing, while in MODES I and 2, by imposing certain administrative controls. Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), such that only the specified control rod sequences and relative positions required by LCO 3.1.6, 'Rod Pattern Control," are allowed over the operating range from all control rods inserted to the low power setpoint (LPSP) of the RWM.. The sequences effectively limit the potential amount and rate of reactivity increase that could occur during a control rod drop accident (CRDA).
During these conditions, control rod testing is sometimes required that may result in control rod patterns not in compliance with the prescribed sequences of LCO 3.1.6. These tests include SDM demonstrations, control rod scramn time testing, control rod friction testing, and testing performed during the Startup Test Program. This Special Operations LCO provides the necessary exemption to the requirements of LCO 3.1.6 and provides additional administrative controls to allow the deviations in such tests from the prescribed sequences in LCO 3.1.6. APPLICABLE The analytical methods and assumptions used in evaluating - SAFET'i ANALYSES the CRDA are summarized in References I and 2. CRDA analyses assume the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analyses. The RWM provides backup to operator control of the withdrawal sequences to ensure the initial conditions of the CRDA analyses are not violated. For special sequences developed for control rod testing, the initial control rod patterns assumed in the safety analysis of References 1 and 2 may not be preserved. Therefore special CRDA analyses are required to demonstrate that these special sequences will not result in unacceptable consequences, should a CRDA occur during the testing. These analyses, performed in accordance with an NRC approved methodology, are dependent on the specific test being performed. (continued) PBAPS WNIT 3 B 3.10-27 Revision No. 0
Control Rod Testing-Operating B 3.10.7 BASES APPLICABILITY Special Operations LCO 3.10.3, "Single Control Rod (continued) Withdrawal-Hot Shutdown," or Special Operations LCO 3.10.4, "Single Control Rod Withdrawal-Cold Shutdown," which provide adequate controls to ensure that the assumptions of the safety analyses of Reference I and 2 are satisfied. During these Special Operations and while in MODE 5, the one-rod-out interlock (LCO 3.9.2, 'Refuel Position One-Rod-Out Interlock,") and scram functions (LCO 3.3.1.1,
'Reactor Protection System (RPS) Instrumentation,' and LCO 3.9.5, 'Control Rod OPERABILITY-Refueling"), or the added administrative controls prescribed in the applicable Special Operations LCOs, provide mitigation of potential reactivity excursions.
ACTIONS A.N With the requirements of the LCO not met (e.g., the control rod pattern is not in compliance with the special test sequence, the sequence is improperly loaded in the RWMP) the testing is required to be immediately suspended. Upon suspension of the special test, the provisions of LCO :3.1.6 are no longer excepted, and appropriate actions are to be taken to restore the control rod sequence to the prescribed sequence of LCO 3.1.6, or to shut down the reactor, if required by LCO 3.1.6. SURVEILLANCE SR 3.10.7.1 REQUIREMENTS With the special test sequence not programmed into the RWM, a second licensed operator or other qualified member of the technical staff (i.e., personnel trained in accordance with an approved training program for this test) is required to verify conformance with the approved sequence for the test. This verification must be performed during control rod movement to prevent deviations from the specified sequence. A Note is added to indicate that this Surveillance does not need to be met if SR 3.10.7.2 is satisfied. (conti nued) PBAPS UNIT 3 B 3.10-29 Revision No. 0
Control Rod Testing-Operating B 3.10.7 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special SAFETY ANALYSES Operations LCOs is optional, and therefore, no criteria of (continued) the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCC's is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Control rod testing may (e performed in compliance with the prescribed sequences of LCO 3.1.6, and during these tests, no exceptions to the requirements of LCO 3.1.6 are necessary. For testing performed with a sequence not in compliance with LCO 3.1.6, the requirements of LCO 3.1.6 may be suspended, provided additional administrative controls are placed on the test to ensure that the assumptions of the special safety analysis for the test sequence are satisfied. Assurances that the test sequence is followed can be provided by either programming the test sequence into the RWM, with conformance verified as specified in SR 3.3.2.1.8 and allowing than RWM to monitor control rod withdrawal and provide appropriate control rod blocks if necessary, or by verifying conformance to the approved test sequence by a second licensed operator or other qualified member of the technical staff. These controls are consistent with those normally applied to operation in the startup range as defined in the SRs and ACTIONS of LCO 3.3.2.1, Control Rod Block-Instrumentation." APPLICABILITY Control rod testing, while in MODES 1 and 2, with THERMAL POWER greater than 10% RTP, is adequately controlled by the existing LCOs on power distribution limits and control rod block instrumentation. Control rod movement during these conditions is not restricted to prescribed sequences and can be performed within the constraints of LCO 3.2.1, 'AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR),* LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR),' and LCO 3.3.2.1. With THERMAL POWER less than or equal to 10% RTP, the provisions of this Special Operations LCO are necessary to perform special tests that are not in conformance with the prescribed sequences of LCO 3.1.6. While in MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with lcorntinued) PBAPS UNIT 3 B 3.10-28 Revision 14o. 0
Control Rod Testing-Operating B 8.10.7 BASES SURVEILLANCE SR 3.10.7.2 REQUIREMENTS (continued) When the RWM provides conformance to the special test sequence, the test sequence must be verified to be correctly loaded into the RWM prior to control rod movement. This Surveillance demonstrates compliance with SR 3.3.2.1.8, thereby demonstrating that the RWM is OPERABLE. A Note has been added to indicate that this Surveillance does not need to be met if SR 3.10.7.1 is satisfied. REFERENCES 1. NEDE-24011-P-A-US, General Electric Standard Application for Reactor Fuel, Supplement for United States, February 1991.
- 2. Letter from T. Pickens (BWROG) to G.C. Lainas (NRC)
"Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," August 15, 1986.
PBAPS UNIT 3 B 3.10-30 Revision No. 0
SDM Test- Refueling B 3.10.8 B 3.10 SPECIAL OPERATIONS B 3.10.8 SHUTDOWN MARGIN (SDM) Test- Refueling BASES m BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit SDM testing to be performed for those plant configurations in which the reactor pressure vessel (RPV) head is either not in place or the head bolts are not fully tensioned. LCO 3.1.1, 'SHUTDOWN MARGIN (SDM)," requires that adequate SDM be demonstrated following fuel movements or control rod replacement within the RPV. The demonstration must be performed prior to or within 4 hours after criticality is reached. This SDM test may be performed prior to or during the first startup following the refueling. Performing the SDM test prior to startup requires the test to be performed while in MODE 5, with the vessel head bolts less than fully tensioned (and possibly with the vessel head removed). While in MODE 5, the reactor mode switch is required to be in the shutdown or refuel position, where the applicable control rod blocks ensure that the reactor will not become critical. The SDM test requires the reactor mode switch to be in the startup/hot standby position, since more than one control rod will be withdrawn for the purpose of demonstrating adequate SDM. This Special Operations LCO provides the appropriate additional controls to allow withdrawing more than one control rod from a core cell containing one or more fuel assemblies when the reactor vessel head bolts are less than fully tensioned. APPLICABLE Prevention and mitigation of unacceptable reactivity SAFETY ANALYSES excursions during control rod withdrawal, with the reactor mode switch in the startup/hot standby position while in MODE 5, is provided by the wide range neutron monitor (WRNM) period-short scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"), and control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation"). The limiting reactivity excursion during startup conditions while in MODE 5 is the control rod drop accident (CRDA). (continued) PBAPS UNIT 3 B 3.10-31 Revision No. 17
SDM Test - Refueling B 3.10.8 BASES APPLICABLE CRDA analyses assume that the reactor operator follows SAFETY ANALYSES prescribed withdrawal sequences. For SDM tests performed (continued) within these defined sequences, the analyses of References 1 and 2 are applicable. However, for some sequences developed for the SDM testing, the control rod patterns assumed in the safety analyses of References 1 and 2 may not be met. Therefore, special CRDA analyses, performed in accordance with an NRC approved methodology, are required to demonstrate the SDM test sequence will not result in unacceptable consequences should a CRDA occur during the testing. For the purpose of this test, the protection provided by the normally required MODE 5 applicable LCOs, in addition to the requirements of this LCO, will maintain normal test operations as well as postulated accidents within the bounds of the appropriate safety analyses (Refs. 1 and 2). In addition to the added requirements for the RWM, WRNM, APRM, and control rod coupling, the notch out mode is specified for out of sequence withdrawals. Requiring the notch out mode limits withdrawal steps to a single notch, which limits inserted reactivity, and allows adequate monitoring of changes in neutron flux, which may occur during the test. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. SDM tests may be performed while in MODE 2, in accordance with Table 1.1-1, without meeting this Special Operations LCO or its ACTIONS. 1For SDM tests performed while in MODE 5, additional requirements must be met to ensure that adequate protection against potential reactivity excursions is available. To provide additional scram protection beyond the normally required WRNMs, the APRMs are also required to be OPERABLE (LCO) 3.3.1.1, Functions 2a, 2.d and 2e) as though the reactor were in MODE 2. Because multiple control rods will be withdrawn and the reactor will potentially become critical, the approved control rod withdrawal sequence must be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2), or must be verified by a
~conti nued)
PBAPS UNIT 3 B 3.10-32 Revision No. 30
SDM Test-Refueling B 3.10.8 BASES; LCO second licensed operator or other qualified member of the (continued) technical staff. To provide additional protection against an inadvertent criticality, control rod withdrawals that do not conform to the banked position withdrawal sequence specified in LCO 3.1.6, "Rod Pattern Control,' (i.e., out of sequence control rod withdrawals) must be made in the individual notched withdrawal mode to minimize the potential reactivity insertion associated with each movement. Coupling integrity of withdrawn control rods is require~d to minimize the probability of a CRDA and ensure proper functioning of the withdrawn control rods, if they are required to scram. Because the reactor vessel head may be removed during these tests, no other CORE ALTERATIONS may be in progress. Furthermore, since the control rod scram function with the RCS at atmospheric pressure relies solely on the CRD accumulator, it is essential that the CRD charging water header remain pressurized. This Special Operations LCO then allows changing the Table 1.1-1 reactor mode switch position requirements to include the startup/hot standby position, such that the SDM tests may be performed while in MODE 5. APPLICABILITY These SDM test Special Operations requirements are only applicable if the SDM tests are to be performed while in MODE 5 with the reactor vessel head removed or the head bolts not fully tensioned. Additional requirements during these tests to enforce control rod withdrawal sequences and restrict other CORE ALTERATIONS provide protection against potential reactivity excursions. Operations in all other MODES are unaffected by this LCO. ACTIONS A.1 and A.2 With one or more control rods discovered uncoupled during this Special Operation, a controlled insertion of each uncoupled control rod is required; either to attempt recoupling, or to preclude a control rod drop. This controlled insertion is preferred since, if the control rod fails to follow the drive as it is withdrawn (i.e., is "stuck" in an inserted position), placing the reactor mode switch in the shutdown position per Required Action B.1 could cause substantial secondary damage. If recoupling is not accomplished, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a (continued) PBAPS UNIT 3 B 3.10-33 Revision ND. 0
SDM Test-Refueling B 3.10.8 BASES ACTIONS A.1 and A.2 (continued) control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. Required Action A.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1, 'Control Rod Block Instrumentation,' ACTIDNS provide additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems. Condition A is modified by a Note allowing separate Condition entry for each uncoupled control rod. This is, acceptable since the Required Actions for this Condition provide appropriate compensatory actions for each uncoupled control rod. Complying with the Required Actions-may allow for continued operation. Subsequent uncoupled control rods are governed by subsequent entry into the Condition and application of the Required Actions. B.1 With one or more of the requirements of this LCO not viet for reasons other than an uncoupled control rod, the testing should be immediately stopped by placing the reactor mode switch in the shutdown or refuel position. This results in a condition that is consistent with the requirements for MODE 5 sphere the provisions of this Special Operations LCO are no longer required. (continued) PBAPS UNIT 3 B 3.10-34 Revision No. 0
SDM Test -Refueling B 3.10.8 BASES (continued) SUFVEILLANCE SR 3.10.8.1. SR 3.10.8.2. and SR 3.10.8.3 REQUIREMENTS LCO 3.3.1.1, Functions 2a, 2.d and 2e, made applicable in this Special Operations L-CO, are required to have their Surveillances met to establish that this Special Operations LCO is being met. However, the control rod withdrawal sequences during the SDM tests may be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2 requirements) or by a second licensed operator or other qualified member of the technical staff. As noted, either the applicable SRs for the RWM (LCO 3.3.2.1) must be satisfied according to the applicable Frequencies (SR 3.10.8.2), or the proper mDvement of control rods must be verified (SR 3.10.8.3). This latter verification (i.e., SR 3.10.8.3) must be performed during control rod movement to prevent deviations from the specified sequence. These surveillances provide adequate assurance that the specified test sequence is being followed. SR 3.10.8.4 Periodic verification of the administrative controls established by this LCO will ensure that the reactor is operated within the bounds of the safety analysis. The 12 hour Frequency is intended to provide appropriate assurance that each operating shift is aware of and verifies compliance with these Special Operations LCO requirements. SR 3.10.8.5 Coupling verification is performed to ensure the control rod is connected to the control rod drive mechanism and will perform its intended function when necessary. The verification is required to be performed any time a control rod is withdrawn to the "full out" notch position, or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved as well as operating experience related to uncoupling events. (continued) PBAPS UNIT 3 B 3.10-35 Revision No. 30
SDM Test - Refueling B 3.10.8 BASES SURVEILLANCE SR 3.10.8.6 REQUIREMENTS (continued) CRD charging water header pressure verification is performed to ensure the motive force is available to scram the control rods in the event of a scram signal. Since the reactor is depressurized in MODE 5, there is insufficient reactor pressure to scram the control rods. Verification of charging water header pressure ensures that if a scram were required, capability for rapid control rod insertion would I exist. The minimum pressure of 940 psig is well below the expected pressure of approximately 1450 psig while still ensuring sufficient pressure for rapid control rod insertion. The 7 day Frequency has been shown to be acceptable through operating experience and takes into account indications available in the control room. REFERENCES 1. NEDE-24011-P-A-US, General Electric Standard Application for Reactor Fuel, Supplement for United States, February 1991.
- 2. Letter from T. Pickens (BWROG) to G.C. Lainas, NRC, "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A,m August 15, 1986.
PBAP-S UNIT 3 B 3.10-36 Revision No. 2}}