ML18312A077
| ML18312A077 | |
| Person / Time | |
|---|---|
| Site: | Farley  |
| Issue date: | 10/30/2018 |
| From: | Southern Nuclear Operating Co |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML18312A093 | List: |
| References | |
| NL-18-1299 | |
| Download: ML18312A077 (727) | |
Text
Bases
Joseph M. Farley Nuclear Plant
Units 1 and 2
Related to:
Docket Nos. 50-348 and 50-364
Appendix A to
NOTE The Bases contained in the succeeding pages summarize the reasons for the associated Specifications but, in accordance with 10 CFR 50.36, are not a part of the Technical Specifications.
Changes to the Bases are controlled by the Technical Specifications (TS) Bases Control Program, 5.5.14, in the Administrative Controls section of the Technical Specifications.
TABLE OF CONTENTS
Farley Units 1 and 2 iii Revision 43 B 3.7.4 Atmospheric Relief Valves (ARVs)..............................................B 3.7.4-1 B 3.7.5 Auxiliary Feedwater (AFW) System.............................................B 3.7.5-1 B 3.7.6 Condensate Storage Tank (CST)................................................B 3.7.6-1 B 3.7.7 Component Cooling Water (CCW) System.................................B 3.7.7-1 B 3.7.8 Service Water System (SWS)......................................................B 3.7.8-1 B 3.7.9 Ultimate Heat Sink (UHS)............................................................B 3.7.9-1 B 3.7.10 Control Room Emergency Filtration/Pressurization System (CREFS)...................................................................B 3.7.10-1 B 3.7.11 Control Room Air Conditioning System (CRACS)...................................................................B 3.7.11-1 B 3.7.12 Penetration Room Filtration (PRF) System.................................B 3.7.12-1 B 3.7.13 Fuel Storage Pool Water Level....................................................B 3.7.13-1 B 3.7.14 Fuel Storage Pool Boron Concentration......................................B 3.7.14-1 B 3.7.15 Spent Fuel Assembly Storage.....................................................B 3.7.15-1 B 3.7.16 Secondary Specific Activity..........................................................B 3.7.16-1 B 3.7.17 Cask Storage Area Boron Concentration-Cask.......................B 3.7.17-1 Loading Operations B 3.7.18 Spent Fuel Assembly Storage-Cask Loading Operations........B 3.7.18-1 B 3.7.19 Engineered Safety Feature (ESF) Room Coolers.......................B 3.7.19-1
B 3.8 ELECTRICAL POWER SYSTEMS......................................................B 3.8.1-1 B 3.8.1 AC Sources-Operating.............................................................B 3.8.1-1 B 3.8.2 AC Sources-Shutdown.............................................................B 3.8.2-1 B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air...................................B 3.8.3-1 B 3.8.4 DC Sources-Operating.............................................................B 3.8.4-1 B 3.8.5 DC Sources-Shutdown.............................................................B 3.8.5-1 B 3.8.6 Battery Cell Parameters...............................................................B 3.8.6-1 B 3.8.7 Inverters-Operating..................................................................B 3.8.7-1 B 3.8.8 Inverters-Shutdown..................................................................B 3.8.8-1 B 3.8.9 Distribution Systems-Operating...............................................B 3.8.9-1 B 3.8.10 Distribution Systems-Shutdown...............................................B 3.8.10-1
B 3.9 REFUELING OPERATIONS................................................................B 3.9.1-1 B 3.9.1 Boron Concentration....................................................................B 3.9.1-1 B 3.9.2 Nuclear Instrumentation...............................................................B 3.9.2-1 B 3.9.3 Containment Penetrations...........................................................B 3.9.3-1 B 3.9.4 Residual Heat Removal (RHR) and Coolant Circulation-High Water Level.............................................B 3.9.4-1 B 3.9.5 Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level..............................................B 3.9.5-1 B 3.9.6 Refueling Cavity Water Level......................................................B 3.9.6-1
Reactor Core SLs B 2.1.1 Farley Units 1 and 2 B 2.1.1-1 Revision 0 B 2.0 SAFETY LIMITS (SLs)
B 2.1.1 Reactor Core SLs
BASES BACKGROUND GDC 10 (Ref. 1) requires that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). This is accomplished by having a departure from nucleate boiling (DNB) design basis, which corresponds to a 95% probability at a 95%
confidence level (the 95/95 DNB criterion) that DNB will not occur on the limiting fuel rod and by requiring that fuel centerline temperature
stays below the melting temperature.
The restrictions of this SL prevent overheating of the fuel and cladding, as well as possible cladding perforation, that would result in the release of fission products to the reactor coolant. Overheating of the fuel is prevented by maintaining the steady state peak linear heat rate (LHR) below the level at which fuel centerline melting occurs. Overheating of the fuel cladding is prevented by restricting fuel operation to within the nucleate boiling regime, where the heat transfer coefficient is large and the cladding surface temperature is slightly above the coolant saturation temperature.
Fuel centerline melting occurs when the local LHR, or power peaking, in a region of the fuel is high enough to cause the fuel centerline temperature to reach the melting point of the fuel. Expansion of the pellet upon centerline melting may cause the pellet to stress the cladding to the point of failure, allowing an uncontrolled release of activity to the reactor coolant.
Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of DNB and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding to a structurally weaker form. This weaker form may lose its integrity, resulting in an uncontrolled release of activity to the reactor coolant.
The proper functioning of the Reactor Protection System (RPS) and main steam safety valves prevents violation of the reactor core SLs.
Reactor Core SLs B 2.1.1 Farley Units 1 and 2 B 2.1.1-2 Revision 10BASES APPLICABLE The fuel cladding must not sustain damage as a result of normal SAFETY ANALYSES operation and AOOs. The reactor core SLs are established to preclude violation of the following fuel design criteria:
- a. There must be at least 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hottest fuel rod in the core does not experience DNB; and
- b. The hottest fuel pellet in the core must not experience centerline fuel melting.
In meeting the DNB design criterion, uncertainties in plant operating parameters, nuclear and thermal parameters, fuel fabrication parameters, and computer codes must be considered. As described in the FSAR, the effects of these uncertainties have been statistically combined with the correlation uncertainty to determine design limit DNBR values that satisfy the DNB design criterion.
Additional DNBR margin is maintained by performing the safety analyses to a higher DNB limit. This margin between the design and
safety analysis limit DNBR values is used to offset known DNBR penalties (e.g., rod bow and transition core) and to provide DNBR margin for operating and design flexibility.
The Reactor Trip System Functions (Ref. 2), in combination with all the LCOs, are designed to prevent any anticipated combination of transient conditions (i.e., resulting from a Condition I or II event) for Reactor Coolant System (RCS) temperature, pressure, and THERMAL POWER level that would result in a departure from nucleate boiling ratio (DNBR) of less than the DNBR limit and preclude the existence of flow instabilities.
Automatic enforcement of these reactor core SLs is provided by appropriate operation of the RPS and the steam generator safety valves.
The SLs represent a design requirement for establishing the RPS trip setpoints identified previously. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits," or the assumed initial conditions of the safety analyses provide more restrictive limits to ensure that the SLs are not
exceeded.
(continued)
Reactor Core SLs B 2.1.1 Farley Units 1 and 2 B 2.1.1-3 Revision 10 BASES SAFETY LIMITS The reactor core SLs are established to preclude violation of the following fuel design criteria:
- a. There must be at least 95% probability at a 95% confidence level (the 95/95 DNB criterion) that the hottest fuel rod in the core does not experience DNB; and
- b. The hottest fuel pellet in the core must not experience centerline fuel melting.
The reactor core SLs are used to define the various RPS functions such that the above criteria are satisfied during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). To ensure that the RPS precludes the violation of the above criteria, additional criteria are applied to the Overtemperature and Overpower reactor trip functions. That is, it must be demonstrated that the average enthalpy in the hot leg is less than or equal to the saturation enthalpy and the core exit quality is within the limits defined by the DNBR correlation. Appropriate functioning of the RPS ensures that for variations in the THERMAL POWER, RCS pressure, RCS average temperature, RCS flow rate, and that the reactor core SLs will be satisfied during steady state operations, normal operational transients, and AOOs.
APPLICABILITY SL 2.1.1 only applies in MODES 1 and 2 because these are the only MODES in which the reactor is critical. Automatic protection functions are required to be OPERABLE during MODES 1 and 2 to ensure operation within the reactor core SLs. The main steam safety valves or automatic protection actions serve to prevent RCS heatup to the reactor core SL conditions or to initiate a reactor trip function, which forces the unit into MODE 3. Setpoints for the reactor trip functions are specified in LCO 3.3.1, "Reactor Trip System (RTS)
Instrumentation." In MODES 3, 4, 5, and 6, Applicability is not required since the reactor is not generating significant THERMAL POWER.
SAFETY LIMIT If SL 2.1.1 is violated, the requirement to go to MODE 3 places the VIOLATIONS unit in a MODE in which this SL is not applicable.
The allowed Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> recognizes the importance of bringing the unit to a MODE of operation where this SL is not applicable, and reduces the probability of fuel damage.
Reactor Core SLs B 2.1.1 Farley Units 1 and 2 B 2.1.1-4 Revision 10BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.
- 2. FSAR, Section 7.2.
RCS Pressure SL B 2.1.2 Farley Units 1 and 2 B 2.1.2-2 Revision 0 BASES APPLICABLE The RCS pressurizer safety va lves are sized to prevent system SAFETY ANALYSES pressure from exceeding the design pressure by more than 10%, as (continued) specified in Section III of the ASME Code for Nuclear Power Plant Components (Ref. 2). The transient that establishes the required
relief capacity, and hence valve size requirements and lift settings, is
a complete loss of external load without a direct reactor trip. During
the transient, no control actions are assumed, except that the safety
valves on the secondary plant are assumed to open when the steam
pressure reaches the secondary plant safety valve settings.
The Reactor Trip System Functions (Ref. 5), together with the settings of the MSSVs, provide pressure protection for normal operation and
AOOs. The reactor high pressure trip setpoint is specifically set to
provide protection against overpressurization (Ref. 5). The safety
analyses for both the high pressure trip and the RCS pressurizer
safety valves are performed using conservative assumptions relative
to pressure control devices.
More specifically, no credit is taken for operation of the following:
- a. Pressurizer power operated relief valves (PORVs);
- b. Steam line atmospheric relief valves;
- c. Steam Dump System;
- d. Reactor Control System;
- e. Pressurizer Level Control System; or
- f. Pressurizer spray valve.
SAFETY LIMITS The maximum transient pressure allowed in the RCS pressure vessel pressurizer, and RCS piping and fittings under the ASME Code, Section III, is 110% of design pressure. Therefore, the SL on
maximum allowable RCS pressure is 2735 psig.
APPLICABILITY SL 2.1.2 applies in MODES 1, 2, 3, 4, and 5 because this SL could be approached or exceeded in these MODES due to overpressurization
events. The SL is not applicable in MODE 6 because the reactor
vessel head closure bolts are not fully tightened, making it unlikely
that the RCS can be pressurized.
LCO Applicability B 3.0 Farley Units 1 and 2 B 3.0-2 Revision 0 BASES LCO 3.0.2 restricted by the Completion Time. In this case, compliance with the (continued) Required Actions provides an acceptable level of safety for continued operation.
Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications.
The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits."
The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems.
Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Additionally, if intentional entry into ACTIONS would result in redundant equipment being inoperable, alternatives should be used instead. Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time conditions exist which may result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.
When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable, and the ACTIONS Condition(s) are entered.
SDM B 3.1.1 Farley Units 1 and 2 B 3.1.1-1 Revision 0 B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.1 SHUTDOWN MARGIN (SDM)
BASES
BACKGROUND According to GDC 26 (Ref. 1), t he reactivity control systems must be redundant and capable of holding the reactor core subcritical when
shut down under cold conditions. Maintenance of the SDM ensures
that postulated reactivity events will not damage the fuel.
SDM requirements provide sufficient reactivity margin to ensure that
acceptable fuel design limits will not be exceeded for normal
shutdown and anticipated operational occurrences (AOOs). As such, the SDM defines the degree of subcriticality that would be obtained
immediately following the insertion or trip of all shutdown and control
rods, assuming that the single rod cluster assembly of highest
reactivity worth is fully withdrawn.
The system design requires that two independent reactivity control
systems be provided, and that one of these systems be capable of maintaining the core subcritical under cold conditions. These
requirements are provided by the use of movable control assemblies
and soluble boric acid in the Reactor Coolant System (RCS). The
Rod Control System can compensate for the reactivity effects of the
fuel and water temperature changes accompanying power level
changes over the range from full load to no load. In addition, the Rod
Control System, together with the boration system, provides the SDM during power operation and is capable of making the core subcritical
rapidly enough to prevent exceeding acceptable fuel damage limits, assuming that the rod of highest reactivity worth remains fully
withdrawn. The Chemical and Volume Control System can control the
soluble boron concentration to compensate for fuel depletion during
operation and all xenon burnout reactivity changes and can maintain
the reactor subcritical under cold conditions.
During power operation, SDM control is ensured by operating with the
shutdown banks fully withdrawn and the control banks within the limits
of LCO 3.1.6, "Control Bank Insertion Limits." When the unit is in the
shutdown and refueling modes, the SDM requirements are met by
means of adjustments to the RCS boron concentration.
SDM B 3.1.1 Farley Units 1 and 2 B 3.1.1-2 Revision 0 BASES APPLICABLE The minimum required SDM is assumed as an initial condition in SAFETY ANALYSES safety analyses. The safety anal ysis (Ref. 2) establishes an SDM that ensures specified acceptable fuel design limits are not exceeded for
normal operation and AOOs, with the assumption of the highest worth
rod stuck out on a trip.
For MODE 5, the primary Safety Analysis that relies on the SDM limits
is the boron dilution analysis.
The acceptance criteria for the SDM requirements are that specified
acceptable fuel design limits are maintained. This is done by
ensuring that:
- a. The reactor can be made subcritical from all operating conditions, transients, and Design Basis Events;
- b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits (departure from
nucleate boiling ratio (DNBR), fuel centerline temperature limits for
AOOs, and less than 200 cal/gm, thus meeting the NRC
acceptance criteria of 280 cal/gm average fuel pellet enthalpy at the hot spot for the rod ejection accident); and
- c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition.
An Operating Procedure (Ref. 5) assures sufficient operator action
time for the mitigation of an uncontrolled boron dilution event (Ref. 3)
in MODE 5. This procedure is independent of SDM and uses the
RHR system flowrate, and the calculated critical boron concentration
to specify a minimum allowable boron concentration.
The most limiting accident for the SDM requirements is based on a
guillotine break of a main steam line (MSLB) inside containment
initiated at the end of core cycle life with RCS average temperature at
no-load operating temperature, as described in the accident analysis (Ref. 2). The increased steam flow resulting from a pipe break in the
main steam system causes an increased energy removal from the
affected steam generator (SG), and consequently the RCS. This
results in a reduction of the reactor coolant temperature. The resultant
(continued)
SDM B 3.1.1 Farley Units 1 and 2 B 3.1.1-3 Revision 0 BASES APPLICABLE coolant shrinkage causes a reduction in pressure. In the presence SAFETY ANALYSES of a negative moderator temperature coefficient, this cooldown (continued) causes an increase in core reactivity. As RCS temperature decreases, the severity of an MSLB decreases until the MODE 5
value is reached. The most limiting MSLB, with respect to potential
fuel damage before a reactor trip occurs, is a guillotine break of a
main steam line inside containment initiated at the end of core life.
The positive reactivity addition from the moderator temperature
decrease will terminate when the affected SG boils dry, thus
terminating RCS heat removal and cooldown. Following the MSLB, a
post trip return to power may occur; however, no fuel damage occurs
as a result of the post trip return to power, and that the Safety Limit (SL) requirement of SL 2.1.1 is met.
In addition to the limiting MSLB transient, the SDM requirement must also protect against:
- a. Inadvertent boron dilution; and
- b. Rod ejection.
Each of these events is discussed below.
In the boron dilution analysis (Ref. 3), the required SDM defines the reactivity difference between an initial subcritical boron concentration
and the corresponding critical boron concentration. These values, in
conjunction with the configuration of the RCS and the assumed
dilution flow rate, directly affect the results of the analysis. This event
is most limiting at the beginning of core life, when critical boron
concentrations are highest. For each cycle of operation at Farley
Nuclear Plant, the minimum boron concentrations that are required in
MODES 4 and 5 to allow 15 minutes operator action time are given in
the Nuclear Design Report for that cycle.
The ejection of a control rod rapidly adds reactivity to the reactor core, causing both the core power level and heat flux to increase with
corresponding increases in reactor coolant temperatures and
pressure. The ejection of a rod also produces a time dependent
redistribution of core power.
(continued)
SDM B 3.1.1 Farley Units 1 and 2 B 3.1.1-5 Revision 0 BASES ACTIONS A.1 (continued)
systems and components. It is assumed that boration will be continued until the SDM requirements are met.
In the determination of the required combination of boration flow rate and boron concentration, there is no unique requirement that must be satisfied. Since it is imperative to raise the boron concentration of the
RCS as soon as possible, the flowpath of choice would utilize a highly
concentrated solution, such as that normally found in the boric acid
storage tank, or the refueling water storage tank. The operator should
borate with the best source available for the plant conditions.
In determining the boration flow rate, the time in core life must be considered. For instance, the most difficult time in core life to
increase the RCS boron concentration is at the beginning of cycle
when the boron concentration may approach or exceed 2000 ppm.
For example, if the emergency boration path is used, the CVCS is
capable of inserting negative reactivity at a rate of approximately 65
pcm/min when the RCS boron concentration is 1000 ppm and
approximately 75 pcm/min when the RCS boron concentration is 100
ppm.
SURVEILLANCE SR 3.1.1.1 REQUIREMENTS
In MODES 1 and 2, SDM is verified by observing that the requirements of LCO 3.1.5 and LCO 3.1.6 are met. In the event that a
rod is known to be untrippable, however, SDM verification must
account for the worth of the untrippable rod as well as another rod of
maximum worth.
In MODES 3, 4, and 5, the SDM is verified by performing a reactivity balance calculation, considering the listed reactivity effects:
- b. Control bank position;
- c. RCS average temperature;
- d. Fuel burnup based on gross thermal energy generation;
(continued)
Core Reactivity B 3.1.2 Farley Units 1 and 2 B 3.1.2-1 Revision 0 B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.2 Core Reactivity
BASES BACKGROUND According to GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable, such that subcriticality is maintained under cold
conditions, and acceptable fuel design limits are not exceeded during
normal operation and anticipated operational occurrences. Therefore, reactivity balance is used as a measure of the predicted versus
measured core reactivity during power operation. The periodic
confirmation of core reactivity is necessary to ensure that Design
Basis Accident (DBA) and transient safety analyses remain valid. A
large reactivity difference could be the result of unanticipated changes
in fuel, control rod worth, or operation at conditions not consistent with
those assumed in the predictions of core reactivity, and could
potentially result in a loss of SDM or violation of acceptable fuel
design limits. Comparing predicted versus measured core reactivity
validates the nuclear methods used in the safety analysis and
supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN
MARGIN (SDM)") in ensuring the reactor can be brought safely to
cold, subcritical conditions.
When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison
of predicted and measured reactivity is convenient under such a
balance, since parameters are being maintained relatively stable
under steady state power conditions. The positive reactivity inherent
in the core design is balanced by the negative reactivity of the control
components, thermal feedback, neutron leakage, and materials in the
core that absorb neutrons, such as burnable absorbers producing
zero net reactivity. Excess reactivity can be inferred from the boron
letdown curve (or critical boron curve), which provides an indication of
the soluble boron concentration in the Reactor Coolant System (RCS)
versus cycle burnup. Periodic measurement of the RCS boron
concentration for comparison with the predicted value with other
variables fixed (such as rod height, temperature, pressure, and
power), provides a convenient method of ensuring that core reactivity
is within design expectations and that the calculational models used
to generate the safety analysis are adequate.
(continued)
Core Reactivity B 3.1.2 Farley Units 1 and 2 B 3.1.2-2 Revision 0 BASES BACKGROUND In order to achieve the requir ed fuel cycle energy output, the uranium (continued) enrichment, in the new fuel loading and in the fuel remaining from the
previous cycle, provides exce ss positive reactivity beyond that required to sustain steady state operation throughout the cycle.
When the reactor is critical at RTP and moderator temperature, the
excess positive reactivity is co mpensated by burnable absorbers (if any), control rods, whatever neutron poisons (mainly xenon and
samarium) are present in the fuel, and the RCS boron concentration.
When the core is producing THERMAL POWER, the fuel is being
depleted and excess reactivity is decreasing. As the fuel depletes, the RCS boron concentration is reduced to decrease negative
reactivity and maintain constant THERMAL POWER. The boron
letdown curve is based on steady state operation at RTP. Therefore, deviations from the predicted boron letdown curve may indicate
deficiencies in the design analysis, deficiencies in the calculational
models, or abnormal core conditions, and must be evaluated.
APPLICABLE The acceptance criteria for core reactivity are that the reactivity SAFETY ANALYSES balance limit ensures plant operation is maintained within the assumptions of the safety analyses.
Accurate prediction of core reactivity is either an explicit or implicit assumption in the accident analysis evaluations. Every accident
evaluation (Ref. 2) is, therefore, dependent upon accurate evaluation
of core reactivity. In particular, SDM and reactivity transients, such as
control rod withdrawal accidents or rod ejection accidents, are very
sensitive to accurate prediction of core reactivity. These accident
analysis evaluations rely on computer codes that have been qualified
against available test data, operating plant data, and analytical
benchmarks. Monitoring reactivity balance additionally ensures that
the nuclear methods provide an accurate representation of the core
reactivity.
Design calculations and safety analyses are performed for each fuel cycle for the purpose of predetermining reactivity behavior and the
RCS boron concentration requirements for reactivity control during
fuel depletion.
(continued)
Core Reactivity B 3.1.2 Farley Units 1 and 2 B 3.1.2-3 Revision 0 BASES APPLICABLE The comparison between measured and predicted initial core SAFETY ANALYSES reactivity provides a normalization for the calculational models used (continued) to predict core reactivity. If the measured and predicted RCS boron concentrations for identical core conditions at beginning of cycle life (BOL) do not agree, then the assumptions used in the reload cycle
design analysis or the calculational models used to predict soluble
boron requirements may not be accurate. If reasonable agreement
between measured and predicted core reactivity exists at BOL, then
the prediction may be normalized to the measured boron
concentration. Thereafter, any significant deviations in the measured
boron concentration from the predicted boron letdown curve that
develop during fuel depletion may be an indication that the
calculational model is not adequate for core burnups beyond BOL, or
that an unexpected change in core conditions has occurred.
The normalization of predicted RCS boron concentration to the measured value is typically performed after reaching RTP following
startup from a refueling outage, with the control rods in their normal
positions for power operation. The normalization is performed at BOL
conditions, so that core reactivity relative to predicted values can be
continually monitored and evaluated as core conditions change during
the cycle.
Core reactivity satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO Long term core reactivity behavior is a result of the core physics design and cannot be easily controlled once the core design is fixed.
During operation, therefore, the LCO can only be ensured through
measurement and tracking, and appropriate actions taken as
necessary. Large differences between actual and predicted core
reactivity may indicate that the assumptions of the DBA and transient
analyses are no longer valid, or that the uncertainties in the Nuclear
Design Methodology are larger than expected. A limit on the reactivity
balance of +/- 1% k/k has been established based on engineering judgment. A 1% deviation in reactivity from that predicted is larger
than expected for normal operation and should therefore be
evaluated.
(continued)
Core Reactivity B 3.1.2 Farley Units 1 and 2 B 3.1.2-4 Revision 0 BASES LCO When measured core reactivity is within 1% k/k of the predicted (continued) value at steady state thermal conditions, the core is considered to be operating within acceptable design limits. Since deviations from the
limit are normally detected by comparing predicted and measured steady state RCS critical boron concentrations, the difference
between measured and predicted values would be approximately
100 ppm (depending on the boron worth) before the limit is reached.
These values are well within the uncertainty limits for analysis of
boron concentration samples, so that spurious violations of the limit
due to uncertainty in measuring the RCS boron concentration are
unlikely.
APPLICABILITY The limits on core reactivity must be maintained during MODES 1 and 2 because a reactivity balance must exist when the reactor is
critical or producing THERMAL POWER. As the fuel depletes, core
conditions are changing, and confirmation of the reactivity balance
ensures the core is operating as designed. This Specification does
not apply in MODES 3, 4, and 5 because the reactor is shut down and
the reactivity balance is not changing.
In MODE 6, fuel loading results in a continually changing core reactivity. Boron concentration requirements (LCO 3.9.1, "Boron
Concentration") ensure that fuel movements are performed within the
bounds of the safety analysis. An SDM demonstration is required
during the first startup following operations that could have altered
core reactivity (e.g., fuel movement, control rod replacement, control
rod shuffling).
ACTIONS A.1 and A.2
Should an anomaly develop between measured and predicted core
reactivity, an evaluation of the core design and safety analysis must
be performed. Core conditions are evaluated to determine their
(continued)
Core Reactivity B 3.1.2 Farley Units 1 and 2 B 3.1.2-5 Revision 0 BASES ACTIONS A.1 and A.2 (continued)
consistency with input to design calculations. Measured core and process parameters are evaluated to determine that they are within
the bounds of the safety analysis, and safety analysis calculational
models are reviewed to verify that they are adequate for
representation of the core conditions. The required Completion Time
of 7 days is based on the low probability of a DBA occurring during
this period, and allows sufficient time to assess the physical condition
of the reactor and complete the evaluation of the core design and
safety analysis.
Following evaluations of the core design and safety analysis, the cause of the reactivity anomaly may be resolved. If the cause of the
reactivity anomaly is a mismatch in core conditions at the time of RCS
boron concentration sampling, then a recalculation of the RCS boron
concentration requirements may be performed to demonstrate that
core reactivity is behaving as expected. If an unexpected physical
change in the condition of the core has occurred, it must be evaluated
and corrected, if possible. If the cause of the reactivity anomaly is in
the calculation technique, then the calculational models must be
revised to provide more accurate predictions. If any of these results
are demonstrated, and it is concluded that the reactor core is
acceptable for continued operation, then the boron letdown curve may
be renormalized and power operation may continue. If operational
restriction or additional SRs are necessary to ensure the reactor core
is acceptable for continued operation, then they must be defined.
The required Completion Time of 7 days is adequate for preparing whatever operating restrictions or Surveillances that may be required
to allow continued reactor operation.
B.1 If the core reactivity cannot be restored to within the 1% k/k limit, the plant must be brought to a MODE in which the LCO does not apply.
To achieve this status, the plant must be brought to at least MODE 3
within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the SDM for MODE 3 is not met, then the boration
required by 3.1.1.1 would occur. The allowed Completion Time is
reasonable, based on operating experience, for reaching MODE 3
from full power conditions in an orderly manner and without
challenging plant systems.
Core Reactivity B 3.1.2 Farley Units 1 and 2 B 3.1.2-6 Revision 52 BASES SURVEILLANCE SR 3.1.2.1 REQUIREMENTS
Core reactivity is verified by periodic comparisons of measured and predicted RCS boron concentrations. The comparison is made, considering that other core conditions are fixed or stable, including
control rod position, moderator temperature, fuel temperature, fuel
depletion, xenon concentration, and samarium concentration. The
Surveillance is performed prior to entering MODE 1 as an initial check
on core conditions and design calculations at BOL. The SR is
modified by a Note. The Note indicates that the normalization of
predicted core reactivity to the measured value must take place within
the first 60 effective full power days (EFPD) after each fuel loading.
This allows sufficient time for core conditions to reach steady state, but prevents operation for a large fraction of the fuel cycle without
establishing a benchmark for the design calculations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.
- 2. FSAR, Chapter 15.
MTC B 3.1.3 Farley Units 1 and 2 B 3.1.3-1 Revision 0 B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.3 Moderator Temperature Coefficient (MTC)
BASES BACKGROUND According to GDC 11 (Ref. 1), the reactor core and its interaction with the Reactor Coolant System (RCS) must be designed for inherently
stable power operation, even in the possible event of an accident. In
particular, the net reactivity feedback in the system must compensate
for any unintended reactivity increases.
The MTC relates a change in core reactivity to a change in reactor coolant temperature (a positive MTC means that reactivity increases
with increasing moderator temperature; conversely, a negative MTC
means that reactivity decreases with increasing moderator
temperature). The reactor is designed to operate with a negative
MTC over the largest possible range of fuel cycle operation.
Therefore, a coolant temperature increase will cause a reactivity
decrease, so that the coolant temperature tends to return toward its
initial value. Reactivity increases that cause a coolant temperature
increase will thus be self limiting, and stable power operation will
result.
MTC values are predicted at selected burnups during the safety evaluation analysis and are confirmed to be acceptable by
measurements. Both initial and reload cores are designed so that the
beginning of cycle life (BOL) MTC is less than zero when THERMAL
POWER is at RTP. The actual value of the MTC is dependent on
core characteristics, such as fuel loading and reactor coolant soluble
boron concentration. The core design may require additional fixed
distributed poisons to yield an MTC at BOL within the range analyzed
in the plant accident analysis. The end of cycle life (EOL) MTC is also
limited by the requirements of the accident analysis. Fuel cycles that
are designed to achieve high burnups or that have changes to other
characteristics are evaluated to ensure that the MTC does not exceed
the EOL limit.
The limitations on MTC are provided to ensure that the value of this coefficient remains within the limiting conditions assumed in the FSAR
accident and transient analyses.
If the LCO limits are not met, the unit response during transients may not be as predicted. The core could violate criteria that prohibit a
(continued)
MTC B 3.1.3 Farley Units 1 and 2 B 3.1.3-2 Revision 0 BASES
BACKGROUND return to criticality, or the departure from nucleate boiling ratio criteria (continued) of the approved correlation may be violated, which could lead to a loss of the fuel cladding integrity.
The SRs for measurement of the MTC at the beginning and near the
end of the fuel cycle are adequate to confirm that the MTC remains
within its limits, since this coefficient changes slowly, due principally to
the reduction in RCS boron concentration associated with fuel burnup.
APPLICABLE The acceptance criteria for the specified MTC are:
SAFETY ANALYSES
- a. The MTC values must remain within the bounds of those used in the accident analysis (Ref. 2); and
- b. The MTC must be such that inherently stable power operations result during normal operation and accidents, such as overheating
and overcooling events.
The FSAR, Chapter 15 (Ref. 2), contains analyses of accidents that result in both overheating and overcooling of the reactor core. MTC is
one of the controlling parameters for core reactivity in these
accidents. Both the most positive value and most negative value of
the MTC are important to safety, and both values must be bounded.
Values used in the analyses consider worst case conditions to ensure
that the accident results are bounding (Ref. 3).
The consequences of accidents that cause core overheating must be evaluated when the MTC is positive. Such accidents include the rod
withdrawal transient from either zero or RTP, loss of main feedwater
flow, loss of load, rod ejection, and loss of forced reactor coolant flow.
The consequences of accidents that cause core overcooling must be
evaluated when the MTC is negative. Such accidents include sudden
feedwater flow increase, rod withdrawal at power, loss of load, and
sudden decrease in feedwater temperature.
In order to ensure a bounding accident analysis, the MTC is assumed to be its most limiting value for the analysis conditions appropriate to
each accident. The bounding value is determined by considering
(continued)
MTC B 3.1.3 Farley Units 1 and 2 B 3.1.3-3 Revision 0 BASES APPLICABLE rodded and unrodded conditions, whether the reactor is at full or zero SAFETY ANALYSES power, and whether it is at BOL or EOL. The most conservative (continued) combination appropriate to the accident is then used for the analysis (Ref. 2).
MTC values are bounded in reload safety evaluations assuming steady state conditions at BOL and EOL. An EOL measurement is
conducted at conditions when the RCS boron concentration reaches
approximately 300 ppm. The measured value may be extrapolated to
project the EOL value, in order to confirm reload design predictions.
MTC satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii). Even though it is not directly observed and controlled from the control room, MTC is
considered an initial condition process variable because of its
dependence on boron concentration.
LCO LCO 3.1.3 requires the MTC to be within specified limits of the COLR to ensure that the core operates within the assumptions of the
accident analysis. During the reload core safety evaluation, the MTC
is analyzed to determine that its values remain within the bounds of
the original accident analysis during operation.
Assumptions made in safety analyses require that the MTC be less positive than a given upper bound and more positive than a given
lower bound. The MTC is most positive at BOL; this upper bound
must not be exceeded. This maximum upper limit occurs at BOL, all
rods out (ARO), hot zero power conditions. At EOL the MTC takes on
its most negative value, when the lower bound becomes important.
This LCO exists to ensure that both the upper and lower bounds are
not exceeded.
During operation, therefore, the conditions of the LCO can only be ensured through measurement. The Surveillance checks at BOL and
EOL on MTC provide confirmation that the MTC is behaving as
anticipated so that the acceptance criteria are met.
The LCO establishes a maximum positive value that cannot be exceeded. The BOL positive limit and the EOL negative limit are established in the COLR to allow specifying limits for each particular
cycle. This permits the unit to take advantage of improved fuel
management and changes in unit operating schedule.
MTC B 3.1.3 Farley Units 1 and 2 B 3.1.3-4 Revision 0 BASES APPLICABILITY Technical Specifications place both LCO and SR values on MTC, based on the safety analysis assumptions described above.
In MODE 1, the limits on MTC must be maintained to ensure that any accident initiated from THERMAL POWER operation will not violate
the design assumptions of the accident analysis. In MODE 2 with the
reactor critical, the upper limit must also be maintained to ensure that
startup and subcritical accidents (such as the uncontrolled CONTROL
ROD assembly or group withdrawal) will not violate the assumptions
of the accident analysis. The lower MTC limit must be maintained in
MODES 2 and 3, in addition to MODE 1, to ensure that cooldown
accidents will not violate the assumptions of the accident analysis. In
MODES 4, 5, and 6, this LCO is not applicable, since no Design Basis
Accidents using the MTC as an analysis assumption are initiated from
these MODES.
ACTIONS A.1
If the BOL MTC limit is violated, administrative withdrawal limits for
control banks must be established to maintain the MTC within its
limits. The MTC becomes more negative with control bank insertion
and decreased boron concentration. A Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
provides enough time for evaluating the MTC measurement and
computing the required bank withdrawal limits. These withdrawal
limits shall be in addition to the insertion limits required by LCO 3.1.7, "Control Bank Insertion Limits."
As cycle burnup is increased, the RCS boron concentration will be
reduced. The reduced boron concentration causes the MTC to
become more negative. Using physics calculations, the time in cycle
life at which the calculated MTC will meet the LCO requirement can
be determined. At this point in core life Condition A no longer exists.
The unit is no longer in the Required Action, so the administrative
withdrawal limits are no longer in effect.
(continued)
MTC B 3.1.3 Farley Units 1 and 2 B 3.1.3-5 Revision 0 BASES ACTIONS B.1 (continued)
If the required administrative withdrawal limits at BOL are not
established within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the unit must be brought to MODE 3 to
prevent operation with an MTC that is more positive than that
assumed in safety analyses.
The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, for reaching the required MODE from full power
conditions in an orderly manner and without challenging plant systems.
C.1 Exceeding the EOL MTC limit means that the safety analysis
assumptions for the EOL accidents that use a bounding negative MTC
value may be invalid. If the EOL MTC limit is exceeded, the plant
must be brought to a MODE or condition in which the LCO
requirements are not applicable. To achieve this status, the unit must
be brought to at least MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
The allowed Completion Time is reasonable, based on operating
experience, for reaching the required MODE from full power
conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE SR 3.1.3.1 REQUIREMENTS
This SR requires measurement of the MTC at BOL prior to entering
MODE 1 in order to demonstrate compliance with the most positive
MTC LCO. Meeting the limit prior to entering MODE 1 ensures that
the limit will also be met at higher power levels.
The BOL MTC value for ARO will be inferred from isothermal
temperature coefficient measurements obtained during the physics
tests after refueling. The ARO value can be directly compared to the
BOL MTC limit of the LCO. If required, measurement results and
predicted design values can be used to establish administrative
withdrawal limits for control banks.
(continued)
MTC B 3.1.3 Farley Units 1 and 2 B 3.1.3-6 Revision 67 BASES SURVEILLANCE SR 3.1.3.2 REQUIREMENTS (continued) In similar fashion, the LCO demands that the MTC be less negative than the specified value for EOL full power conditions. This
measurement may be performed at any THERMAL POWER, but its
results must be extrapolated to the conditions of RTP and all banks
withdrawn in order to make a proper comparison with the LCO value.
Because the RTP MTC value will gradually become more negative
with further core depletion and boron concentration reduction, a
300 ppm SR value of MTC should necessarily be less negative than
the EOL LCO limit. The 300 ppm SR value is sufficiently less
negative than the EOL LCO limit value to ensure that the LCO limit
will be met when the 300 ppm Surveillance criterion is met.
SR 3.1.3.2 is modified by four Notes that include the following requirements:
- a. The SR is not required to be performed until 7 effective full power days (EFPDs) after reaching the equivalent of an equilibrium RTP
all rods out (ARO) boron concentration of 300 ppm.
- b. SR 3.1.3.2 is not required to be performed by measurement provided that the benchmark criteria in WCAP-13749-P-A (Ref. 4) are satisfied and the Revised Predicted MTC satisfies the 300 ppm surveillance limit specified in the COLR.
- c. If the 300 ppm Surveillance limit is exceeded, it is possible that the EOL limit on MTC could be reached before the planned EOL.
Because the MTC changes slowly with core depletion, the
Frequency of 14 effective full power days is sufficient to avoid
exceeding the EOL limit.
- d. The Surveillance limit for RTP boron concentration of 100 ppm is conservative. If the measured MTC at 100 ppm is more positive
than the 100 ppm Surveillance limit, the EOL limit will not be
exceeded because of the gradual manner in which MTC changes
with core burnup.
REFERENCES 1. 10 CFR 50, Appendix A, GDC 11.
- 2. FSAR, Chapter 15.
(continued)
MTC B 3.1.3 Farley Units 1 and 2 B 3.1.3-7 Revision 67 BASES REFERENCES 3. WCAP 9273-NP-A, "Westinghouse Reload Safety Evaluation (continued) Methodology," July 1985.
- 4. WCAP-13749-P-A, "Safety Evaluation Supporting the Conditional Exemption of the Most Negat ive EOL Moderator Temperature Coefficient Measurement, " March 1997.
Rod Group Alignment Limits B 3.1.4 Farley Units 1 and 2 B 3.1.4-1 Revision 0 B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.4 Rod Group Alignment Limits
BASES BACKGROUND The OPERABILITY (e.g., trippability) of the shutdown and control rods is an initial assumption in all safety analyses that assume rod
insertion upon reactor trip. Maximum rod misalignment is an initial
assumption in the safety analysis that directly affects core power
distributions and assumptions of available SDM.
The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor
Design," GDC 26, "Reactivity Control System Redundancy and
Protection" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for
Emergency Core Cooling Systems for Light Water Nuclear Power
Plants" (Ref. 2).
Mechanical or electrical failures may cause a control rod to become inoperable or to become misaligned from its group. Control rod
inoperability or misalignment may cause increased power peaking, due to the asymmetric reactivity distribution and a reduction in the
total available rod worth for reactor shutdown. Therefore, control rod
alignment and OPERABILITY are related to core operation in design
power peaking limits and the core design requirement of a minimum
SDM.
Limits on control rod alignment have been established, and all rod positions are monitored and controlled during power operation to
ensure that the power distribution and reactivity limits defined by the
design power peaking and SDM limits are preserved.
Rod cluster control assemblies (RCCAs), or rods, are moved by their control rod drive mechanisms (CRDMs). Each CRDM moves its
RCCA one step (approximately 5/8 inch) at a time, but at varying rates (steps per minute) depending on the signal output from the Rod
Control System.
The RCCAs are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more
RCCAs that are electrically paralleled to step simultaneously. A bank
(continued)
Rod Group Alignment Limits B 3.1.4 Farley Units 1 and 2 B 3.1.4-2 Revision 0 BASES BACKGROUND of RCCAs consists of two groups that are moved in a staggered (continued) fashion, but always within one step of each other. There are four control banks and two shutdown banks. All control banks and
shutdown banks contain two rod groups.
The shutdown banks are maintained either in the fully inserted or fully withdrawn position. The control banks are moved in an overlap
pattern, using the following withdrawal sequence: When control
bank A reaches a predetermined height in the core, control bank B
begins to move out with control bank A. Control bank A stops at the
position of maximum withdrawal, and control bank B continues to
move out. When control bank B reaches a predetermined height, control bank C begins to move out with control bank B. This
sequence continues until control banks A, B, and C are at the fully
withdrawn position, and control bank D is approximately halfway
withdrawn. The insertion sequence is the opposite of the withdrawal
sequence. The control rods are arranged in a radially symmetric
pattern, so that control bank motion does not introduce radial
asymmetries in the core power distributions.
The axial position of shutdown rods and control rods is indicated by two separate and independent systems, which are the Bank Demand
Position Indication System (commonly called group step counters)
and the Digital Rod Position Indication (DRPI) System.
The Bank Demand Position Indication System counts the pulses from the rod control system that moves the rods. There is one step counter
for each group of rods. Individual rods in a group all receive the same
signal to move and should, therefore, all be at the same position
indicated by the group step counter for that group. The Bank Demand
Position Indication System is considered highly precise (+/- 1 step or
+/- 5/8 inch). If a rod does not move one step for each demand pulse, the step counter will still count the pulse and incorrectly reflect the
position of the rod.
The DRPI System provides a highly accurate indication of actual control rod position, but at a lower precision than the step counters.
This system is based on inductive analog signals from a series of
coils spaced along a hollow tube with a center to center distance of
3.75 inches, which is six steps. To increase the reliability of the
system, the inductive coils are connected alternately to data system A
or B. Thus, if one system fails, the DRPI will go on half accuracy with
(continued)
Rod Group Alignment Limits B 3.1.4 Farley Units 1 and 2 B 3.1.4-3 Revision 0 BASES BACKGROUND an effective coil spacing of 7.5 inches, which is 12 steps. Therefore, (continued) the normal indication accuracy of the DRPI System is +/- 4 steps (all coils operable and 1 step added for manufacturing and temperature
tolerances), and the maximum uncertainty is +/- 10 steps (only one
data system A or B coils operable). With an indicated deviation of
12 steps between the group step counter and DRPI, the maximum
deviation between actual rod position and the demand position could
be 22 steps.
APPLICABLE Control rod misalignment accidents are analyzed in the safety SAFETY ANALYSES analysis (Ref. 3). The acceptance criteria for addressing control rod inoperability or misalignment are that:
- a. There be no violations of:
- 1. specified acceptable fuel design limits, or 2. Reactor Coolant System (RCS) pressure boundary integrity; and
- b. The core remains subcritical after accident transients that result in a reactor trip, except for the MSLB.
Two types of misalignment are distinguished. During movement of a control rod group, one rod may stop moving, while the other rods in
the group continue. This condition may cause excessive power
peaking. The second type of misalignment occurs if one rod fails to
insert upon a reactor trip and remains stuck fully withdrawn. This
condition requires an evaluation to determine that sufficient reactivity
worth is held in the control rods to meet the SDM requirement, with
the maximum worth rod stuck fully withdrawn.
Two types of analysis are performed in regard to static rod misalignment (Ref. 4). With control banks at their insertion limits, one
type of analysis considers the case when any one rod is completely
inserted into the core. The second type of analysis considers the case of a completely withdrawn single rod from a bank inserted to its
insertion limit. Satisfying limits on departure from nucleate boiling
ratio in both of these cases bounds the situation when a rod is
misaligned from its group by 12 steps.
(continued)
Rod Group Alignment Limits B 3.1.4 Farley Units 1 and 2 B 3.1.4-4 Revision 0 BASES APPLICABLE Another type of misalignment occurs if one RCCA fails to insert upon SAFETY ANALYSES a reactor trip and remains stuck fully withdrawn. This condition is (continued) assumed in the evaluation to determine that the required SDM is met with the maximum worth RCCA also fully withdrawn.
The Required Actions in this LCO ensure that either deviations from the alignment limits will be corrected or that THERMAL POWER will
be adjusted so that excessive local linear heat rates (LHRs) will not
occur, and that the requirements on SDM and ejected rod worth are
preserved.
Continued operation of the reactor with a misaligned control rod is allowed if the heat flux hot channel factor (F Q (Z)) and the nuclear enthalpy hot channel factor (NH F) are verified to be within their limits in the COLR and the safety analysis is verified to remain valid. When
a control rod is misaligned, the assumptions that are used to
determine the rod insertion limits, AFD limits, and quadrant power tilt
limits are not preserved. Therefore, the limits may not preserve the design peaking factors, and F Q (Z) and NH F must be verified directly by incore mapping. Bases Section 3.2 (Power Distribution Limits)
contains more complete discussions of the relation of F Q (Z) and NH F to the operating limits.
Shutdown and control rod OPERABILITY and alignment are directly
related to power distributions and SDM, which are initial conditions
assumed in safety analyses. Therefore they satisfy Criterion 2 of 10
CFR 50.36(c)(2)(ii).
LCO The limits on shutdown or control rod alignments ensure that the assumptions in the safety analysis will remain valid. The
requirements on OPERABILITY ensure that upon reactor trip, the
assumed reactivity will be available and will be inserted. The
OPERABILITY requirements also ensure that the RCCAs and banks
maintain the correct power distribution and rod alignment.
The requirement to maintain the rod alignment to within plus or minus 12 steps is conservative. The minimum misalignment assumed in
safety analysis is 24 steps (15 inches), and in some cases a total
misalignment from fully withdrawn to fully inserted is assumed.
(continued)
Rod Group Alignment Limits B 3.1.4 Farley Units 1 and 2 B 3.1.4-5 Revision 0 BASES LCO Failure to meet the requirements of this LCO may produce (continued) unacceptable power peaking factors and LHRs, or unacceptable SDMs, all of which may constitute initial conditions inconsistent with
the safety analysis.
APPLICABILITY The requirements on RCCA OPERABILITY and alignment are applicable in MODES 1 and 2 because these are the only MODES in
which a self-sustaining chain reaction occurs, and the OPERABILITY (i.e., trippability) and alignment of rods have the potential to affect the
safety of the plant. In MODES 3, 4, 5, and 6, the alignment limits do
not apply because the control rods are fully inserted and the reactor is
shut down, with no self-sustaining chain reaction. In the shutdown
MODES, the OPERABILITY of the shutdown and control rods has the
potential to affect the required SDM, but this effect can be
compensated for by an increase in the boron concentration of the
RCS. See LCO 3.1.1, "SHUTDOWN MARGIN (SDM), " for SDM in
MODES 3, 4, and 5 and LCO 3.9.1, "Boron Concentration," for boron
concentration requirements during refueling.
ACTIONS A.1.1 and A.1.2
When one or more rods are untrippable, there is a possibility that the
required SDM may be adversely affected. Under these conditions, it
is important to determine the SDM, and if it is less than the required
value, initiate boration until the required SDM is recovered. The
Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is adequate for determining SDM and, if
necessary, for initiating emergency boration and restoring SDM.
In this situation, SDM verification must account for the absence of the
negative reactivity of the untrippable rod(s), as well as a rod of
maximum worth.
A.2 If the untrippable rod(s) cannot be restored to OPERABLE status, the
plant must be brought to a MODE or condition in which the LCO
requirements are not applicable. To achieve this status, the unit must
be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
(continued)
Rod Group Alignment Limits B 3.1.4 Farley Units 1 and 2 B 3.1.4-10 Revision 0 BASES SURVEILLANCE SR 3.1.4.3 REQUIREMENTS (continued) Verification of rod drop times allows the operator to determine that the maximum rod drop time permitted is consistent with the assumed rod
drop time used in the safety analysis. Measuring rod drop times prior
to reactor criticality, after reactor vessel head removal, ensures that
the reactor internals and rod drive mechanism will not interfere with
rod motion or rod drop time, and that no degradation in these systems
has occurred that would adversely affect control rod motion or drop
time. This testing is performed with all RCPs operating and the
average moderator temperature 541°F to simulate a reactor trip under actual conditions.
Testing is performed with the rods fully withdrawn (225 to 231 steps inclusive). The fully withdrawn position used for determining rod drop
times shall be greater than or equal to the fully withdrawn position
used during subsequent plant operation.
This Surveillance is performed during a plant outage, due to the plant conditions needed to perform the SR and the potential for an
unplanned plant transient if the Surveillance were performed with the
reactor at power.
REFERENCES 1. 10 CFR 50, Appendix A, GDC 10 and GDC 26.
- 2. 10 CFR 50.46.
- 3. FSAR, Section 15.2.3.
- 4. FSAR, Section 15.2.3.2.2.C.
Shutdown Bank Insertion Limits B 3.1.5 Farley Units 1 and 2 B 3.1.5-1 Revision 31 B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.5 Shutdown Bank Insertion Limits
BASES BACKGROUND The insertion limits of the shutdown and control rods are initial assumptions in all safety analyses that assume rod insertion upon reactor trip. The insertion limits directly affect core power and fuel burnup distributions and assumptions of available ejected rod worth, SDM and initial reactivity insertion rate.
The applicable criteria for these reactivity and power distribution design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and Protection," GDC 28, "Reactivity Limits" (Ref. 1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light Water Nuclear Power Reactors" (Ref. 2). Limits on control rod insertion have been established, and all rod positions are monitored and controlled during power operation to ensure that the power distribution and reactivity limits defined by the design power peaking and SDM limits are preserved.
The rod cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled to step simultaneously. A bank of RCCAs consists of two groups that are moved in a staggered fashion, but always within one step of each other. There are four control banks and two shutdown banks. See LCO 3.1.4, "Rod Group Alignment Limits," for individual control and shutdown rod OPERABILITY and alignment requirements, and LCO 3.1.7, "Rod Position Indication," for position indication requirements.
The control banks are used for precise reactivity control of the reactor. The positions of the control banks are normally automatically controlled by the Rod Control System, but they can also be manually controlled. They are capable of adding negative reactivity very quickly (compared to borating). The control banks must be maintained above designed insertion limits and are typically near the fully withdrawn position during normal full power operations.
(continued)
Shutdown Bank Insertion L imits B 3.1.5
Farley Units 1 and 2 B 3.1.5-2 Revision 0 BASES BACKGROUND Hence, they are not capable of adding a large amount of positive (continued) reactivity. Boration or dilution o f the Reactor Coolant System (RCS) compensates for the reactivity changes associated with large
changes in RCS temperature. The design calculations are performed
with the assumption that the shutdown banks are withdrawn first. The
shutdown banks can be f ully withdrawn without the core going critical.
This provides available negative reactivity in the event of boration
errors. The shutdown banks are controlled manually by the control
room operator. During normal unit operation, the shutdown banks are
eit her fully withdrawn or fully inserted. The shutdown banks must be completely withdrawn from the core, prior to withdrawing any control
banks during an approach to criticality. The shutdown banks are then
left in this position until the reactor is shut do wn. They affect core
power and burnup distribution, and add negative reactivity to shut
down the reactor upon receipt of a reactor trip signal.
APPLICABLE On a reactor trip, all RCCAs (shutdown banks and control banks), SAFETY ANALYSES except the most r eactive RCCA, are assumed to insert into the core.
The shutdown banks shall be at or above their insertion limits and
available to insert the maximum amount of negative reactivity on a
reactor trip signal. The control banks may be partially inserted in t he core, as allowed by LCO 3.1.6, "Control Bank Insertion Limits." The shutdown bank and control bank insertion limits are established to
ensure that a sufficient amount of negative reactivity is available to
shut down the reactor and maintain the require d SDM (see LCO 3.1.1, "SHUTDO WN MARGIN (SDM)," following a reactor trip from full power. The combination of control banks and shutdown
banks (less the most reactive RCCA, which is assumed to be fully
withdrawn) is sufficient to take the reactor from full power conditions at rated temperature to zero power, and to maintain the required SDM
at rated no load temperature (Ref.
3). The shutdown bank insertion limit also limits the reactivity worth of an ejected shutdown rod.
(continued)
Control Bank Insertion Limits B 3.1.6
Farley Units 1 and 2 B 3.1.6-1 Revision 0 B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.6 Control Bank Insertion Limits
BASES BACKGROUND The insertion limits of the shutdown and control rods are initial
assumptions in all safety analyses that assume rod insertion upon
reactor trip. The insertion l imits directly affect core power and fuel burnup distributions and assumptions of available SDM, and initial
reactivity insertion rate.
The applicable criteria for these reactivity and power distribution
design requirements are 10 CFR 50, Appendix A, GDC 10, "Reactor Design," GDC 26, "Reactivity Control System Redundancy and
Protection," GDC 28, "Reactivity Limits" (Ref.
1), and 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light
Water Nuclear Power Reactors" (Ref.
2). Limits on control rod insertion have been established, and all rod positions are monitored
and controlled during power operation to ensure that the power
distribution and reactivity limits defined by the design power peaking
and SDM limits are preserved.
The ro d cluster control assemblies (RCCAs) are divided among control banks and shutdown banks. Each bank may be further subdivided into two groups to provide for precise reactivity control. A group consists of two or more RCCAs that are electrically paralleled
to step simultaneously. A bank of RCCAs consists of two groups that
are moved in a staggered fashion, but always within one step of each
other. There are four control banks and two shutdown banks. See
LCO 3.1.4, "Rod Group Alignment Limits," for control and shutdown rod OPERABILITY and alignment requirements, and LCO 3.1.7, "Rod Position Indication," for position indication requirements.
The control bank insertion limits are specified in the COLR. An
example is provided for information only in Figure B 3.1.6-1. The control banks are required to be at or above the insertion limit lines.
Figure B 3.1.6-1 also indicates how the control banks are moved in an overlap pattern. Overlap is the distance travelled together by two
control banks. The predeter mined position of control bank C, at which control bank D will begin to move with bank C on a withdrawal, will be at 128 steps for a fully withdrawn position of 225 to 231 steps, inclusive. The fully withdrawn position is defined in the COLR.
(continued
)
Control Bank Insertion Limits B 3.1.6
Farley Units 1 and 2 B 3.1.6-2 Revision 0 BASES BACKGROUND The control banks are used for precise reactivity control of the (continued) reactor. The positions of the control banks are normally controlled
automatically by the Rod Control System, but can also be manually
controlled. They are capable of adding reactivity very quickly (compared to borating or diluting).
The power density at any point in the core must be limited, so that the
fuel design criteria are maintained. Together, LCO 3.1.4, "Rod Group Alignment," LCO 3.1.5, "Shutdown Bank Insertion Limits," LCO 3.1.6, "Control Bank Insertion Limits," LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT PO WER TILT RATIO (QPTR)," provide limits on control component operation and
on monitored process variables, which ensure that the core operates within the fuel design criteria.
The shutdown and control bank insertion and alignment limits, AFD, and
QPTR are process variables that together characterize and control the
three dimensional power distribution of the reactor core.
Additionally, the control bank insertion limits control the reactivity that could be added
in the event of a rod ejection accident, and the shutdown and control
bank insertion limits ensure the required SDM is maintained.
Operation within the subject L CO limits will prevent fuel cladding failures that would breach the primary fission product barrier and
release fission products to the reactor coolant in the event of a loss of
coolant accident (LOCA), loss of flow, ejected rod, or other accident
requirin g termination by a Reactor Trip System (RTS) trip function.
APPLICABLE The shutdown and control bank insertion limits, AFD, and QPTR SAFETY ANALYSES LCOs are required to prevent power distributions that could result in
fuel cladding failures in the even t of a LOCA, loss of flow, ejected rod, or other accident requiring termination by an RTS trip function.
The acceptance criteria for addressing shutdown and control bank
insertion limits and inoperability or misalignment are that:
(continued)
Rod Position Indication B 3.1.7 Farley Units 1 and 2 B 3.1.7-1 Revision 0 B 3.1 REACTIVITY CONTROL SYSTEM
B 3.1.7 Rod Position Indication
BASES BACKGROUND According to GDC 13 (Ref. 1), instrumentation to monitor variables and systems over their operating ranges during normal operation, anticipated operational occurrences, and accident conditions must be
OPERABLE. LCO 3.1.7 is required to ensure OPERABILITY of the control rod position indicators to determine control rod positions and
thereby ensure compliance with the control rod alignment and
insertion limits.
The OPERAB ILITY, including position indication, of the shutdown and
control rods is an initial assumption in all safety analyses that assume
rod insertion upon reactor trip. Maximum rod misalignment is an
initial assumption in the safety analysis that directly affe cts core power distributions and assumptions of available SDM. Rod position
indication is required to assess OPERABILITY and misalignment.
Mechanical or electrical failures may cause a shutdown or a control
rod to become inoperable or to become misalign ed from its group.
Control rod inoperability or misalignment may cause increased power
peaking, due to the asymmetric reactivity distribution and a reduction
in the total available rod worth for reactor shutdown. Therefore, control rod alignment and OPER ABILITY are related to core
operation in design power peaking limits and the core design
requirement of a minimum SDM.
Limits on control rod alignment and OPERABILITY have been
established, and all rod positions are monitored and controlled during
power operation to ensure that the power distribution and reactivity
limits defined by the design power peaking and SDM limits are
preserved.
Rod cluster control assemblies (RCCAs), or rods, are moved out of
the core (up or withdrawn) or into the core (down or inserted) by their control rod drive mechanisms. The RCCAs are divided among
control banks and shutdown banks. Each bank may be further
subdivided into two groups to provide for precise reactivity control.
(continued)
Rod Position Indication B 3.1.7 Farley Units 1 and 2 B 3.1.7-2 Revision 0 BASES BACKGROUND The axial positions of shutdown rods and control rods are determined (continued) by two separate and independent systems: the Bank Demand
Position Indication System (commonly called group step counters)
and the Digital Rod Position Indication (DRPI) System.
The Bank Demand Position Indication System counts the pulses from
the Rod Control System that move the rods. There is one step
counter for each group of rods. Individual rods in a group all receive
the same signal to move and should, therefore, all be at th e same position indicated by the group step counter for that group. The Bank
Demand Position Indication System is considered highly precise
(+/- 1 step or +/- ? inch). If a rod does not move one step for each demand pulse, the step counter will still count t he pulse and
incorrectly reflect the position of the rod.
The DRPI System provides a highly accurate indication of actual
control rod position, but at a lower precision than the step counters.
This system is based on inductive analog signals from a seri es of coils spaced along a hollow tube with a center to center distance of
3.75 inches, which is 6 steps. To increase the reliability of the system, the inductive coils are connected alternately to data system A or B. Thus, if one system fails, the DRPI will go on half accuracy with an effective coil spacing of 7.5 inches, which is 12 steps. Therefore, the normal indication accuracy of the DRPI System is +/-
4 steps (all
coils operable and 1 step added for manufacturing and temperature
tolerances), and the maximum uncertainty is +/-
10 steps (only one data system A or B coils operable).
W ith an indicated deviation of
12 steps between the group step counter and DRPI, the maximum
deviation between actual rod position and the demand position could
be 22 steps.
APPLICABLE Control and shutdown rod position accuracy is essential SAFETY ANALYSES during power operation. Power peaking, ejected rod worth, or SDM limits may be violated in the event of a Design Basis Accident (Ref. 2), with control or shutdown rods o perating outside their limits undetected. Therefore, the acceptance criteria for rod position
indication is that rod positions must be known with sufficient accuracy
in order to verify the core is operating within the assumed group
sequence, overlap, desi gn peaking limits, ejected rod worth, and with
minimum SDM (LCO 3.1.5, "Shutdown Bank Insertion Limits," and LCO 3.1.6, "Control Bank Insertion Limits"). The rod positions must
(continued)
Rod Position Indication B 3.1.7 Farley Units 1 and 2 B 3.1.7-3 Revision 0 BASES APPLICABLE also be known in order to verify the alignm ent limits are preserved SAFETY ANALYSES (LCO 3.1.4, "Rod Group Alignment Limits"). Control rod positions (continued) are continuously monitored to provide operators with information that
ensures the plant is operating within the bounds of the accident
analysis assumptions (Ref.2).
The control rod position indicator channels satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii). The control rod position indicators monitor
control rod position, which is an initial condition of the accident.
LCO LCO 3.1.7 spe cifies that one DRPI System (data System A or B) and one Bank Demand Position Indication System be OPERABLE for
each shutdown and control rod. For the control rod position indicators
to be OPERABLE requires meeting the SR of the LCO and the
following:
- a. The required DRPI System indicates within 12 steps of the group
step counter demand position as required by LCO 3.1.4, "Rod
Group Alignment Limits";
- b. For the required DRPI System there are no failed coils; and
- c. The Bank Demand Indication System h as been calibrated either in the fully inserted position or to the DRPI System.
The 12 step agreement limit between the Bank Demand Position
Indication System and the DRPI System indicates that the Bank
Demand Position Indication System is adequately cal ibrated, and can
be used for indication of the measurement of control rod bank
position.
A deviation of less than the allowable limit, given in LCO 3.1.4, in
position indication for a single control rod, ensures high confidence
that the position uncertai nty of the corresponding control rod group is
within the assumed values used in the analysis (that specified control
rod group insertion limits).
These requirements ensure that control rod position indication during
power operation and PHYSICS TESTS is a ccurate, and that design assumptions are not challenged.
(continued)
PHYSICS TESTS Exceptions
- MODE 2 B 3.1.8
Farley Units 1 and 2 B 3.1.8-1 Revision 0 B 3.1 REACTIVITY CONTROL SYSTEMS
B 3.1.8 PHYSICS TESTS Exceptions
-MODE 2
BASES BACKGROUND The primary purpose of the MODE 2 PHYSICS TESTS exceptions is
to permit relaxations of existing LCOs to allow certain PHYSICS
TESTS to be performed.
Section XI of 10 CFR 50, Appendix B (Ref. 1), requires that a test program be established to ensure that structures, systems, and
components will perform satisfactorily in service. All functions
necessary to ensure that the specif ied design conditions are not exceeded during normal operation and anticipated operational
occurrences must be tested. This testing is an integral part of the
design, construction, and operation of the plant. Requirements for
notification of the NRC, for the purpose of conducting tests and experiments, are specified in 10 CFR 50.59 (Ref.
2).
The key objectives of a test program are to (Ref.
3):
- a. Ensure that the facility has been adequately designed;
- b. Validate the analytical models used in the de sign and analysis;
- c. Verify the assumptions used to predict unit response;
- d. Ensure that installation of equipment in the facility has been
accomplished in accordance with the design; and
- e. Verify that the operating and emergency procedures are
ad equate.
To accomplish these objectives, testing is performed prior to initial
criticality, during startup, during low power operations, during power
ascension, at high power, and after each refueling. The PHYSICS
TESTS requirements for reload fuel cycle s ensure that the operating
characteristics of the core are consistent with the design predictions
and that the core can be operated as designed (Ref.
4).
(continued)
PHYSICS TESTS Exceptions
- MODE 2 B 3.1.8
Farley Units 1 and 2 B 3.1.8-2 Revision 0 BASES BACKGROUND PHYSICS TESTS procedures are written and approved in (continued
) accordance with established formats. The procedures include all
information necessary to permit a detailed execution of the testing
required to ensure that the design intent is met. PHYSICS TESTS
are performed in accordance with these procedures and te st results are approved prior to continued power escalation and long term
power operation.
The PHYSICS TESTS required for reload fuel cycles (Ref.
- 4) in MODE 2 are listed below:
- a. Critical Boron Concentration
-Control Rods W ithdrawn;
- b. Critical Boron Concentration
-Lead Bank Inserted;
- c. Control Rod Worth; and
- d. Isothermal Temperature Coefficient (ITC).
These tests are performed in MODE 2 at hot zero power (HZP), and
they may c ause the operating controls and process variables to
deviate from their LCO requirements during their performance.
- a. The Critical Boron Concentration
-Control Rods W ithdrawn Test measures the critical boron concentration at hot zero power (HZP). W ith all rods out, the lead control bank is at or near its
fully withdrawn position. HZP is where the core is critical (k eff = 1.0), and the Reactor Coolant System (RCS) is at design temperature and pressure for zero power. Per formance of this test should not violate any of the referenced LCOs.
- b. The Critical Boron Concentration
-Control Rods W ithdrawn except lead bank Test measures the critical boron concentration
at HZP, with the lead bank f ully inserted into the core. The reactivity resulting from each incremental bank movement is
measured with a reactivity computer. The difference between the
measured critical boron concentration with all rods fully withdrawn
and with the lead bank insert ed is determined. The boron
reactivity coefficient is determined by dividing the measured bank
worth by the measured boron concentration difference.
Performance of this test could violate LCO 3.1.4, "Rod Group
Alignment Limits"; LCO 3.1.5, "Shutdown Bank Insertion Limit"; or LCO 3.1.6, "Control Bank Insertion Limits."
(continued)
PHYSICS TESTS Exceptions
- MODE 2 B 3.1.8
Farley Units 1 and 2 B 3.1.8-3 Revision 0 BASES BACKGROUND c. The Control Rod Worth Test is used to measure the (continued) reactivity worth of shutdown and control banks. This test is
performed at HZP and has f our alternative methods of performance. The first method, the Boron Exchange
Method, varies the reactor coolant boron concentration and
moves the selected bank in response to the changing boron
concentration. The reactivity changes are measured with a
r eactivity computer. This sequence is repeated for the
remaining shutdown and control banks. The second
method, the Rod Swap Method, measures the worth of a
predetermined lead or reference bank using the Boron
Exchange Method above. The reference bank is then nearly
fully inserted into the core. The selected bank is then
inserted into the core as the reference bank is withdrawn.
The HZP critical conditions are then determined with the
selected bank fully inserted into the core. The worth of the
selected bank is calculated, based on the position of the
reference bank with respect to the selected bank. This
sequence is repeated as necessary for the remaining
shutdown and control banks. The third method, the Boron
Endpoint Method, moves the selected bank over its entire length of travel and then varies the reactor coolant boron
concentration to achieve HZP criticality again. The
difference in boron concentration is the worth of the selected
bank. This sequence is repeated for the remaining shutdown
and co ntrol banks. The fourth method is based on
measuring the reactivity worth of individual control and
shutdown rod banks. It is a fast process that is
accomplished by inserting and withdrawing the bank at a
maximum stepping speed, without changing boron
co ncentration, and recording the signals on the excore
detectors. In this method, referred to as Dynamic Rod
Worth Measurement technique, the recorded signals from
the excore detectors are processed on a conventional
reactivity meter, which solves the inver se point kinetics equation with proper analytical compensation for spacial
effects. Performance of this test could violate LCO 3.1.4, LCO 3.1.5, or LCO 3.1.6.
(continued)
PHYSICS TESTS Exceptions
- MODE 2 B 3.1.8
Farley Units 1 and 2 B 3.1.8-4 Revision 0 BASES BACKGROUND
- d. The ITC Test measures the ITC of the reactor. This test is (continued) performed at HZP and has two methods of performance. The first
method, the Slope Method, varies RCS temperature in a slow and
continuous manner. The reactivity change is measured with a
reactivity computer as a function of the temperat ure change. The ITC is the slope of the reactivity versus the temperature plot. The
test is repeated by reversing the direction of the temperature
change, and the final ITC is the average of the two calculated
ITCs. The second method, the Endpoint Method, changes the RCS temperature and measures the reactivity at the beginning
and end of the temperature change. The ITC is the total reactivity
change divided by the total temperature change. The test is
repeated by reversing the direction of the temperature change, and the final ITC is the average of the two calculated ITCs. The
Moderator Temperature Coefficient (MTC) at the beginning
-of-life (BOL) is determined from the measured ITC. Performance of this
test could violate LCO 3.4.2, "RCS Minimum Temperatu re for Criticality."
APPLICABLE The fuel is protected by LCOs that preserve the initial conditions SAFETY ANALYSES of the core assumed during the safety analyses. The methods for
development of the LCOs that are excepted by this LCO are
described in the Westinghouse Reload Safety Evaluation
Methodology Report (Ref.
5). The above mentioned PHYSICS TESTS, and other tests that may be required to calibrate nuclear
instrumentation or to diagnose operational problems, may require the
operating control or proc ess variables to deviate from their LCO
limitations.
The FSAR defines requirements for initial testing of the facility, including PHYSICS TESTS. Table 14.1-1 summarizes the zero, low power, and power tests. Requirements for reload fuel cycle
PHYSICS TE STS are defined in ANSI/ANS
-19.6.1-1985 (Ref.
4). Although these PHYSICS TESTS are generally accomplished within
the limits for all LCOs, conditions may occur when one or more LCOs
must be suspended to make completion of PHYSICS TESTS possible
or practical. This is acceptable as long as the fuel design criteria are
(continued)
PHYSICS TESTS Exceptions - MODE 2 B 3.1.8 Farley Units 1 and 2 B 3.1.8-8 Revision 52 BASES SURVEILLANCE SR 3.1.8.4 (continued)
REQUIREMENTS
- b. Control bank position;
- c. RCS average temperature;
- d. Fuel burnup based on gross thermal energy generation;
- e. Xenon concentration;
- f. Samarium concentration; and
- g. Isothermal temperature coefficient (ITC).
Using the ITC accounts for Doppler reactivity in this calculation because the reactor is relatively steady-state, and the fuel
temperature will be changing at the same rate as the RCS.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. 10 CFR 50, Appendix B, Section XI.
- 2. 10 CFR 50.59.
- 3. Regulatory Guide 1.68, Revision 2, August, 1978.
- 4. ANSI/ANS-19.6.1-1985, December 13, 1985.
- 5. WCAP-9273-NP-A, "Westinghouse Reload Safety Evaluation Methodology Report," July 1985.
- 6. WCAP-11618, including Addendum 1, April 1989.
- 7. WCAP-13361-NP-A, "Westinghouse Dynamic Rod Worth Measurement Technique," January 1996.
F Q (Z) B 3.2.1
Farley Units 1 and 2 B 3.2.1-1 Revision 0 B 3.2 PO WER DISTRIBUTION LIMITS
B 3.2.1 Heat Flux Hot Channel Factor (F Q (Z))
BASES BACKGROUND The purpose of the limits on the values of F Q (Z) is to limit the local (i.e., pellet) peak power density. The value of F Q (Z) varies along the axial height (Z) of the core.
F Q (Z) is defined as the maximum local fuel rod linear power density divided by the average fuel rod linear power dens ity, assuming
nominal fuel pellet and fuel rod dimensions. Therefore, F Q (Z) is a measure of the peak fuel pellet power within the reactor core.
During power operation, the global power distribution is limited by
LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT TILT PO WER RATIO (QPTR)," which are directly and
continuously measured process variables. These LCOs, along with
LCO 3.1.6, "Control Bank Insertion Limits," maintain the core within power distrib ution limits on a continuous basis.
F Q (Z) varies with fuel loading patterns, control bank insertion, fuel burnup, and changes in axial power distribution.
F Q (Z) is measured periodical ly using the incore detector system.
These measurements are generally taken with the core at or near
steady state conditions.
Using the measured three dimensional power distributions, it is
possible to derive a measured value for F Q (Z). However, because this value represents a steady state condition, it does not include the
variations in the value of F Q (Z) that are present during nonequilibrium situations, such as load following.
To a ccount for these possible variations, the steady state value of F Q (Z) is adjusted by an elevation dependent factor that accounts for the calculated worst case transient conditions.
Core monitoring and control under non steady state conditions are
accomplished by operating the core within the limits of the appropriate
LCOs, including the limits on AFD, QPTR, and control rod insertion.
F Q (Z) B 3.2.1
Farley Units 1 and 2 B 3.2.1-2 Revision 0 BASES APPLICABLE This LCO precludes core power distributions that violate SAFETY ANALYSES the following fuel design criteria:
- a. During a loss of coolant accident (LOCA), the peak cladding
temperature must not exceed 2200°F (Ref.
1);
- b. During normal operation, operational transients and any transient
condition arising from events of moderate frequency, there must be at least 95% probability at the 95% confidence level (the
95/95 DNB criterion) that the hot fuel rod in the core does not
experience a departure from nucleate boiling (DNB) condition;
- c. During an ejected rod accident , the energy deposition to the fuel will be below 200 cal/gm, thus meeting the NRC acceptance criteria of
£ 280 cal/gm (Ref.
2); and d. The control rods must be capable of shutting down the reactor
with a minimum required SDM with the highest worth contr ol rod stuck fully withdrawn (Ref.
3).
Limits on F Q (Z) ensure that the value of the initial total peaking factor assumed in the accident analyses remains valid. Other criteria must
also be met (e.g., maximum cladding ox idation, maximum hydrogen generation, coolable geometry, and long term cooling). However, the
peak cladding temperature is typically most limiting.
F Q (Z) limits assumed in the LOCA analysis are typically limiting relati ve to (i.e., lower than) the F Q (Z) limit assumed in safety analyses for other postulated accidents. Therefore, this LCO provides
conservative limits for other postulated accidents.
F Q (Z) satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
NH F B 3.2.2 Farley Units 1 and 2 B 3.2.2-1 Revision 0 B 3.2 POWER DISTRIBUTION LIMITS
B 3.2.2 Nuclear Enthalpy Rise Hot Channel Factor ()
BASES BACKGROUND The purpose of this LCO is to establish limits on the power density at any point in the core so that the fuel design criteria are not exceeded
and the accident analysis assumptions remain valid. The design
limits on local (pellet) and integrated fuel rod peak power density are
expressed in terms of hot channel factors. Control of the core power
distribution with respect to these factors ensures that local conditions
in the fuel rods and coolant channels do not challenge fuel design
limits at any location in the core during either normal operation or a
postulated accident analyzed in the safety analyses.
NH F is defined as the ratio of the integral of the linear power along the fuel rod with the highest integrated power to the average integrated fuel rod
power. Therefore, NH F is a measure of the maximum total power produced in a fuel rod.
NH F is sensitive to fuel loading patterns, bank insertion, and fuel burnup.
NH F typically increases with control bank insertion and typically decreases with fuel burnup except for a few months of reactor operation.
NH Fis not directly measurable but is inferred from a power distribution map obtained with the movable incore detector system. Specifically, the results of the three dimensional power distribution map are analyzed by a computer to determine NH F This factor is calculated at least every 31 EFPD. However, during power operation, the global power distribution is monitored by LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," and LCO 3.2.4, "QUADRANT POWER TILT RATIO (QPTR),"
which address directly and continuously measured process variables.
The COLR provides peaking factor limits that ensure that the design
criterion for the departure from nucleate boiling (DNB) is met for
normal operation, operational transients, and any transient condition
arising from events of moderate frequency. All DNB limited transient events are assumed to begin with an NH F value that satisfies the LCO requirements.
(continued)
NH F B 3.2.2 Farley Units 1 and 2 B 3.2.2-2 Revision 0 BASES BACKGROUND Operation outside the LCO limits may produce unacceptable (continued) consequences if a DNB limiting event occurs. The DNB design basis ensures that there is no overheating of the fuel that results in possible cladding perforation with the release of fission
products to the reactor coolant.
APPLICABLE Limits on NH F preclude core power distributions that exceed SAFETY ANALYSES the following fuel design limits:
- a. There must be at least 95% probability at the 95% confidence level (the 95/95 DNB criterion) that the hottest fuel rod in the core
does not experience a DNB condition during normal operation, operational transients and any transient condition arising from
events of moderate frequency;
- b. During a loss of coolant accident (LOCA), peak cladding temperature (PCT) must not exceed 2200°F (Ref. 3);
- c. During an ejected rod accident, the energy deposition to the fuel will be less than 200 cal/gm, thus meeting the NRC acceptance
criteria of 280 cal/gm (Ref. 1); and
- d. Fuel design limits required by GDC 26 (Ref. 2) for the condition when control rods must be capable of shutting down the reactor
with a minimum required SDM with the highest worth control rod
stuck fully withdrawn.
For transients that may be DNB limited, NH F is an important core parameter. The limits on NH F ensure that the DNB design criterion is met for normal operation, operational transients, and any transients arising from events of moderate frequency.
Minimum DNBR values (Ref. 4) were established that satisfy the DNB
design criterion. These values provide the required degree of
assurance that the hottest fuel rod in the core does not experience
DNB.
(continued)
NH F B 3.2.2 Farley Units 1 and 2 B 3.2.2-3 Revision 0 BASES APPLICABLE The allowable NH F limit increases with decreasing power level. This SAFETY ANALYSES functionality in NH Fis included in the analyses that provide the (continued) Reactor Core Safety Limits (SLs) of SL 2.1.1. Therefore, any DNB events in which the calculation of t he core limits is modeled implicitly
use this variable value of NH F in the analyses. Likewise, all transients that may be DNB limited are assumed to begin with an initial NH Fas a function of power level defined by the COLR limit equation.
The LOCA safety analysis indirectly models NH F as an input parameter. The Nuclear Heat Flux Hot Channel Factor (F Q (Z)) and the axial peaking factors are inserted directly into the LOCA safety analyses that verify the acceptability of the resulting peak cladding
temperature (Ref. 3).
The fuel is protected in part by Technical Specifications, which ensure
that the initial conditions assumed in the safety and accident analyses remain valid. The following LCOs ensure this: LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, "QUADRANT POWER TILT
RATIO (QPTR)," LCO 3.1.6, "Control Bank Insertion Limits," LCO 3.2.2, "Nuclear Enthalpy Rise Hot Channel Factor (NH F and LCO 3.2.1, "Heat Flux Hot Channel Factor (F Q (Z))."
NH F and F Q (Z) are measured periodically using the movable incore detector system. Measurements are generally taken with the core at, or near, steady state conditions. Core monitoring and control under transient conditions (Condition 1 events) are accomplished by
operating the core within the limits of the LCOs on AFD, QPTR, and
Bank Insertion Limits.
NH F satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO NH F shall be maintained within the limits of the relationship provided in the COLR.
The NH F limit identifies the coolant flow channel with the maximum enthalpy rise. This channel has the least heat removal capability and thus the highest probability for a DNB.
(continued)
NH F B 3.2.2 Farley Units 1 and 2 B 3.2.2-4 Revision 0 BASES LCO The limiting value of NH F described by the equation contained in the (continued) COLR, is the design radial peaking factor used in the unit safety analyses.
A power multiplication factor in this equation includes an additional
margin for higher radial peaking from reduced thermal feedback and
greater control rod insertion at low power levels. The limiting value of NH F is allowed to increase 0.3% for every 1% RTP reduction in THERMAL POWER.
APPLICABILITY The NH F limits must be maintained in MODE 1 to preclude core power distributions from exceeding the fuel design limits for DNBR and PCT.
Applicability in other modes is not required because there is either
insufficient stored energy in the fuel or insufficient energy being
transferred to the coolant to require a limit on the distribution of core power. Specifically, the design bases events that are sensitive to NH F in other modes (MODES 2 through 5) have significant margin to DNB, and therefore, there is no need to restrict NH F in these modes.
ACTIONS A.1.1 With NH F exceeding its limit, the unit is allowed 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to restore NH F to within its limits. This restoration may, for example, involve realigning any misaligned rods or reducing power enough to bring NH F within its power dependent limit. When the NH F limit is exceeded, the DNBR limit is not likely violated in steady state operation, because
events that could significantly perturb the NH Fvalue (e.g., static control rod misalignment) are considered in the safety analyses.
However, the DNBR limit may be violated if a DNB limiting event
occurs. Thus, the allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> provides an acceptable time to restore NH F to within its limits without allowing the plant to remain in an unacceptable condition for an extended period of time.
(continued)
NH F B 3.2.2 Farley Units 1 and 2 B 3.2.2-5 Revision 0 BASES ACTIONS A.1.1 (continued)
Condition A is modified by a Note that requires that Required
Actions A.2 and A.3 must be completed whenever Condition A is entered. Thus, if power is not reduced because NH F is restored to within the limit within the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time period, Required Action A.2 nevertheless requires another measurement and calculation of NH F within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in accordance with SR 3.2.2.1.
However, if power is reduced below 50% RTP, Required Action A.3 requires that another determination of NH Fmust be done prior to exceeding 50% RTP, prior to exceeding 75% RTP, and within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching or exceeding 95% RTP. In addition, Required
Action A.2 is performed if power ascension is delayed past 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
A.1.2.1 and A.1.2.2 If the value of NH F is not restored to within its specified limit either by adjusting a misaligned rod or by reducing THERMAL POWER, the alternative option is to reduce THERMAL POWER to < 50% RTP in
accordance with Required Action A.1.2.1 and reduce the Power Range Neutron Flux-High to 55% RTP in accordance with Required Action A.1.2.2. Reducing RTP to < 50% RTP increases the
DNB margin and does not likely cause the DNBR limit to be violated in
steady state operation. The reduction in trip setpoints ensures that
continuing operation remains at an acceptable low power level with
adequate DNBR margin. The allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for
Required Action A.1.2.1 is consistent with those allowed for in
Required Action A.1.1 and provides an acceptable time to reach the
required power level from full power operation without allowing the
plant to remain in an unacceptable condition for an extended period of
time. The Completion Times of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for Required Actions A.1.1
and A.1.2.1 are not additive.
The allowed Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to reset the trip setpoints
per Required Action A.1.2.2 recognizes that, once power is reduced, the safety analysis assumptions are satisfied and there is no urgent
need to reduce the trip setpoints. This is a sensitive operation that
may inadvertently trip the Reactor Protection System.
(continued)
NH F B 3.2.2 Farley Units 1 and 2 B 3.2.2-6 Revision 0 BASES ACTIONS A.2 (continued)
Once the power level has been reduced to < 50% RTP per Required
Action A.1.1 or A.1.2.1, an incore flux map (SR 3.2.2.1) must be obtained and the measured value of NH Fverified not to exceed the allowed limit at the lower power level. The unit is provided 20 additional hours to perform this task over and above the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />
allowed by either Action A.1.1 or Action A.1.2.1. The Completion
Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is acceptable because of the increase in the DNB
margin, which is obtained at lower power levels, and the low
probability of having a DNB limiting event within this 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period.
Additionally, operating experience has indicated that this Completion
Time is sufficient to obtain the incore flux map, perform the required calculations, and evaluate NH F A.3 Verification that NH F is within its specified limits after an out of limit occurrence ensures that the cause that led to the NH F exceeding its limit is corrected, and that subsequent operation proceeds within the LCO
limit. This Action demonstrates that the NH F limit is within the LCO limits prior to exceeding 50% RTP, again prior to exceeding 75% RTP, and within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after THERMAL POWER is 95% RTP.
This Required Action is modified by a Note that states that THERMAL
POWER does not have to be reduced prior to performing this Action.
It is only applicable to the extent that THERMAL POWER has been
reduced to comply with Required Actions A.1.1 or A.1.2.1. For
example, if THERMAL POWER was only reduced to 70% RTP, then
SR 3.2.2.1 must be performed prior to exceeding 75% RTP and within
24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after reaching 95% RTP.
B.1 When Required Actions A.1.1 through A.3 cannot be completed within
their required Completion Times, the plant must be placed in a mode in
which the LCO requirements are not applicable. This is done by placing
the plant in at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion
Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience regarding
the time required to reach MODE 2 from full power conditions in an
orderly manner and without challenging plant systems.
AFD B 3.2.3 Farley Units 1 and 2 B 3.2.3-1 Revision 0 B 3.2 POWER DISTRIBUTION LIMITS
B 3.2.3 AXIAL FLUX DIFFERENCE (AFD)
BASES BACKGROUND The purpose of this LCO is to establish limits on the values of the AFD in order to limit the amount of axial power distribution skewing to
either the top or bottom of the core. By limiting the amount of power
distribution skewing, core peaking factors are consistent with the
assumptions used in the safety analyses. Limiting power distribution
skewing over time also minimizes the xenon distribution skewing, which is a significant factor in axial power distribution control.
RAOC is a calculational procedure that defines the allowed operational space of the AFD versus THERMAL POWER. The AFD limits are
selected by considering a range of axial xenon distributions that may
occur as a result of large variations of the AFD. Subsequently, power
peaking factors and power distributions are examined to ensure that the
loss of coolant accident (LOCA), loss of flow accident, and anticipated
transient limits are met. Violation of the AFD limits invalidate the
conclusions of the accident and transient analyses with regard to fuel
cladding integrity.
The AFD is monitored on an automatic basis using the unit process computer, which has an AFD monitor alarm. The computer
determines the 1 minute average of each of the OPERABLE excore
detector outputs and provides an alarm message immediately if the
AFD for two or more OPERABLE excore channels is outside its
specified limits.
Although the RAOC defines limits that must be met to satisfy safety analyses, typically an operating sc heme, Constant Axial Offset Control (CAOC), is used to control axial power distribution in day to
day operation (Ref. 1). CAOC requires that the AFD be controlled
within a narrow tolerance band around a burnup dependent target to
minimize the variation of axial peaking factors and axial xenon
distribution during unit maneuvers.
The CAOC operating space is typically smaller and lies within the
RAOC operating space. Control within the CAOC operating space
constrains the variation of axial xenon distributions and axial power
distributions.
(continued)
AFD B 3.2.3 Farley Units 1 and 2 B 3.2.3-2 Revision 0 BASES BACKGROUND RAOC calculations assume a wide range of xenon distributions and (continued) then confirm that the resulting power distributions satisfy the requirements of the accident analyses.
APPLICABLE The AFD is a measure of the axial power distribution skewing SAFETY ANALYSES to either the top or bottom half of the core. The AFD is
sensitive to many core related parameters such as control bank positions, core power level, axial burnup, axial xenon distribution, and, to a lesser extent, reactor coolant temperature and boron
concentration.
The allowed range of the AFD is used in the nuclear design process to confirm that operation within these limits produces core peaking
factors and axial power distributions that meet safety analysis
requirements.
The RAOC methodology (Ref. 2) establishes a xenon distribution library with tentatively wide AFD lim its. One dimensional axial power
distribution calculations are then performed to demonstrate that
normal operation power shapes are acceptable for the LOCA and loss
of flow accident, and for initial conditions of anticipated transients.
The tentative limits are adjusted as necessary to meet the safety analysis requirements.
The limits on the AFD ensure that the Heat Flux Hot Channel Factor (F Q (Z)) is not exceeded during either normal operation or in the event of xenon redistribution following power changes. The limits on the
AFD also restrict the range of power distributions that are used as
initial conditions in the analyses of Condition 2, 3, or 4 events. This
ensures that the fuel cladding integrity is maintained for these
postulated accidents. Condition 2 accidents simulated to begin from
within the AFD limits are used to confirm the adequacy of the
Overpower T and Overtemperature T trip setpoints.
The limits on the AFD satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The shape of the power profile in the axial (i.e., the vertical) direction is largely under the control of the operator through the manual
operation of the control banks or automatic motion of control banks.
(continued)
AFD B 3.2.3 Farley Units 1 and 2 B 3.2.3-3 Revision 0 BASES LCO The automatic motion of the control banks is in response to (continued) temperature deviations resulting from manual operation of the Chemical and Volume Control System to change boron concentration
or from power level changes.
Signals are available to the operator from the Nuclear Instrumentation System (NIS) excore neutron detectors. Separate signals are taken
from the top and bottom detectors. The AFD is defined as the
difference in normalized flux signals between the top and bottom
excore detectors in each detector well. For convenience, this flux
difference is converted to provide flux difference units expressed as a
percentage and labeled as % flux or %I.
The AFD limits are provided in the COLR. Figure B 3.2.3-1 shows typical RAOC AFD limits. The AFD limits for RAOC do not depend on
the target flux difference. However, the target flux difference may be
used to minimize changes in the axial power distribution.
Violating this LCO on the AFD could produce unacceptable consequences if a Condition 2, 3, or 4 event occurs while the AFD is
outside its specified limits.
APPLICABILITY The AFD requirements are applicable in MODE 1 greater than or equal to 50% RTP when the combination of THERMAL POWER and
core peaking factors are of primary importance in safety analysis.
For AFD limits developed using RAOC methodology, the value of the AFD does not affect the limiting accident consequences with
THERMAL POWER < 50% RTP and for lower operating power
MODES.
ACTIONS A.1
As an alternative to restoring the AFD to within its specified limits, Required Action A.1 requires a THERMAL POWER reduction to
< 50% RTP. This places the core in a condition for which the value of
the AFD is not important in the applicable safety analyses. A
Completion Time of 30 minutes is reasonable, based on operating
experience, to reach 50% RTP without challenging plant systems.
AFD B 3.2.3 Farley Units 1 and 2 B 3.2.3-4 Revision 52 BASES SURVEILLANCE SR 3.2.3.1 REQUIREMENTS
This Surveillance verifies that the AFD, as indicated by the NIS excore channel, is within its specified limits. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. WCAP-8403 (nonproprietary), "Power Distribution Control and Load Following Procedures," Westinghouse Electric Corporation, September 1974.
- 2. R. W. Miller et al., "Relaxation of Constant Axial Offset Control: F Q Surveillance Technical Specification," WCAP-10217-A, Rev. 1 (NP), February 1994.
AFD B 3.2.3 Farley Units 1 and 2 B 3.2.3-5 Revision 0 BASES
Figure B 3.2.3-1 (page 1 of 1) AXIAL FLUX DIFFERENCE Acceptable Operation Limits as a Function of RATED THERMAL POWER QPTR B 3.2.4 Farley Units 1 and 2 B 3.2.4-1 Revision 0 B 3.2 POWER DISTRIBUTION LIMITS
B 3.2.4 QUADRANT POWER TILT RATIO (QPTR)
BASES BACKGROUND The QPTR limit ensures that the gross radial power distribution remains consistent with the design values used in the safety
analyses. Precise radial power distribution measurements are made
during startup testing, after refueling, and periodically during power
operation.
The power density at any point in the core must be limited so that the fuel design criteria are maintained. Together, LCO 3.2.3, "AXIAL FLUX DIFFERENCE (AFD)," LCO 3.2.4, and LCO 3.1.6, "Control Rod
Insertion Limits," provide limits on process variables that characterize
and control the three dimensional power distribution of the reactor
core. Control of these variables ensures that the core operates within
the fuel design criteria and that the power distribution remains within
the bounds used in the safety analyses.
APPLICABLE This LCO precludes core power distributions that violate SAFETY ANALYSES the following fuel design criteria:
- a. During a loss of coolant accident, the peak cladding temperature must not exceed 2200°F (Ref. 1);
- b. During normal operation, operational transients and any transient condition arising from events of moderate frequency, there must
be at least 95% probability at the 95% confidence level (the 95/95
departure from nucleate boiling (DNB) criterion) that the hot fuel
rod in the core does not experience a DNB condition;
- c. During an ejected rod accident, the energy deposition to the fuel will be below 200 cal/gm, thus meeting the NRC acceptance criteria of 280 cal/gm (Ref. 2); and
- d. The control rods must be capable of shutting down the reactor with a minimum required SDM with the highest worth control rod
stuck fully withdrawn (Ref. 3).
(continued)
QPTR B 3.2.4 Farley Units 1 and 2 B 3.2.4-2 Revision 0 BASES APPLICABLE The LCO limits on the AFD, the QPTR, the Heat Flux Hot Channel SAFETY ANALYSES Factor (F Q (Z)), the Nuclear Enthalpy Rise Hot Channel Factor (NH F), (continued) and control bank insertion are established to preclude core power distributions that exceed the safety analyses limits.
The QPTR limits ensure that NH F and F Q (Z) remain below their limiting values by preventing an undetected change in the gross radial power distribution.
In MODE 1, the NH F and F Q (Z) limits must be maintained to preclude core power distributions from exceeding design limits assumed in the safety analyses.
The QPTR satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The QPTR limit of 1.02, at which corrective action is required, provides a margin of protection for both the DNB ratio and linear heat
generation rate contributing to excessive power peaks resulting from X-Y plane power tilts. The value of 1.02 was selected because the
purpose of the LCO is to limit, or require detection of, gross changes
in core power distribution between monthly incore flux maps. In
addition, it is the lowest value of quadrant power tilt that can be used
for an alarm without spurious actuation.
APPLICABILITY The QPTR limit must be maintained in MODE 1 with THERMAL POWER 50% RTP to prevent core power distributions from exceeding the design limits.
Applicability in MODE 1 < 50% RTP and in other MODES is not
required because there is either insufficient stored energy in the fuel
or insufficient energy being transferred to the reactor coolant to
require the implementation of a QPTR limit on the distribution of core
power. The QPTR limit in these conditions is, therefore, not important. Note that the NH F and F Q (Z) LCOs still apply, but allow progressively higher peaking factors at 50% RTP or lower.
QPTR B 3.2.4 Farley Units 1 and 2 B 3.2.4-4 Revision 0 BASES ACTIONS A.3 (continued)
change, and the time required to stabilize the plant and perform a flux
map. If these peaking factors are not within their limits, the Required
Actions of these Surveillances provide an appropriate response for
the abnormal condition. If the QPTR remains above its specified limit, the peaking factor surveillances are required each 7 days thereafter to evaluate NH F and F Q (Z) with changes in power distribution. Relatively small changes are expected due to either burnup and xenon redistribution or correction of the cause for exceeding the QPTR limit.
A.4 Although NH F and F Q (Z) are of primary importance in ensuring that the power distribution remains consistent with the initial conditions used in the safety analyses, other changes in the power distribution may occur
as the QPTR limit is exceeded and may have an impact on the validity
of the safety analysis. A change in the power distribution can affect
such reactor parameters as bank worths and peaking factors for rod
malfunction accidents. When the QPTR exceeds its limit, it does not
necessarily mean a safety concern ex ists. It does mean that there is an indication of a change in the gross radial power distribution that
requires an investigation and evaluation that is accomplished by
examining the incore power distribution. Specifically, the core peaking
factors and the quadrant tilt must be evaluated because they are the
factors that best characterize the core power distribution. This
re-evaluation is required to ensure that, before increasing THERMAL
POWER to above the limit of Required Action A.1, the reactor core
conditions are consistent with the assumptions in the safety analyses
and will remain so after the return to RTP.
A.5 If the QPTR remains above the 1.02 limit and a re-evaluation of the
safety analysis is completed and shows that safety requirements are
met, the excore detectors are normalized to restore QPTR to within
limits prior to increasing THERMAL POWER to above the limit of
Required Action A.1. Normalization is accomplished by measuring
currents for each detector during flux mapping and using this
information to normalize the output from each detector (either through
(continued)
QPTR B 3.2.4 (continued)
Farley Units 1 and 2 B 3.2.4-6 Revision 66 BASES ACTIONS A.6 (continued)
surveillances performed at operating power levels, which can only be accomplished after the excore detectors are normalized to restore
QPTR to within limits and the core returned to power.
B.1 If Required Actions A.1 through A.6 are not completed within their associated Completion Times, the unit must be brought to a MODE or
condition in which the requirements do not apply. To achieve this
status, THERMAL POWER must be reduced to < 50% RTP within
4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is reasonable, based on operating experience regarding the amount of time required
to reach the reduced power level without challenging plant systems.
SURVEILLANCE SR 3.2.4.1 REQUIREMENTS
SR 3.2.4.1 is modified by two Notes. Note 1 allows QPTR to be calculated with three power range channels if THERMAL POWER is 75% RTP and the input from one Power Range Neutron Flux channel is inoperable. Note 2 allows performance of SR 3.2.4.2 in
lieu of SR 3.2.4.1.
This Surveillance verifies that the QPTR, as indicated by the Nuclear Instrumentation System (NIS) excore channels, is within its limits.
The Surveillance Frequency is controlled under the Surveillance
Frequency Control Program.For those causes of QPT that occur quickly (e.g., a dropped rod), there typically are other indications of
abnormality that prompt a verification of core power tilt.
This Surveillance is modified by a Note, which states that the surveillance is only required to be performed if input to QPTR from one or more Power Range Neutron Flux channels is inoperable with THERMAL POWER 75% RTP.
QPTR B 3.2.4
Farley Units 1 and 2 B 3.2.4-7 Revision 52 BASES SURVEILLANCE SR 3.2.4.2 (continued)
REQUIREMENTS
With an NIS power range channel inoperable, tilt monitoring for a portion of the reactor core becomes degraded. Large tilts are likely
detected with the remaining channels, but the capability for detection
of small power tilts in some quadrants is decreased. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
For purposes of monitoring the QPTR when one power range channel is inoperable, the moveable incore detectors are used to confirm that
the normalized symmetric power distribution is consistent with the
indicated QPTR and any previous data indicating a tilt. The incore
detector monitoring is performed with a full incore flux map or two sets
of four thimble locations with quarter core symmetry. The two sets of
four symmetric thimbles is a set of eight unique detector locations.
These locations are C-8, E-5, E-11, H-3, H-13, L-5, L-11, and N-8.
The power flux map can be used to generate power "tilt." This can be compared to a reference power tilt, from the most recent calibration
flux map. Therefore, incore monitoring of QPTR can be used to
confirm the accuracy of the QPTR as indicated by the excore
detectors and that QPTR is within limits.
REFERENCES 1. 10 CFR 50.46, 1988.
- 2. FSAR, Section 15.4.6.
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-25 Revision 42 BASES APPLICABLE 13. Underfrequency Reactor Coolant Pumps SAFETY ANALYSES, LCO, and The Underfrequency RCPs reactor trip Function ensures that APPLICABILITY protection is provided against violating the DNBR limit due to a (continued) loss of flow in two or more RCS loops from a major network frequency disturbance. An underfrequency condition will slow down the pumps, thereby reducing their coastdown time following
a pump trip. The proper coastdown time is required so that reactor heat can be removed immediately after reactor trip. The frequency of each RCP bus is monitored. Two UF sensors (relays) are associated with each bus (one for each logic train).
Each RCP bus is assigned to a protection channel. The actuation logic is two-out-of-three channels (i.e., buses) with an underfrequency condition. The RCP UF reactor trip logic is interlocked by permissive P-7. Above the P-7 setpoint, a loss of frequency detected on two or more RCP buses will initiate a reactor trip and open the RCP breaker to preclude any reduction in the coast down of the RCPs. This trip Function will generate a reactor trip before the Reactor Coolant Flow - Low (Two Loops)
Trip Setpoint is reached. This is an anticipatory trip for reactor core protection against violating the DNB design basis. The primary trip is provided by the loss of flow trip. No credit was taken in the accident analyses for the function of this trip.
However, the functional capability of this trip enhances the overall reliability of the reactor protection system. A minimum time delay is incorporated into each Underfrequency RCP channel to prevent reactor trips due to momentary electrical power transients (e.g., fault clearing and fast bus transfer). This time delay is also set so that the time required for a signal to reach the reactor trip breakers after the underfrequency trip setpoint is reached shall not exceed the maximum allotted for protection system equipment (Ref. 18).
The LCO requires three Underfrequency channels to be OPERABLE.
In MODE 1 above the P-7 setpoint, the Underfrequency RCPs trip must be OPERABLE. Below the P-7 setpoint, all reactor trips on loss of flow are automatically blocked since no conceivable power distributions could occur that would challenge the DNB design basis at this low power level. Above the P-7 setpoint, the reactor trip on loss of flow in two or more RCS loops is automatically enabled. This function also trips the RCP Breakers open to prevent excessive RCP speed reduction. This feature is not interlocked with P-7, and it is not credited in the safety analysis.
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-27 Revision 0 BASES APPLICABLE
- 15. Turbine Trip SAFETY ANALYSES, LCO, and a. Turbine Trip
- Low Auto Stop Oil Pressure APPLICABILITY (continued) The Turbine Trip
- Low Auto Stop Oil Pressure trip Function anticipates the loss of heat removal capabilities of the secondary system following a turbine trip. This trip Function acts to minimize the pressure/temperature transient on the reactor and the Reactor Coolant Syst em Pressure Boundary components. Any turbine trip from a power level below the
P-9 setpoint, approximately 50% power, will not actuate a reactor trip. Three pressure switches monitor the turbine control oil system pressure. A low pressure condition sens ed by two-out-of-three pressure switches will actuate a reactor trip. These pressure switches do not provide any input to the
control system. The unit is designed to withstand a complete
loss of load and not sustain core damage or challenge the RCS press ure limitations. Core protection and RCS integrity are provided by the Pressurizer Pressure
- High and Overtemperature D T trip Functions and by the pressurizer
safety valves.
The LCO requires three channels of Turbine Trip
- Low Auto Stop Oil Pressure to be OPERABLE in MODE 1 above P-9. The channels are combined in a 2
-out-of-3 trip Logic.
Below the P
-9 setpoint, a turbine trip does not actuate a reactor trip. In MODE 2, 3, 4, 5, or 6, there is no potential for a turbine trip, and the Turbine Tri p - Low Auto Stop Oil Pressure trip Function does not need to be OPERABLE.
- b. Turbine Trip
- Turbine Throttle Valve Closure
The Turbine Trip
- Turbine Throttle Valve Closure trip Function anticipates the loss of heat removal capabilities of the
seco ndary system following a turbine trip from a power level above the P
-9 setpoint, approximately 50% power. Below the P-9 setpoint this action will not actuate a reactor trip. The trip
Function anticipates the loss of secondary heat removal capability that occurs when the throttle valves close. Tripping the reactor in anticipation of loss of secondary heat removal
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-28 Revision 0 BASES APPLICABLE
- b. Turbine Trip
- Turbine Throttle Valve Closure (continued)
SAFETY ANALYSES, LCO, and acts to minim ize the pressure and temperature transient on APPLICABILITY the reactor and the Reactor Coolant System Pressure Boundary components. This trip Function will not and is not required to operate in the presence of a single channel failure.
The unit is de signed to withstand a complete loss of load and not sustain core damage or challenge the RCS pressure
limitations. Core protection and RCS integrity are provided by the Pressurizer Pressure
- High and Overtemperature D T trip Functions, and by the pressurizer safety valves. This trip Function is diverse to the Turbine Trip
- Low Auto Stop Oil Pressure trip Function. Each turbine throttle valve is equipped
with one limit switch that inputs to the RTS logic trains. If all four limit switches indicate that the throttle valves are all
closed, a reactor trip is initiated.
There is no safety analysis limit and there is no LSSS for this
Function. The calibration requirement is to set the limit switch to assure channel trip occurs when the associated throttle valve is completely closed.
The LCO requires four Turbine Trip
- Turbine Throttle Valve Closure channels, one per valve, to be OPERABLE in MODE 1 above P-9. All four channels must trip to cause reactor trip.
Below the P
-9 setpoint, a load rejection can be accommodated by the Steam Dump System in conjunction with the Auto Rod Control System. In MODE 2, 3, 4, 5, or 6, there is no potential for a load rejection, and the Turbine Trip
- Throttle Valve Closure trip Function does not need to be OPERABLE.
- 16. Safety Injection Input from Engineered Safety Feature Actuation System The SI Input from ESFAS ensures that if a reactor trip has not already been generated by the RTS, the ESFAS automatic actuation lo gic will initiate a reactor trip upon any signal that initiates SI. This is a condition of acceptability for the LOCA.
However, other transients and accidents take credit for varying levels of ESF performance and rely upon rod insertion, except for
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-29 Revision 0 BASES APPLICABLE
- 16. Safety Injection Input from Engineered Safety Feature SAFETY ANALYSES, Actuation System (continued)
LCO, and APPLICABILITY the most reactive rod that is assumed to be fully withdrawn, to ensure reactor shutdown. Theref ore, a reactor trip is initiated every time an SI signal is present.
Trip Setpoint and Allowable Values are not applicable to this Function. The SI Input is provided by relay in the ESFAS.
Therefore, there is no measurement signal with which to associa te an LSSS.
The LCO requires two trains of SI Input from ESFAS to be
OPERABLE in MODE 1 or 2.
A reactor trip is initiated every time an SI signal is present.
Therefore, this trip Function must be OPERABLE in MODE 1 or 2 to shut down the reactor in the event of an accident. In MODE 3, 4, 5, or 6, the reactor is not critical, and this trip Function does not need to be OPERABLE.
- 17. Reactor Trip System Interlocks Reactor protection interlocks are provided to ensure reactor trips are in the correct c onfiguration for the current unit status. They back up operator actions to ensure protection system Functions are not bypassed during unit conditions under which the safety
analysis assumes the Functions are not bypassed. Therefore, the interlock Functio ns do not need to be OPERABLE when the associated reactor trip functions are outside the applicable
MODES. These are:
- a. Intermediate Range Neutron Flux, P
-6 The Intermediate Range Neutron Flux, P
-6 interlock is actuated when any NIS intermediate ra nge channel goes approximately one decade above the minimum channel reading. If both channels drop below the setpoint, the permissive will automatically be defeated. The LCO requirement for the P
-6 interlock ensures that the following Functions are perfo rmed:
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-30 Revision 0 BASES APPLICABLE
- a. Intermediate Range Neutron Flux, P
-6 (continued)
SAFETY ANALYSES, LCO, and
- on increasing power, the P
-6 interlock allows the APPLICABILITY manual block of the NIS Source Range, Neutron Flux reactor trip. This prevents a premature block of the source range trip and allows the operator to ensure that the intermediate range is OPERABLE prior to leaving the source
range. When the source range trip is blocked, the high voltage
to the detectors is also r emoved; and
- on decreasing power, the P
-6 interlock automatically energizes the NIS source range detectors and enables the NIS Source Range Neutron Flux reactor trip.
The LCO requires two channels of Intermediate Range Neutron Flux, P
-6 interlock to be OPERABLE in MODE 2 when below the P
-6 interlock setpoint to ensure the Source Range Reactor Trip logic is enabled.
Above the P
-6 interlock setpoint, this Function is not required for safety. In MODE 3, 4, 5, or 6, the P-6 interlock does not have to be OPERABLE because the NIS Source Range is providing core
protection.
- b. Low Power Reactor Trips Block, P
-7 The Low Power Reactor Trips Block, P
-7 interlock is actuated by input from either the Power Range Neutron Flux, P
-10, or the Turbine I mpulse Pressure, P
-13 interlock. The LCO requirement for the P-7 interlock ensures that the following Functions are performed:
(1) on increasing power, the P
-7 interlock automatically enables reactor trips on the following Functions:
- Pressuriz er Pressure
- Low;
- Pressurizer Water Level
- High;
- Reactor Coolant Flow
- Low (Two Loops);
(continued)
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-31 Revision 53 BASES APPLICABLE b. Low Power Reactor Trips Block, P-7 (continued) SAFETY ANALYSES, LCO, and APPLICABILITY Undervoltage RCPs; and Underfrequency RCPs.
These reactor trips are only required when operating above the P-7 setpoint (approximately 10% power). The reactor trips provide protection against violating the DNBR limit. Below the P-7 setpoint, the RCS is capable of providing sufficient natural circulation without any RCP running.
(2) on decreasing power, the P-7 interlock automatically blocks reactor trips on the following Functions:
Pressurizer Pressure - Low; Pressurizer Water Level - High;
Reactor Coolant Flow - Low (Two Loops);
Undervoltage RCPs; and Underfrequency RCPs.
Trip Setpoint and Allowable Value are not applicable to the P-7 interlock because it is a logic Function and thus has no parameter with which to associate an LSSS.
The P-7 interlock is a logic Function with train and not channel identity. Therefore, the LCO requires one channel per train of Low Power Reactor Trips Block, P-7 interlock to be OPERABLE in MODE 1.
Since the P-7 interlock has no channels, no CHANNEL CALIBRATION or CHANNEL OPERABILITY TEST is needed.
The logic is tested by SR 3.3.1.5 under Function 20, Automatic Trip Logic.
The low power trips are blocked below the P-7 setpoint and unblocked above the P-7 setpoint. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the interlock performs its Function when power level drops below 10% power, which is in MODE 1.
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-32 Revision 53 BASES APPLICABLE c. Power Range Neutron Flux, P-8 SAFETY ANALYSES, LCO, and The Power Range Neutron Flux, P-8 interlock is actuated at APPLICABILITY approximately 30% power as determined by two-out-of-four (continued) NIS power range detectors. The P-8 interlock automatically
enables the Reactor Coolant Flow - Low (Single Loop) reactor trip on one or more RCS loops on increasing power. The LCO requirement for this trip Function ensures that protection is provided against a loss of flow in any RCS loop that could challenge the DNB design basis when greater than approximately 30% power. On decreasing power, the reactor
trip on low flow in any loop is automatically blocked.
The LCO requires four channels of Power Range Neutron Flux, P-8 interlock to be OPERABLE in MODE 1.
In MODE 1, a loss of flow in one RCS loop could result in DNB conditions, so the Power Range Neutron Flux, P-8 interlock must be OPERABLE. In MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the core is not producing sufficient power to challenge the DNB design basis.
- d. Power Range Neutron Flux, P-9 The Power Range Neutron Flux, P-9 interlock is actuated at approximately 50% power as determined by two-out-of-four NIS power range detectors. The LCO requirement for this Function ensures that the Turbine Trip - Low Auto Stop Oil Pressure and Turbine Trip - Turbine Throttle Valve Closure reactor trips are enabled above the P-9 setpoint. Above the P-9 setpoint, a turbine trip will cause a load rejection beyond the capacity of the Steam Dump System in conjunction with the Auto Rod Control System. A reactor trip is automatically initiated on a turbine trip when it is above the P-9 setpoint, to minimize the transient on the reactor and the Reactor Coolant System Pressure Boundary components.
The LCO requires four channels of Power Range Neutron Flux, P-9 interlock to be OPERABLE in MODE 1.
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-33 Revision 0 BASES APPLICABLE
- d. Power Range Neutron Flux, P-9 (continued)
SAFETY ANALYSES, LCO, and In MODE 1, a turbine trip could cause a load rejection APPLICABILITY beyond the capacity of the Steam Dump System in conjunction with the auto rod control system, so the Power
Range Neutron Flux in terlock must be OPERABLE. In
MODE 2, 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at a power level
sufficient to have a load rejection beyond the capacity of the
Steam Dump System in conjunction with the auto rod co ntrol system.
- e. Power Range Neutron Flux, P
-10 The Power Range Neutron Flux, P
-10 interlock is actuated at approximately 10% power, as determined by two
-out-of-four NIS power range detectors. If power level falls below
10% RTP on 3 of 4 channels, the nuclear instrument trips will be automatically unblocked. The LCO requirement for the P-10 interlock ensures that the following Functions are
performed:
- on increasing power, the P
-10 interlock allows the operator to manually block the Intermedia te Range Neutron Flux reactor trip. Note that blocking the reactor trip also blocks
the signal to prevent automatic and manual rod withdrawal;
- on increasing power, the P
-10 interlock allows the operator to manually block the Power Range Neutron Flux
- Low reactor trip;
- on increasing power, the P
-10 interlock automatically provides a backup signal to block the Source Range Neutron Flux reactor trip, and also to de
-energize the NIS source range detectors;
- the P-10 interlock provides one of the two inputs to the P
-7 interlock; and
- on decreasing power, the P
-10 interlock automatically enables the Power Range Neutron Flux
- Low reactor trip and the Intermediate Range Neutron Flux reactor trip (and rod stop).
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-34 Revision 0 BASES APPLIC ABLE e. Power Range Neutron Flux, P
-10 (continued)
SAFETY ANALYSES, LCO, and The LCO requires four channels of Power Range Neutron APPLICABILITY Flux, P-10 interlock to be OPERABLE in MODE 1 or 2.
OPERABILITY in MODE 1 ensures the Function is a vailable to perform its decreasing power Functions in the event of a reactor shutdown. This Function must be OPERABLE in MODE 2 to ensure that core protection is provided during a startup or shutdown by the Power Range Neutron Flux
- Low and Intermediate Range Neutron Flux reactor trips. In MODE 3, 4, 5, or 6, this Function does not have to be OPERABLE because the reactor is not at power and the Source Range Neutron Flux reactor trip provides core protection.
- f. Turbine Impulse Pressure, P
-13 The Turbin e Impulse Pressure, P
-13 interlock is actuated when the pressure in the first stage of the high pressure
turbine is greater than approximately 10% of the rated full load pressure. The Trip Setpoint and Allowable Value for this function in Table 3.3.1
-1 a re specified in percent Turbine
power which is based on the impluse pressure equivalent.
This is determined by one
-out-of-two pressure detectors.
The LCO requirement for this Function ensures that one of the inputs to the P
-7 interlock is available
.
The LCO requires two channels of Turbine Impulse Pressure, P-13 interlock to be OPERABLE in MODE
- 1.
The Turbine Impulse Chamber Pressure, P
-13 interlock must be OPERABLE when the turbine generator is operating. The interlock Function is not requ ired OPERABLE in MODE 2, 3, 4, 5, or 6 because the reactor trips enabled by P
-7 are not required. (continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-35 Revision 0 BASES APPLICABLE
- 18. Reactor Trip Breakers SAFETY ANALYSES, LCO and This trip Function applies to the RTBs exclusive of individual tri p APPLICABILITY mechanisms. The LCO requires two OPERABLE trains of trip (continued) breakers. A trip breaker train consists of all trip breakers
associated with a single RTS logic train that are racked in, closed, and capable of supplying power to the CRD System. Two OPERABLE trains ensure no single random failure can disable the
RTS trip capability.
These trip Functions must be OPERABLE in MODE 1 or 2. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated by pass breakers are closed, and the CRD System is capable of rod withdrawal.
- 19. Reactor Trip Breaker Undervoltage and Shunt Trip Mechanisms The LCO requires both the Undervoltage and Shunt Trip Mechanisms to be OPERABLE for each RTB that is in service.
The trip mechanisms are not required to be OPERABLE for trip
breakers that are open, racked out, incapable of supplying power to the CRD System, or declared inoperable under Function 18 above. OPERABILITY of both trip mechanisms on each breaker ensures that no single trip mechanism failure will prevent opening any breaker on a valid signal.
These trip Functions must be OPERABLE in MODE 1 or 2. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers ar e closed, and the CRD System is capable of rod withdrawal.
- 20. Automatic Trip Logic The LCO requirement for the RTBs (Functions 18 and 19) and Automatic Trip Logic (Function
- 20) ensures that means are provided to interrupt the power to allow the rods to fall into the reactor core. Each RTB is equipped with an undervoltage coil and
a shunt trip coil to trip the breaker open when needed. Each RTB is equipped with a bypass breaker to allow testing of the trip breaker while the unit is at power. The rea ctor trip signals generated by the RTS Automatic Trip Logic cause the RTBs and associated bypass breakers to open and shut down the reactor.
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-36 Revision 0 BASES APPLICABLE
- 20. Automatic Trip Logic (continued)
SAFETY ANALYSES, LCO, and The LCO requir es two trains of RTS Automatic Trip Logic to be APPLICABILITY OPERABLE. Having two OPERABLE trains ensures that random failure of a single logic train will not prevent reactor trip.
These trip Functions must be OPERABLE in MODE 1 or 2. In MODE 3, 4, or 5, these RTS trip Functions must be OPERABLE when the RTBs or associated bypass breakers are closed, and
the CRD System is capable of rod withdrawal.
The RTS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
ACTIONS A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed in Table 3.3.1-1. In the event a channel's Trip Setpoint is found nonconservative with
respect to the Allowable Value, or the transmitter, instrument loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared
inoperable and the LCO Condition(s) entered for the p rotection Function(s) affected.
When the number of inoperable channels in a trip Function exceed
those specified in one or other related Conditions associated with a trip Function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 must be immediately entered if applicable in the current MODE of operation.
A.1 Condition A applies to all RTS protection Functions. Condition A addresses the situation where one or more required channels for one or more Functions are inoperable at the sam e time. The Required Action is to refer to Table 3.3.1-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the
referenced Conditions and Required Actions.
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-37 Revision 0 BASES ACTIONS B.1, and B.2 (continued)
Condition B applies to the Manual Reactor Trip in MODE 1 or 2. This action addresses the train orientation of the SSPS for this Function.
With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. In this Condition, the remaining OPERABLE channel is adequate to perform the safety function.
The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is reasonable considering that there are two automatic actuation trains and another manual initiation channel
OPERABLE, and the low probability of an event occurring during this interval. If the Manual Reactor Trip Function cannot be restored to OPERABLE status within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be brought to a MODE in which Condition B is no longe r applicable. To achieve this status, the unit must be brought to at least MODE 3 within 6 additional hours (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The 6 additional hours is reasonable, based on operating experience, to reach MODE 3 from full power operation in an orderl y manner and without challenging unit
systems. With the unit in MODE 3, Condition C applies to this trip Function.
C.1 and C.2
Condition C applies to the following reactor trip Functions in MODE 3, 4, or 5 with the RTBs closed and the CRD System capab le of rod withdrawal:
- Manual Reactor Trip;
- RTBs;
- RTB Undervoltage and Shunt Trip Mechanisms; and
- Automatic Trip Logic.
This action addresses the train orientation of the SSPS for these Functions. With one channel or train inoperable, th e inoperable channel or train must be restored to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. If the affected Function(s) cannot be restored to OPERABLE status
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-38 Revision 66 BASES ACTIONS C.1 and C.2 (continued)
within the allowed 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time, the unit must be placed in a MODE in which the requirement does not apply. To achieve this status, the RTBs must be opened within the next hour. The additional hour provides sufficient time to accomplish the action in an orderly manner. With the RTBs open, these Functions are no longer required.
The Completion Time is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function, and given the low probability of an event occurring during this
interval.
D.1 and D.2
Condition D applies to the Power Range Neutron Flux - High and Power Range Neutron Flux - High Positive Rate Functions.
The NIS has a two-out-of-four trip logic. A known inoperable channel must be placed in the tripped condition. This results in a partial trip condition requiring only one-out-of-three logic for actuation. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in WCAP-14333-P-A (Ref. 11).
The Required Actions have been modified by two Notes. Note 1 allows a channel to be placed in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing. With one channel inoperable, the Note also allows routine surveillance testing of another channel with a channel in bypass. The Note also allows placing a channel in the bypass condition to allow setpoint adjustments when required to reduce the Power Range Neutron Flux-High setpoint in accordance with other Technical Specifications. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 11.
Note 2 refers the user to LCO 3.2.4 for additional requirements that may apply for an inoperable power range channel.
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-39 Revision 66 BASES ACTIONS D.1 and D.2 (continued)
As an alternative to the above Action, the plant must be placed in a MODE where this Function is no longer required OPERABLE. Seventy-eight (78) hours are allowed to place the plant in MODE 3. The 78 hour9.027778e-4 days <br />0.0217 hours <br />1.289683e-4 weeks <br />2.9679e-5 months <br /> Completion Time includes an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for the MODE reduction beyond the Completion Time for Required Action D.1. This is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. E.1 and E.2 Condition E applies to the following reactor trip Functions:
Power Range Neutron Flux - Low;
Overtemperature T; Overpower T; Pressurizer Pressure - High; and SG Water Level - Low Low
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-40 Revision 46 BASES ACTIONS E.1 and E.2 (continued)
A known inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Placing the channel in the tripped condition results in a partial trip condition requiring only one-out-of-two logic for actuation of the two-out-of-three trips and one-out-of-three logic for actuation of the two-out-of-four trips. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 11.
If the inoperable channel cannot be placed in the trip condition within the specified Completion Time, the unit must be placed in a MODE where these Functions are not required OPERABLE. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to place the unit in MODE 3. Six hours is a reasonable time, based on operating experience, to place the unit in MODE 3 from full power in an orderly manner and without challenging unit systems.
The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 11.
F.1 and F.2
Condition F applies to the Intermediate Range Neutron Flux trip when THERMAL POWER is above the P-6 setpoint and below the P-10 setpoint and one channel is inoperable. Above the P-6 setpoint and below the P-10 setpoint, the NIS intermediate range detector performs the monitoring Functions. If THERMAL POWER is greater than the P-6 setpoint but less than the P-10 setpoint, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed to reduce THERMAL POWER below the P-6 setpoint or increase to THERMAL POWER above the P-10 setpoint. The NIS Intermediate Range Neutron Flux channels must be OPERABLE when the power level is above the capability of the source range, P-6, and below the capability of the power range, P-10. If THERMAL POWER is greater than the P-10 setpoint, the NIS power range detectors perform the monitoring and protection functions and the intermediate range is not required. The Completion Times allow for a slow and controlled power adjustment above P-10 or below P-6 and take into account the redundant capability afforded by the redundant OPERABLE channel, and the low probability of its failure during this period. This action does not require the inoperable channel to be tripped because the Function uses one-out-of-two logic. Tripping one channel would trip the reactor. Thus, the Required Actions specified in this Condition are only applicable when channel failure does not result in reactor trip.
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-41 Revision 0 BASES ACTIONS G.1 and G.2 (continued)
Condition G applies to two inoperable Intermediate Range Neutron Flux trip channels when THERMAL POWER is above the P
-6 setpoint and below the P
-10 setpoint. Required Actions specified in this Condition are only applicable when channel failures do not result in reactor trip.
Above the P
-6 setpoint and below the P
-10 setpoint, the NIS intermediate r ange detector performs the monitoring Functions. With no intermediate range channels OPERABLE, the Required Actions are to
suspend operations involving positive reactivity additions immediately.
However, this does not preclude actions to maintain or incr ease RCS inventory or place the unit in a safe conservative condition provided the required SDM is maintained. The suspension of positive reactivity
additions will preclude any power level increase since there are no OPERABLE Intermediate Range Neutron Fl ux channels. The operator must also reduce THERMAL POWER below the P
-6 setpoint within two hours. Below P
-6, the Source Range Neutron Flux channels will be
able to monitor the core power level. The Completion Time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> will allow a slow and contro lled power reduction to less than the P
-6 setpoint and takes into account the low probability of occurrence of an event during this period that may require the protection afforded by the NIS Intermediate Range Neutron Flux trip.
H.1 Condition H appli es to the Intermediate Range Neutron Flux trip when THERMAL POWER is below the P
-6 setpoint and one or two channels
are inoperable. Below the P
-6 setpoint, the NIS source range performs a monitoring and protection function redundant to the credited Power
Range Low Trip Function. The inoperable NIS intermediate range
channel(s) must be returned to OPERABLE status prior to increasing power above the P
-6 setpoint. The NIS intermediate range channels must be OPERABLE when the power level is above the capabil ity of the source range, P
-6, and below the capability of the power range, P
-10.
I.1 Condition I applies to one inoperable Source Range Neutron Flux trip channel when in MODE 2, below the P
-6 setpoint, and performing a reactor startup. With the unit i n this Condition, below P
-6, the NIS
source range performs a monitoring and protection function redundant to the credited Power Range Low Trip Function. With one of the two channels inoperable, operations involving positive reactivity additions shall be suspended immediately. This will preclude any power
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-42 Revision 46 BASES ACTIONS I.1 (continued)
escalation. With only one source range channel OPERABLE, core protection is severely reduced and any actions that add positive reactivity to the core must be suspended immediately. However, this does not preclude actions to maintain or increase RCS inventory or place the unit in a safe conservative condition provided the required SDM is maintained.
J.1 Condition J applies to two inoperable Source Range Neutron Flux trip channels when in MODE 2, below the P-6 setpoint, and performing a reactor startup, or in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs a monitoring and protection function redundant to the credited Power Range Low Trip Function.
With both source range channels inoperable, the RTBs must be opened immediately. With the RTBs open, the core is in a more stable condition and the unit enters Condition L.
K.1 and K.2
Condition K applies to one inoperable source range channel in MODE 3, 4, or 5 with the RTBs closed and the CRD System capable of rod withdrawal. With the unit in this Condition, below P-6, the NIS source range performs a monitoring and protection function redundant to the credited Power Range Low Trip Function. With one of the source range channels inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to restore it to an OPERABLE status. If the channel cannot be returned to an OPERABLE status, 1 additional hour is allowed to open the RTBs. Once the RTBs are open, the core is in a more stable condition and the unit enters Condition L. The allowance of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> to restore the channel to OPERABLE status, and the additional hour to open the RTBs, are justified in Reference 12.
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-43 Revision 0 BASES ACTIONS L.1, L.2, and L.3 (continued)
Condition L applies when the required number of OPERABLE Source Range Neutron Flux channels is not met in MODE 3, 4, or 5 with the RTBs open. With the unit in this Condition, the NIS source range performs a monitoring function. With less than the required number of source range channels OPERABLE, operations involving positive reactivity additions shall be suspended immediately. This will preclude any power escalation. However, this does not preclude actions to maintain or increase RCS inventory or place the unit in a safe conservative condition provided the required SDM is maintained. In addition to suspension of positive reactivity additions, all valves that could add unborated water to the RCS must be closed within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
The isolation of unborated water sources will preclude a boron dilution accident.
Also, the SDM must be verified within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter as per SR 3.1.1.1, SDM verification. With no source range channels OPERABLE, core protection is severely reduced. Verifying the SDM within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allows sufficient time to perform the calculations and determine that the SDM requirements are met. The SDM must also be verified once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter to ensure that the core reactivity has not changed. Required Action L.1 precludes any positive reactivity additions; therefore, core reactivity should not be increasing, and a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is adequate. The Completion Times of within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and once per 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> are based on operating experience in performing the Required Actions and the knowledge that unit conditions will change slowly.
M.1 and M.2 Condition M applies to the following reactor trip Functions:
Pressurizer Pressure - Low; Pressurizer Water Level - High; Reactor Coolant Flow - Low (Single Loop);
Reactor Coolant Flow - Low (Two Loop);
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-44 Revision 51 BASES ACTIONS M.1 and M.2 (continued)
Undervoltage RCPs; and
Underfrequency RCPs.
With one channel inoperable, the inoperable channel must be placed in the tripped condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. For RCP UV and RCP UF, both sensors associated with a given channel must be tripped (or, if applicable, bypassed) to satisfy the requirements of action M.1. Placing the channel in the tripped condition results in a partial trip condition requiring only one additional channel to initiate a reactor trip above the P-7 setpoint (above P-8 for Reactor Coolant Flow - Low (Single Loop)). These Functions do not have to be OPERABLE below the P-7 setpoint because the trip protection provided is no longer required. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the channel in the tripped condition is justified in Reference 11. An additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is allowed to reduce THERMAL POWER to below P-7 if the inoperable channel cannot be restored to OPERABLE status or placed in trip within the specified Completion Time. The Reactor Coolant Flow - Low (Single Loop) reactor trip Function does not have to be OPERABLE below the P-8 setpoint; however, the Required Action must take the plant below the P-7 setpoint if an inoperable channel is not tripped within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> due to shared components between this Function and the Reactor Coolant Flow - Low (Two Loops) trip function.
Allowance of this time interval takes into consideration the redundant capability provided by the remaining redundant OPERABLE channel, and the low probability of occurrence of an event during this period that may require the protection afforded by the Functions associated with
Condition M.
The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 11.
(Unit 2 only) N.1 and N.2 Condition N applies to the RCP Breaker Position (Single Loop) reactor trip Function. There is one breaker position channel per RCP breaker. Each channel contains one Train A and one Train B auxiliary contact.
With one channel inoperable, the inoperable channel must be restored to OPERABLE status within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. If the channel cannot be restored to OPERABLE status within the 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, then THERMAL POWER must (continued)
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-45 Revision 53 BASES ACTIONS N.1 and N.2 (continued)
Not used.
O.1 and O.2 Not used.
P.1 and P.2
Condition P applies to Turbine Trip on Low Auto Stop Oil Pressure. With one channel inoperable, the inoperable channel must be placed in
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-46 Revision 46 BASES ACTIONS P.1 and P.2 (continued)
the trip condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If placed in the tripped condition, this results in a partial trip condition requiring only one additional channel to initiate a reactor trip. If the channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place the inoperable channel in the tripped condition is justified in Reference 11. The additional 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for reducing power is reasonable based on operating experience.
The Required Actions have been modified by a Note that allows placing the inoperable channel in the bypassed condition for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> while performing routine surveillance testing of the other channels. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time limit is justified in Reference 11.
Q.1 and Q.2
Condition Q applies to the Turbine Trip on Throttle Valve Closure Function. With one, two, or three channels inoperable, each inoperable channel must be placed in the trip condition within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Since all the valves must be tripped in order for the reactor trip signal to be generated, it is acceptable to place more than one Turbine Throttle Valve Closure channel in the tripped condition. If a channel cannot be restored to OPERABLE status or placed in the trip condition, then power must be reduced below the P-9 setpoint within the next 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> allowed to place each inoperable channel in the tripped condition is justified in Reference 11. The additional 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for reducing power is reasonable based on operating experience.
R.1 and R.2
Condition R applies to the SI Input from ESFAS reactor trip and the RTS Automatic Trip Logic in MODES 1 and 2. These actions address the train orientation of the RTS for these Functions. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> are allowed to restore the train to OPERABLE status (Required Action R.1) or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (Required Action R.1) is reasonable considering that in this Condition, the remaining OPERABLE train is adequate to perform the safety function and given the low probability of an event during this interval. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed to restore the inoperable RTS Automatic Trip Logic train to OPERABLE status is justified in Reference 11. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Required Action R.2) is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and (continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-47 Revision 46 BASES ACTIONS R.1 and R.2 (continued)
without challenging unit systems.
The Required Actions have been modified by a Note that allows bypassing one train up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit for testing the RTS Automatic Trip Logic train may include testing the RTB also, if both the Logic test and RTB test are conducted within the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit is justified in Reference 11.
S.1 and S.2
Condition S applies to the RTBs in MODES 1 and 2. These actions address the train orientation of the RTS for the RTBs. With one train inoperable, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for train corrective maintenance to restore the train to OPERABLE status or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is justified in Reference 15. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. Placing the unit in MODE 3 removes the requirement for this particular Function.
The Required Actions have been modified by a Note. The Note allows one train to be bypassed for up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for surveillance testing, provided the other train is OPERABLE. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> time limit is justified in Reference 15.
T.1 and T.2 Condition T applies to the P-6 and P-10 interlocks. This Condition is applicable when the interlock is inoperable to the extent that a reactor trip which should not be blocked in the current MODE is blocked. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the unit must be placed in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the
(continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-48 Revision 46 BASES ACTIONS T.1 and T.2 (continued)
minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Times are equal to the time allowed by LCO 3.0.3 for shutdown actions in the event of a complete loss of RTS Function.
U.1 and U.2 Condition U applies to the P-7, P-8, P-9, and P-13 interlocks. This Condition is applicable when the interlock is inoperable to the extent that a reactor trip which should not be blocked in the current MODE is blocked. With one or more channels inoperable for one-out-of-two or two-out-of-four coincidence logic, the associated interlock must be verified to be in its required state for the existing unit condition within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or the unit must be placed in MODE 2 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
These actions are conservative for the case where power level is being raised. Verifying the interlock status manually accomplishes the interlock's Function. The Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is based on operating experience and the minimum amount of time allowed for manual operator actions. The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 2 from full power in an orderly manner and without challenging unit systems.
V.1 and V.2
Condition V applies to the RTB Undervoltage and Shunt Trip Mechanisms, or diverse trip features, in MODES 1 and 2. With one of the diverse trip features inoperable, it must be restored to an OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> or the unit must be placed in a MODE where Condition V is no longer applicable. This is accomplished by placing the unit in MODE 3 within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (54 hours6.25e-4 days <br />0.015 hours <br />8.928571e-5 weeks <br />2.0547e-5 months <br /> total time). The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging unit systems.
With the unit in MODE 3, Condition C applies to this trip Function. The affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance to one of the diverse features.
With the unit in MODE 3, Condition C applies to this trip Function. The Required Actions have been modified by a Note. The Note allows one (continued)
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-49 Revision 46 BASES ACTIONS V.1 and V.2 (continued)
RTB to be bypassed for maintenance on an undervoltage or shunt trip mechanism if the other RTB train is OPERABLE. However, the affected RTB shall not be bypassed while one of the diverse features is inoperable except for the time required to perform maintenance on one of the diverse features. While no explicit bypass time duration is provided by this Note, it is expected that such corrective maintenance would be accomplished in a timely manner. Reference 13 provides the basis for the bypass allowance.
The 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Completion Time is based on confirmation of the OPERABILITY of the other diverse trip mechanism and the associated RTB during the test which identifies a failure of one diverse trip feature (Ref. 13).
The Completion Time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> for Required Action V.1 is reasonable considering that in this Condition there is one remaining diverse feature for the affected RTB, and one OPERABLE RTB capable of performing the safety function and given the low probability of an event occurring during this interval.
W.1 With two RTS trains inoperable, no automatic capability is available to shut down the reactor, and immediate plant shutdown in accordance with LCO 3.0.3 is required.
SURVEILLANCE The SRs for each RTS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function.
A Note has been added to the SR Table stating that Table 3.3.1-1 determines which SRs apply to which RTS Functions.
Note that each channel of process protection supplies both trains of the RTS. When testing Channel I, Train A and Train B must be examined.
Similarly, Train A and Train B must be examined when testing Channel II, Channel III, and Channel IV (if applicable). The CHANNEL CALIBRATION and COTs are performed in a manner that is consistent with the assumptions used in analytically calculating the required channel accuracies.
(continued)
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-54 Revision 52 BASES SURVEILLANCE SR 3.3.1.7 (continued) REQUIREMENTS
Setpoints must be within the Allowable Values specified in Table 3.3.1-1.
The "as found" and "as left" data have been evaluated to ensure consistency with (i.e., bounded by) the drift allowance used in the
setpoint methodology. The COT "as found" limits are based, in part, on
expected performance of a healthy instrument channel. Appropriate corrective action is taken when the "as found" values exceed the prescribed values. The setpoint shall be left set consistent with the assumptions of the current unit specific setpoint methodology.
SR 3.3.1.7 is modified by a Note that provides a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> delay in the requirement to perform this Surveillance for source range instrumentation when entering MODE 3 from MODE 2. This Note allows a normal shutdown to proceed without a delay for testing in MODE 2 and for a short time in MODE 3 until the RTBs are open and SR 3.3.1.7 is no longer required to be performed. If the unit is to be in MODE 3 with the RTBs closed for > 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> this Surveillance must be performed prior to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after entry into MODE 3.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.8 SR 3.3.1.8 is the performance of a COT as described in SR 3.3.1.7, except it is modified by a Note that this test shall include verification that the P-6 and P-10 interlocks are in their required state for the existing unit condition. The Frequency is modified by a Note that allows this surveillance to be satisfied if it has been performed within the Frequency specified in the Surveillance Frequency Control Program of the Frequencies prior to reactor startup and four hours after reducing power below P-10 and P-6. The Frequency of "prior to startup" ensures this surveillance is performed prior to critical operations and applies to the source, intermediate and power range low instrument channels. The Frequency of "12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reducing power below P-10" (applicable to the intermediate range and the power range low channels) and "4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after reducing power below P-6" (applicable to source range channels) allows a normal shutdown to be completed and the unit removed from the MODE of Applicability for this surveillance without a delay to perform the testing required by this surveillance. The
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-55 Revision 52 BASES SURVEILLANCE SR 3.3.1.8 (continued) REQUIREMENTS
Frequency specified in the Surveillance Frequency Control Program applies if the plant remains in the MODE of Applicability after the initial performances of prior to reactor startup and twelve and four hours after reducing power below P-10 or P-6, respectively. The MODE of Applicability for this surveillance is < P-10 for the power range low and intermediate range channels and < P-6 for the source range channels.
Once the unit is in MODE 3, this surveillance is no longer required. If power is to be maintained < P-10 for more than 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> or < P-6 for more than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, then the testing required by this surveillance must be performed prior to the expiration of the time limit. Twelve hours and four hours are reasonable times to complete the required testing or place the unit in a MODE where this surveillance is no longer required. This test ensures that the NIS source, intermediate, and power range low channels are OPERABLE prior to taking the reactor critical and after reducing power into the applicable MODE (< P-10 or < P-6) for periods
> 12 and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, respectively. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.9 SR 3.3.1.9 is a calibration of the excore channels to the incore channels based on analysis of a range of core flux distributions or a single core flux distribution coupled with core design information. If the measurements do not agree, the excore channels are not declared inoperable but must be adjusted (i.e., normalized) to agree with the incore detector measurements. If the excore channels cannot be adjusted, the channels are declared inoperable. This Surveillance is performed at BOL to normalize the excore f(I) input to the overtemperature T Function for a given operating cycle. The surveillance also normalizes the excore I indications.
Two Notes modify SR 3.3.1.9. Note 1 states that neutron detectors are excluded from the calibration. Note 2 specifies that this Surveillance is required only if reactor power is 50% RTP and that 7 days are allowed for completing the surveillance after reaching 50% RTP. Based on operating experience, a time allowance of 7 days for test performance, data analysis, and channel adjustments is sufficient. A power level of 50% RTP corresponds to the power level for the AFD surveillance (SR 3.2.3.1), which requires calibrated excore I indications.
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-56 Revision 52 BASES SURVEILLANCE SR 3.3.1.9 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.10
CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.
CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the unit specific setpoint methodology. The "as found" and "as left" data have been evaluated to ensure consistency with (i.e., bounded by) the drift allowance used in the setpoint methodology.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by two Notes. Note 1 states that neutron detectors are excluded from the CHANNEL CALIBRATION where applicable. The CHANNEL CALIBRATION for the power range neutron detectors consists of a normalization of the detector outputs based on an incore/excore cross-calibration (SR 3.3.1.9). In addition, the CHANNEL CALIBRATION for the power range neutron detector outputs includes normalization of the channel output based on a power calorimetric (SR
3.3.1.2) performed above 15% RTP. The CHANNEL CALIBRATION for the intermediate range neutron detector outputs includes normalization of the high flux bistable based on a power calorimetric. The CHANNEL CALIBRATION for the source range neutron detectors consists of obtaining new detector plateau and preamp discriminator curves after a detector is replaced. This Surveillance is not required for the NIS power range detectors for entry into MODE 2 or 1, and is not required for the NIS intermediate range detectors for entry into MODE 2, because the unit must be in at least MODE 2 to perform the test for the intermediate range detectors and MODE 1 for the power range detectors. Note 2 states that this test shall include verification that the time constants are adjusted to the prescribed values where applicable. The OTT, OPT, and the power range neutron flux rate functions contain required time constants.
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-57 Revision 59 BASES SURVEILLANCE SR 3.3.1.11 REQUIREMENTS (continued) SR 3.3.1.11 is the performance of a COT of RTS interlocks. This COT is also intended to verify the interlock prior to startup, if not performed in the Frequency specified in the Surveillance Frequency Control Program.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.Performance of the RTS Interlock COTs in conjunction with periodic actuation logic tests (SR 3.3.1.5) provides assurance that the total interlock function is OPERABLE prior to reactor startup and power ascension.
SR 3.3.1.12 SR 3.3.1.12 is the performance of a TADOT of the Manual Reactor Trip and the SI Input from ESFAS. The test shall independently verify the OPERABILITY of the undervoltage and shunt trip mechanisms for the Manual Reactor Trip Function for the Reactor Trip Breakers and Reactor Trip Bypass Breakers. The Reactor Trip Bypass Breaker test shall include testing of the automatic undervoltage trip.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
The SR is modified by a Note that excludes verification of setpoints from the TADOT. The Functions affected have no setpoints associated with
them.
SR 3.3.1.13 SR 3.3.1.13 is the performance of a TADOT of Turbine Trip Functions prior to exceeding P-9. This TADOT consists of verifying that each channel indicates a Turbine trip before Latching the turbine and indicates no turbine trip after the turbine is latched prior to exceeding the P-9 interlock whenever the unit has been in MODE 3. A Note states that this Surveillance is not required if it has been performed within the
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-58 Revision 46 BASES SURVEILLANCE SR 3.3.1.13 (continued) REQUIREMENTS previous 31 days. Verification of the Trip Setpoint does not have to be performed for this Surveillance. Performance of this test will ensure that the turbine trip Function is OPERABLE prior to exceeding the P-9 interlock. This test may be performed with the reactor at power below P-9 and/or prior to reactor startup.
SR 3.3.1.14 SR 3.3.1.14 verifies that the individual channel/train actuation response times are less than or equal to the maximum values assumed in the accident analysis. Response time testing acceptance criteria are included in FSAR, Table 7.2.5 (Ref. 16). Individual component response times are not typically modeled in the analyses.
The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point when the rods are free to fall (i.e., control and shutdown loss of control rod drive mechanism (CRDM) stationary gripper voltage, including gripper release delay time (Ref. 17)).
For channels that include dynamic transfer Functions (e.g., lag, lead/lag, rate/lag, etc.), the response time test may be performed with the transfer Function set to one, or with the time constants set to their nominal value. The test results must be compared to properly defined acceptance criteria.
Response time may be verified by actual response time tests in any series of sequential, overlapping or total channel measurements, or by summation of allocated sensor, signal processing and actuation logic response times with actual response time tests on the remainder of the channel in any series of sequential or overlapping measurements.
Allocations for specific pressure and differential pressure sensor response times may be obtained from: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications.
WCAP - 13632-P-A, Revision 2, "Elimination of Pressure Sensor Response Time Testing Requirements," (Ref. 18) provides the basis and methodology for using allocated sensor response times in the overall verification of the channel response time for specific sensors identified in the WCAP. Response time verification for other sensor (continued)
RTS Instrumentation B 3.3.1 (continued)
Farley Units 1 and 2 B 3.3.1-59 Revision 52 BASES SURVEILLANCE SR 3.3.1.14 (continued) REQUIREMENTS
types must be demonstrated by test.
WCAP-14036-P-A, Revision 1, "Elimination of Periodic Protection Channel Response Time Tests," (Ref. 19) provides the basis and methodology for using allocated signal processing and actuation logic response times in the overall verification of the protection system channel response time. The allocations for the sensor, signal conditioning and actuation logic response times must be verified prior to placing the component in operational service and re-verified following maintenance that may adversely affect response time. In general, electric repair work does not impact response time provided the parts used for repair are of the same type and value. Specific components identified in the WCAP may be replaced without verification testing. One example where time response could be affected is replacing the sensing assembly of a transmitter.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.1.14 is modified by a Note stating that neutron detectors are excluded from RTS RESPONSE TIME testing. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure a virtually instantaneous response.
REFERENCES 1. FSAR, Chapter 7.
- 2. FSAR, Chapter 6.
- 3. FSAR, Chapter 15.
- 4. Joseph M. Farley Nuclear Power Plant Unit 1 (2) Precautions, Limitations and Setpoints U-266647 (U-280912).
RTS Instrumentation B 3.3.1 Farley Units 1 and 2 B 3.3.1-60 Revision 46 BASES REFERENCES (continued) 5. IEEE-279-1971
- 6. 10 CFR 50.49.
- 7. WCAP 13751, Rev. 1, Westinghouse Setpoint Methodology for Protection Systems Farley Nuclear Plant Units 1 and 2.
- 8. WCAP 13751 Rev. 0, Westinghouse Setpoint Methodology for Protection Systems SNOC Farley Nuclear Plant Units 1 and 2.
- 9. Joseph M. Farley Nuclear Power Plant Units 1 & 2 Precautions, Limitations, and Setpoints for Nuclear Steam Supply Systems, March 1978, U258631/U278997 Rev. 5.
- 10. Alabama Power Company Joseph M. Farley Units 1 and 2 Functional Diagrams Westinghouse Drawing 5655D37, Sheets 1-8.
- 11. WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," October 1998.
- 12. WCAP-10271, "Evaluation of Surveillance Frequencies and Out of Service Times for the Reactor Protection Instrumentation System,"
and supplements to that report as approved by the NRC and documented in the SERs and SSER (letters to J.J. Sheppard from Cecil O. Thomas dated February 21, 1985; Roger A. Newton from Charles E. Rossi dated February 22, 1989; and Gerard T. Goering from Charles E. Rossi dated April 30, 1990).
- 13. NRC Generic Letter 85-09, "Technical Specifications For Generic Letter 83-28 [Required Actions Based On Generic Implications Of Salem ATWS Events], Item 43."
- 14. Westinghouse Technical Bulletin, ESBU-TB-92-14-R1, "Decalibration Effects of Calorimetric Power Level Measurements On The NIS High Power Reactor Trip At Power Levels Less Than 70% RTP."
- 15. WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," March 2003.
- 16. FSAR, Table 7.2.5.
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-13 Revision 0 BASES APPLICABLE 2. Containment Spray (continued) SAFETY ANALYSES, LCO, and containment sump if continued containment spray is required. APPLICABILITY Containment spray is actuated manually or by Containment Pressure - High 3.
- a. Containment Spray - Manual Initiation
The operator can initiate containment spray at any time from the control room by simultaneously turning two associated containment spray actuation switches. Because an inadvertent actuation of containment spray could have such serious consequences, two associated switches must be turned simultaneously to initiate containment spray. There are four switches in the control room. Simultaneously turning two associated switches will actuate containment spray in both trains in the same manner as the automatic actuation signal. Two channels of Manual Initiation switches with two associated switches in each channel are required to be OPERABLE to ensure no single failure disables the Manual Initiation Function. Note that Manual Initiation of containment spray also actuates Phase B containment
isolation.
- b. Containment Spray - Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b, paragraph 1.
Manual and automatic initiation of containment spray must be OPERABLE in MODES 1, 2, and 3 when there is a potential for an accident to occur, and sufficient energy in the primary or secondary systems to pose a threat to containment integrity due to overpressure conditions. Manual Initiation is also required in MODE 4, even though automatic initiation from Containment Pressure - High 3 is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a containment spray, actuation is simplified by
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-14 Revision 0 BASES APPLICABLE b. Containment Spray - Automatic Actuation Logic and SAFETY ANALYSES, Actuation Relays (continued)
LCO, and APPLICABILITY the use of the Manual Initiation Switches. Automatic Actuation Logic and Actuation Relays must be OPERABLE
in MODE 4 to support system level Manual Initiation. In MODES 5 and 6, there is insufficient energy in the primary and secondary systems to result in containment overpressure. In MODES 5 and 6, there is also adequate time for the operators to evaluate unit conditions and respond, to mitigate the consequences of abnormal conditions by manually starting individual components.
- c. Containment Spray - Containment Pressure - High 3
This signal provides protection against a LOCA or an SLB inside containment. The transmitters (d/p cells) and electronics are located outside of containment with the sensing line (high pressure side of the transmitter) located inside containment. Thus, the transmitters will not experience any adverse environmental conditions and the Trip Setpoint reflects only steady state instrument uncertainties.
This Function requires the bistable output to energize to perform its required action. It is not desirable to have a loss of power actuate containment spray, since the consequences of an inadvertent actuation of containment spray could be serious. Note that this Function also has the inoperable channel placed in bypass (disabled) rather than trip to decrease the probability of an inadvertent actuation.
The Containment Pressure High 3 instrument Function consists of a two-out-of-four logic configuration. Since containment pressure is not used for control, this arrangement exceeds the minimum redundancy requirements. Additional redundancy is warranted because this Function is energize to trip. Containment Pressure -
High 3 must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the primary and secondary sides to pressurize the containment following a pipe break. In
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-16 Revision 0 BASES APPLICABLE 3. Containment Isolation (continued) SAFETY ANALYSES, LCO, and pressure that is indicative of a large break LOCA or an SLB. APPLICABILITY Isolating the CCW at the higher pressure does not pose a challenge to the containment boundary because the CCW System is a closed loop inside containment. Although some system components do not meet all of the ASME Code requirements applied to the containment itself, the system is continuously pressurized to a pressure greater than the Phase B setpoint. Thus, routine operation demonstrates the integrity of the system pressure boundary for pressures exceeding the Phase B setpoint.
Furthermore, because system pressure exceeds the Phase B setpoint, any system leakage prior to initiation of Phase B isolation would be into containment. Therefore, the combination of CCW System design and Phase B isolation ensures the CCW System is not a potential path for radioactive release from containment.
Phase B containment isolation is actuated by Containment Pressure - High 3, or manually, via the automatic actuation logic, as previously discussed. For containment pressure to reach a value high enough to actuate Containment Pressure - High 3 a large break LOCA or SLB must have occurred and containment spray must have been actuated. Under these conditions, in conjunction with CCW isolation, RCP operation will no longer be
favorable.
Manual Phase B Containment Isolation is accomplished by the same switches that actuate Containment Spray. When the two associated switches are operated simultaneously, Phase B Containment Isolation and Containment Spray will be actuated in
both trains.
- a. Containment Isolation - Phase A Isolation
(1) Phase A Isolation - Manual Initiation Manual Phase A Containment Isolation is actuated by either of two switches in the control room. Either switch actuates both trains. Note that manual initiation of Phase A Containment Isolation also actuates Containment Purge Isolation.
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-17 Revision 0 BASES APPLICABLE (2) Phase A Isolation - Automatic Actuation SAFETY ANALYSES, Logic and Actuation Relays LCO, and APPLICABILITY Automatic Actuation Logic and Actuation Relays (continued) consist of the same features and operate in the same manner as described for ESFAS Function 1.b, paragraph 1.
Manual and automatic initiation of Phase A Containment Isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual Initiation is also required in MODE 4 even though automatic actuation is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA, but because of the large number of components actuated on a Phase A Containment Isolation, actuation is simplified by the use of the Manual Initiation switches.
Automatic Actuation Logic and Actuation Relays must be OPERABLE in MODE 4 to support system level Manual Initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase A Containment Isolation.
There also is adequate time for the operator to evaluate unit conditions and manually actuate individual isolation valves in response to abnormal or accident conditions.
(3) Phase A Isolation - Safety Injection
Phase A Containment Isolation is also initiated by all Functions that initiate SI. The Phase A Containment Isolation requirements for these Functions are the same as the requirements for their SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating Functions and requirements.
- b. Containment Isolation - Phase B Isolation Phase B Containment Isolation is accomplished by Manual Initiation, Automatic Actuation Logic and Actuation Relays, and by Containment Pressure channels (the same channels that actuate Containment Spray, Function 2). The
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-18 Revision 0 BASES APPLICABLE b. Containment Isolation - Phase B Isolation (continued) SAFETY ANALYSES, LCO, and Containment Pressure actuation of Phase B Containment APPLICABILITY Isolation is energized to actuate in order to minimize the potential of spurious actuation, which would be undesirable.
(1) Phase B Isolation - Manual Initiation
(2) Phase B Isolation - Automatic Actuation Logic and Actuation Relays
Manual and automatic initiation of Phase B containment isolation must be OPERABLE in MODES 1, 2, and 3, when there is a potential for an accident to occur. Manual Initiation is also required in MODE 4 even though automatic initiation from Containment Pressure - High 3 is not required. In this MODE, adequate time is available to manually actuate required components in the event of a DBA. However, because of the large number of components actuated on a Phase B containment isolation, actuation is simplified by the use of the Manual Initiation switches. Automatic Actuation Logic and
Actuation Relays must be OPERABLE in MODE 4 to support system level Manual Initiation. In MODES 5 and 6, there is insufficient energy in the primary or secondary systems to pressurize the containment to require Phase B containment isolation. There also is
adequate time for the operator to evaluate unit conditions
and manually actuate individual isolation valves in response to abnormal or accident conditions.
(3) Phase B Isolation - Containment Pressure The basis for containment pressure MODE applicability is as discussed for ESFAS Function 2.c above.
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-19 Revision 0 BASES APPLICABLE 4. Steam Line Isolation SAFETY ANALYSES, LCO, and Isolation of the main steam lines provides protection in the event APPLICABILITY of an SLB inside or outside containment. Rapid isolation of the (continued) steam lines will limit the steam break accident to the blowdown from one SG, at most. For an SLB upstream of the main steam isolation valves (MSIVs), inside or outside of containment, closure of the MSIVs limits the accident to the blowdown from only the affected SG. For an SLB downstream of the MSIVs, closure of the MSIVs terminates the accident as soon as the steam line header depressurizes. Steam Line Isolation mitigates the effects of a feed line break and ensures a source of steam for the turbine driven AFW pump during a feed line break.
- a. Steam Line Isolation - Manual Initiation Manual initiation of Steam Line Isolation can be accomplished from the control room. There are six switches in the control room and each switch can initiate action to immediately close the associated MSIV. The LCO requires one channel per steam line to be OPERABLE. Although two MSIVs per steam line are required OPERABLE by LCO 3.7.2, the Manual Initiation function for these valves is not credited in the safety analyses and redundant Manual Initiation per steam line is not required.
- b. Steam Line Isolation - Automatic Actuation Logic and Actuation Relays
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for ESFAS Function 1.b, paragraph 1.
Manual and automatic initiation of steam line isolation must be OPERABLE in MODES 1, 2, and 3 when there is sufficient energy in the RCS and SGs to have an SLB or other accident. This could result in the release of significant quantities of energy and cause a cooldown of the primary system. The Steam Line Isolation Function is required in MODES 2 and 3 unless one MSIV in each Steam Line is closed. In MODES 4, 5, and 6, there is insufficient energy in the RCS and SGs to experience an SLB or other accident releasing significant quantities of energy.
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-20 Revision 0 BASES APPLICABLE c. Steam Line Isolation - Containment Pressure - High 2 SAFETY ANALYSES, LCO, and This Function actuates closure of the MSIVs in the event of APPLICABILITY a LOCA or an SLB inside containment to maintain at least (continued) one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. The transmitters (d/p cells) are located outside containment with the sensing line (high pressure side of the transmitter) located inside containment. Containment Pressure - High 2 provides no input to any control functions. Thus, three OPERABLE channels are sufficient to satisfy protective requirements with two-out-of-three logic. The transmitters and electronics are located outside of
containment. Thus, they will not experience any adverse environmental conditions, and the Trip Setpoint reflects only steady state instrument uncertainties.
Containment Pressure - High 2 must be OPERABLE in MODES 1, 2, and 3, when there is sufficient energy in the primary and secondary side to pressurize the containment following a pipe break. This would cause a significant increase in the containment pressure, thus allowing detection and closure of the MSIVs. The Steam Line Isolation Function remains OPERABLE in MODES 2 and 3 unless one MSIV in each Steam Line is closed. In MODES 4, 5, and 6, there is not enough energy in the primary and secondary sides to pressurize the containment
to the Containment Pressure - High 2 setpoint.
- d. Steam Line Isolation - Steam Line Pressure - Low Steam Line Pressure - Low provides closure of the MSIVs in the event of an SLB to maintain at least one unfaulted SG as a heat sink for the reactor, and to limit the mass and energy release to containment. This Function provides closure of the MSIVs in the event of a feed line break to ensure a supply of steam for the turbine driven AFW pump.
Steam Line Pressure - Low Function must be OPERABLE in MODES 1, 2, and 3 (above P-12), when a secondary
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-21 Revision 0 BASES APPLICABLE d. Steam Line Isolation - Steam Line Pressure - Low SAFETY ANALYSES, (continued)
LCO, and APPLICABILITY side break could result in the rapid depressurization of the steam lines. This signal may be manually blocked by the operator below the P-12 setpoint. Below P-12, an inside
containment SLB will be terminated by automatic actuation
via Containment Pressure - High 2. Stuck valve transients and outside containment SLBs will be terminated by the Steam Line High flow in Two Steam Lines coincident with Tavg Low - Low signal for Steam Line Isolation below P-12 when SI has been manually blocked. The Steam Line Isolation Function is required in MODES 2 and 3 unless one MSIV in each Steam Line is closed. This Function is not required to be OPERABLE in MODES 4, 5, and 6 because there is insufficient energy in the secondary side of the unit to have an accident with any significant adverse
consequences.
- e. Steam Line Isolation - High Steam Flow in Two Steam Lines Coincident with T avg - Low Low
This function provides closure of the MSIVs during an SLB or inadvertent opening of an SG relief or safety valve, to maintain at least one unfaulted SG as a heat sink for the reactor and to limit the mass and energy release to containment.
Two steam line flow channels per steam line are required OPERABLE for this Function. The steam line flow channels are combined in a one-out-of-two logic to indicate high steam flow in one steam line. Therefore, two channels are sufficient to satisfy redundancy requirements. The one-out-of-two configuration allows on-line testing because trip of one high steam flow channel is not sufficient to cause initiation. Steam line isolation on high steam flow in two steam lines is acceptable in the case of a single steam line fault due to the fact that the steam flow in the remaining intact steam lines will increase due to the fault in the other line. The increased steam flow in the remaining intact lines will actuate the required high steam flow trip. The Function trips on one-out-of-two high steam flow in any two-out-of-three steam lines if there is a one-out-of-one low low Tavg trip in any two-out-of- three RCS loops. The one channel per
(continued)
ESFAS Instrumentation B 3.3.2 (continued)
Farley Units 1 and 2 B 3.3.2-26 Revision 51 BASES APPLICABLE c. Auxiliary Feedwater - Safety Injection SAFETY ANALYSES, LCO, and An SI signal starts the motor driven AFW pumps. The AFW APPLICABILITY initiation functions are the same as the requirements for their (continued) SI function. Therefore, the requirements are not repeated in Table 3.3.2-1. Instead, Function 1, SI, is referenced for all initiating functions and requirements.
Functions 6.a through 6.c must be OPERABLE in MODES 1, 2, and 3 to ensure that the SGs remain the heat sink for the reactor.
The Farley safety analyses assume two pumps operating to assure that the minimum required flow rate is delivered to the SGs for all postulated events. SG Water Level - Low Low in any operating SG will cause the motor driven AFW pumps to start. The system is aligned so that upon a start of the pump, water immediately begins to flow to the SGs. Since the SG Low-Low level signal is credited in the safety analyses as the primary ESF signal for loss of heat sink events, periodic response time testing is required. SG Water Level - Low Low in any two operating SGs will cause the turbine driven pump to start. Since this signal provides backup protection for loss of heat sink events, periodic response time testing is not required. These Functions do not have to be OPERABLE in MODES 5 and 6 because there is not enough heat being generated in the reactor to require the SGs as a heat sink. In MODE 4, AFW actuation does not need to be OPERABLE because either AFW or residual heat removal (RHR) will already be in operation to remove decay heat or sufficient time is available to manually place either system in operation.
- d. Auxiliary Feedwater - Undervoltage Reactor Coolant Pump A loss of power on the buses that provide power to the RCPs provides indication of a pending loss of RCP forced flow in the RCS and a loss of power to the station auxiliaries. The SBLOCA analysis credits the TDAFW pump start by RCP bus UV as a primary ESFAS signal. The Undervoltage RCP Function senses the voltage on each RCP bus. Two UV sensors are associated with each bus (one for each logic train). Each RCP bus is assigned to a protection channel. The UV sensors and logic circuits are common to both the RCP UV reactor trip and the TDAFW pump ESF start (Unit 2 only). Separate UV sensors and logic circuits are provided for the RCP UV reactor trip and the TDAFW pump ESF start functions (Unit 1 only). A
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-27 Revision 0 BASES APPLICABLE d. Auxiliary Feedwater - Undervoltage Reactor Coolant SAFETY ANALYSES, Pump (continued) LCO, and APPLICABILITY loss of power on two or more RCP buses, will start the turbine driven AFW pump to ensure that the available SGs contain enough water to serve as the heat sink for reactor decay heat and sensible heat removal following the reactor
trip. Function 6.d must be OPERABLE in MODES 1 and 2. This ensures that the available SGs are provided with water to serve as the heat sink to remove reactor decay heat and sensible heat in the event of an accident. In MODES 3, 4, and 5, the RCPs may be normally shut down, and thus a loss of voltage on two or more RCP buses trip may not be indicative of a condition requiring automatic AFW initiation.
- e. Auxiliary Feedwater - Trip of All Main Feedwater Pumps A Trip of all MFW pumps is an indication of a loss of MFW and the subsequent need for some method of decay heat and sensible heat removal to bring the reactor back to no
load temperature and pressure.
Each MFW pump has two steam stop valves (HP and LP) for the turbine driver. Each MFW pump turbine stop valve is equipped with a limit switch that actuates when the valve is closed. When both MFW pumps are shut down (all four turbine stop valve limit switches are actuated), a start of the motor-driven AFW pumps is initiated. The four-out-of-four logic of this function is not single failure proof but is acceptable due to the backup nature of this AFW pump start function. This ESF function is not credited for diversity, and its electrical circuits are not required to the safety-grade. This function is not relied on in any safety analyses as the primary actuation signal to initiate the AFW pumps but is part of the licensing basis of the ESFAS. Therefore, two channels per pump are required OPERABLE to ensure this function is available if needed. The automatic start of the AFW pumps ensures that the available SGs are supplied with water to act as the heat sink for the reactor.
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-28 Revision 0 BASES APPLICABLE e. Auxiliary Feedwater - Trip of All Main Feedwater SAFETY ANALYSES Pumps (continued)
LCO, and APPLICABILITY Function 6.e must be OPERABLE in MODE 1 to provide the automatic start of the motor-driven AFW pumps if needed.
The automatic start of the AFW pumps ensures that the available SGs are supplied with water to act as the heat sink for the reactor in the event of an accident. In MODES 2, 3, 4, and 5, the MFW pumps may be normally shut down and thus the pump trip is not indicative of a condition requiring automatic AFW initiation.
- 7. Engineered Safety Feature Actuation System Interlocks To allow some flexibility in unit operations, several interlocks are included as part of the ESFAS. These interlocks permit the operator to block some signals, automatically enable other signals, prevent some actions from occurring, and cause other actions to occur. The interlock Functions back up manual actions to ensure bypassable functions are in operation under the conditions assumed in the safety analyses.
- a. Engineered Safety Feature Actuation System Interlocks-Automatic Actuation Logic and Actuation Relays Automatic actuation logic and actuation relays consist of the same features and operate in the same manner as described for ESFAS function 1.b, paragraph 1.
- b. Engineered Safety Feature Actuation System Interlocks - Reactor Trip, P-4
The P-4 interlock is enabled when a reactor trip breaker (RTB) and its associated bypass breaker are open. Once the P-4 interlock is enabled, if an SI has occurred, reset of the SI is allowed after a 60 second time delay. This Function allows operators to take manual control of SI systems after the initial phase of injection is complete. Once the SI is reset, automatic actuation of SI cannot occur until the RTBs have been manually closed. The additional functions of the P-4 interlock
are:
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-29 Revision 0 BASES APPLICABLE b. Engineered Safety Feature Actuation System SAFETY ANALYSES, Interlocks - Reactor Trip, P-4 (continued)
LCO, and APPLICABILITY Control Block steam dump control via load rejection controller; Arm steam dump control for tripping and/or modulation of dump valves via turbine trip controller; and Isolate MFW with coincident low Tavg.
Safety Prevent auto reactuation of SI after a manual reset of SI; Trip the main turbine; Reset high steam flow setpoint to no-load value; and Prevent opening of the MFW isolation valves if they were closed on SI or SG Water Level - High High.
Each of the above Functions is interlocked with P-4 to avert or reduce the continued cooldown of the RCS following a reactor trip. An excessive cooldown of the RCS following a reactor trip could cause an insertion of positive reactivity with a subsequent increase in generated power. Addition of feedwater to a steam generator associated with a steamline or feedline break could result in excessive containment building pressure. To avoid such a situation, the noted Functions have been interlocked with P-4 as part of the design of the unit control and protection system.
The turbine trip Function is explicitly assumed in the non-LOCA safety analyses, since it is an immediate consequence of the reactor trip Function. Block of the auto SI signals is required to support long-term ECCS operation in the post-
LOCA recirculation mode.
The RTB position switches that provide input to the P-4 interlock only function to energize or de-energize or open or close contacts. Therefore, this Function has no adjustable trip setpoint with which to associate a Trip Setpoint and Allowable Value. (continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-30 Revision 0 BASES APPLICABLE b. Engineered Safety Feature Actuation System SAFETY ANALYSES, Interlocks - Reactor Trip, P-4 (continued)
LCO, and APPLICABILITY This Function must be OPERABLE in MODES 1, 2, and 3 when the reactor may be critical or approaching criticality.
This Function does not have to be OPERABLE in MODE 4, 5, or 6 because automatic SI is not required in these modes and the main turbine and the MFW System are not in operation.
- c. Engineered Safety Feature Actuation System Interlocks - Pressurizer Pressure, P-11 The P-11 interlock permits a normal unit cooldown and depressurization without actuation of SI from pressurizer Low pressure. With two-out-of-three pressurizer pressure channels (discussed previously) less than the P-11 setpoint, the operator can manually block the Pressurizer Pressure -
Low SI signal. The P-11 interlock provides the following two safety functions. With two-out-of-three pressurizer pressure channels above the P-11 setpoint, the Pressurizer Pressure - Low SI actuation is automatically reinstated. To prevent uncontrolled RCS de-pressurization due to control system failure, the pressurizer PORVs are interlocked closed in the autocontrol mode, with two-out-of-three channels below the P-11 setpoint. The Trip Setpoint reflects steady state instrument uncertainties.
This Function must be OPERABLE in MODES 1, 2, and 3 to automatically reinstate SI during normal unit startup and to allow an orderly cooldown and depressurization of the unit without the actuation of a pressurizer low pressure SI. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because system pressure must already be below the P-11 setpoint for the requirements of the heatup and cooldown
curves to be met.
- d. Engineered Safety Feature Actuation System Interlocks - Tavg - Low Low, P-12 On increasing reactor coolant temperature, the P-12 interlock safety function is to reinstate the SI and main steam isolation on Steam Line Pressure - Low with two-out-of-three channels above the setpoint. On decreasing reactor coolant temperature, to permit a normal unit cooldown, the P-12 interlock allows the operator to manually block SI and main (continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-31 Revision 36 BASES APPLICABLE d. Engineered Safety Feature Actuation System SAFETY ANALYSES, Interlocks - T avg - Low Low, P-12 (continued) LCO, and APPLICABILITY steam isolation on Steam Line Pressure - Low. On decreasing temperature with two-out-of-three T avg channels below the setpoint, the P-12 interlock safety function is to provide main steam isolation on high steam flow in two steam lines coincident with T avg - Low Low. Another P-12 safety function on a decreasing temperature is for the P-12 interlock to prevent an excessive cooldown of the RCS due to a malfunctioning Steam Dump Control System. The Trip Setpoint and Reset reflect steady-state instrument uncertainties.
Since T avg is used as an indication of bulk RCS temperature, this Function meets redundancy requirements with one OPERABLE channel in each loop. These channels are used in two-out-of-three logic.
This Function must be OPERABLE in MODES 1, 2, and 3 to automatically reinstate SI and MSLI on Steam Line
Pressure Low when RCS T avg is above the P-12 setpoint and to afford protection when a secondary side break or stuck open valve could result in the rapid depressurization of the steam lines. This Function is OPERABLE when the interlock is in the required state for the unit condition. This Function does not have to be OPERABLE in MODE 4, 5, or 6 because there is insufficient energy in the secondary side of the unit to have a design basis accident.
The ESFAS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii)
ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.2-1.
In the event a channel's Trip Setpoint is found nonconservative with respect to the Allowable Value, or the transmitter, instrument Loop, signal processing electronics, or bistable is found inoperable, then all affected Functions provided by that channel must be declared inoperable and the LCO Condition(s) entered for the protection
(continued)
ESFAS Instrumentation B 3.3.2 Farley Units 1 and 2 B 3.3.2-32 Revision 0 BASES ACTIONS Function(s) affected. When the Required Channels in Table 3.3.2-1 (continued) are specified (e.g., on a per steam line, per loop, per SG, etc., basis), then the Condition may be entered separately for each steam line, loop, SG, etc., as appropriate.
When the number of inoperable channels in a trip function exceed those specified in one or other related Conditions associated with a trip function, then the unit is outside the safety analysis. Therefore, LCO 3.0.3 should be immediately entered if applicable in the current MODE of operation.
A.1 Condition A applies to all ESFAS protection functions.
Condition A addresses the situation where one or more channels or trains for one or more Functions are inoperable at the same time. The Required Action is to refer to Table 3.3.2-1 and to take the Required Actions for the protection functions affected. The Completion Times are those from the referenced Conditions and Required Actions.
B.1, B.2.1 and B.2.2
Condition B applies to manual initiation of:
Phase A Isolation; and
Phase B Isolation.
This action addresses the train orientation of the SSPS for the functions listed above. If a channel or train is inoperable, 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is allowed to return it to an OPERABLE status. Note that for containment spray and Phase B isolation, failure of one or both channels in one train renders the train inoperable. Condition B, therefore, encompasses both situations. The specified Completion Time is reasonable considering that there are two automatic actuation trains and another manual initiation train OPERABLE for each Function, and the low probability of an event occurring during this interval. If the train cannot be restored to OPERABLE status, the unit (continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-1 Revision 0 B 3.3 INSTRUMENTATION
B 3.3.3 Post Accident Monitoring (PAM) Instrumentation
BASES BACKGROUND The primary purpose of the PAM instrumentation is to display unit variables that provide information required by the control room
operators during accident situations. This information provides the
necessary support for the operator to take the manual actions for
which no automatic control is provided and that are required for safety
systems to accomplish their safety functions for Design Basis
Accidents (DBAs).
The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected unit
parameters to monitor and to assess unit status and behavior
following an accident.
The availability of accident monitoring instrumentation is important so that responses to corrective actions can be observed and the need
for, and magnitude of, further actions can be determined. These
essential instruments are identified by unit specific documents (Ref. 1)
addressing the recommendations of Regulatory Guide 1.97 (Ref. 2)
as required by Supplement 1 to NUREG-0737 (Ref. 3).
The instrument channels required to be OPERABLE by this LCO include two classes of parameters identified during unit specific
implementation of Regulatory Guide 1.97 as Type A and certain
Category I variables.
Type A variables are included in this LCO because they provide the primary information required for the control room operator to take
specific manually controlled actions for which no automatic control is
provided, and that are required for safety systems to accomplish their
safety functions for DBAs.
Category I variables are the key variables deemed risk significant because they are needed to:
Determine whether other systems important to safety are performing their intended functions;
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-2 Revision 0
BASES BACKGROUND Provide information to the operators that will enable them to (continued) determine the likelihood of a gross breach of the barriers to radioactivity release; and Provide information regarding the release of radioactive materials to allow for early indication of the need to initiate action necessary
to protect the public, and to estimate the magnitude of any
impending threat.
These key variables are identified by the unit specific Regulatory
Guide 1.97 analyses (Ref. 1). These analyses identify the unit
specific Type A and Category I variables and provide justification for
deviating from the NRC proposed list of Category I variables.
The specific instrument Functions listed in Table 3.3.3-1 are
discussed in the LCO section.
APPLICABLE The PAM instrumentation ensures the operability of Regulatory Guide SAFETY ANALYSES 1.97 Type A and certain Category I variables so that the control room operating staff can:
Perform the diagnosis specified in the emergency operating procedures (these variables are restricted to preplanned actions
for the primary success path of DBAs), e.g., loss of coolant
accident (LOCA);
Take the specified, pre-planned, manually controlled actions, for which no automatic control is provided, and that are required for
safety systems to accomplish their safety function;
Determine whether systems impor tant to safety are performing their intended functions;
Determine the likelihood of a gross breach of the barriers to radioactivity release;
Determine if a gross breach of a barrier has occurred; and
Initiate action necessary to protect the public and to estimate the magnitude of any impending threat.
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-4 Revision 0 BASES LCO Type A and Category I variables are required to meet Regulatory (continued) Guide 1.97 Category I (Ref. 2) design and qualification requirements for seismic and environmental qualification, single failure criterion, utilization of emergency standby power, immediately accessible
display, continuous readout, and recording of display.
Listed below are discussions of the specified instrument Functions listed in Table 3.3.3-1.
1, 2. Reactor Coolant System (RCS) Hot and Cold Leg Temperatures (Wide Range)
RCS Hot and Cold Leg Temperatures are Category I, Type A variables provided for verification of core cooling and long term
surveillance.
RCS hot and cold leg temperatures are used to determine RCS subcooling margin. RCS subcooling margin will allow
termination of safety injection (SI), if still in progress, or
reinitiation of SI if it has been stopped. RCS subcooling margin
is also used for unit stabilization and cooldown control.
In addition, RCS cold leg temperature is used in conjunction with RCS hot leg temperature to verify the unit conditions necessary
to establish natural circulation in the RCS.
Reactor inlet and outlet temperature inputs to the Reactor Protection System are provided by two fast response resistance
elements in each loop. The channels provide indication over a
range of 0°F to 700°F.
- 3. Reactor Coolant System Pressure (Wide Range)
RCS wide range pressure is a Category I, Type A variable provided for verification of core cooling and RCS integrity long
term surveillance.
RCS pressure is used to verify delivery of SI flow to RCS from at least one train when the RCS pressure is below the pump
shutoff head. RCS pressure is also used to verify closure of
manually closed spray line valves and pressurizer power
operated relief valves (PORVs).
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-5 Revision 0 BASES LCO 3. Reactor Coolant System Pressure (Wide Range)
(continued)
In addition to these verifications, RCS pressure is used for determining RCS subcooling margin. RCS subcooling margin
will allow termination of SI, if still in progress, or reinitiation of SI
if it has been stopped. RCS pressure can also be used:
to determine whether to terminate actuated SI or to reinitiate stopped SI;
to determine when to reset SI and shut off low head SI;
to manually restart low head SI;
as reactor coolant pump (RCP) trip criteria; and
to make a determination on the nature of the accident in progress and where to go next in the procedure.
RCS subcooling margin is also used for unit stabilization and cooldown control.
RCS pressure is also related to three decisions about depressurization. They are:
to determine whether to proceed with primary system depressurization;
to verify termination of depressurization; and
to determine whether to close accumulator isolation valves during a controlled cooldown/depressurization.
A final use of RCS pressure is to determine whether to operate the pressurizer heaters.
RCS pressure is also a Type A variable because the operator uses this indication to monitor the cooldown of the RCS
following a steam generator tube rupture (SGTR) or small break
LOCA. Operator actions to maintain a controlled cooldown, such as adjusting steam generator (SG) pressure or level, would
use this indication. Furthermore, RCS pressure is one factor
that may be used in decisions to terminate RCP operation. (continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-6 Revision 0 BASES LCO 4. Steam Generator Water Level (Wide and Narrow Range)
(continued)
SG Water Level is provided to monitor operation of decay heat removal via the SGs. The Category I, Type A indication of SG
level includes both the wide and narrow range instrumentation.
The wide range level covers a span of 12 inches to 587 inches
above the lower tubesheet. The measured differential pressure
is displayed in percent level at 70°F.
Temperature compensation of this indication is performed manually by the operator. Redundant monitoring capability is
provided by multiple level channels on each SG. The
uncompensated level signal is input to the plant computer and a
control room indicator.
SG Water Level is used to:
identify the faulted SG following a tube rupture;
verify that the intact SGs are an adequate heat sink for the reactor; determine the nature of the accident in progress (e.g., verify an SGTR); and
verify unit conditions for termination of SI.
Operator action is based on the control room indication of SG level. SG level is a Type A variable because the operator must
manually raise and control SG level to establish the required
heat sink. Operator action is initiated on a loss of minimum level
or minimum AFW flow. Feedwater flow is increased until the
indicated level reaches a point where an adequate heat sink is
being maintained.
- 5. Refueling Water Storage Tank (RWST) Level
The RWST level is a Category I, Type A variable provided for verifying a water source to the Emergency Core Cooling Systems (ECCS) and Containment Spray System. It is used to determine
the time for initiation of cold leg recirculation following a LOCA.
The RWST level accuracy is established to allow an adequate supply of water to the ECCS and spray pumps during the (continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-7 Revision 0 BASES LCO 5. Refueling Water Storage Tank (RWST) Level (continued)
switchover to cold leg recirculation mode. A high degree of accuracy is required to maximize the time available to the
operator to complete the switchover to the sump recirculation
phase and ensure sufficient water is available to avoid losing
pump suction.
- 6. Containment Pressure (Narrow Range)
Containment Pressure (Narrow Range) is a Category I, Type A variable provided for verification of RCS and containment
OPERABILITY.
Containment pressure is used to verify closure of main steam isolation valves (MSIVs) on High-2 Main Steam Line Isolation, and containment spray Phase B isolation when High-3
containment pressure is reached as well as manual actuation of
containment spray if necessary.
- 7. Pressurizer Level Pressurizer Level is a Category I, Type A variable used to determine whether to terminate SI, if still in progress, or to
reinitiate SI if it has been stopped. Knowledge of pressurizer
water level is also used to verify that the unit is maintained in a
safe shutdown condition.
- 8. Steam Line Pressure
Main Steam line pressure is a Category I, Type A variable provided for the following:
Determining if a high energy secondary line rupture occurred and which SG is faulted;
Maintaining the plant in a cold shutdown condition;
Monitoring the primary to SG differential pressure during plant cooldown rate; and
Providing diverse indication to cold leg temperature for natural circulation determination.
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-9 Revision 0 BASES LCO 10. RCS Subcooling Margin Monitor (continued)
RCS subcooling is a Category II, Type A variable provided to determine safety injection termination and reinitiation and
depressurization and cooldown progression. The subcooled
margin monitor (SMM) measures saturation/superheat margin.
The function of the SMM is to calculate the subcooled margin
which is the difference between the measured temperature of
the reactor coolant and the saturation temperature. The
saturation temperature is calculated from the minimum primary
system pressure input. A maximum or representative
temperature input is used for the measured value, which could
come from an RTD loop, or a representative core exit
thermocouple.
- 11. Containment Sump Water Level (Wide Range)
Containment Sump Water Level is a Category I, Type A variable provided for verification and long term surveillance of RCS
integrity. This information provides a diverse means for
checking RWST level.
Containment Sump Water Level is used to determine:
containment sump level accident diagnosis; and
when to begin the recirculation procedure.
12, 13, 14, 15. Core Exit Temperature
Core Exit Temperature is provided for verification and long term surveillance of core cooling.
Adequate monitoring of core cooling is ensured with two valid Core Exit Temperature channels per quadrant with two core exit
thermocouples (CETs) per required channel. The CET pair are
oriented radially to permit evaluation of core radial decay power
distribution. Core Exit Temperature is used to determine
whether to terminate SI, if still in progress, or to reinitiate SI if it
has been stopped. Core Exit Temperature is also used for unit
stabilization and cooldown control.
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-10 Revision 0 BASES LCO 12, 13, 14, 15. Core Exit Temperature (continued)
Two OPERABLE channels of Core Exit Temperature are required in each quadrant to provide indication of radial
distribution of the coolant temperature rise across representative
regions of the core. Power distribution symmetry was considered
in determining the specific number and locations provided for
diagnosis of local core problems. The two thermocouples in
each channel must be located such that the pair of Core Exit
Temperatures indicate the radial temperature gradient across
their core quadrant consistent with the requirements of NUREG
- 0737 (Ref. 3). Two sets of two thermocouples ensure a single
failure will not disable the ability to determine the radial
temperature gradient.
Reactor Vessel Water Level is a Category I variable provided for verification and long term surveillance of core cooling. It is also
used for accident diagnosis and to determine reactor coolant
inventory adequacy. A channel is a probe with eight sensors. A
channel is OPERABLE if at least four sensors are OPERABLE.
The reactor vessel water level is derived from the heated junction thermocouple (HJTC) system. The HJTC system is part
of the inadequate core cooling monitoring system (ICCMS). The
HJTC system consists of thermocouples strategically located at
different heights in the reactor vessel. The reactor vessel water
level indicating system provides an indirect measurement of the
collapsed liquid level at various plateaus above the upper core
plate. The collapsed level represents the amount of liquid mass
that is in the reactor vessel above the upper core plate.
Measurement of the collapsed liquid level is selected because it
is a direct indication of the water inventory.
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-12 Revision 33 BASES APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1, 2, and 3. These variables are related to the diagnosis and pre-planned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1, 2, and 3. In MODES 4, 5, and 6, unit conditions are such that the likelihood of an event that would require PAM instrumentation is low; therefore, the PAM instrumentation is not required to be OPERABLE in these MODES.
ACTIONS A Note has been added in the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed on Table 3.3.3-1. The Completion Time(s) of the inoperable channel(s) of a Function will be tracked separately for each Function starting from the time the Condition was entered for that Function.
A.1 Condition A applies when one or more Functions have one required channel that is inoperable. Required Action A.1 requires restoring the inoperable channel to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channel (or in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-15 Revision 52 BASES SURVEILLANCE A Note has been added to the SR Table to clarify that SR 3.3.3.1 and REQUIREMENTS SR 3.3.3.2 apply to each PAM instrumentation Function in Table 3.3.3-1.
SR 3.3.3.1 Performance of the CHANNEL CHECK ensures that a gross instrumentation failure has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The high radiation instrumentation
should be compared to similar unit instruments.
Agreement criteria are based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE.
As specified in the SR, a CHANNEL CHECK is only required for those channels that are normally energized.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies that the channel responds to measured parameter with the necessary range and accuracy.
(continued)
PAM Instrumentation B 3.3.3 Farley Units 1 and 2 B 3.3.3-16 Revision 52 BASES SURVEILLANCE SR 3.3.3.2 (continued) REQUIREMENTS
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. A-181866 Unit 1 RG 1.97 Compliance Review A-204866 Unit 2 RG 1.97 Compliance Review NRC SER for FNP RG 1.97 Compliance Report, Letter, Reeves to McDonald, 2/12/87.
- 3. NUREG-0737, Supplement 1, "TMI Action Items."
Remote Shutdown System B 3.3.4 Farley Units 1 and 2 B 3.3.4-1 Revision 0 B 3.3 INSTRUMENTATION
B 3.3.4 Remote Shutdown System
BASES BACKGROUND The Remote Shutdown System pr ovides the control room operator with sufficient instrumentation and controls to place and maintain the
unit in a safe shutdown condition from a location other than the
control room. This capability is necessary to protect against the
possibility that the control room becomes inaccessible. A safe
shutdown condition is defined as MODE 3. With the unit in MODE 3, the Auxiliary Feedwater (AFW) System and the steam generator (SG)
atmospheric relief valves (ARVs) can be used to remove core decay
heat and meet all safety requirements. The long term supply of water
for the AFW System and the ability to borate the Reactor Coolant
System (RCS) from outside the control room allows extended
operation in MODE 3.
If the control room becomes inaccessible, the operators can establish
control at the hot shutdown panels, and place and maintain the unit in
MODE 3. Not all controls and necessary transfer switches are located
at the hot shutdown panels. Some controls and transfer switches will
have to be operated locally at the switchgear, motor control centers, or other local stations. The unit automatically reaches MODE 3
following a unit shutdown and can be maintained safely in MODE 3 for
an extended period of time.
The OPERABILITY of the remote shutdown control and
instrumentation functions ensures there is sufficient information
available on selected unit parameters to place and maintain the unit in
MODE 3 should the control room become inaccessible.
APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a capability to promptly shut down and maintain the unit in a safe condition in
MODE 3.
The criteria governing the design and specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1).
(continued)
Remote Shutdown System B 3.3.4 (continued)
Farley Units 1 and 2 B 3.3.4-4 Revision 52 BASES ACTIONS A.1 (continued)
The Required Action is to restore the required Function to OPERABLE status within 30 days. The Completion Time is based on
operating experience and the low probability of an event that would
require evacuation of the control room.
B.1 and B.2
A Note modifies Condition B indicating that it is not applicable to the Source Range Neutron Flux (Gammametrics) Function. This Function
is covered under Condition C.
If the Required Action and associated Completion Time of Condition A is not met, the unit must be brought to a MODE in which the LCO
does not apply. To achieve this status, the unit must be brought to at
least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The
allowed Completion Times are reasonable, based on operating
experience, to reach the required unit conditions from full power
conditions in an orderly manner and without challenging unit systems.
C.1 Condition C applies when the Required Action and associated Completion Time for Condition A are not met for the Source Range
Neutron Flux (Gammametrics) monitor. This Required Action requires
a written report be submitted to the NRC. This report discusses the
results of the root cause evaluation of the inoperability, if performed, and identifies proposed restorative actions. This action is appropriate
in lieu of a shutdown requirement since alternative actions are
identified before loss of functional capability, and given the likelihood
of unit conditions that would require information provided by this
instrumentation.
SURVEILLANCE SR 3.3.4.1 REQUIREMENTS
Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a
comparison of the parameter indicated on one channel to a similar
parameter on other channels. It is based on the assumption that
instrument channels monitoring the same parameter should read
Remote Shutdown System B 3.3.4 (continued)
Farley Units 1 and 2 B 3.3.4-5 Revision 59 BASES SURVEILLANCE SR 3.3.4.1 (continued)
REQUIREMENTS
approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more
serious. CHANNEL CHECK will detect gross channel failure; thus, it
is key to verifying that the instrumentation continues to operate
properly between each CHANNEL CALIBRATION.
Agreement criteria are based on a combination of the channel instrument uncertainties, including indication and readability. If the
channels are within the criteria, it is an indication that the channels
are OPERABLE. If a channel is outside the criteria, it may be an
indication that the sensor or the signal processing equipment has
drifted outside its limit.
As specified in the Surveillance, a CHANNEL CHECK is only required for those channels which are normally energized.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.4.2 verifies each required Remote Shutdown System control circuit and transfer switch performs the intended function. This
verification is performed from the remote shutdown panel and locally, as appropriate. Operation of the equipment from the remote
shutdown panel is not necessary. The Surveillance can be satisfied
by performance of a continuity check. This will ensure that if the
control room becomes inaccessible, the unit can be placed and
maintained in MODE 3 from the remote shutdown panel and the local
control stations. The Surveillance Frequency is controlled under the
Surveillance Frequency Control Program.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
Remote Shutdown System B 3.3.4
Farley Units 1 and 2 B 3.3.4-6 Revision 52
BASES SURVEILLANCE SR 3.3.4.3 REQUIREMENTS (continued) CHANNEL CALIBRATION is a complete check of the monitoring instrument loop and the sensor. The test verifies that the channel
responds to a measured parameter within the necessary range and accuracy.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. 10 CFR 50, Appendix A, GDC 19.
Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 Farley Units 1 and 2 B 3.3.6-1 Revision 0 B 3.3 INSTRUMENTATION
B 3.3.6 Containment Purge and Exhaust Isolation Instrumentation
BASES BACKGROUND Containment purge and exhaust isolation instrumentation closes the containment isolation valves in the Mini Purge System and the Main
Purge System. This action isolates the containment atmosphere from
the environment to minimize releases of radioactivity in the event of
an accident. The Mini Purge System may be in use during reactor
operation and the Main Purge System will be in use with the reactor
shutdown.
Containment purge and exhaust isolation initiates on a automatic safety injection (SI) signal through the Containment Isolation-
Phase A Function, or by manual actuation of Phase A Isolation or
manual initiation of the associated valve handswitches. The Bases
for LCO 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," discuss these modes of initiation.
Two radiation monitoring channels are also provided as input to the containment purge and exhaust isolation. The two channels measure
radiation in a sample of the containment purge exhaust. The purge
exhaust radiation detectors are gaseous type monitors. Both detectors
will respond to events that release radioactivity to containment.
Therefore, for the purposes of this LCO the two channels are
considered redundant. Since the purge exhaust monitors constitute a
sampling system, various components such as sample line valves and
sample pumps are required to support monitor OPERABILITY.
Each of the purge systems has inner and outer containment isolation valves in its supply and exhaust ducts. A high radiation signal from
either detector initiates containment purge isolation, which closes
containment isolation valves in the Mini Purge System and the Main
Purge System. These systems are described in the Bases for
LCO 3.6.3, "Containment Isolation Valves."
APPLICABLE The safety analyses assume that the containment remains intact with SAFETY ANALYSES penetrations unnecessary for core cooling isolated early in the event.
The isolation of the purge valves has not been analyzed in the dose
calculations, although its rapid isolation is assumed. The containment (continued)
Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 Farley Units 1 and 2 B 3.3.6-3 Revision 0 BASES LCO 2. Automatic Actuation Logic and Actuation Relays (continued)
Containment Phase A Isolation. The Actions Conditions for the containment purge isolation portion of these Functions are
different and less restrictive than those for their Phase A isolation
and SI roles. If one or more of the SI or Phase A isolation
Functions becomes inoperable in such a manner that only the
Containment Purge Isolation Function is affected, the Conditions
applicable to their SI and Phase A isolation Functions need not be
entered. The less restrictive Actions specified for inoperability of
the Containment Purge Isolation Functions specify sufficient
compensatory measures for this case.
- 3. Containment Radiation The LCO specifies one required channel of radiation monitor in MODES 1-4 and two radiation monitoring channels during CORE
ALTERATIONS or movement of irradiated fuel assemblies in
containment to ensure that the radiation monitoring
instrumentation necessary to initiate Containment Purge Isolation
remains OPERABLE.
For sampling systems, channel OPERABILITY involves more than OPERABILITY of the channel electronics. OPERABILITY also
requires correct valve lineups and sample pump operation, as well
as detector OPERABILITY.
- 4. Containment Isolation - Phase A
Refer to LCO 3.3.2, Function 3.a., for all initiating Functions and requirements except as described above in item 2, Automatic Actuation Logic and Actuation Relays.
APPLICABILITY The Automatic Actuation Logic and Actuation Relays and Containment Isolation-Phase A Functions are required OPERABLE
in MODES 1, 2, 3 and 4. The Manual Initiation and Containment
Radiation Functions are required OPERABLE in MODES 1, 2, 3, and 4, and during CORE ALTERATIONS or movement of irradiated
fuel assemblies within containment. Under these conditions, the
potential exists for an accident that could release fission product
(continued)
Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 Farley Units 1 and 2 B 3.3.6-4 Revision 0 BASES APPLICABILITY radioactivity into containment. Therefore, the containment purge and (continued) exhaust isolation instrumentation must be OPERABLE in these MODES.
While in MODES 5 and 6 without fuel handling in progress, the containment purge and exhaust isolation instrumentation need not be
OPERABLE since the potential for radioactive releases is minimized
and operator action is sufficient to ensure post accident offsite doses
are maintained within the limits of Reference 1.
The Applicability for the containment purge and exhaust isolation on the ESFAS Containment Isolation Phase A Functions is specified in
LCO 3.3.2. Refer to the Bases for LCO 3.3.2 for discussion of the
Containment Isolation-Phase A Function Applicability.
ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the
tolerance allowed by unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather
than a total loss of function. This determination is generally made
during the performance of a COT, when the process instrumentation
is set up for adjustment to bring it within specification. If the Trip
Setpoint is less conservative than the tolerance specified by the
calibration procedure, the channel must be declared inoperable
immediately and the appropriate Condition entered.
A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be entered independently for each Function listed
in Table 3.3.6-1. The Completion Time(s) of the inoperable
channel(s)/train(s) of a Function will be tracked separately for each
Function starting from the time the Condition was entered for that
Function.
A.1 Condition A applies to the failure of one required containment purge
isolation radiation monitor channel. The failed channel must be
restored to OPERABLE status. The 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> allowed to restore the
affected channel is justified by the low likelihood of events occurring
during this interval, and recognition that the radiation monitor provides
(continued)
Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 Farley Units 1 and 2 B 3.3.6-5 Revision 0
ACTIONS A.1 (continued)
backup protection to the Phase A Isolation signal in MODES 1-4 and that during the Applicability of CORE ALTERTIONS or movement of
irradiated fuel assemblies in containment the remaining radiation
monitoring channel remains capable of responding if required.
B.1 Condition B applies to all Containment Purge and Exhaust Isolation Functions and addresses the train orientation of the Solid State
Protection System (SSPS) and the master and slave relays for these
Functions as well as the manual handswitches for the isolation valves.
It also addresses the inability to restore a single failed radiation
monitor channel to OPERABLE status in the time allowed for
Required Action A.1.
If a train is inoperable, multiple channels are inoperable, or the Required Action and associated Completion Time of Condition A are
not met, operation may continue as long as the Required Action for
the applicable Conditions of LCO 3.6.3 is met for each valve made
inoperable by failure of isolation instrumentation.
A Note is added stating that Condition B is only applicable in MODE 1, 2, 3, or 4.
C.1 and C.2
Condition C applies to the Containment Purge and Exhaust Manual Isolation Function. It also addresses the failure of two radiation
monitoring channels, or the inability to restore a single failed radiation
monitor channel to OPERABLE status in the time allowed for
Required Action A.1. If one or more manual handswitch channels(s)
are inoperable, or two radiation monitor channels are inoperable, or
the Required Action and associated Completion Time of Condition A
are not met, operation may continue as long as the Required Action to
place and maintain containment purge and exhaust isolation valves in
their closed position is met or the applicable Conditions of LCO 3.9.3, "Containment Penetrations," are met for each valve made inoperable
by failure of isolation instrumentation (which includes manual
handswitch channel(s)). The Completion Time for these Required
Actions is Immediately.
(continued)
Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 (continued)
Farley Units 1 and 2 B 3.3.6-6 Revision 52 BASES ACTIONS C.1 and C.2 (continued)
A Note states that Condition C is applicable during the Applicability of CORE ALTERATIONS and during movement of irradiated fuel
assemblies within containment.
SURVEILLANCE A Note has been added to the SR Table to clarify that REQUIREMENTS Table 3.3.6-1 determines which SRs apply to which Containment Purge and Exhaust Isolation Functions.
Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a
comparison of the parameter indicated on one channel to a similar
parameter on other channels. It is based on the assumption that
instrument channels monitoring the same parameter should read
approximately the same value. Significant deviations between the two
instrument channels could be an indication of excessive instrument
drift in one of the channels or of something even more serious. A
CHANNEL CHECK will detect gross channel failure; thus, it is key to
verifying the instrumentation continues to operate properly between
each CHANNEL CALIBRATION.
Agreement criteria are based on a combination of the channel instrument uncertainties, including indication and readability. If a
channel is outside the criteria, it may be an indication that the sensor
or the signal processing equipment has drifted outside its limit.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.6.2 is the performance of an ACTUATION LOGIC TEST. The train being tested is placed in the bypass condition, thus preventing
inadvertent actuation. Through the semiautomatic tester, all possible
logic combinations, with and without applicable permissives, are
Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 (continued)
Farley Units 1 and 2 B 3.3.6-7 Revision 59 BASES SURVEILLANCE SR 3.3.6.2 (continued)
REQUIREMENTS
tested for each protection function. In addition, the master relay coil is pulse tested for continuity. This verifies that the logic modules are
OPERABLE and there is an intact voltage signal path to the master
relay coils. The Surveillance Frequency is controlled under the
Surveillance Frequency Control Program.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
SR 3.3.6.3 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying
contact operation and a low voltage continuity check of the slave relay
coil. Upon master relay contact operation, a low voltage is injected to
the slave relay coil. This voltage is insufficient to pick up the slave
relay, but large enough to demonstrate signal path continuity. The
Surveillance Frequency is controlled under the Surveillance
Frequency Control Program.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
A COT is performed on each required channel to ensure the entire channel will perform the intended Function. The Surveillance
Frequency is controlled under the Surveillance Frequency Control
Program. This test verifies the capability of the instrumentation to
provide the containment purge and exhaust system isolation. The
setpoint shall be left consistent with the current unit specific
calibration procedure tolerance.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
Containment Purge and Exhaust Isolation Instrumentation B 3.3.6 (continued)
Farley Units 1 and 2 B 3.3.6-8 Revision 59 BASES SURVEILLANCE SR 3.3.6.5 REQUIREMENTS (continued) SR 3.3.6.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact
operation is verified in one of two ways. Actuation equipment that
may be operated in the design mitigation mode is either allowed to
function or is placed in a condition where the relay contact operation
can be verified without operation of the equipment. Actuation
equipment that may not be operated in the design mitigation mode is
prevented from operation by the SLAVE RELAY TEST circuit. For
this latter case, contact operation is verified by a continuity check of
the circuit containing the slave relay.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
SR 3.3.6.6 is the performance of a TADOT. This test is a check of the Manual Actuation Functions. Each Manual Actuation Function is
tested up to, and including, the master relay coils. In some instances, the test includes actuation of the end device (i.e., pump starts, valve cycles, etc.).
The test also includes trip devices that provide actuation signals directly to the SSPS, bypassing the analog process control
equipment. The SR is modified by a Note that excludes verification of
setpoints during the TADOT. The Functions tested have no setpoints
associated with them.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
CREFS Actuation Instrumentation B 3.3.7 Farley Units 1 and 2 B 3.3.7-1 Revision 0 B 3.3 INSTRUMENTATION
B 3.3.7 Control Room Emergency Filtration/Pressurization System (CREFS) Actuation
Instrumentation
BASES BACKGROUND The CREFS provides an enclos ed control room environment from which the unit can be operated following an uncontrolled release of
radioactivity. During normal operation, the Computer Room
Ventilation System provides fresh outside air to the control room
ventilation. Upon receipt of an actuation signal, the CREFS initiates
filtered ventilation and pressurization of the control room. This system
is described in the Bases for LCO 3.7.10, "Control Room Emergency
Filtration/Pressurization System."
The actuation instrumentation consists of redundant radiation
monitors in the air intake. A high radiation signal from one of these
detectors will isolate the control room ventilation. The control room
operator can initiate CREFS trains by manual switches in the control
room. The CREFS is automatically actuated by a Phase A
Containment isolation signal which also isolates the control room
ventilation. The SI Function is discussed in LCO 3.3.2, "Engineered
Safety Feature Actuation System (ESFAS) Instrumentation."
APPLICABLE The control room must be kept habitable for the operators SAFETY ANALYSES stationed there during accident recovery and post accident operations.
The automatic actuation of CREFS acts to terminate the supply of unfiltered outside air to the control room, initiate filtration, and
pressurize the control room. These actions are necessary to ensure
the control room is kept habitable for the operators stationed there
during accident recovery and post accident operations by minimizing
the radiation exposure of control room personnel.
In MODES 1, 2, 3, and 4, the Phase A signal actuation ensures initiation of the CREFS during a loss of coolant accident or steam
generator tube rupture. The automatic isolation of the control room
ventilation by the radiation detectors provides backup protection for
the control room but requires manual initiation of the CREFS.
(continued)
CREFS Actuation Instrumentation B 3.3.7 Farley Units 1 and 2 B 3.3.7-2 Revision 0 BASES APPLICABLE The radiation monitor actuation of control room isolation during SAFETY ANALYSES movement of irradiated fuel assemblies, and CORE ALTERATIONS, (continued) alerts the operators to the need for manual initiation of the CREFS which will ensure control room habitability in the event of a fuel
handling accident.
The CREFS actuation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO requirements ensure that instrumentation necessary to initiate the CREFS is OPERABLE.
- 1. Manual Initiation
The LCO requires two trains of manual initiation OPERABLE in MODES 1-4 and during CORE ALTERATIONS or movement of
irradiated fuel assemblies. Two different methods of manual
initiation are available to meet the requirements of this LCO, either
method of manual initiation will accomplish the isolation of the
control room and initiation of CREFS. Plant conditions and
equipment availability vary through different MODES of operation
and will affect which method of manual initiation may be used to
meet the requirements of this LCO. The Phase A Containment
Isolation manual switches (1 per train) provide a system level
control room isolation and CREFS initiation to ensure the
habitability of the control room, but Phase A Containment Isolation
is only required OPERABLE by LCO 3.3.2, ESFAS
Instrumentation, in MODES 1-4, and normally will not be available
in MODES 5 and 6. When the system level manual Phase A
initiation is not available, the manual switches for the individual
CREFS recirculation and pressurization fans (2 handswitches per
train) and the manual switches for the control room isolation
valves (4 handswitches per train) also provide 2 trains of manual
initiation capability to ensure the habitability of the control room.
Either method may be used, as permitted by plant conditions and
equipment availability, to meet the LCO requirement for two trains
of manual initiation.
The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to
ensure the operator has manual initiation capability.
(continued)
CREFS Actuation Instrumentation B 3.3.7 Farley Units 1 and 2 B 3.3.7-3 Revision 0 BASES LCO 2. Automatic Actuation Logic and Actuation Relays (continued)
The LCO requires two trains of Actuation Logic and Relays OPERABLE to ensure that no single random failure can prevent
automatic actuation.
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for
ESFAS Function 3.a.2, Containment Isolation-Phase A, in
LCO 3.3.2. The Actions Conditions for the CREFS portion of
these Functions are different and less restrictive than those
specified for their Phase A Isolation roles. If one or more of the
Phase A Isolation Functions becomes inoperable in such a
manner that only the CREFS Function is affected, the Conditions
applicable to their Phase A Isolation Function need not be
entered. The less restrictive Actions specified for inoperability of
the CREFS Functions specify sufficient compensatory measures
for this case.
- 3. Control Room Radiation
The LCO specifies one required Control Room Air Intake Radiation Monitor in MODES 1-4 to ensure that the radiation
monitoring instrumentation necessary to provide a backup
initiation of control room isolation remains OPERABLE. The LCO
requires two air intake radiation monitor channels OPERABLE
during CORE ALTERATIONS and during movement of irradiated
fuel assemblies when the radiation monitor channels provide the
primary control room protection function.
For sampling systems, channel OPERABILITY involves more than OPERABILITY of channel electronics. OPERABILITY also
requires correct valve lineups and sample pump operation, as well
as detector OPERABILITY.
- 4. Containment Isolation-Phase A
Refer to LCO 3.3.2, Function 3.a, for all initiating Functions and requirements except as described above in item 2, Automatic Actuation Logic and Actuation Relays.
CREFS Actuation Instrumentation B 3.3.7 Farley Units 1 and 2 B 3.3.7-4 Revision 18 BASES APPLICABILITY The CREFS Functions must be OPERABLE in MODES 1, 2, 3, 4, and the radiation monitor and manual initiation Functions must also be
OPERABLE during CORE ALTERATIONS and movement of
irradiated fuel assemblies to ensure a habitable environment for the
control room operators. The Applicability for the CREFS actuation on
the ESFAS Containment Isolation-Phase A Functions are specified in
LCO 3.3.2. Refer to the Bases for LCO 3.3.2 for discussion of the
Containment Isolation-Phase A Function Applicability.
ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the
tolerance allowed by the unit specific calibration procedures.
Typically, the drift is found to be small and results in a delay of
actuation rather than a total loss of function. This determination is
generally made during the performance of a COT, when the process
instrumentation is set up for adjustment to bring it within specification.
If the Trip Setpoint is less conservative than the tolerance specified
by the calibration procedure, the channel must be declared inoperable
immediately and the appropriate Condition entered.
A Note has been added to the ACTIONS indicating that separate Condition entry is allowed for each Function. The Conditions of this
Specification may be entered independently for each Function listed
in Table 3.3.7-1 in the accompanying LCO. The Completion Time(s)
of the inoperable channel(s)/train(s) of a Function will be tracked
separately for each Function starting from the time the Condition was
entered for that Function.
A.1 Condition A applies to the actuation logic train Function of the
CREFS, the radiation monitor channel Functions, and the manual
channel Functions.
If one train is inoperable, or one required radiation monitor channel is
inoperable in one or more Functions, 7 days are permitted to restore it
to OPERABLE status. The 7 day Completion Time is the same as is
allowed if one train of the mechanical portion of the system is
inoperable. The basis for this Completion Time is the same as
provided in LCO 3.7.10. If the channel/train cannot be restored to
(continued)
PRF Actuation Instrumentation B 3.3.8 Farley Units 1 and 2 B 3.3.8-2 Revision 0 BASES APPLICABLE The PRF actuation instrumentation satisfies Criterion 3 of SAFETY ANALYSES 10 CFR 50.36(c)(2)(ii).
(continued)
LCO The LCO requirements ensure that instrumentation necessary to initiate the PRF is OPERABLE.
- 1. Manual Initiation
The LCO requires two trains OPERABLE. Each train consists of 2 handswitches for the PRF ventilation fans and one handswitch for
the penetration room suction damper. The operator can initiate a
PRF train at any time by using two fan switches and one damper
switch in the control room. This action will cause actuation of all
components in the same manner as any of the automatic
actuation signals.
The LCO for Manual Initiation ensures the proper amount of redundancy is maintained in the manual actuation circuitry to
ensure the operator has manual initiation capability.
Each train consists of two fan handswitches and one damper handswitch and the interconnecting wiring to the PRF fans and
- 2. Automatic Actuation Logic and Actuation Relays
The LCO requires two trains of Actuation Logic and Relays OPERABLE to ensure that no single random failure can prevent
automatic actuation.
Automatic Actuation Logic and Actuation Relays consist of the same features and operate in the same manner as described for
ESFAS Function 3.b.2, Phase B Containment Isolation, in LCO
3.3.2. The ACTIONS Conditions for the PRF portion of these
functions are different and less restrictive than those specified for
their Phase B roles. If one or more of the Phase B functions
becomes inoperable in such a manner that only the PRF function
is affected, the Conditions applicable to their Phase B function
need not be entered. The less restrictive Actions specified for
inoperability of the PRF functions specify sufficient compensatory
measures for this case.
(continued)
PRF Actuation Instrumentation B 3.3.8 Farley Units 1 and 2 B 3.3.8-3 Revision 0 BASES LCO 3. Spent Fuel Pool Room Radiation (continued)
The LCO specifies two required Gaseous Radiation Monitor channels to ensure that the radiation monitoring instrumentation
necessary to initiate the PRF remains OPERABLE. Each monitor
will initiate the associated train of PRF and isolate the normal
Spent Fuel Pool Room ventilation.
For sampling systems, channel OPERABILITY involves more than OPERABILITY of channel electronics. OPERABILITY requires
correct valve lineups, sample pump operation, and detector
OPERABILITY.
- 4. Spent Fuel Pool Room Ventilation Differential Pressure
The LCO specifies two channels of spent fuel pool room
ventilation differential pressure instrumentation to assure filtration
protection is provided when insufficient normal spent fuel pool
room ventilation system flow exis ts to ensure proper operation of
the radiation monitors. When the instrumentation detects
insufficient spent fuel pool room ventilation flow, the PRF is
actuated and the spent fuel storage pool room ventilation isolated
in the same manner as the radiation monitor actuation of the
system. The differential pressure instrumentation assures
filtration of the spent fuel pool room exhaust when the spent fuel
pool room normal ventilation system flow is not sufficient for
proper operation of the radiation monitors.
- 5. Containment Isolation - Phase B
Refer to LCO 3.3.2, Function 3.b for all initiation Functions and
requirements except as described above in item 2, "Automatic
Actuation Logic and Actuation Relays."
Only the Trip Setpoint is specified for each PRF Function in the LCO.
The Trip Setpoint limits are defined in plant procedures (Ref. 2).
APPLICABILITY The manual PRF initiation must be OPERABLE in MODES 1, 2, 3, and 4 and when moving irradiated fuel assemblies in the Spent Fuel
Pool Room, to ensure the PRF operates to remove fission products
(continued)
PRF Actuation Instrumentation B 3.3.8 Farley Units 1 and 2 B 3.3.8-4 Revision 0 BASES APPLICABILITY associated with leakage after a LOCA or a fuel handling accident.
(continued) The automatic Phase B PRF actuation instrumentation is also required in MODES 1, 2, 3, and 4 to remove fission products caused
by post LOCA Emergency Core Cooling Systems leakage.
High radiation and the normal Spent Fuel Pool Room ventilation system low flow signal initiation of the PRF must be OPERABLE in
any MODE during movement of irradiated fuel assemblies in the
Spent Fuel Pool Room to ensure automatic initiation of the PRF when
the potential for a fuel handling accident exists.
While in MODES 5 and 6 without fuel handling in progress, the PRF instrumentation need not be OPERABLE since a fuel handling
accident cannot occur.
ACTIONS The most common cause of channel inoperability is outright failure or drift of the bistable or process module sufficient to exceed the
tolerance allowed by unit specific calibration procedures. Typically, the drift is found to be small and results in a delay of actuation rather
than a total loss of function. This determination is generally made
during the performance of a COT, when the process instrumentation
is set up for adjustment to bring it within specification. If the Trip
Setpoint is less conservative than the tolerance specified by the
calibration procedure, the channel must be declared inoperable
immediately and the appropriate Condition entered.
A Note has been added to the ACTIONS to clarify the application of Completion Time rules. The Conditions of this Specification may be
entered independently for each Function listed in Table 3.3.8-1 in the
accompanying LCO. The Completion Time(s) of the inoperable
channel(s)/train(s) of a Function will be tracked separately for each
Function starting from the time the Condition was entered for that
Function.
A.1 Condition A applies to the actuation logic train function of the Solid
State Protection System (SSPS), the radiation monitor function, the
Spent Fuel Pool Room differential pressure function, and the manual
function. Condition A applies to the failure of a single actuation logic
(continued)
PRF Actuation Instrumentation B 3.3.8 Farley Units 1 and 2 B 3.3.8-5 Revision 18 BASES ACTIONS A.1 (continued)
train, radiation monitor channel, Spent Fuel Pool Room differential pressure channel, or manual train. If one channel or train is inoperable, a period of 7 days is allowed to restore it to OPERABLE
status. If the train cannot be restored to OPERABLE status, one PRF
train must be placed in operation. This accomplishes the actuation
instrumentation function and places the unit in a conservative mode of
operation. The 7 day Completion Time is the same as is allowed if
one train of the mechanical portion of the system is inoperable. The
basis for this time is the same as that provided in LCO 3.7.12.
B.1.1, B.1.2, B.2
Condition B applies to the failure of two PRF actuation logic trains, two radiation monitors, two Spent Fuel Pool Room differential
pressure channels, or two manual trains. The Required Action is to
place one PRF train in operation immediately. This accomplishes the
actuation instrumentation function that may have been lost and places
the unit in a conservative mode of operation. The applicable
Conditions and Required Actions of LCO 3.7.12 must also be entered for the PRF train made inoperable by the inoperable actuation
instrumentation. This ensures appropriate limits are placed on train
inoperability as discussed in the Bases for LCO 3.7.12.
Alternatively, both trains may be placed in operation. This ensures the PRF Function is performed even in the presence of a single
failure.
C.1 Condition C applies when the Required Action and associated Completion Time for Condition A or B have not been met and
irradiated fuel assemblies are being moved in the Spent Fuel Pool
Room. Movement of irradiated fuel assemblies in the Spent Fuel Pool
Room must be suspended immediately to eliminate the potential for
events that could require PRF actuation.
This Condition is modified by a Note which limits the applicability of this Condition to those Functions on Table 3.3.8-1 required
OPERABLE during movement of irradiated fuel assemblies in the
spent fuel pool room to mitigate the consequences of a fuel handling
accident. This Condition does not apply to Functions which are only
(continued)
PRF Actuation Instrumentation B 3.3.8 (continued)
Farley Units 1 and 2 B 3.3.8-6 Revision 52 BASES ACTIONS C.1 (continued)
required to mitigate the consequences of a LOCA (Phase B Isolation and associated automatic actuation logic and actuation relays).
These Functions are not required OPERABLE when moving irradiated
fuel assemblies and are unrelated to the mitigation of a fuel handling
accident in the spent fuel pool room.
D.1 and D.2
Condition D applies when the Required Action and associated Completion Time for Condition A or B have not been met and the unit
is in MODE 1, 2, 3, or 4. The unit must be brought to a MODE in
which the LCO requirements are not applicable. To achieve this
status, the unit must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and
MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are
reasonable, based on operating experience, to reach the required unit
conditions from full power conditions in an orderly manner and without
challenging unit systems.
This Condition is modified by a Note which limits the applicability of this Condition to those Functions on Table 3.3.8-1 required
OPERABLE during MODES 1, 2, 3, or 4 to mitigate the consequences
of a LOCA. This Condition is not intended to be applied to Functions
which are only required to mitigate the consequences of a fuel
handling accident in the Spent Fuel Pool Room (radiation monitors
and Spent Fuel Pool Room normal ventilation differential pressure).
These Functions are only required OPERABLE when moving
irradiated fuel assemblies in the Spent Fuel Pool Room and are
unrelated to the mitigation of the consequences of a LOCA.
SURVEILLANCE A Note has been added to the SR Table to clarify that Table 3.3.8-1 REQUIREMENTS determines which SRs apply to which PRF Actuation Functions.
Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a
comparison of the parameter indicated on one channel to a similar
parameter on other channels. It is based on the assumption that
PRF Actuation Instrumentation B 3.3.8 (continued)
Farley Units 1 and 2 B 3.3.8-7 Revision 52 BASES SURVEILLANCE SR 3.3.8.1 (continued)
REQUIREMENTS
instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two
instrument channels could be an indication of excessive instrument
drift in one of the channels or of something even more serious. A
CHANNEL CHECK will detect gross channel failure; thus, it is key to
verifying the instrumentation continues to operate properly between
each CHANNEL CALIBRATION.
Agreement criteria are based on a combination of the channel instrument uncertainties, including indication and readability. If a
channel is outside the criteria, it may be an indication that the sensor
or the signal processing equipment has drifted outside its limit.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
A COT is performed on each required channel to ensure the entire channel will perform the intended function. This test verifies the
capability of the instrumentation to provide the PRF actuation. The
setpoints shall be left consistent with the unit specific calibration
procedure tolerance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.8.3 SR 3.3.8.3 is the performance of an ACTUATION LOGIC TEST. All possible logic combinations, with and without applicable permissives, are tested for each protection function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
PRF Actuation Instrumentation B 3.3.8 (continued)
Farley Units 1 and 2 B 3.3.8-8 Revision 52 BASES SURVEILLANCE SR 3.3.8.4 REQUIREMENTS (continued) SR 3.3.8.4 is the performance of a MASTER RELAY TEST. The MASTER RELAY TEST is the energizing of the master relay, verifying
contact operation and a low voltage continuity check of the slave relay
coil. Upon master relay contact operation, a low voltage is injected to
the slave relay coil. This voltage is insufficient to pick up the slave
relay, but large enough to demonstrate signal path continuity. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.8.5 SR 3.3.8.5 is the performance of a SLAVE RELAY TEST. The SLAVE RELAY TEST is the energizing of the slave relays. Contact
operation is verified in one of two ways. Actuation equipment that
may be operated in the design mitigation MODE is either allowed to
function or is placed in a condition where the relay contact operation
can be verified without operation of the equipment. Actuation
equipment that may not be operated in the design mitigation MODE is
prevented from operation by the SLAVE RELAY TEST circuit. For
this latter case, contact operation is verified by a continuity check of
the circuit containing the slave relay. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.3.8.6 SR 3.3.8.6 is the performance of a TADOT. This test is a check of the manual and Spent Fuel Pool Room ventilation Differential Pressure
actuation functions. The test includes actuation of the end device (e.g., pump starts, valve cycles, etc.). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note that excludes verification of setpoints during
the TADOT. The Functions tested have no required setpoints
associated with them.
RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 Farley Units 1 and 2 B 3.4.1-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.1 RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits
BASES BACKGROUND These Bases address requirements for maintaining RCS pressure, temperature, and flow rate within limits assumed in the safety
analyses. The safety analyses (Ref. 1) of normal operating conditions
and anticipated operational occurrences assume initial conditions
within the normal steady state envelope. The limits placed on RCS
pressure, temperature, and flow rate ensure that the minimum
departure from nucleate boiling ratio (DNBR) will be met for each of the
transients analyzed.
The RCS pressure limit is consistent with operation within the nominal operational envelope. Pressurizer pressure indications are averaged
to come up with a value for comparison to the limit. The indicated limit
is based on the average of two control board readings. A lower
pressure will cause the reactor core to approach DNB limits.
The RCS coolant average temperature limit is consistent with full power operation within the nominal operational envelope. Indications
of temperature are averaged to determine a value for comparison to
the limit. The indicated limit is based on the average of two control
board readings. A higher average temperature will cause the core to
approach DNB limits.
The RCS flow rate normally remains constant during an operational fuel cycle with all pumps running. The minimum RCS flow limit
corresponds to that assumed for DNB analyses. A lower RCS flow will
cause the core to approach DNB limits.
Operation for significant periods of time outside these DNB limits increases the likelihood of a fuel cladding failure in a DNB limited
event.
APPLICABLE The requirements of this LCO represent the initial conditions for DNB SAFETY ANALYSES limited transients analyzed in the plant safety analyses (Ref. 1). The safety analyses have shown that transients initiated from the limits of
this LCO will result in meeting the DNB design criterion throughout
(continued)
RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 Farley Units 1 and 2 B 3.4.1-2 Revision 10 BASES APPLICABLE each analyzed transient. This is the acceptance limit for the RCS DNB SAFETY ANALYSES parameters. Changes to the unit that could impact these parameters (continued) must be assessed for their impact on the DNBR criteria. The transients analyzed include loss of coolant flow events and dropped or
stuck rod events. A key assumption for the analysis of these events is
that the core power distribution is within the limits of LCO 3.1.6, "Control Bank Insertion Limits"; LCO 3.2.3, "AXIAL FLUX
DIFFERENCE (AFD)"; and LCO 3.2.4, "QUADRANT POWER TILT
RATIO (QPTR)."
The pressurizer pressure limit and the RCS average temperature limit specified in the COLR correspond to analytical limits used in the safety analyses, with allowance for measurement uncertainty.
The RCS DNB parameters satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO specifies limits on the monitored process variables-pressurizer pressure, RCS average temperature, and RCS total flow rate-to ensure the core operates within the limits assumed in the
safety analyses. Operating within these limits will result in meeting the
DNB design criterion in the event of a DNB limited transient.
RCS total flow rate is based on two elbow tap measurements from each loop and contains a measurement error of 2.3% based on p measurements from the cold leg elbow taps, which are correlated to
past precision heat balance measurements or performing a precision
heat balance at the beginning of the current cycle. Potential fouling of
the feedwater venturi, which might not be detected, could bias the
result from the precision heat balance in a nonconservative manner.
Therefore, a penalty of 0.1% for undetected fouling of the feedwater
venturi raises the nominal flow measurement allowance to 2.4%.
Any fouling that might bias the flow rate measurement greater than
0.1% can be detected by monitoring and trending various plant
performance parameters. If detected, action shall be taken before
performing subsequent precision heat balance measurements, i.e.,
either the effect of the fouling shall be quantified and compensated for
in the RCS flow rate measurement or the venturi shall be cleaned to
eliminate the fouling.
RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 Farley Units 1 and 2 B 3.4.1-3 Revision 10 BASES APPLICABILITY In MODE 1, the limits on pressurizer pressure, RCS coolant average temperature, and RCS flow rate must be maintained during steady state operation in order to ensure DNBR criteria will be met in the
event of an unplanned loss of forced coolant flow or other DNB limited
transient. In all other MODES, the power level is low enough that DNB
is not a concern.
A Note has been added to indicate the limit on pressurizer pressure is not applicable during short term operational transients such as a
THERMAL POWER ramp > 5% RTP per minute or a THERMAL
POWER step > 10% RTP. These conditions represent short term
perturbations where actions to control pressure variations might be
counterproductive. Also, since they represent transients initiated from
power levels < 100% RTP, an increased DNBR margin exists to offset
the temporary pressure variations.
The DNBR limit on DNB related parameters is provided in SL 2.1.1, "Reactor Core SLs." The conditions that define the DNBR limit are less restrictive than the limits of this LCO, but violation of a Safety Limit (SL) merits a stricter, more severe Required Action. Should a violation
of this LCO occur, the operator must check whether or not an SL may
have been exceeded.
ACTIONS A.1
RCS pressure and RCS average temperature are controllable and measurable parameters. With one or both of these parameters not
within LCO limits, action must be taken to restore parameter(s).
RCS total flow rate is not a controllable parameter and is not expected to vary during steady state operation. If the indicated RCS total flow
rate is below the LCO limit, power must be reduced, as required by
Required Action B.1, to restore DNB margin and eliminate the potential
for violation of the accident analysis bounds.
The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time for restoration of the parameters provides sufficient time to adjust plant parameters, to determine the cause for
the off normal condition, and to restore the readings within limits, and
is based on plant operating experience.
(continued)
RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 (continued)
Farley Units 1 and 2 B 3.4.1-4 Revision 52 BASES ACTIONS B.1 (continued)
If Required Action A.1 is not met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not
apply. To achieve this status, the plant must be brought to at least
MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. In MODE 2, the reduced power condition
eliminates the potential for violation of the accident analysis bounds.
The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable to reach the required
plant conditions in an orderly manner.
SURVEILLANCE SR 3.4.1.1 REQUIREMENTS
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
RCS Pressure, Temperature, and Flow DNB Limits B 3.4.1 Farley Units 1 and 2 B 3.4.1-5 Revision 52 BASES SURVEILLANCE SR 3.4.1.4 REQUIREMENTS (continued) The surveillance of the total RCS flow rate may be performed by one of two alternate methods. One method is a precision calorimetric as documented in WCAP-12771, Rev. 1. The other method is based on
the p measurements from the cold leg elbow taps, which are
correlated to past precision heat balance measurements. Correlation
of the flow indication channels with selected precision loop flow
calorimetrics for this method is documented in WCAP-14750. Use of
the elbow tap p measurement method removes the requirement for performance of a precision RCS flow calorimetric measurement.
Measurement of RCS total flow rate by performance of one of these two methods verifies the actual RCS flow rate is greater than or equal to the minimum required RCS flow rate.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR is modified by a Note that allows entry into MODE 1, without having performed the SR, and placement of the unit in the best
condition for performing the SR. The Note states that the SR is not
required to be performed until 7 days after 90% RTP. This exception is appropriate since the heat balance and elbow tap measurement
methods both require the plant to be at a minimum of 90% RTP to
obtain the stated RCS flow accuracies. The Surveillance shall be
performed within 7 days after reaching 90% RTP. The intent is that
this Surveillance be performed near the beginning of the cycle as close
as possible to 100% RTP.
REFERENCES 1. FSAR, Section 4.4 and 15.
RCS Minimum Temperature for Criticality B 3.4.2 Farley Units 1 and 2 B 3.4.2-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.2 RCS Minimum Temperature for Criticality
BASES BACKGROUND This LCO is based upon meeting several major considerations before the reactor can be made critical and while the reactor is critical.
The first consideration is moderator temperature coefficient (MTC), LCO 3.1.3, "Moderator Temperature Coefficient (MTC)." In the
transient and accident analyses, the MTC is assumed to be in a range
from slightly positive to negativ e and the operating temperature is assumed to be within the nominal operating envelope while the
reactor is critical. The LCO on minimum temperature for criticality
helps ensure the plant is operated consistent with these assumptions.
The second consideration is the protective instrumentation. Because
certain protective instrumentation (e.g., excore neutron detectors) can
be affected by moderator temperature, a temperature value within the
nominal operating envelope is chosen to ensure proper indication and
response while the reactor is critical.
The third consideration is the pressurizer operating characteristics.
The transient and accident analyses assume that the pressurizer is
within its normal startup and operating range (i.e., saturated
conditions and steam bubble present). It is also assumed that the
RCS temperature is within its normal expected range for startup and
power operation. Since the density of the water, and hence the
response of the pressurizer to transients, depends upon the initial
temperature of the moderator, a minimum value for moderator
temperature within the nominal operating envelope is chosen.
The fourth consideration is that the reactor vessel is above its
minimum nil ductility reference temperature when the reactor is
critical.
APPLICABLE Although the RCS minimum temperature for criticality is not SAFETY ANALYSES itself an initial condition assumed in Design Basis Accidents (DBAs),
the closely aligned temperature for hot zero power (HZP) is a process variable that is an initial condition of DBAs, such as the rod cluster
(continued)
RCS Minimum Temperature for Criticality B 3.4.2 Farley Units 1 and 2 B 3.4.2-2 Revision 0 BASES APPLICABLE control assembly (RCCA) withdrawal, RCCA ejection, and main SAFETY ANALYSES steam line break accidents performed at zero power that either (continued) assumes the failure of, or presents a challenge to, the integrity of a fission product barrier.
All low power safety analyses assume initial RCS loop temperatures the HZP temperature of 547°F (Ref. 1). The minimum temperature for criticality limitation provides a small band, 6°F, for critical operation
below HZP. This band allows critical operation below HZP during
plant startup and does not adversely affect any safety analyses since
the MTC is not significantly affected by the small temperature
difference between HZP and the minimum temperature for criticality.
The RCS minimum temperature for criticality satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO Compliance with the LCO ensures that the reactor will not be made or maintained critical (k eff 1.0) at a temperature less than a small band below the HZP temperature, which is assumed in the safety analysis.
Failure to meet the requirements of this LCO may produce initial
conditions inconsistent with the initial conditions assumed in the
safety analysis.
APPLICABILITY In MODE 1 and MODE 2 with k eff 1.0, LCO 3.4.2 is applicable since the reactor can only be critical (k eff 1.0) in these MODES.
The special test exception of LCO 3.1.8, "MODE 2 PHYSICS TESTS
Exceptions," permits PHYSICS TESTS to be performed at 5% RTP with RCS loop average temperatures slightly lower than normally
allowed so that fundamental nuclear characteristics of the core can be
verified. In order for nuclear characteristics to be accurately
measured, it may be necessary to operate outside the normal
restrictions of this LCO. For example, to measure the MTC at
beginning of cycle, it is necessary to allow RCS loop average
temperatures to fall below T no load , which may cause RCS loop average temperatures to fall below t he temperature limit of this LCO.
RCS P/T Limits B 3.4.3 Farley Units 1 and 2 B 3.4.3-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.3 RCS Pressure and Temperature (P/T) Limits
BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads
are introduced by startup (heatup) and shutdown (cooldown)
operations, power transients, and reactor trips. This LCO limits the
pressure and temperature changes during RCS heatup and cooldown, within the design assumptions and the stress limits for cyclic
operation.
The PTLR contains P/T limit curves for heatup, cooldown, inservice leak and hydrostatic (ISLH) testing, and data for the maximum rate of
change of reactor coolant temperature (Ref. 1).
Each P/T limit curve defines an acceptable region for normal operation. The usual use of the curves is operational guidance during
heatup or cooldown maneuvering, when pressure and temperature
indications are monitored and compared to the applicable curve to
determine that operation is within the allowable region.
The LCO establishes operating limits that provide a margin to brittle failure of the reactor vessel and piping of the reactor coolant pressure
boundary (RCPB). The vessel is the component most subject to
brittle failure, and the LCO limits apply mainly to the vessel. The limits
do not apply to the pressurizer, which has different design
characteristics and operating functions.
10 CFR 50, Appendix G (Ref. 2), requires the establishment of P/T limits for specific material fracture toughness requirements of the
RCPB materials. Reference 2 requires an adequate margin to brittle
failure during normal operation, anticipated operational occurrences, and system hydrostatic tests. It mandates the use of the American Society of Mechanical Engineers (ASME) Code, Section XI, Appendix G (Ref. 3).
The neutron embrittlement effect on the material toughness is reflected by increasing the nil ductility reference temperature (RT NDT) as exposure to neutron fluence increases.
The actual shift in the RT NDT of the vessel material will be established periodically by removing and evaluating the irradiated reactor vessel (continued)
RCS P/T Limits B 3.4.3 Farley Units 1 and 2 B 3.4.3-2 Revision 0 BASES BACKGROUND material specimens, in accordance with ASTM E 185 (Ref. 4) and (continued) Appendix H of 10 CFR 50 (Ref. 5). The operating P/T limit curves will be adjusted, as necessary, based on the evaluation findings and the
recommendations of Regulatory Guide 1.99 (Ref. 6).
The P/T limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of
the reactor vessel and head that are the most restrictive. At any
specific pressure, temperature, and temperature rate of change, one
location within the reactor vessel will dictate the most restrictive limit.
Across the span of the P/T limit curves, different locations are more
restrictive, and, thus, the curves are composites of the most restrictive
regions.
The heatup curve represents a different set of restrictions than the cooldown curve because the directions of the thermal gradients
through the vessel wall are reversed. The thermal gradient reversal
alters the location of the tensile stress between the outer and inner
walls.
The criticality limit curve includes the Reference 2 requirement that it be 40°F above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for ISLH testing.
However, the criticality curve is not operationally limiting; a more
restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for
Criticality."
The consequence of violating the LCO limits is that the RCS has been
operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In
the event these limits are exceeded, an evaluation must be performed
to determine the effect on the structural integrity of the RCPB components. The ASME Code, Section XI, Appendix E (Ref. 7),
provides a recommended methodology for evaluating an operating
event that causes an excursion outside the limits.
APPLICABLE The P/T limits are not derived from Design Basis Accident (DBA) SAFETY ANALYSES analyses. They are prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change
conditions that might cause undetected flaws to propagate and cause
nonductile failure of the RCPB, an unanalyzed condition. Reference 1
(continued)
RCS P/T Limits B 3.4.3 Farley Units 1 and 2 B 3.4.3-3 Revision 0 BASES APPLICABLE establishes the methodology for determining the P/T limits. Although SAFETY ANALYSES the P/T limits are not derived from any DBA, the P/T limits are (continued) acceptance limits since they preclude operation in an unanalyzed condition.
RCS P/T limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The two elements of this LCO are:
- a. The limit curves for heatup, cooldown, and ISLH testing; and
- b. Limits on the rate of change of temperature.
The LCO limits apply to all components of the RCS, except the pressurizer. These limits define allowable operating regions and
permit a large number of operating cycles while providing a wide
margin to nonductile failure.
The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating
the heatup, cooldown, and ISLH testing P/T limit curves. Thus, the
LCO for the rate of change of temperature restricts stresses caused
by thermal gradients and also ensures the validity of the P/T limit curves.
Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other
RCPB components. The consequences depend on several factors, as follow:
- a. The severity of the departure from the allowable operating P/T regime or the severity of the rate of change of temperature;
- b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more
pronounced); and
- c. The existences, sizes, and orientations of flaws in the vessel material.
RCS P/T Limits B 3.4.3 Farley Units 1 and 2 B 3.4.3-4 Revision 0 BASES APPLICABILITY The RCS P/T limits LCO provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 2). Although the P/T limits were developed to
provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or ISLH testing, their Applicability is at all times in keeping
with the concern for nonductile failure. The limits do not apply to the
pressurizer.
During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement
these P/T limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow
Departure from Nucleate Boiling (DNB) Limits"; LCO 3.4.2, "RCS
Minimum Temperature for Criticality"; and Safety Limit 2.1, "Safety
Limits," also provide operational restrictions for pressure and
temperature and maximum pressure. Furthermore, MODES 1 and 2
are above the temperature range of concern for nonductile failure, and
stress analyses have been performed for normal maneuvering
profiles, such as power ascension or descent.
ACTIONS A.1 and A.2
Operation outside the P/T limits during MODE 1, 2, 3, or 4 must be
corrected so that the RCPB is returned to a condition that has been
verified by stress analyses.
The 30 minute Completion Time reflects the urgency of restoring the
parameters to within the analyzed range. Most violations will not be
severe, and the activity can be accomplished in this time in a
controlled manner.
Besides restoring operation within limits, an evaluation is required to
determine if RCS operation can continue. The evaluation must verify
the RCPB integrity remains acceptable and must be completed before
continuing operation. Several methods may be used, including
comparison with pre-analyzed transients in the stress analyses, new
analyses, or inspection of the components.
ASME Code, Section XI, Appendix E (Ref. 7), may be used to support
the evaluation. However, its use is restricted to evaluation of the
vessel beltline.
(continued)
RCS P/T Limits B 3.4.3 Farley Units 1 and 2 B 3.4.3-5 Revision 0 BASES ACTIONS A.1 and A.2 (continued)
The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable to accomplish the
evaluation. The evaluation for a mild violation is possible within this
time, but more severe violations may require special, event specific
stress analyses or inspections. A favorable evaluation must be
completed before continuing to operate.
Condition A is modified by a Note requiring Required Action A.2 to be
completed whenever the Condition is entered. The Note emphasizes
the need to perform the evaluation of the effects of the excursion
outside the allowable limits. Restoration alone per Required
Action A.1 is insufficient because higher than analyzed stresses may
have occurred and may have affected the RCPB integrity.
B.1 and B.2
If a Required Action and associated Completion Time of Condition A
are not met, the plant must be placed in a lower MODE because
either the RCS remained in an unacceptable P/T region for an
extended period of increased stress or a sufficiently severe event
caused entry into an unacceptable region. Either possibility indicates
a need for more careful examination of the event, best accomplished
with the RCS at reduced pressure and temperature. In reduced
pressure and temperature conditions, the possibility of propagation
with undetected flaws is decreased.
If the required restoration activity cannot be accomplished within
30 minutes, Required Action B.1 and Required Action B.2 must be
implemented to reduce pressure and temperature.
If the required evaluation for continued operation cannot be
accomplished within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or the results are indeterminate or
unfavorable, action must proceed to reduce pressure and temperature
as specified in Required Action B.1 and Required Action B.2. A
favorable evaluation must be completed and documented before
returning to operating pressure and temperature conditions.
Pressure and temperature are reduced by bringing the plant to
MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 with RCS pressure < 500 psig
within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.
(continued)
RCS P/T Limits B 3.4.3 Farley Units 1 and 2 B 3.4.3-6 Revision 0 BASES ACTIONS B.1 and B.2 (continued)
The allowed Completion Times are reasonable, based on operating
experience, to reach the required plant conditions from full power
conditions in an orderly manner and without challenging plant systems.
C.1 and C.2
Actions must be initiated immediately to correct operation outside of
the P/T limits at times other than when in MODE 1, 2, 3, or 4, so that
the RCPB is returned to a condition that has been verified by stress
analysis.
The immediate Completion Time reflects the urgency of initiating
action to restore the parameters to within the analyzed range. Most
violations will not be severe, and the activity can be accomplished in
this time in a controlled manner.
Besides restoring operation within limits, an evaluation is required to
determine if RCS operation can continue. The evaluation must verify
that the RCPB integrity remains acceptable and must be completed
prior to entry into MODE 4. Several methods may be used, including
comparison with pre-analyzed transients in the stress analyses, or
inspection of the components.
ASME Code, Section XI, Appendix E (Ref. 7), may be used to support the evaluation. However, its use is restricted to evaluation of
the vessel beltline.
Condition C is modified by a Note requiring Required Action C.2 to be
completed whenever the Condition is entered. The Note emphasizes
the need to perform the evaluation of the effects of the excursion
outside the allowable limits. Restoration alone per Required
Action C.1 is insufficient because higher than analyzed stresses may
have occurred and may have affected the RCPB integrity.
RCS P/T Limits B 3.4.3 Farley Units 1 and 2 B 3.4.3-7 Revision 63 BASES SURVEILLANCE SR 3.4.3.1 REQUIREMENTS
Verification that operation is within the PTLR limits is required when RCS pressure and temperature conditions are undergoing planned
changes. The Surveillance Frequency is controlled under the
Surveillance Frequency Control Program.
Surveillance for heatup, cooldown, or ISLH testing may be discontinued when the definition given in the relevant plant procedure
for ending the activity is satisfied.
This SR is modified by a Note that only requires this SR to be performed during system heatup, cooldown, and ISLH testing. No SR
is given for criticality operations because LCO 3.4.2 contains a more
restrictive requirement.
REFERENCES 1. WCAP-14040-A, Revision 4, May 2004.
- 3. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix G.
- 4. ASTM E 185-82, July 1982.
- 6. Regulatory Guide 1.99, Revision 2, May 1988.
- 7. ASME, Boiler and Pressure Vessel Code, Section XI, Appendix E.
RCS Loops - MODES 1 and 2 B 3.4.4 Farley Units 1 and 2 B 3.4.4-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.4 RCS Loops-MODES 1 and 2
BASES BACKGROUND The primary function of the RCS is removal of the heat generated in the fuel due to the fission process, and transfer of this heat, via the
steam generators (SGs), to the secondary plant.
The secondary functions of the RCS include:
- a. Moderating the neutron energy level to the thermal state, to increase the probability of fission;
- b. Improving the neutron economy by acting as a reflector;
- c. Carrying the soluble neutron poison, boric acid;
- d. Providing a second barrier against fission product release to the environment; and
- e. Removing the heat generated in the fuel due to fission product decay following a unit shutdown.
The reactor coolant is circulated through three loops connected in parallel to the reactor vessel, each containing an SG, a reactor
coolant pump (RCP), and appropriate flow and temperature
instrumentation for both control and protection. The reactor vessel
contains the clad fuel. The SGs provide the heat sink to the isolated
secondary coolant. The RCPs circulate the coolant through the
reactor vessel and SGs at a sufficient rate to ensure proper heat
transfer and prevent fuel damage. This forced circulation of the
reactor coolant ensures mixing of the coolant for proper boration and
chemistry control.
APPLICABLE Safety analyses contain various assumptions for the design bases SAFETY ANALYSES accident initial conditions including RCS pressure, RCS temperature, reactor power level, core parameters, and safety system setpoints.
The important aspect for this LCO is the reactor coolant forced flow
rate, which is represented by the number of RCS loops in service.
(continued)
RCS Loops - MODES 1 and 2 B 3.4.4 Farley Units 1 and 2 B 3.4.4-3 Revision 0 BASES APPLICABILITY In MODES 1 and 2, the reactor is critical and thus has the potential to produce maximum THERMAL POWER. Thus, to ensure that the
assumptions of the accident analyses remain valid, all RCS loops are
required to be OPERABLE and in operation in these MODES to
prevent DNB and core damage.
The decay heat production rate is much lower than the full power heat rate. As such, the forced circulation flow and heat sink requirements
are reduced for lower, noncritical MODES as indicated by the LCOs
for MODES 3, 4, and 5.
Operation in other MODES is covered by:
LCO 3.4.5, "RCS Loops-MODE 3";
LCO 3.4.6, "RCS Loops-MODE 4";
LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled";
LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";
LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).
ACTIONS A.1
If the requirements of the LCO are not met, the Required Action is to reduce power and bring the plant to MODE 3. This lowers power level
and thus reduces the core heat removal needs and minimizes the
possibility of violating DNB limits.
The Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly
manner and without challenging safety systems.
RCS Loops - MODES 1 and 2 B 3.4.4 Farley Units 1 and 2 B 3.4.4-4 Revision 52 BASES SURVEILLANCE SR 3.4.4.1 REQUIREMENTS
This SR requires verification that each RCS loop is in operation.
Verification includes flow rate, temperature, or pump status
monitoring, which help ensure that forced flow is providing heat
removal while maintaining the margin to DNB. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. FSAR, Sections 15.2.2, 15.2.5, 15.3.4, 15.3.6, 15.4.4.3, and 15.4.6.3.
RCS Loops - MODE 3 B 3.4.5 Farley Units 1 and 2 B 3.4.5-6 Revision 52 BASES SURVEILLANCE SR 3.4.5.2 (continued) REQUIREMENTS
secondary side narrow range water level is < 30%, the tubes may become uncovered and the associated loop may not be capable of providing the heat sink for removal of the decay heat. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Verification that the required RCPs are OPERABLE ensures that safety analyses limits are met. The requirement also ensures that an additional RCP can be placed in operation, if needed, to maintain decay heat removal and reactor coolant circulation. Verification is performed by verifying proper breaker alignment and power availability to the required RCPs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES None.
RCS Loops - MODE 4 B 3.4.6 Farley Units 1 and 2 B 3.4.6-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.6 RCS Loops-MODE 4
BASES BACKGROUND In MODE 4, the primary function of the reactor coolant is the removal of decay heat and the transfer of this heat to either the steam
generator (SG) secondary side coolant or the component cooling
water via the residual heat removal (RHR) heat exchangers. The
secondary function of the reactor coolant is to act as a carrier for
soluble neutron poison, boric acid.
The reactor coolant is circulated through three RCS loops connected in parallel to the reactor vessel, each loop containing an SG, a reactor
coolant pump (RCP), and appropriate flow, pressure, level, and
temperature instrumentation for control, protection, and indication.
The RCPs circulate the coolant through the reactor vessel and SGs at
a sufficient rate to ensure proper heat transfer and to prevent boric
acid stratification.
In MODE 4, either RCPs or RHR loops can be used to provide forced circulation. The intent of this LCO is to provide forced flow from at
least one RCP or one RHR loop for decay heat removal and transport.
The flow provided by one RCP loop or RHR loop is adequate for
decay heat removal. The other intent of this LCO is to require that
two paths be available to provide redundancy for decay heat removal.
APPLICABLE In MODE 4, RCS circulation is considered in the determination of the SAFETY ANALYSES time available for mitigation of the accidental boron dilution event.
The RCS and RHR loops provide this circulation.
RCS Loops-MODE 4 have been identified in the NRC Policy Statement as important contributors to risk reduction.
LCO The purpose of this LCO is to require that at least two loops be OPERABLE in MODE 4 and that one of these loops be in operation.
The LCO allows the two loops that are required to be OPERABLE to (continued)
RCS Loops - MODE 4 B 3.4.6 Farley Units 1 and 2 B 3.4.6-2 Revision 63 BASES LCO consist of any combination of RCS loops and RHR loops. Any one (continued) loop in operation provides enough flow to remove the decay heat from the core with forced circulation. An additional loop is required to be
OPERABLE to provide redundancy for heat removal.
Note 1 permits all RCPs or RHR pumps to not be in operation for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period. The purpose of the Note is to permit tests that are designed to validate various accident analyses values.
One of the tests performed during the startup testing program is the validation of rod drop times during cold conditions, both with and without flow. The no flow test may be performed in MODE 3, 4, or 5 and requires that the pumps be stopped for a short period of time.
The Note permits the stopping of the pumps in order to perform this test and validate the assumed analysis values. If changes are made to the RCS that would cause a change to the flow characteristics of the RCS, the input values must be revalidated by conducting the test again. The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time period is adequate to perform the test, and operating experience has shown that boron stratification is not a problem during this short period with no forced flow.
Utilization of Note 1 is permitted provided the following conditions are met along with any other conditions imposed by initial startup test procedures:
- a. No operations are permitted that would dilute the RCS boron concentration, therefore maintaining the margin to criticality.
Boron reduction is prohibited because a uniform concentration distribution throughout the RCS cannot be ensured when in natural circulation; and
- b. Core outlet temperature is maintained at least 10°F below saturation temperature, so that no vapor bubble may form and possibly cause a natural circulation flow obstruction.
Note 2 requires that the secondary side water temperature of each SG be < 50°F above each of the RCS cold leg temperatures or that the pressurizer water volume is less than 770 cubic feet (24% of wide range, cold, pressurizer level indication) before the start of an RCP with any RCS cold leg temperature the Low Temperature Overpressure Protection (LTOP) System applicability temperature specified in the PTLR. This restraint is to prevent a low temperature overpressure event due to a thermal transient when an RCP is started.
(continued)
RCS Loops - MODE 4 B 3.4.6 (continued)
Farley Units 1 and 2 B 3.4.6-4 Revision 52 BASES ACTIONS B.1 (continued)
If one required RHR loop is OPERABLE and in operation and there are no RCS loops OPERABLE, an inoperable RCS or RHR loop must be restored to OPERABLE status to provide a redundant means for decay heat removal.
If the parameters that are outside the limits cannot be restored, the unit must be brought to MODE 5 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Bringing the unit to MODE 5 is a conservative action with regard to decay heat removal. With only one RHR loop OPERABLE, redundancy for decay heat
removal is lost and, in the event of a loss of the remaining RHR loop, it would be safer to initiate that loss from MODE 5 ( 200°F) rather than MODE 4 (200 to 350°F). The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is a reasonable time, based on operating experience, to reach MODE 5 from MODE 4 in an orderly manner and without challenging plant systems.
C.1 and C.2 If no loop is OPERABLE or in operation, except during conditions permitted by Note 1 in the LCO section, all operations involving a reduction of RCS boron concentration must be suspended and action to restore one RCS or RHR loop to OPERABLE status and operation must be initiated. Boron dilution requires forced circulation for proper mixing, and the margin to criticality must not be reduced in this type of operation. The immediate Completion Times reflect the importance of maintaining operation for decay heat removal. The action to restore must be continued until one loop is restored to OPERABLE status and operation.
SURVEILLANCE SR 3.4.6.1 REQUIREMENTS
This SR requires verification that one RCS or RHR loop is in operation. Verification includes flow rate, temperature, or pump status monitoring, which help ensure that forced flow is providing heat removal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
RCS Loops - MODE 5, Loops Filled B 3.4.7 Farley Units 1 and 2 B 3.4.7-1 Revision 5 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.7 RCS Loops-MODE 5, Loops Filled
BASES BACKGROUND In MODE 5 with the RCS loops filled, the primary function of the reactor coolant is the removal of decay heat and transfer this heat
either to the steam generator (SG) secondary side coolant via natural
circulation (Ref. 1) or the component cooling water via the residual
heat removal (RHR) heat exchangers. While the principal means for
decay heat removal is via the RHR System, the SGs via natural
circulation (Ref. 1) are specified as a backup means for redundancy.
Even though the SGs cannot produce steam in this MODE, they are
capable of being a heat sink due to their large contained volume of
secondary water. As long as the SG secondary side water is at a
lower temperature than the reactor coolant, heat transfer will occur.
The rate of heat transfer is directly proportional to the temperature
difference. The secondary function of the reactor coolant is to act as
a carrier for soluble neutron poison, boric acid.
In MODE 5 with RCS loops filled, the reactor coolant is circulated by means of two RHR loops connected to the RCS, each loop containing
an RHR heat exchanger, an RHR pump, and appropriate flow and
temperature instrumentation for control, protection, and indication.
One RHR pump circulates the water through the RCS at a sufficient
rate to prevent boric acid stratification.
The number of loops in operation can vary to suit the operational needs. The intent of this LCO is to provide forced flow from at least
one RHR loop for decay heat removal and transport. The flow
provided by one RHR loop is adequate for decay heat removal. The
other intent of this LCO is to require that a second path be available to
provide redundancy for heat removal.
The LCO provides for redundant paths of decay heat removal capability. The first path can be an RHR loop that must be
OPERABLE and in operation. The second path can be another
OPERABLE RHR loop or maintaining two SGs with secondary side
water levels 75% (wide range) to provide an alternate method for decay heat removal via natural circulation (Ref. 1).
RCS Loops - MODE 5, Loops Filled B 3.4.7 Farley Units 1 and 2 B 3.4.7-2 Revision 5 BASES APPLICABLE In MODE 5, RCS circulation is considered in the determination SAFETY ANALYSES of the time available for mitigation of the accidental boron dilution
event. The RHR loops provide this circulation.
RCS Loops-MODE 5 (Loops Filled) have been identified in the NRC Policy Statement as important contributors to risk reduction.
LCO The purpose of this LCO is to require that at least one of the RHR loops be OPERABLE and in operation with an additional RHR loop
OPERABLE or two SGs with secondary side water level 75% (wide range). One RHR loop provides sufficient forced circulation to perform
the safety functions of the reactor coolant under these conditions. An
additional RHR loop is required to be OPERABLE to meet single
failure considerations. However, if the standby RHR loop is not
OPERABLE, an acceptable alternate method is two SGs with
their secondary side water levels 75% (wide range). Should the operating RHR loop fail, the SGs could be used to remove the decay
heat via natural circulation.
Note 1 permits all RHR pumps to not be in operation 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> per 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period. The purpose of the Note is to permit tests designed to validate
various accident analyses values. One of the tests performed during the
startup testing program is the validation of rod drop times during cold
conditions, both with and without flow. The no flow test may be
performed in MODE 3, 4, or 5 and requires that the pumps be stopped for
a short period of time. The Note permits stopping of the pumps in order
to perform this test and validate the assumed analysis values. If changes
are made to the RCS that would cause a change to the flow
characteristics of the RCS, the input values must be revalidated by
conducting the test again. The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> time period is adequate to perform
the test, and operating experience has shown that boron stratification is
not likely during this short period with no forced flow.
Utilization of Note 1 is permitted provided the following conditions are
met, along with any other conditions imposed by initial startup test
procedures:
- a. No operations are permitted that would dilute the RCS boron concentration, therefore maintaining the margin to criticality. Boron
reduction is prohibited because a uniform concentration (continued)
RCS Loops - MODE 5, Loops Filled B 3.4.7 Farley Units 1 and 2 B 3.4.7-4 Revision 5 BASES APPLICABILITY In MODE 5 with RCS loops filled, this LCO requires forced circulation of the reactor coolant to remove decay heat from the core and to
provide proper boron mixing. One loop of RHR provides sufficient
circulation for these purposes. However, one additional RHR loop is
required to be OPERABLE, or the secondary side water level of at
least two SGs is required to be 75% (wide range).
Operation in other MODES is covered by:
LCO 3.4.4, "RCS Loops-MODES 1 and 2";
LCO 3.4.5, "RCS Loops-MODE 3";
LCO 3.4.6, "RCS Loops-MODE 4";
LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled";
LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level" (MODE 6); and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level" (MODE 6).
ACTIONS A.1 and A.2
If one RHR loop is inoperable and the required SGs have secondary
side water levels 75% (wide range), redundancy for heat removal is lost. Action must be initiated immediately to restore a second RHR
loop to OPERABLE status or to restore the required SG secondary
side water levels. Either Required Action A.1 or Required Action A.2
will restore redundant heat removal paths. The immediate
Completion Time reflects the importance of maintaining the availability
of two paths for heat removal.
B.1 and B.2
If no RHR loop is in operation, except during conditions permitted by
Note 1, or if no loop is OPERABLE, all operations involving a
reduction of RCS boron concentration must be suspended and action
to restore one RHR loop to OPERABLE status and operation must be
initiated. To prevent boron dilution, forced circulation is required to
provide proper mixing and preserve the margin to criticality in this type
of operation. The immediate Completion Times reflect the importance
of maintaining operation for heat removal.
RCS Loops, - MODE 5, Loops Not Filled B 3.4.8 Farley Units 1 and 2 B 3.4.8-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.8 RCS Loops-MODE 5, Loops Not Filled
BASES BACKGROUND In MODE 5 with the RCS loops not filled, the primary function of the reactor coolant is the removal of decay heat generated in the fuel, and
the transfer of this heat to the component cooling water via the
residual heat removal (RHR) heat exchangers. The steam generators (SGs) are not available as a heat sink when the loops are not filled.
The secondary function of the reactor coolant is to act as a carrier for
the soluble neutron poison, boric acid.
In MODE 5 with loops not filled, only RHR pumps can be used for coolant circulation. The number of pumps in operation can vary to
suit the operational needs. The intent of this LCO is to provide forced
flow from at least one RHR pump for decay heat removal and
transport and to require that two paths be available to provide
redundancy for heat removal.
APPLICABLE In MODE 5, RCS circulation is considered in the determination of the SAFETY ANALYSES time available for mitigation of the accidental boron dilution event.
The RHR loops provide this circulation. The flow provided by one RHR loop is adequate for heat removal and for boron mixing.
RCS loops in MODE 5 (loops not filled) have been identified in the NRC Policy Statement as important contributors to risk reduction.
LCO The purpose of this LCO is to require that at least two RHR loops be OPERABLE and one of these loops be in operation. An OPERABLE
loop is one that has the capability of transferring heat from the reactor
coolant at a controlled rate. Heat cannot be removed via the RHR
System unless forced flow is used. A minimum of one running RHR
pump meets the LCO requirement for one loop in operation. An
additional RHR loop is required to be OPERABLE to meet single
failure considerations.
(continued)
Pressurizer B 3.4.9 Farley Units 1 and 2 B 3.4.9-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.9 Pressurizer
BASES BACKGROUND The pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under saturated conditions for pressure
control purposes to prevent bulk boiling in the remainder of the RCS.
Key functions include maintaining required primary system pressure
during steady state operation, and limiting the pressure changes
caused by reactor coolant thermal expansion and contraction during
normal load transients.
The pressure control components addressed by this LCO include the pressurizer water level, the required heaters, and their controls and
emergency power supplies. Pressurizer safety valves and pressurizer
power operated relief valves are addressed by LCO 3.4.10, "Pressurizer Safety Valves," and LCO 3.4.11, "Pressurizer Power
Operated Relief Valves (PORVs)," respectively.
The intent of the LCO is to ensure that a steam bubble exists in the pressurizer prior to power operation to minimize the consequences of
potential overpressure transients. The presence of a steam bubble is
consistent with analytical assumptions. Relatively small amounts of
noncondensible gases can inhibit the condensation heat transfer
between the pressurizer spray and the steam, and diminish the spray
effectiveness for pressure control.
Electrical immersion heaters, located in the lower section of the pressurizer vessel, keep the water in the pressurizer at saturation
temperature and maintain a constant operating pressure. A minimum
required available capacity of pressurizer heaters ensures that the
RCS pressure can be maintained. The capability to maintain and
control system pressure is important for maintaining subcooled
conditions in the RCS and ensuring the capability to remove core
decay heat by either forced or natural circulation of reactor coolant.
Unless adequate heater capacity is available, the hot, high pressure
condition cannot be maintained indefinitely and still provide the
required subcooling margin in the primary system. Inability to control
the system pressure and maintain subcooling under conditions of
natural circulation flow in the primary system could lead to a loss of
single phase natural circulation and decreased capability to remove
core decay heat.
Pressurizer B 3.4.9 Farley Units 1 and 2 B 3.4.9-2 Revision 0 BASES APPLICABLE In MODES 1, 2, and 3, the LCO requirement for a steam bubble SAFETY ANALYSES is reflected implicitly in the accident analyses. Safety
analyses performed for lower MODES are not limiting. All analyses performed from a critical reactor condition assume the existence of a
steam bubble and saturated conditions in the pressurizer. In making
this assumption, the analyses neglect the small fraction of
noncondensible gases normally present.
Safety analyses presented in the FSAR (Ref. 1) do not take credit for pressurizer heater operation; however, an implicit initial condition
assumption of the safety analyses is that the RCS is operating at
normal pressure.
The maximum pressurizer water level limit, which ensures that a steam bubble exists in the pressurizer, satisfies Criterion 2 of 10 CFR
50.36(c)(2)(ii). Although the heaters are not specifically used in
accident analysis, the need to maintain subcooling in the long term
during loss of offsite power, as indicated in NUREG-0737 (Ref. 2), is
the reason for providing an LCO.
LCO The LCO requirement for the pressurizer to be OPERABLE with a water volume 868 cubic feet, which is equivalent to 63.5% indicated, ensures that a steam bubble exists. Limiting the LCO maximum
operating water level preserves the steam space for pressure control.
The LCO has been established to ensure the capability to establish
and maintain pressure control for steady state operation and to
minimize the consequences of potential overpressure transients.
Requiring the presence of a steam bubble is also consistent with
analytical assumptions.
The LCO requires two groups of OPERABLE pressurizer heaters, each with a capacity 125 kW, capable of being powered from either the offsite power source or the emergency power supply. The
minimum heater capacity required is sufficient to maintain the RCS
near normal operating pressure when accounting for heat losses
through the pressurizer insulation. By maintaining the pressure near
the operating conditions, a wide margin to subcooling can be obtained
in the loops. The exact design value of 125 kW is derived from the
use of seven heaters rated at 17.9 kW each. The amount needed to
maintain pressure is dependent on the heat losses.
Pressurizer B 3.4.9 (continued)
Farley Units 1 and 2 B 3.4.9-4 Revision 59 BASES ACTIONS B.1 (continued)
If one required group of pressurizer heaters is inoperable, restoration is required within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is
reasonable considering the anticipation that a demand caused by loss
of offsite power would be unlikely in this period. Pressure control may
be maintained during this time using normal station powered heaters.
C.1 and C.2
If one group of pressurizer heaters are inoperable and cannot be restored in the allowed Completion Time of Required Action B.1, the
plant must be brought to a MODE in which the LCO does not apply.
To achieve this status, the plant must be brought to MODE 3 within
6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion
Times are reasonable, based on operating experience, to reach the
required plant conditions from full power conditions in an orderly
manner and without challenging plant systems.
SURVEILLANCE SR 3.4.9.1 REQUIREMENTS
This SR requires that during steady state operation, pressurizer level is maintained below the nominal upper limit to provide a minimum
space for a steam bubble. The Surveillance is performed by
observing the indicated level. The Surveillance Frequency is
controlled under the Surveillance Frequency Control Program.
The SR is satisfied when the power supplies are demonstrated to be capable of producing the minimum power and the associated
pressurizer heaters are verified to be at their design rating. This may
be done by measuring circuit current or testing the power supply
output and by performing an electrical check on heater element
continuity and resistance. The Surveillance Frequency is controlled
under the Surveillance Frequency Control Program.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
Pressurizer B 3.4.9 Farley Units 1 and 2 B 3.4.9-5 Revision 52 BASES SURVEILLANCE SR 3.4.9.3 REQUIREMENTS (continued) This Surveillance demonstrates that the heaters can be manually transferred from the normal to the emergency power supply and
energized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. FSAR, Sections 15.1, 15.2, and 6.2.
- 2. NUREG-0737, November 1980.
Pressurizer Safety Valves B 3.4.10 Farley Units 1 and 2 B 3.4.10-1 Revision 63 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.10 Pressurizer Safety Valves
BASES BACKGROUND The pressurizer safety valves pr ovide, in conjunction with the Reactor Protection System, overpressure protection for the RCS. The
pressurizer safety valves are totally enclosed pop type, spring loaded, self actuated valves with backpressure compensation. The safety
valves are designed to prevent the system pressure from exceeding
the system Safety Limit (SL), 2735 psig, which is 110% of the design
pressure.
Because the safety valves are totally enclosed and self actuating, they
are considered independent components. The relief capacity for each
valve, 345,000 lb/hr, is based on postulated overpressure transient
conditions resulting from a complete loss of steam flow to the turbine.
This event results in the maximum surge rate into the pressurizer, which specifies the minimum relief capacity for the safety valves. The
discharge flow from the pressurizer safety valves is directed to the
pressurizer relief tank. This discharge flow is indicated by an increase
in temperature downstream of the pressurizer safety valves or
increase in the pressurizer relief tank temperature or level.
Overpressure protection is required in MODES 1, 2, 3, 4, and 5;
however, in MODE 4, with one or more RCS cold leg temperatures the Low Temperature Overpressure Protection (LTOP) System applicability temperature specified in the PTLR, and MODE 5 and MODE 6 with the reactor vessel head on, overpressure protection is
provided by operating procedures and by meeting the requirements of LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP)
System."
The upper and lower pressure limits are based on the +/- 1% tolerance requirement (Ref. 1) for lifting pressures above 1000 psig. The lift
setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a
correlation between hot and cold settings be established.
The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the
safety valves ensures that the RCS pressure will be limited to 110% of
design pressure. The consequences of exceeding the
(continued)
Pressurizer Safety Valves B 3.4.10 Farley Units 1 and 2 B 3.4.10-2 Revision 0 BASES BACKGROUND American Society of Mechanical Engineers (ASME) pressure limit (continued) (Ref. 1) could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior
to resumption of reactor operation.
APPLICABLE All accident and safety analyses in the FSAR (Ref. 2) that require SAFETY ANALYSES safety valve actuation assume operation of three pressurizer safety valves to limit increases in RCS pressure. The overpressure
protection analysis (Ref. 3) is also based on operation of three safety
valves. Accidents that could result in overpressurization if not
properly terminated include:
- a. Uncontrolled rod withdrawal from full power;
- b. Loss of reactor coolant flow;
- c. Loss of external electrical load;
- d. Loss of normal feedwater;
- e. Loss of all AC power to station auxiliaries; and
- f. Locked rotor.
Detailed analyses of the above transients are contained in
Reference 2. Safety valve actuation is required in events c, d, and e (above) to limit the pressure increase. Compliance with this LCO is
consistent with the design bases and accident analyses assumptions.
Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The three pressurizer safety valves are set to open at the RCS design pressure (2500 psia), and within the ASME specified tolerance, to
avoid exceeding the maximum design pressure SL, to maintain
accident analyses assumptions, and to comply with ASME
requirements. The upper and lower pressure tolerance limits are
based on the +/- 1% tolerance requirements (Ref. 1) for lifting
pressures above 1000 psig. The limit protected by this Specification (continued)
Pressurizer PORVs B 3.4.11 Farley Units 1 and 2 B 3.4.11-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.11 Pressurizer Power Operated Relief Valves (PORVs)
BASES BACKGROUND The pressurizer is equipped with two types of devices for pressure relief: pressurizer safety valves and PORVs. The PORVs are air
operated valves that are controlled to open at a specific set pressure
when the pressurizer pressure increases and close when the
pressurizer pressure decreases. The PORVs may also be manually
operated from the control room.
Block valves, which are normally open, are located between the pressurizer and the PORVs. The block valves are used to isolate the
PORVs in case of excessive leakage or a stuck open PORV. Block
valve closure is accomplished manually using controls in the control
room. A stuck open PORV is, in effect, a small break loss of coolant
accident (LOCA). As such, block valve closure terminates the RCS
depressurization and coolant inventory loss.
The PORVs and their associated block valves may be used by plant operators to depressurize the RCS to recover from certain transients if
normal pressurizer spray is not available. Additionally, the series
arrangement of the PORVs and their block valves permit performance
of surveillances on the valves during power operation.
The PORVs may also be used for feed and bleed core cooling in the case of multiple equipment failure events that are not within the
design basis, such as a total loss of feedwater.
The PORVs, their block valves, and their controls are powered from the vital buses that normally receive power from offsite power
sources, but are also capable of being powered from emergency
power sources in the event of a loss of offsite power. Two PORVs
and their associated block valves are powered from two separate
safety trains (Ref. 1).
The plant has two PORVs, each having a design relief capacity of 210,000 lb/hr at 2485 psig with a set pressure of 2335 psig. The
functional design of the PORVs is based on maintaining pressure below the Pressurizer Pressure-High reactor trip setpoint following
a step reduction of 50% of full load with steam dump. In addition, the
PORVs minimize challenges to the pressurizer safety valves.
Pressurizer PORVs B 3.4.11 Farley Units 1 and 2 B 3.4.11-2 Revision 0 BASES APPLICABLE Plant operators employ the PORVs to depressurize the RCS in SAFETY ANALYSES response to certain plant transients if normal pressurizer spray is not available. For the Steam Generator Tube Rupture (SGTR) event, the
safety analysis assumes that manual operator actions are required to
mitigate the event. A loss of offsite power is assumed to accompany
the event, and thus, normal pressurizer spray is unavailable to reduce
RCS pressure. The PORVs are assumed to be used for RCS
depressurization, which is one of the steps performed to equalize the
primary and secondary pressures in order to terminate the primary to
secondary break flow and the radioactive releases from the affected
For the Inadvertent Operation of ECCS During Power Operation event, the safety analysis assumes that manual operator actions are
required to mitigate the event. At least one PORV is assumed to be
unblocked and available for water relief prior to reaching a water-solid
condition. Use of at least one PORV precludes subcooled water relief
through the Pressurizer Safety Relief Valves (PSRVs) by
depressurinzing the RCS below the pressure where the PSRVs
reseat. Should water relief through the PORV(s) occur, the PORV
block valve(s) would be available to isolate the RCS.
The PORVs are used in safety analyses for events that result in increasing RCS pressure for which departure from nucleate boiling
ratio (DNBR) criteria are critical. By assuming PORV manual
actuation, the primary pressure remains below the high pressurizer
pressure trip setpoint; thus, the DNBR calculation is more
conservative. Events that assume this condition include a loss of
RCS flow and a turbine trip (Ref. 2).
Pressurizer PORVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO requires the PORVs and their associated block valves to be OPERABLE for manual operation to mitigate the effects associated
with an SGTR or an inadvertent operation of ECCS during power
operation event.
The OPERABILITY of the PORVs and block valves is determined on the basis of their being capable of performing the following functions:
(continued)
Pressurizer PORVs B 3.4.11 Farley Units 1 and 2 B 3.4.11-3 Revision 0 BASES LCO A. Manual control of PORVs to control reactor coolant system (continued) pressure. This is a function that is used for the steam generator tube rupture accident, the inadvertent operation of ECCS during
power operation event, and for plant shutdown.
B. Maintaining the integrity of the reactor coolant pressure boundary.
This is a function that is related to controlling identified leakage
and ensuring the ability to detect unidentified reactor coolant
C. Manual control of the block valve to: (1) unblock an isolated PORV to allow it to be used for manual control of reactor coolant system
pressure (Item A), and (2) isolate a PORV with excessive seat
leakage (Item B).
D. Manual control of a block valve to isolate a stuck-open PORV.
By maintaining two PORVs and their associated block valves OPERABLE, the single failure criterion is satisfied. The block valves
are available to isolate the flow path through either a failed open
PORV or a PORV with excessive leakage. Satisfying the LCO helps
minimize challenges to fission product barriers.
APPLICABILITY In MODES 1, 2, and 3, the PORV and its block valve are required to be OPERABLE to limit the potential for a small break LOCA through
the flow path. The most likely cause for a PORV small break LOCA is
a result of a pressure increase transient that causes the PORV to
open. Imbalances in the energy output of the core and heat removal
by the secondary system can cause the RCS pressure to increase to
the PORV opening setpoint. The most rapid increases will occur at
the higher operating power and pressure conditions of MODES 1
and 2. The PORVs are also required to be OPERABLE in MODES 1, 2, and 3 to minimize challenges to the pressurizer safety valves.
Pressure increases are less prominent in MODE 3 because the core input energy is reduced, but the RCS pressure is high. Therefore, the
LCO is applicable in MODES 1, 2, and 3. The LCO is not applicable
in MODE 4 when both pressure and core energy are decreased and
the pressure surges become much less significant. The RHR relief
(continued)
Pressurizer PORVs B 3.4.11 Farley Units 1 and 2 B 3.4.11-5 Revision 0 BASES ACTIONS B.1, B.2, and B.3 (continued)
If one PORV is inoperable and not capable of being manually cycled, it must be either restored or isolated by closing the associated block
valve and removing the power to the associated block valve. The
Completion Times of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> are reasonable, based on challenges to
the PORVs during this time period, and provide the operator adequate
time to correct the situation. If the inoperable valve cannot be
restored to OPERABLE status, it must be isolated within the specified
time. Because there is at least one PORV that remains OPERABLE, an additional 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is provided to restore the inoperable PORV to
OPERABLE status. If the PORV cannot be restored within this
additional time, the plant must be brought to a MODE in which the
LCO does not apply, as required by Condition D.
C.1 and C.2
If one block valve is inoperable, then it is necessary to either restore
the block valve to OPERABLE status within the Completion Time of
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or place the associated PORV in manual control. The prime
importance for the capability to close the block valve is to isolate a
stuck open PORV. Therefore, if the block valve cannot be restored to
OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, the Required Action is to place the
PORV in manual control to preclude its automatic opening for an
overpressure event and to avoid the potential for a stuck open PORV
at a time that the block valve is inoperable. The Completion Time of
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is reasonable, based on the small potential for challenges to
the system during this time period, and provides the operator time to
correct the situation. Because at least one PORV remains
OPERABLE, the operator is permitted a Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />
to restore the inoperable block valve to OPERABLE status. The time
allowed to restore the block valve is based upon the Completion Time
for restoring an inoperable PORV in Condition B, since the PORVs
are not capable of mitigating an overpressure event when placed in
manual control. If the block valve is restored within the Completion
Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the power will be restored and the PORV restored
to OPERABLE status. If it cannot be restored within this additional
time, the plant must be brought to a MODE in which the LCO does not
apply, as required by Condition D.
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-1 Revision 63 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.12 Low Temperature Overpressure Protection (LTOP) System BASES BACKGROUND The LTOP System controls RCS pr essure at low temperatures so the integrity of the reactor coolant pressure boundary (RCPB) is not compromised by violating the pressure and temperature (P/T) limits of
10 CFR 50, Appendix G (Ref. 1). The reactor vessel is the limiting
RCPB component for demonstrating such protection. This Technical
Specification provides the maximum allowable actuation setpoints for
the RHR relief valves and the PTLR contains the maximum RCS
pressure for the existing RCS cold leg temperature during cooldown, shutdown, and heatup to meet the Reference 1 requirements during the
LTOP MODES. In addition, the PTLR contains the LTOP System MODE 4 applicability temperature.
The reactor vessel material is less tough at low temperatures than at
normal operating temperature. As the vessel neutron exposure
accumulates, the material toughness decreases and becomes less
resistant to pressure stress at low temperatures (Ref. 2). RCS
pressure, therefore, is maintained low at low temperatures and is
increased only as temperature is increased.
The potential for vessel overpressurization is most acute when the RCS
is water solid, occurring only while shutdown; a pressure fluctuation can
occur more quickly than an operator can react to relieve the condition.
Exceeding the RCS P/T limits by a significant amount could cause
brittle cracking of the reactor vessel. LCO 3.4.3, "RCS Pressure and
Temperature (P/T) Limits," requires administrative control of RCS
pressure and temperature during heatup and cooldown to prevent
exceeding the PTLR limits.
This LCO provides RCS overpressure protection by having a minimum
coolant input capability and having adequate pressure relief capacity.
Limiting coolant input capability requires:
- a. A maximum of one charging pump capable of injecting into the RCS when one or more RCS cold leg temperatures are 180°F; b. A maximum of two charging pumps capable of injecting into the RCS when all the RCS cold leg temperatures are > 180°F; and
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-2 Revision 63 BASES BACKGROUND c. Isolating the accumulators. (continued)
The pressure relief capacity requires either two redundant RHR relief
valves or a depressurized RCS and an RCS vent of sufficient size.
One RHR relief valve or the open RCS vent is the overpressure
protection device that acts to terminate an increasing pressure event.
With minimum coolant input capability, the ability to provide core
coolant addition is restricted. The LCO does not require the makeup
control system deactivated or the safety injection (SI) actuation circuits
blocked. Due to the lower pressures in the LTOP MODES and the
expected core decay heat levels, the makeup system can provide
adequate flow via the makeup control valve. If conditions require the
use of more than one charging pump for makeup in the event of loss of
inventory, then pumps can be made available through manual actions.
The LTOP System for pressure relief consists of two residual heat
removal (RHR) suction relief valves, or a depressurized RCS and an
RCS vent of sufficient size. Two RHR relief valves are required for
redundancy. One RHR relief valve has adequate relieving capability
to keep from overpressurization for the required coolant input
capability.
RHR Suction Relief Valve Requirements
During LTOP MODES, the RHR System is operated for decay heat removal and low pressure letdown control. Therefore, the RHR suction
isolation valves are open in the piping from the RCS hot legs to the
inlets of the RHR pumps. While these valves are open and the RHR
suction valves are open, the RHR suction relief valves are exposed to
the RCS and are able to relieve pressure transients in the RCS.
The RHR suction isolation valves and the RHR suction valves must be open to make the RHR suction relief valves OPERABLE for RCS
overpressure mitigation. The RHR suction relief valves are spring
loaded, bellows type water relief valves with pressure tolerances and
accumulation limits established by Section III of the American Society
of Mechanical Engineers (ASME) Code (Ref. 3) for Class 2 relief
valves. Each relief valve has the capacity to mitigate
overpressurization in the worst case of inadvertent startup of three
charging pumps injecting into a solid RCS.
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-3 Revision 63 BASES BACKGROUND RCS Vent Requirements (continued)
Once the RCS is depressurized, a vent exposed to the containment atmosphere will maintain the RCS at containment ambient pressure in
an RCS overpressure transient, if the relieving requirements of the
transient do not exceed the capabilities of the vent. Thus, the vent
path must be capable of relieving the flow resulting from the limiting
LTOP mass or heat input transient, and maintaining pressure below
the P/T limits. The required vent capacity may be provided by one or
more vent paths. The vent path(s) must be above the level of reactor
coolant, so as not to drain the RCS when open.
APPLICABLE Safety analyses (Ref. 4) demonstrate that the reactor vessel is SAFETY ANALYSES adequately protected against exceeding the Reference 1 P/T limits. In MODES 1, 2, and 3, and in MODE 4 with all RCS cold leg temperatures exceeding the LTOP System applicability temperature specified in the PTLR, the pressurizer safety valves will prevent RCS pressure from exceeding the Reference 1 limits. With one or more RCS cold leg temperatures the LTOP System applicability temperature specified in the PTLR, overpressure prevention falls to two OPERABLE RHR relief valves or to a depressurized RCS and a sufficient sized RCS vent.
Each of these means has a limited overpressure relief capability.
The actual temperature at which the pressure in the P/T limit curve
falls below the pressurizer safety valve setpoint increases as the
reactor vessel material toughness decreases due to neutron
embrittlement. Each time the PTLR curves are revised, the LTOP
System must be re-evaluated to ensure its functional requirements
can still be met using the RHR relief valve method or the
depressurized and vented RCS condition.
The PTLR contains the acceptance limits that define the LTOP
requirements. Any change to the RCS must be evaluated against the
Reference 4 analyses to determine the impact of the change on the
LTOP acceptance limits.
Transients that are capable of overpressurizing the RCS are
categorized as either mass or heat input transients, examples of
which follow:
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-4 Revision 63 BASES APPLICABLE Mass Input Type Transients SAFETY ANALYSES (continued) a. Inadvertent safety injection; or
- b. Charging/letdown flow mismatch.
Heat Input Type Transients
- a. Inadvertent actuation of pressurizer heaters;
- b. Loss of RHR cooling; or
- c. Reactor coolant pump (RCP) startup with temperature asymmetry within the RCS or between the RCS and steam generators.
The following are required during the LTOP MODES to ensure that mass and heat input transients do not occur, which either of the LTOP
overpressure protection means cannot handle:
- a. A maximum of one charging pump capable of injecting into the RCS when one or more RCS cold leg temperatures are 180°F and a maximum of two charging pumps capable of injecting into the RCS when all the RCS cold leg temperatures are > 180°F.
- b. Deactivating the accumulator discharge isolation valves in their closed positions; and
- c. Disallowing start of an RCP if secondary temperature is more than 50°F above primary temperature in any one loop except as provided for in LCO 3.4.6, "RCS Loops-MODE 4," and LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled."
In the Reference 4 analyses, the worst case mass input event was assumed to be the inadvertent operation of three high-head safety injection pumps (i.e., charging pumps) with a maximum total flowrate of 1000 gal/min at 0 psig backpressure at RCS temperatures 180°F. The analysis conservatively assumes the operation of three charging pumps although the plant design limits the total number of operating charging pumps to two pumps at a time. Additionally, Reference 4 states that due to the Technical Specification restrictions that allow only one charging pump capable of injecting into the RCS at RCS temperatures < 180°F, the worst case mass injection is limited to the start of a single charging pump. Since one RHR relief valve has not
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-5 Revision 63 BASES APPLICABLE Heat Input Type Transients (continued)
SAFETY ANALYSES
been demonstrated to be able to handle the pressure transient need from accumulator injection, when RCS temperature is low, the LCO
also requires the accumulators isolated when accumulator pressure is
greater than or equal to the maximum RCS pressure for the existing
RCS cold leg temperature allowed in the PTLR.
The isolated accumulators must have their discharge valves closed
and the valve power supply breakers fixed in their open positions.
Fracture mechanics analyses establish the temperature for the LTOP System Applicability specified in the PTLR.
The consequences of a small break loss of coolant accident (LOCA)
in LTOP MODE 4 conform to 10 CFR 50.46 and 10 CFR 50, Appendix K (Refs. 5 and 6), requirements by having a maximum of
one charging pump OPERABLE at RCS temperatures 180°F and SI actuation enabled.
RHR Suction Relief Valve Performance The RHR suction relief valves do not have variable pressure and
temperature lift setpoints like the PORVs. Analyses show that one
RHR suction relief valve (2.85 square inch throat) with a setpoint 450 psig will pass flow greater than that required for the limiting LTOP
transient while maintaining RCS pressure less than the P/T limit
curve. Assuming all relief flow requirements during the limiting LTOP
event, an RHR suction relief valve will maintain RCS pressure to
within the valve rated lift setpoint, plus an accumulation 10% of the rated lift setpoint.
Although each RHR suction relief valve may itself meet single failure
criteria, its inclusion and location within the RHR System does not allow
it to meet single failure criteria when spurious RHR suction isolation
valve closure is postulated. Also, as the RCS P/T limits are decreased
to reflect the loss of toughness in the reactor vessel materials due to
neutron embrittlement, the RHR suction relief valves must be analyzed
to still accommodate the design basis transients for LTOP.
The RHR suction relief valves are considered active components.
Thus, the failure of one valve is assumed to represent the worst case
single active failure.
The RHR suction relief valves are considered active components.
Thus, the failure of one valve is assumed to represent the worst case
single active failure. (continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-6 Revision 63 BASES APPLICABLE RCS Vent Performance SAFETY ANALYSES (continued) With the RCS depressurized, analyses show a vent equivalent to an RHR relief valve is capable of mitigating the allowed LTOP
overpressure transient. The capacity of a vent this size is greater than
the flow of the limiting transient for the LTOP configuration, one
charging pump OPERABLE, maintaining RCS pressure less than the
maximum pressure on the P/T limit curve.
The RCS vent size will be re-evaluated for compliance each time the P/T limit curves are revised based on the results of the vessel material
surveillance.
The RCS vent is passive and is not subject to active failure.
The LTOP System satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that the LTOP System is OPERABLE. The LTOP System is OPERABLE when the minimum coolant input and pressure
relief capabilities are OPERABLE. Violation of this LCO could lead to
the loss of low temperature overpressure mitigation and violation of
the Reference 1 limits as a result of an operational transient.
To limit the coolant input capability, the LCO requires the following:
- a. A maximum of one charging pump capable of injecting into the RCS when one or more RCS cold leg temperatures are 180°F;
- b. A maximum of two charging pumps capable of injecting into the RCS when all the RCS cold leg temperatures are > 180°F; and
- c. All accumulator discharge isolation valves closed and immobilized when accumulator pressure is greater than or equal to the
maximum RCS pressure for the existing RCS cold leg temperature
allowed in the PTLR.
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-7 Revision 63 BASES LCO The elements of the LCO that provide low temperature overpressure (continued) mitigation through pressure relief are:
- a. Two OPERABLE RHR suction relief valves; or
An RHR suction relief valve is OPERABLE for LTOP when its RHR suction isolation valve and its RHR suction valve are open, its setpoint is 450 psig, and testing has proven its ability to open at this setpoint.
An RCS vent is OPERABLE when open with an area of 2.85 square inches.
Each of these methods of overpressure prevention is capable of mitigating the limiting LTOP transient.
The LCO is modified by two Notes. Note 1 allows for two charging pumps to be capable of injecting into the RCS during pump swap operations, when one or more of the RCS cold legs is 180°F, for a period of no more than 15 minutes provided that the RCS is in a non-water solid condition and both RHR relief valves are OPERABLE or the RCS is vented via an opening of no less than 5.7 square inches in area. A 5.7 square inch opening is equivalent to the throat size area of two RHR relief valves. This allows seal injection flow to be continually maintained, thus minimizing the potential for RCP number one seal damage by reducing pressure transients on the seal and by preventing RCS water from entering the seal. Particles in the RCS water may cause wear on the seal surfaces and loss of seal injection pressure may cause the seal not to fully reseat when pressure is reapplied. Note 2 states that accumulator isolation is only required when the accumulator pressure is more than or at the maximum RCS pressure for the existing temperature, as allowed by the P/T limit curves. This Note permits the accumulator discharge isolation valve Surveillance to be performed only under these pressure and temperature conditions.
APPLICABILITY This LCO is applicable in MODE 4 when any RCS cold leg temperature is the LTOP System applicability temperature specified in the PTLR, in MODE 5, and in MODE 6 when the reactor vessel head is on (i.e., fully seated on the reactor vessel flange, with or (continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-8 Revision 63 BASES APPLICABILITY without studs). The pressurizer safety valves provide overpressure (continued) protection that meets the Reference 1 P/T limits when all the RCS cold leg temperatures are > the LTOP System applicability temperature specified in the PTLR. When the reactor vessel head is raised, such that a total vent area of 2.85 square inches is created, seated on blocks providing an equivalent vent area, or off, overpressurization cannot occur.
LCO 3.4.3 provides the operational P/T limits for all MODES.
LCO 3.4.10, "Pressurizer Safety Valves," requires the OPERABILITY
of the pressurizer safety valves that provide overpressure protection
during MODES 1, 2, and 3, and MODE 4 when all the RCS cold leg temperatures are > the LTOP System applicability temperature specified in the PTLR.
Low temperature overpressure prevention is most critical during shutdown when the RCS is water solid, and a mass or heat input transient can cause a very rapid increase in RCS pressure with little
or no time allowed for operator action to mitigate the event.
ACTIONS A Note prohibits the application of LCO 3.0.4b to an inoperable LTOP system when entering MODE 4. There is an increased risk
associated with entering MODE 4 from MODE 5 with LTOP
inoperable and the provisions of LCO 3.0.4b, which allow entry into a
MODE or other specified condition in the Applicability with the LCO
not met after performance of a risk assessment addressing inoperable
systems and components, should not be applied in this circumstance.
A.1 With more than the maximum required charging pumps capable of injecting into the RCS, RCS overpressurization is possible.
To immediately initiate action to restore restricted coolant input capability to the RCS reflects the urgency of removing the RCS from
this condition.
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-9 Revision 63 BASES ACTIONS B.1, C.1, and C.2 (continued)
An unisolated accumulator requires isolation within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This is only required when the accumulator pressure is at or more than the
maximum RCS pressure for the existing temperature allowed by the
P/T limit curves.
If isolation is needed and cannot be accomplished in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, Required Action C.1 and Required Action C.2 provide two options, either of
which must be performed in the next 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. By increasing the
RCS temperature in all the cold legs to > the LTOP System applicability temperature specified in the PTLR, an accumulator pressure of 600-650 psig cannot exceed the LTOP limits if the
accumulators are fully injected. Depressurizing the accumulators
below the LTOP limit from the PTLR also gives this protection.
The Completion Times are based on operating experience that these
activities can be accomplished in these time periods and on
engineering evaluations indicating that an event requiring LTOP is not
likely in the allowed times.
D.1, D.2, and D.3
In MODE 4 when any RCS cold leg temperature is the LTOP System applicability temperature specified in the PTLR, with one required RHR relief valve inoperable, the pressurizer level must be
reduced to 30% (cold calibrated) and a dedicated operator must be assigned for RCS pressure monitoring and control within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
These actions provide additional assurance that an RCS pressure
transient will be rapidly identified and operator action taken to limit the
transient. The RHR relief valve must be restored to OPERABLE
status within a Completion Time of 7 days. Two RHR relief valves are
required to provide low temperature overpressure mitigation while
withstanding a single failure of an active component.
The 7 day Completion Time considers the facts that only one of the
RHR relief valves is required to mitigate an overpressure transient, the actions taken to reduce pressurizer level and monitor RCS
pressure, and that the likelihood of an active failure of the remaining
valve path during this time period is very low.
(continued)
LTOP System B 3.4.12 Farley Units 1 and 2 B 3.4.12-10 Revision 63 BASES ACTIONS E.1 (continued)
The RCS must be depressurized and a vent must be established within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> when:
- a. Both required RHR relief valves are inoperable; or
- b. A Required Action and associated Completion Time of Condition A, C, or D is not met; or
- c. The LTOP System is inoperable for any reason other than Condition A, B, C, or D.
The vent must be sized 2.85 square inches to ensure that the flow capacity is greater than that required for the worst case mass input
transient reasonable during the applicable MODES. This action is
needed to protect the RCPB from a low temperature overpressure
event and a possible brittle failure of the reactor vessel.
The Completion Time considers the time required to place the plant in
this Condition and the relatively low probability of an overpressure
event during this time period due to increased operator awareness of
administrative control requirements.
SURVEILLANCE SR 3.4.12.1, SR 3.4.12.2, and SR 3.4.12.3 REQUIREMENTS
To minimize the potential for a low temperature overpressure event by limiting the mass input capability, the following are required:
- a. A maximum of one charging pump capable of injecting into the RCS when one or more RCS cold leg temperatures are 180°F;
- b. A maximum of two charging pumps capable of injecting into the RCS when all the RCS cold leg temperatures are > 180°F; and
- c. The accumulator discharge isolation valves are verified closed and locked out.
The charging pumps are rendered incapable of injecting into the RCS through removing the power from the pumps by racking the breakers
out under administrative control. An alternate method of LTOP control
may be employed using at least two independent means to prevent a (continued)
RCS Operational LEAKAGE B 3.4.13 Farley Units 1 and 2 B 3.4.13-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.13 RCS Operational LEAKAGE
BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting
systems from the RCS.
During plant life, the joint and valve interfaces can produce varying
amounts of reactor coolant LEAKAGE, through either normal
operational wear or mechanical deterioration. The purpose of the RCS
Operational LEAKAGE LCO is to limit system operation in the presence
of LEAKAGE from these sources to amounts that do not compromise
safety. This LCO specifies the types and amounts of LEAKAGE.
10 CFR 50, Appendix A, GDC 30 (Ref. 1), requires means for
detecting and, to the extent practical, identifying the source of reactor
coolant LEAKAGE. Regulatory Guide 1.45 (Ref. 2) describes
acceptable methods for selecting leakage detection systems.
The safety significance of RCS LEAKAGE varies widely depending on
its source, rate, and duration. Therefore, detecting and monitoring
reactor coolant LEAKAGE into the containment area is necessary.
Quickly separating the identified LEAKAGE from the unidentified
LEAKAGE is necessary to provide quantitative information to the
operators, allowing them to take corrective action should a leak occur
that is detrimental to the safety of the facility and the public.
A limited amount of leakage inside containment is expected from
auxiliary systems that cannot be made 100% leaktight. Leakage from
these systems should be detected, located, and isolated from the
containment atmosphere, if possible, to not interfere with RCS leakage
detection.
This LCO deals with protection of the reactor coolant pressure
boundary (RCPB) from degradation and the core from inadequate
cooling, in addition to preventing the accident analyses radiation
release assumptions from being exceeded. The consequences of
violating this LCO include the possibility of a loss of coolant accident (LOCA).
RCS PIV Leakage B 3.4.14 Farley Units 1 and 2 B 3.4.14-1 Revision 0 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.14 RCS Pressure Isolation Valve (PIV) Leakage
BASES BACKGROUND 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3), define RCS PIVs as any two normally
closed valves in series within the reactor coolant pressure boundary (RCPB), which separate the high pressure RCS from an attached low
pressure system. During their lives, these valves can produce varying
amounts of reactor coolant leakage through either normal operational
wear or mechanical deterioration. The RCS PIV Leakage LCO allows
RCS high pressure operation when leakage through these valves
exists in amounts that do not compromise safety.
The PIV leakage limit applies to each individual valve. Leakage
through both series PIVs in a line must be included as part of the
identified LEAKAGE, governed by LCO 3.4.13, "RCS Operational
LEAKAGE." This is true during operation only when the loss of RCS
mass through two series valves is determined by a water inventory
balance (SR 3.4.13.1). A known component of the identified
LEAKAGE before operation begins is the least of the two individual
leak rates determined for leaking series PIVs during the required
surveillance testing; leakage measured through one PIV in a line is
not RCS operational LEAKAGE if the other is leaktight.
Although this specification provides a limit on allowable PIV leakage
rate, its main purpose is to prevent overpressure failure of the low
pressure portions of connecting systems. The leakage limit is an
indication that the PIVs between the RCS and the connecting systems
are degraded or degrading. PIV leakage could lead to overpressure
of the low pressure piping or components. Failure consequences
could be a loss of coolant accident (LOCA) outside of containment, an
unanalyzed accident, that could degrade the ability for low pressure
injection.
The basis for this LCO is the 1975 NRC "Reactor Safety Study" (Ref. 4) that identified potential intersystem LOCAs as a significant
contributor to the risk of core melt. A subsequent study (Ref. 5)
evaluated various PIV configurations to determine the probability of
intersystem LOCAs.
(continued)
RCS PIV Leakage B 3.4.14 Farley Units 1 and 2 B 3.4.14-2 Revision 0 BASES BACKGROUND PIVs are provided to isolate the RCS from the following typically (continued) connected systems:
- a. Residual Heat Removal (RHR) System; and
- b. Charging System.
The PIVs are listed in the Technical Requirements Manual (TRM)
(Ref. 6).
Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and
the loss of the integrity of a fission product barrier.
APPLICABLE Reference 4 identified potential intersystem LOCAs as a significant SAFETY ANALYSES contributor to the risk of core melt. The dominant accident sequence
in the intersystem LOCA category is the failure of the low pressure
portion of the RHR System outside of containment. The accident is
the result of a postulated failure of the PIVs, which are part of the
RCPB, and the subsequent pressurization of the RHR System
downstream of the PIVs from the RCS. Because the low pressure
portion of the RHR System is typically designed for 600 psig, overpressurization failure of the RHR low pressure line would result in
a LOCA outside containment and subsequent risk of core melt.
Reference 5 evaluated various PIV configurations, leakage testing of
the valves, and operational changes to determine the effect on the
probability of intersystem LOCAs. This study concluded that periodic
leakage testing of the PIVs can substantially reduce the probability of
an intersystem LOCA.
RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO RCS PIV leakage is identified LEAKAGE into closed systems connected to the RCS. Isolation valve leakage is usually on the order
of drops per minute. Leakage that increases significantly suggests
that something is operationally wrong and corrective action must be
taken.
(continued)
RCS PIV Leakage B 3.4.14 Farley Units 1 and 2 B 3.4.14-3 Revision 14 BASES LCO The LCO PIV leakage limit is 0.5 gpm per nominal inch of valve size (continued) with a maximum limit of 3 or 5 gpm depending on the valve. The previous NRC Standard criterion of 1 gpm for all valve sizes imposed
an unjustified penalty on the larger valves without providing
information on potential valve degradation and resulted in higher
personnel radiation exposures. A study concluded a leakage rate
limit based on valve size was superior to a single allowable value.
Reference 7 permits leakage testing at a lower pressure differential
than between the specified maximum RCS pressure and the normal
pressure of the connected system during RCS operation (the
maximum pressure differential) in those types of valves in which the
higher service pressure will tend to diminish the overall leakage
channel opening. In such cases, the observed rate may be adjusted
to the maximum pressure differential by assuming leakage is directly
proportional to the pressure differential to the one half power.
APPLICABILITY In MODES 1, 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE 4, valves
in the RHR flow path are not required to meet the requirements of this
LCO when in, or during the transition to or from, the RHR mode of
operation.
In MODES 5 and 6, leakage limits are not provided because the lower
reactor coolant pressure results in a reduced potential for leakage and
for a LOCA outside the containment.
ACTIONS The Actions are modified by two Notes. Note 1 provides clarification that each flow path allows separate entry into a Condition. This is
allowed based upon the functional independence of the flow path.
Note 2 requires an evaluation of affected systems if a PIV is inoperable.
The leakage may have affected system operability, or isolation of a
leaking flow path with an alternate valve may have degraded the ability
of the interconnected system to perform its safety function.
(continued)
RCS Leakage Detection Instrumentation B 3.4.15 Farley Units 1 and 2 B 3.4.15-1 Revision 55 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.15 RCS Leakage Detection Instrumentation
BASES BACKGROUND GDC 30 of Appendix A to 10 CFR 50 (Ref. 1) requires means for detecting and, to the extent practical, identifying the location of the
source of RCS LEAKAGE. Regulatory Guide 1.45, Revision 0 (Ref. 2) describes acceptable methods for selecting leakage detection systems.
Leakage detection systems must have the capability to detect
significant reactor coolant pressure boundary (RCPB) degradation as
soon after occurrence as practical to minimize the potential for
propagation to a gross failure. Thus, an early indication or warning
signal is necessary to permit proper evaluation of all unidentified
LEAKAGE. In addition to meeting the OPERABILITY requirements, the monitors are typically set to provide the most sensitive response without causing an excessive number of spurious alarms.
The containment air cooler condensate level monitor is instrumented to alarm for abnormal increases in the level (flow rates). The condensate flow rate is measured by monitoring the water level in a
vertical standpipe. As flow rate increases, the water level in the
standpipe rises.
The reactor coolant contains radioactivity that, when released to the
containment, may be detected by radiation monitoring instrumentation. Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their
sensitivities and rapid responses to RCS LEAKAGE. Other indications may be used to detect an increase in unidentified LEAKAGE; however, they are not required to be OPERABLE by this LCO.
An increase in humidity of the containment atmosphere would indicate release of water vapor to the containment. Dew point temperature
measurements can thus be used to monitor humidity
(continued)
RCS Leakage Detection Instrumentation B 3.4.15 Farley Units 1 and 2 B 3.4.15-2 Revision 55 BASES BACKGROUND levels of the containment atmosphere as an indicator of potential RCS (continued) LEAKAGE.
Since the humidity level is influenced by several factors, a quantitative evaluation of an indicated leakage rate by this means may be
questionable and should be compared to observed increases in liquid
flow from the containment condensate air coolers. Humidity level
monitoring is considered most useful as an indirect alarm or indication
to alert the operator to a potential problem. Humidity monitors are not
required by this LCO.
Air temperature and pressure monitoring methods may also be used to infer unidentified LEAKAGE to the containment. Containment
temperature and pressure fluctuate slightly during plant operation, but
a rise above the normally indicated range of values may indicate RCS
leakage into the containment. The relevance of temperature and
pressure measurements is affected by containment free volume and, for temperature, detector location. Alarm signals from these
instruments can be valuable in recognizing rapid and sizable leakage
to the containment. Temperature and pressure monitors are not
required by this LCO.
The above-mentioned LEAKAGE detection systems differ in sensitivity and response time. Some of these systems could serve as early alarm systems identifying to the operators that closer examination of other detection systems is necessary to determine the extent of any corrective action that may be required.
APPLICABLE The need to evaluate the severity of an alarm or an SAFETY ANALYSES indication is important to the operators, and the ability to
compare and verify with indications from other systems is necessary.
The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring
RCS LEAKAGE into the containment area is necessary. Quickly
separating the identified LEAKAGE from the unidentified LEAKAGE
provides quantitative information to the operators, allowing them to
take corrective action should a leakage occur detrimental to the safety
of the unit and the public.
RCS leakage detection instrumentation satisfies Criterion 1 of 10 CFR 50.36(c)(2)(ii).
RCS Leakage Detection Instrumentation B 3.4.15 Farley Units 1 and 2 B 3.4.15-3 Revision 55 BASES LCO This LCO requires instruments of diverse monitoring principles to be OPERABLE to provide confidence that small amounts of unidentified LEAKAGE are detected in time to allow actions to place the plant in a safe condition, when RCS LEAKAGE indicates possible RCPB degradation.
The LCO requires two instruments to be OPERABLE.
The reactor coolant contains radioactivity that, when released to the containment, can be detected by the gaseous or particulate containment atmosphere radioactivity monitor. Radioactivity detection systems are included for monitoring both particulate and gaseous activities because of their sensitivities and rapid responses to RCS LEAKAGE, but have recognized limitations. Reactor coolant radioactivity levels will be low during the initial reactor startup following a refueling outage and for a few weeks thereafter, until activated corrosion products have been formed and fission products appear from fuel assembly cladding contamination or cladding defects. If there are few fuel assembly cladding defects and low levels of activation products, it may not be possible for the gaseous or particulate containment atmosphere radioactivity monitors to detect a 1 gpm increase within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> during normal operation. However, the gaseous or particulate containment atmosphere radioactivity monitor is OPERABLE when it is capable of detecting approximately a 1 gpm increase in unidentified LEAKAGE within approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> given an RCS activity equivalent to that assumed in the design calculations for the monitors as described in Reference 3.
An increase in humidity of the containment atmosphere could indicate the release of water vapor to the containment. The containment air cooler condensate level monitor detects condensate flow from air coolers by monitoring a standpipe level increase versus time. The time required to detect approximately a 1 gpm increase above the normal value varies based on environmental and system conditions and may take longer than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This sensitivity is acceptable for containment air cooler condensate level monitor OPERABILITY.
The LCO is satisfied when monitors of diverse measurement means are available. Thus, the containment atmosphere particulate
radioactivity monitor (R-11) in combination with a gaseous
radioactivity monitor (R-12) or a containment air cooler condensate
level monitor provides an acceptable minimum.
RCS Leakage Detection Instrumentation B 3.4.15 Farley Units 1 and 2 B 3.4.15-4 Revision 55 BASES APPLICABILITY Because of elevated RCS temperature and pressure in MODES 1, 2, 3, and 4, RCS leakage detection instrumentation is required to be
OPERABLE.
In MODE 5 or 6, the temperature is to be 200°F and pressure is maintained low or at atmospheric pressure. Since the temperatures
and pressures are far lower than those for MODES 1, 2, 3, and 4, the
likelihood of leakage and crack propagation are much smaller.
Therefore, the requirements of this LCO are not applicable in
MODES 5 and 6.
ACTIONS A.1.1, A.1.2, and A.2
With the required containment atmosphere particulate radioactivity
monitor inoperable, no other form of sampling can provide the equivalent information; however, the containment atmosphere
gaseous radioactivity monitor or the containment air cooler
condensate level monitor will provide indications of changes in
leakage. Together with the containment atmosphere gaseous radioactivity monitor or the containment air cooler condensate level monitor, the periodic surveillance for RCS water inventory balance, SR 3.4.13.1, must be performed at an increased frequency of
24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or grab samples of the containment atmosphere must be
taken and analyzed once per 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to provide information that is
adequate to detect leakage.
Restoration of the required Particulate radioactivity monitor to
OPERABLE status within a Completion Time of 30 days is required to
regain the function after the monitor's failure. This time is acceptable, considering the Frequency and adequacy of the RCS water inventory
balance or containment grab sample analyses required by Required
Action A.1.1 or A.1.2.
(continued)
SG Tube Integrity B 3.4.17 Farley Units 1 and 2 B 3.4.17-1 Revision 24 B 3.4 REACTOR COOLANT SYSTEM (RCS)
B 3.4.17 Steam Generator (SG) Tube Integrity
BASES BACKGROUND Steam generator (SG) tubes are small diameter, thin walled tubes that carry primary coolant through the primary to secondary heat
exchangers. The SG tubes have a number of important safety functions. SG tubes are an integral part of the reactor coolant
pressure boundary (RCPB) and, as such, are relied on to maintain the
primary system's pressure and inventory. The SG tubes isolate the
radioactive fission products in the primary coolant from the secondary
system. In addition, as part of the RCPB, the SG tubes are unique in
that they act as the heat transfer surface between the primary and
secondary systems to remove heat from the primary system. This
Specification addresses only the RCPB integrity function of the SG.
The SG heat removal function is addressed by LCO 3.4.4, "RCS Loops - MODES 1 and 2," LCO 3.4.5, "RCS Loops - MODE 3,"
LCO 3.4.6, "RCS Loops - MODE 4," and LCO 3.4.7, "RCS Loops -
MODE 5, Loops Filled."
SG tube integrity means that the tubes are capable of performing their
intended RCPB safety function consistent with the licensing basis, including applicable regulatory requirements.
SG tubing is subject to a variety of degradation mechanisms. SG
tubes may experience tube degradation related to corrosion
phenomena, such as wastage, pitting, intergranular attack, and stress
corrosion cracking, along with other mechanically induced
phenomena such as denting and wear. These degradation
mechanisms can impair tube integrity if they are not managed
effectively. The SG performance criteria are used to manage SG tube
degradation.
Specification 5.5.9, "Steam Generator (SG) Program," requires that a
program be established and implemented to ensure that SG tube
integrity is maintained. Pursuant to Specification 5.5.9, tube integrity
is maintained when the SG performance criteria are met. There are
three SG performance criteria: structural integrity, accident induced
leakage, and operational LEAKAGE. The SG performance criteria are
described in Specification 5.5.9. Meeting the SG performance criteria
provides reasonable assurance of maintaining tube integrity at normal
and accident conditions.
(continued)
SG Tube Integrity B 3.4.17 Farley Units 1 and 2 B 3.4.17-3 Revision 24 BASES LCO In the context of this Specification, a SG tube is defined as the entire (continued) length of the tube, including the tube wall between the tube-to-tubesheet weld at the tube inlet and the tube-to-tubesheet weld at
the tube outlet. The tube-to-tubesheet weld is not considered part
of the tube.
A SG tube has tube integrity when it satisfies the SG performance criteria. The SG performance criteria are defined in Specification
5.5.9, "Steam Generator Program," and describe acceptable SG
tube performance. The Steam Generator Program also provides the
evaluation process for determining conformance with the SG performance criteria.
There are three SG performance criteria: structural integrity, accident
induced leakage, and operational LEAKAGE. Failure to meet any
one of these criteria is considered failure to meet the LCO.
The structural integrity performance criterion provides a margin of
safety against tube burst or collapse under normal and accident
conditions, and ensures structural integrity of the SG tubes under all
anticipated transients included in the design specification. Tube
burst is defined as, "The gross structural failure of the tube wall. The
condition typically corresponds to an unstable opening displacement (e.g., opening area increased in response to constant pressure)
accompanied by ductile (plastic) tearing of the tube material at the
ends of the degradation." Tube collapse is defined as, "For the load
displacement curve for a given structure, collapse occurs at the top
of the load versus displacement curve where the slope of the curve
becomes zero."
Structural integrity requires that the primary membrane stress intensity in a tube not exceed the yield strength for
all ASME Code, Section III, Service Level A (normal operating
conditions) and Service Level B (upset or abnormal conditions)
transients included in the design specification. This includes safety
factors and applicable design basis loads based on ASME Code, Section III, Subsection NB (Ref. 4) and Draft Regulatory Guide 1.121 (Ref. 5).
The accident induced leakage performance criterion ensures that the
primary to secondary LEAKAGE caused by a design basis accident, other than a SGTR, is within the accident analysis assumptions. The
accident analysis assumes that accident induced leakage does not
exceed 1 gallon per minute (gpm) total from all SGs. The accident
(continued)
SG Tube Integrity B 3.4.17 Farley Units 1 and 2 B 3.4.17-4 Revision 60 BASES LCO induced leakage rate includes any primary to secondary (continued)
LEAKAGE existing prior to the accident in addition to primary to secondary LEAKAGE induced during the accident.
The operational LEAKAGE performance criterion provides an
observable indication of SG tube conditions during plant operation.
The limit on operational LEAKAGE is contained in LCO 3.4.13, "RCS Operational LEAKAGE," and limits primary to secondary
LEAKAGE through any one SG to 150 gpd. This limit is based on
the assumption that a single crack leaking this amount would not
propagate to a SGTR under the stress conditions of a LOCA or a
main steam line break. If this amount of LEAKAGE is due to more
than one crack, the cracks are very small, and the above
assumption is conservative.
APPLICABILITY Steam generator tube integrity is challenged when the pressure differential across the tubes is large. Large differential pressures
across SG tubes can only be experienced in MODE 1, 2, 3, or 4.
RCS conditions are far less challenging in MODES 5 and 6 than
during MODES 1, 2, 3, and 4. In MODES 5 and 6, primary to
secondary differential pressure is low, resulting in lower stresses and
reduced potential for LEAKAGE.
ACTIONS The ACTIONS are modified by a Note clarifying that the Conditions may be entered independently for each SG tube. This is acceptable
because the Required Actions provide appropriate compensatory
actions for each affected SG tube. Complying with the Required
Actions may allow for continued operation, and subsequent affected
SG tubes are governed by subsequent Condition entry and
application of associated Required Actions.
A.1 and A.2 Condition A applies if it is discovered that one or more SG tubes
examined in an inservice inspection satisfy the tube plugging criteria but were not plugged in accordance with the Steam Generator
Program as required by SR 3.4.17.2. An evaluation of SG tube
integrity of the
(continued)
SG Tube Integrity B 3.4.17 Farley Units 1 and 2 B 3.4.17-5 Revision 60 BASES ACTIONS A.1 and A.2 (continued) affected tube(s) must be made. Steam generator tube integrity is
based on meeting the SG performance criteria described in the
Steam Generator Program. The SG plugging criteria define limits on SG tube degradation that allow for flaw growth between inspections
while still providing assurance that the SG performance criteria will
continue to be met. In order to determine if a SG tube that should
have been plugged has tube integrity, an evaluation must be
completed that demonstrates that the SG performance criteria will
continue to be met until the next SG tube inspection. The tube
integrity determination is based on the estimated condition of the
tube at the time the situation is discovered and the estimated growth
of the degradation prior to the next SG tube inspection. If it is
determined that tube integrity is not being maintained, Condition B
applies.
A Completion Time of 7 days is sufficient to complete the evaluation
while minimizing the risk of plant operation with a SG tube that may
not have tube integrity.
If the evaluation determines that the affected tube(s) have tube
integrity, Required Action A.2 allows plant operation to continue until
the next refueling outage or SG inspection provided the inspection
interval continues to be supported by an operational assessment that
reflects the affected tubes. However, the affected tube(s) must be
plugged prior to entering MODE 4 following the next refueling outage
or SG inspection. This Completion Time is acceptable since
operation until the next inspection is supported by the operational assessment.
B.1 and B.2
If the Required Actions and associated Completion Times of
Condition A are not met or if SG tube integrity is not being
maintained, the reactor must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
and MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.
The allowed Completion Times are reasonable, based on operating
experience, to reach the desired plant conditions from full power
conditions in an orderly manner and without challenging plant systems.
SG Tube Integrity B 3.4.17 Farley Units 1 and 2 B 3.4.17-6 Revision 60 BASES SURVEILLANCE SR 3.4.17.1 REQUIREMENTS During shutdown periods the SGs are inspected as required by this
SR and the Steam Generator Program. NEI 97-06, Steam
Generator Program Guidelines (Ref. 1), and its referenced EPRI
Guidelines, establish the content of the Steam Generator Program.
Use of the Steam Generator Program ensures that the inspection is
appropriate and consistent with accepted industry practices.
During SG inspections a condition monitoring assessment of the SG
tubes is performed. The condition monitoring assessment
determines the "as found" condition of the SG tubes. The purpose
of the condition monitoring assessment is to ensure that the SG
performance criteria have been met for the previous operating
period.
The Steam Generator Program determines the scope of the
inspection and the methods used to determine whether the tubes
contain flaws satisfying the tube plugging criteria. Inspection scope (i.e., which tubes or areas of tubing within the SG are to be
inspected) is a function of existing and potential degradation
locations. The Steam Generator Program also specifies the
inspection methods to be used to find potential degradation.
Inspection methods are a function of degradation morphology, non-
destructive examination (NDE) technique capabilities, and inspection
locations.
The Steam Generator Program defines the Frequency of
SR 3.4.17.1. The Frequency is determined by the operational
assessment and other limits in the SG examination guidelines (Ref. 6). The Steam Generator Program uses information on existing
degradations and growth rates to determine an inspection Frequency
that provides reasonable assurance that the tubing will meet the SG
performance criteria at the next scheduled inspection. In addition, Specification 5.5.9 contains prescriptive requirements concerning
inspection intervals to provide added assurance that the SG
performance criteria will be met between scheduled inspections. If crack indications are found in any SG tube, the maximum inspection interval for all affected and potentially affected SGs is restricted by Specification 5.5.9 until subsequent inspections support extending the inspection interval.
(continued)
Accumulators B 3.5.1 Farley Units 1 and 2 B 3.5.1-1 Revision 0 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)
B 3.5.1 Accumulators
BASES BACKGROUND The functions of the ECCS accumulators are to supply water to the reactor vessel during the blowdown phase of a loss of coolant accident (LOCA), to provide inventory to help accomplish the refill phase that
follows thereafter, and to provide Reactor Coolant System (RCS)
makeup for a small break LOCA.
The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and
heat from fission product decay, hot internals, and the vessel continues
to be transferred to the reactor coolant. The blowdown phase of the
transient ends when the RCS pressure falls to a value approaching that
of the containment atmosphere.
In the refill phase of a LOCA, which immediately follows the blowdown phase, reactor coolant inventory has vacated the core through steam
flashing and ejection out through the break. The core is essentially in
adiabatic heatup. The balance of accumulator inventory is then available
to help fill voids in the lower plenum and reactor vessel downcomer so as
to establish a recovery level at the bottom of the core and ongoing
reflood of the core with the addition of safety injection (SI) water.
The accumulators are pressure vessels partially filled with borated water and pressurized with nitrogen gas. The accumulators are passive
components, since no operator or control actions are required in order
for them to perform their function. Internal accumulator tank pressure is
sufficient to discharge the accumulator contents to the RCS, if RCS
pressure decreases below the accumulator pressure.
Each accumulator is piped into an RCS cold leg via an accumulator line and is isolated from the RCS by a motor operated isolation valve and two check valves in series.
The accumulator motor operated isolation valves are maintained in the open position with power to the valve removed when pressurizer
pressure is 2000 psig. Should the valves be inadvertently closed below 2000 psig, the requirements of this LCO would ensure that the
valves would be returned to their correct position in a timely manner or
the plant would be taken out of the Mode of Applicability. The valves will
(continued)
Accumulators B 3.5.1 Farley Units 1 and 2 B 3.5.1-2 Revision 0 BASES BACKGROUND automatically open, however, as a result of an SI signal. These features (continued) and requirements ensure that the accumulators will be available for injection.
The accumulator size, water volume, and nitrogen cover pressure are selected so that two of the three accumulators are sufficient to partially
cover the core before significant clad melting or zirconium water reaction
can occur following a LOCA. The need to ensure that two accumulators
are adequate for this function is consistent with the LOCA assumption
that the entire contents of one accumulator will be lost via the RCS pipe
break during the blowdown phase of the LOCA.
APPLICABLE The accumulators are assumed OPERABLE in both the large and SAFETY ANALYSES small break LOCA analyses at full power (Ref. 1). These are
the Design Basis Accidents (DBAs) that establish the acceptance limits for the accumulators. Reference to the analyses for these DBAs is used
to assess changes in the accumulators as they relate to the acceptance
limits.
In performing the LOCA calculations, conservative assumptions are made concerning the availability of ECCS flow. In the early stages of a
LOCA, with or without a loss of offsite power, the accumulators provide
the sole source of makeup water to the RCS. The assumption of loss of
offsite power is also considered to determine if it is most limiting, and if
so, imposes a delay wherein the E CCS pumps cannot deliver flow until
the emergency diesel generators start, come to rated speed, and go
through their timed loading sequence. In cold leg break scenarios, the
entire contents of one accumulator are assumed to be lost through the
break.
The limiting large break LOCA is a double ended guillotine break in the
cold leg. During this event, the accumulators discharge to the RCS as
soon as RCS pressure decreases to below accumulator pressure.
As a conservative estimate, no credit is taken for ECCS pump flow until
an effective delay has elapsed. This delay accounts for the diesels
starting and the pumps being loaded and delivering full flow. The delay
time is conservatively set with an additional 2 seconds to account for SI
signal generation. During this time, the accumulators are analyzed as
providing the sole source of emergency core cooling. No operator action
is assumed during the blowdown stage of a large break LOCA.
(continued)
Accumulators B 3.5.1 Farley Units 1 and 2 B 3.5.1-3 Revision 0 BASES APPLICABLE The worst case small break LOCA analyses also assume a time delay SAFETY ANALYSES before pumped flow reaches the core. For the larger range of small (continued) breaks, the rate of blowdown is such that the increase in fuel clad temperature is terminated solely by the accumulators, with pumped flow then providing continued cooling. As break size decreases, the
accumulators and centrifugal charging pumps both play a part in
terminating the rise in clad temperature. As break size continues to
decrease, the role of the accumulators continues to decrease until they
are not required and the centrifugal charging pumps become solely
responsible for terminating the temperature increase.
This LCO helps to ensure that the following acceptance criteria established for the ECCS by 10 CFR 50.46 (Ref. 2) will be met following
a LOCA:
- a. Maximum fuel element cladding temperature is 2200°F;
- b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;
- c. Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the
cladding surrounding the plenum volume, were to react; and
- d. Core is maintained in a coolable geometry.
Since the accumulators discharge during the blowdown phase of a
LOCA, they do not contribute to the long term cooling requirements of
For both the large and small break LOCA analyses, a nominal contained
accumulator water volume is used. The contained water volume is the
same as the deliverable volume for the accumulators, since the
accumulators are emptied, once discharged. For large breaks, an
increase in water volume can be either a peak clad temperature penalty
or benefit, depending on downcomer filling and subsequent spill through
the break during the core reflooding portion of the transient. The safety
analysis assumes values of 7331 gallons for the accumulator, and 337
gallons for the accumulator discharge line. To allow for instrument
inaccuracy, values of 7,555 gallons and 7,780 gallons are specified.
These values include the volume of water in the accumulator discharge
line.
(continued)
Accumulators B 3.5.1 Farley Units 1 and 2 B 3.5.1-4 Revision 0 BASES APPLICABLE The minimum boron concentration setpoint is used in the post LOCA SAFETY ANALYSES boron concentration calculation. The calculation is performed to assure (continued) reactor subcriticality in a post LOCA environment. Of particular interest is the large break LOCA, since no credit is taken for control rod assembly
insertion. A reduction in the accumulator minimum boron concentration
would produce a subsequent reduction in the available containment
sump concentration for post LOCA shutdown and an increase in the
maximum sump pH. The maximum boron concentration is used in
determining the cold leg to hot leg recirculation injection switchover time
and minimum sump pH.
The large and small break LOCA analyses are performed at the minimum nitrogen cover pressure for small break LOCA and nominal
nitrogen cover pressure for large break LOCA, since sensitivity analyses
have demonstrated that higher nitrogen cover pressure results in a
computed peak clad temperature benefit. A sensitivity study is
performed for the BE LOCA (large break LOCA) to determine the
sensitivity of PCT to accumulator pressure. This study, in addition to
several others, is incorporated into a PCT response surface in order to
generate a 95/95 PCT. The maximum nitrogen cover pressure limit
prevents accumulator relief valve actuation, and ultimately preserves
accumulator integrity.
The effects on containment mass and energy releases from the accumulators are accounted for in the appropriate analyses (Ref. 2).
The accumulators satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The LCO establishes the minimum conditions required to ensure that the accumulators are available to accomplish their core cooling safety
function following a LOCA. Three accumulators are required to ensure
that 100% of the contents of two of the accumulators will reach the core
during a LOCA. This is consistent with the assumption that the contents
of one accumulator spill through the break. If less than two accumulators
are injected during the blowdown phase of a LOCA, the ECCS
acceptance criteria of 10 CFR 50.46 (Ref. 2) could be violated.
For an accumulator to be considered OPERABLE, the isolation valve must be fully open, power removed above 2000 psig, and the limits
established in the SRs for contained volume, boron concentration, and
nitrogen cover pressure must be met.
Accumulators B 3.5.1 Farley Units 1 and 2 B 3.5.1-5 Revision 0 BASES APPLICABILITY In MODES 1 and 2, and in MODE 3 with RCS pressure > 1000 psig, the accumulator OPERABILITY requirements are based on full power operation. Although cooling requirements decrease as power decreases, the accumulators are still required to provide core cooling as long as elevated RCS pressures and temperatures exist.
This LCO is only applicable at pressures > 1000 psig. At pressures 1000 psig, the rate of RCS blowdown is such that the ECCS pumps can provide adequate injection to ensure that peak clad temperature remains below the 10 CFR 50.46 (Ref. 2) limit of 2200°F.
The Accumulator Applicability is modified by a Note which takes exception to the LCO requirements for the Accumulators to be OPERABLE in MODE 3 with RCS pressure above 1,000 psig for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> during the performance of isolation valve testing required by SR 3.4.14.1. The applicability of the Note is restricted solely to the isolation valve testing required by SR 3.4.14.1. In order to perform the required isolation valve testing, the Accumulators must be isolated and various parameters (e.g., pressure, level) must be adjusted. The exception provided by this Note allows operation in MODE 3 with RCS pressure above 1,000 psig for up to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> with Accumulators not configured per the requirements of the LCO such that the Actions for an inoperable Accumulator are not applicable.
In MODE 3, with RCS pressure 1000 psig, and in MODES 4, 5, and 6, the accumulator motor operated isolation valves are closed to isolate the accumulators from the RCS. This allows RCS cooldown and depressurization without discharging the accumulators into the RCS or requiring depressurization of the accumulators.
ACTIONS A.1 If the boron concentration of one accumulator is not within limits, it must be returned to within the limits within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. In this Condition, ability to maintain subcriticality or minimum boron precipitation time may be reduced. An average boron concentration for the injected water is assumed in the Best Estimate LOCA (large break LOCA) analysis. One accumulator up to 100 ppm below the minimum boron concentration limit, however, will have no effect on available ECCS water and an insignificant effect on post-LOCA core subcriticality. The large main steam line break analysis predicts that the accumulators would discharge following the event. However, their impact is minor and not a design limiting event. Thus, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is allowed to return the boron concentration to within limits.
(continued)
Accumulators B 3.5.1 (continued)
Farley Units 1 and 2 B 3.5.1-6 Revision 52 BASES ACTIONS B.1 (continued)
If one accumulator is inoperable for a reason other than boron concentration, the accumulator must be returned to OPERABLE status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. In this Condition, the required contents of two accumulators cannot be assumed to reach the core during a LOCA. Due to the severity of the consequences should a LOCA occur in these conditions, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time to open the valve, remove power to the valve, or restore the proper water volume or nitrogen cover pressure ensures that prompt action will be taken to return the inoperable accumulator to OPERABLE status. The Completion Time minimizes the potential for exposure of the plant to a LOCA under these conditions. The 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed to restore an inoperable accumulator to OPERABLE status is justified in WCAP-15049-A, Rev. 1 (Ref. 3).
C.1 and C.2 If the accumulator cannot be returned to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and RCS pressure reduced to 1000 psig within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.
D.1 If more than one accumulator is inoperable, the plant is in a condition outside the accident analyses; therefore, LCO 3.0.3 must be entered
immediately.
SURVEILLANCE SR 3.5.1.1 REQUIREMENTS
Each accumulator valve should be verified to be fully open. This verification ensures that the accumulators are available for injection and ensures timely discovery if a valve should be less than fully open. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve position should not change with power removed, a closed valve could result in not meeting accident analyses assumptions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Accumulators B 3.5.1 (continued)
Farley Units 1 and 2 B 3.5.1-7 Revision 52 BASES SURVEILLANCE SR 3.5.1.2 and SR 3.5.1.3 REQUIREMENTS (continued) The borated water volume and nitrogen cover pressure are verified for each accumulator. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The boron concentration should be verified to be within required limits for each accumulator since the static design of the accumulators limits the ways in which the concentration can be changed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Sampling the affected accumulator within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after a 12% level, indicated, increase (approximately 1% of tank volume) will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water inventory is from the refueling water storage tank (RWST), when the water contained in the RWST is within the accumulator boron concentration requirements. This is consistent with the recommendation of NUREG-1366 (Ref. 4).
SR 3.5.1.5 Verification that power is removed from each accumulator isolation valve operator when the pressurizer pressure is 2000 psig ensures that an active failure could not result in the undetected closure of an accumulator motor operated isolation valve. If this were to occur, only one accumulator would be available for injection given a single failure coincident with a LOCA. Therefore, each isolation valve operator is disconnected by a locked open disconnect device. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is < 2000 psig, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during plant startups or shutdowns.
Accumulators B 3.5.1 Farley Units 1 and 2 B 3.5.1-8 Revision 22 BASES SURVEILLANCE SR 3.5.1.5 (continued) REQUIREMENTS Should closure of a valve occur below 2000 psig, the SI signal provided to the valves would open a closed valve in the event of a LOCA.
REFERENCES 1. FSAR, Chapter 15.
- 2. 10 CFR 50.46
- 3. WCAP-15049-A, Rev. 1, April 1999.
- 4. NUREG-1366, February 1990.
ECCS - Operating B 3.5.2 Farley Units 1 and 2 B 3.5.2-6 Revision 0
BASES LCO Note 2 provides an allowance of up to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to reposition the state (continued) of the power supplies for the RHR discharge to centrifugal charging pump suction valves 8706A and 8706B when transitioning from
MODE 4 into MODE 3. This allowance is necessary since the required
state of the power supplies for these two valves in MODE 4 is
opposite the required state in MODE 3 and time is necessary to
restore power to the valves when entering MODE 3 from MODE 4.
APPLICABILITY In MODES 1, 2, and 3, the ECCS OPERABILITY requirements for the
limiting Design Basis Accident, a large break LOCA, are based on full power operation. Although reduced power would not require the
same level of performance, the accident analysis does not provide for
reduced cooling requirements in the lower MODES. The centrifugal
charging pump performance is based on a small break LOCA, which
establishes the pump performance curve and has less dependence
on power. MODE 2 and MODE 3 requirements are bounded by the
MODE 1 analysis.
This LCO is only applicable in MODE 3 and above. Below MODE 3, the SI signal setpoints which are affected by normal mode reduction (steam line pressure-low and pressurizer pressure-low actuation signals) have been manually bypassed by operator control, and
system functional requirements are relaxed as described in LCO 3.5.3, "ECCS-Shutdown."
In MODES 5 and 6, plant conditions are such that the probability of an
event requiring ECCS injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed
by LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level."
ECCS - Shutdown B 3.5.3 Farley Units 1 and 2 B 3.5.3-1 Revision 0 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)
B 3.5.3 ECCS-Shutdown
BASES BACKGROUND The Background section for Bases 3.5.2, "ECCS-Operating," is applicable to these Bases, with the following modifications.
In MODE 4, only one ECCS train consisting of two separate subsystems: centrifugal charging (high head) and residual heat
removal (RHR) (low head) is required operable.
The ECCS flow paths consist of piping, valves, heat exchangers, and pumps such that water from the refueling water storage tank (RWST)
can be injected into the Reactor Coolant System (RCS) following the
accidents described in Bases 3.5.2.
APPLICABLE The Applicable Safety Analyses section of Bases 3.5.2 also SAFETY ANALYSES applies to this Bases section.
Due to the stable conditions associated with operation in MODE 4 and the reduced probability of occurrence of a Design Basis Accident (DBA), the ECCS operational requirements are reduced. It is
understood in these reductions that certain automatic safety injection (SI) actuation is not available. In this MODE, sufficient time exists for
manual actuation of the required ECCS to mitigate the consequences
of a DBA.
Only one train of ECCS is required for MODE 4. This requirement dictates that single failures are not considered during this MODE of
operation. The ECCS trains satisfy Criterion 3 of 10 CFR
50.36(c)(2)(ii).
LCO In MODE 4, one of the two independent (and redundant) ECCS trains is required to be OPERABLE to ensure that sufficient ECCS flow is
available to the core following a DBA.
In MODE 4, an ECCS train consists of a centrifugal charging subsystem and an RHR subsystem. Each train includes the piping, instruments,
(continued)
ECCS - Shutdown B 3.5.3 Farley Units 1 and 2 B 3.5.3-3 Revision 33 BASES ACTIONS A Note prohibits the application of LCO 3.0.4b to an inoperable ECCS centrifugal charging subsystem when entering MODE 4. There is an increased risk associated with entering MODE 4 from MODE 5 with an inoperable ECCS centrifugal charging subsystem and the provisions of LCO 3.0.4b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.
A.1 With no ECCS RHR subsystem OPERABLE, the plant is not prepared to respond to a loss of coolant accident or to continue a cooldown using the RHR pumps and heat exchangers. The Completion Time of immediately to initiate actions that would restore at least one ECCS RHR subsystem to OPERABLE status ensures that prompt action is taken to restore the required cooling capacity. Normally, in MODE 4, reactor decay heat is removed from the RCS by an RHR loop. If no RHR loop is OPERABLE for this function, reactor decay heat must be removed by some alternate method, such as use of the steam generators. The alternate means of heat removal must continue until the inoperable RHR loop components can be restored to operation so that decay heat removal is continuous.
With both RHR pumps and heat exchangers inoperable, it would be unwise to require the plant to go to MODE 5, where the only available heat removal system is the RHR. Therefore, the appropriate action is to initiate measures to restore one ECCS RHR subsystem and to continue the actions until the subsystem is restored to OPERABLE status.
B.1 With the required ECCS centrifugal charging subsystem inoperable, and at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available, the inoperable components must be returned to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is acceptable when the unit is in MODES 1, 2, and 3 (Ref. 5). Since MODE 4 represents less severe conditions for the initiation of a LOCA, the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is also acceptable for MODE 4. An ECCS train is inoperable if it is not capable of delivering design flow to the RCS. Individual components are inoperable if they are not capable of performing their design function or supporting systems are not available. The intent of this Condition is
(continued)
ECCS - Shutdown B 3.5.3 Farley Units 1 and 2 B 3.5.3-4 Revision 33 BASES ACTIONS B.1 (continued)
to maintain a combination of equipment such that 100% of the ECCS flow equivalent to a single operable ECCS train remains available.
This allows increased flexibility in plant operations under circumstances when components in the required subsystem may be inoperable, but the ECCS remains capable of delivering 100% of the required flow equivalent.
C.1 With no ECCS centrifugal charging subsystem OPERABLE, due to the inoperability of the centrifugal charging pump or flow path from the RWST, the plant is not prepared to provide high pressure response to Design Basis Events requiring SI. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time to restore at least one ECCS centrifugal charging subsystem to OPERABLE status ensures that prompt action is taken to provide the required cooling capacity or to initiate actions to place the plant in MODE 5, where an ECCS train is not required.
D.1 When the Required Actions of Condition B or C cannot be completed within the required Completion Time, a controlled shutdown should be initiated provided that adequate RHR cooling capacity exists to support reaching and maintaining MODE 5 conditions safely. With both RHR subsystems inoperable, it would be unwise to require the plant to go to MODE 5, where the only available heat removal system is the RHR. Therefore, the appropriate action is to initiate measures to restore at least one ECCS RHR subsystem and to continue the actions until the subsystem is restored to OPERABLE status. Only then would it be safe to go to MODE 5. Twenty-four hours is a reasonable time, based on operating experience, to reach MODE 5 in an orderly manner and without challenging plant systems or operators.
SURVEILLANCE SR 3.5.3.1 REQUIREMENTS
The applicable Surveillance descriptions from Bases 3.5.2 apply.
ECCS - Shutdown B 3.5.3 Farley Units 1 and 2 B 3.5.3-5 Revision 52 BASES SURVEILLANCE SR 3.5.3.2 REQUIREMENTS (continued) Verification of proper valve alignment ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these
valves could render the required ECCS trains inoperable. Securing
these valves in position by removal of power by locking open the
breaker or disconnect device for the valve operator ensures that they
cannot change position as a result of an active failure or be
inadvertantly misaligned. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES The applicable references from Bases 3.5.2 apply.
RWST B 3.5.4 Farley Units 1 and 2 B 3.5.4-1 Revision 0
B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)
B 3.5.4 Refueling Water Storage Tank (RWST)
BASES BACKGROUND The RWST supplies borated water to the Chemical and Volume Control System (CVCS) during abnormal operating conditions, to the
refueling pool during refueling, and to the ECCS and the Containment
Spray System during accident conditions.
The RWST supplies both trains of the ECCS and the Containment Spray System through separate, redundant supply headers during the
injection phase of a loss of coolant accident (LOCA) recovery. A
motor operated isolation valve is provided in each header to isolate
the RWST from the ECCS once the system has been transferred to
the recirculation mode. The recirculation mode is entered when pump
suction is manually transferred to the containment sump following receipt of the RWST-Low alarm. Use of a single RWST to supply
both trains of the ECCS and Containment Spray System is acceptable
since the RWST is a passive component, and passive failures are not
required to be assumed to occur coincidentally with Design Basis
Events.
The switchover from normal operation to the injection phase of ECCS operation requires changing centrifugal charging pump suction from
the CVCS volume control tank (VCT) to the RWST through the use of
isolation valves. Each set of isolation valves is interlocked so that the
VCT isolation valves will begin to close once the RWST isolation
valves are fully open. Since the VCT is under pressure, the preferred
pump suction will be from the VCT until the tank is isolated. This will
result in a delay in obtaining the RWST borated water. The effects of
this delay are discussed in the Applicable Safety Analyses section of
these Bases.
During normal operation in MODES 1, 2, and 3, the residual heat removal (RHR) pumps are aligned to take suction from the RWST.
The ECCS and Containment Spray System pumps are provided with recirculation lines that ensure each pump can maintain minimum flow
requirements when operating at or near shutoff head conditions.
When the suction for the ECCS and Containment Spray System pumps is transferred to the containment sump, the RWST flow paths
must be isolated to prevent a release of the containment sump (continued)
RWST B 3.5.4 Farley Units 1 and 2 B 3.5.4-2 Revision 0
BASES BACKGROUND contents to the RWST, which could result in a release of (continued) contaminants to the atmosphere and the eventual loss of suction head for the ECCS pumps.
This LCO ensures that:
- b. Sufficient water volume exists in the containment sump to support continued operation of the ECCS and Containment Spray System
pumps at the time of transfer to the recirculation mode of cooling;
and
- c. The reactor remains subcritical following a LOCA.
Insufficient water in the RWST could result in insufficient cooling capacity when the transfer to the recirculation mode occurs. Improper
boron concentrations could result in a reduction of SDM or excessive
boric acid precipitation in the core following the LOCA, as well as
excessive caustic stress corrosion of mechanical components and
systems inside the containment.
APPLICABLE During accident conditions, the RWST provides a source of borated SAFETY ANALYSES water to the ECCS and Containment Spray System pumps. As such, it provides containment cooling and depressurization, core cooling, and replacement inventory and is a source of negative reactivity for
reactor shutdown (Ref. 1). The design basis transients and applicable
safety analyses concerning each of these systems are discussed in the Applicable Safety Analyses section of B 3.5.2, "ECCS-Operating"; B 3.5.3, "ECCS-Shutdown"; and B 3.6.6, "Containment
Spray and Cooling Systems." These analyses are used to assess
changes to the RWST in order to evaluate their effects in relation to
the acceptance limits in the analyses.
The RWST must also meet volume, boron concentration, and temperature requirements for non-LOCA events. The volume is not
an explicit assumption in non-LOCA events since the required volume
is a small fraction of the available volume. The deliverable volume
limit is set by the LOCA and containment analyses. For the RWST, the deliverable volume is different from the total volume contained (continued)
RWST B 3.5.4 Farley Units 1 and 2 B 3.5.4-3 Revision 0 BASES APPLICABLE since, due to the design of the tank, more water can be contained SAFETY ANALYSES than can be delivered. The minimum boron concentration is an (continued) explicit assumption in the main steam line break (MSLB) analysis to ensure the required shutdown capability. The minimum boron
concentration limit is an important assumption in ensuring the
required shutdown capability. The maximum boron concentration is
an explicit assumption in the inadvertent ECCS actuation analysis, although the results are very insensitive to small changes in boron
concentrations. The minimum temperature is an assumption in both
the MSLB and inadvertent ECCS actuation analyses.
The MSLB analysis has considered a delay associated with the interlock between the VCT and RWST isolation valves, and the results
show that the departure from nucleate boiling design basis is met.
The delay has been established as 27 seconds, with offsite power
available, or 42 seconds without offsite power. This response time
includes 2 seconds for electronics delay, a 10 second stroke time for
the RWST valves, and a 15 second stroke time for the VCT valves.
For a large break LOCA analysis, the minimum water volume limit of 321,000 gallons and the lower boron concentration limit of 2300 ppm
are used to compute the post LOCA sump boron concentration
necessary to assure subcriticality. The large break LOCA is the
limiting case since the safety analysis assumes that all control rods
are out of the core.
A water volume of 506,600 gallons and the upper limit on boron concentration of 2500 ppm are used to determine the maximum
allowable time to switch to hot leg recirculation following a LOCA.
The purpose of switching from cold leg to hot leg injection is to avoid
boron precipitation in the core following the accident.
In the ECCS analysis, the containment spray temperature is assumed to be equal to the RWST lower temperature limit of 35°F. If the lower
temperature limit is violated, the containment spray further reduces
containment pressure, which decreases the rate at which steam can
be vented out the break and increases peak clad temperature. An
upper temperature assumption of 120°F is used in the small break
LOCA analysis and containment OPERABILITY analysis. Exceeding
this temperature would result in a higher peak clad temperature, because there would be less heat transfer from the core to the
(continued)
RWST B 3.5.4 Farley Units 1 and 2 B 3.5.4-4 Revision 54 BASES APPLICABLE injected water for the small break LOCA and higher containment SAFETY ANALYSES pressures due to reduced containment spray cooling capacity. For (continued) the containment response following an MSLB, the lower limit on boron concentration and the upper assumption on RWST water temperature
are used to maximize the total energy release to containment.
The RWST satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The RWST ensures that an adequate supply of borated water is available to cool and depressurize the containment in the event of a
Design Basis Accident (DBA), to cool and cover the core in the event
of a LOCA, to maintain the reactor subcritical following a DBA, and to
ensure adequate level in the containment sump to support ECCS and
Containment Spray System pump operation in the recirculation mode.
To be considered OPERABLE, the RWST must meet the water volume, boron concentration, and temperature limits established in
the SRs.
APPLICABILITY In MODES 1, 2, 3, and 4, RWST OPERABILITY requirements are dictated by ECCS and Containment Spray System OPERABILITY
requirements. Since both the ECCS and the Containment Spray
System must be OPERABLE in MODES 1, 2, 3, and 4, the RWST
must also be OPERABLE to support their operation. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed
by LCO 3.9.4, "Residual Heat Removal (RHR) and Coolant Circulation-High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level.
ACTIONS The ACTIONS are modified by Notes that allow RWST piping flow paths to be unisolated from non-safety related piping under administrative controls for limited periods of time. The piping may be unisolated from non-safety related piping for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> under administrative controls to perform SR 3.5.4.3 and for 30 days per fuel cycle under administrative controls for filtration or silica removal.
(continued)
Seal Injection Flow B 3.5.5 Farley Units 1 and 2 B 3.5.5-1 Revision 0
B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)
B 3.5.5 Seal Injection Flow
BASES BACKGROUND This LCO is applicable only to those units that utilize the centrifugal charging pumps for safety injection (SI). The function of the seal
injection throttle valves during an accident is similar to the function of
the ECCS throttle valves in that each restricts flow from the centrifugal
charging pump header to the Reactor Coolant System (RCS).
The restriction on reactor coolant pump (RCP) seal injection flow limits the amount of ECCS flow that would be diverted from the
injection path following an accident. This limit is based on safety
analysis assumptions that are required because RCP seal injection
flow is not isolated during SI.
APPLICABLE One ECCS train (i.e. one RHR and one centrifugal charging pump) is SAFETY ANALYSES assumed to fail during a large break loss of coolant accident (LOCA) at full power (Ref. 1). The LOCA analysis establishes the minimum
flow for the ECCS pumps. The centrifugal charging pumps are also
credited in the small break LOCA analysis. This analysis, and the
LOCA mass and energy release analysis, establish the flow and
discharge head at the design point for the centrifugal charging pumps.
The steam generator tube rupture, main feedwater line break, and
main steam line break event analyses also credit the centrifugal
charging pumps, but are not limiting in their design. Reference to
these analyses is made in assessing changes to the Seal Injection
System for evaluation of their effects in relation to the acceptance
limits in these analyses.
This LCO ensures that seal injection flow with the seal water injection flow control valve full open, will be sufficient for RCP seal integrity but
limited so that the ECCS trains will be capable of delivering sufficient
water to match boiloff rates soon enough to minimize uncovering of
the core following a large LOCA. It also ensures that the centrifugal
charging pumps will deliver sufficient water for a small LOCA and
sufficient boron to maintain the core subcritical. For smaller LOCAs, the charging pumps alone deliver sufficient fluid to overcome the loss
and maintain RCS inventory. Seal injection flow satisfies Criterion 2
Seal Injection Flow B 3.5.5 Farley Units 1 and 2 B 3.5.5-2 Revision 0 BASES LCO The intent of the LCO limit on seal injection flow is to make sure that flow through the RCP seal water injection line is low enough to ensure
that sufficient centrifugal charging pump injection flow is directed to
the RCS via the injection points (Ref. 2).
The LCO is not strictly a flow limit, but rather a flow limit based on a flow line resistance. In order to establish the proper flow line
resistance, a pressure and flow must be known. The flow line
resistance is established by adjusting the reactor coolant pump seal
injection needle valves to provide a total seal injection flow in the
Acceptable Region of Figure 3.5.5-1 at a given pressure differential
between the charging header pressure and the pressurizer pressure.
The centrifugal charging pump discharge header pressure remains
essentially constant through all the applicable MODES of this LCO. A
reduction in RCS pressure would result in more flow being diverted to
the RCP seal injection line than at normal operating pressure. The
valve settings established at the prescribed centrifugal charging pump
discharge header pressure result in a conservative valve position
should RCS pressure decrease. The additional modifier of this LCO, the seal water injection flow control valve being full open, is required
since the valve is designed to fail open for the accident condition.
With the discharge pressure and control valve position as specified by
the LCO, a resistance limit is established. It is this resistance limit
that is used in the accident analyses.
The limit on seal injection flow (operation in the Acceptable Region of Figure 3.5.5-1) and an open wide condition of the seal water
injection flow control valve, must be met to render the ECCS
OPERABLE. If these conditions are not met, the ECCS flow will not
be as assumed in the accident analyses.
APPLICABILITY In MODES 1, 2, and 3, the seal injection flow limit is dictated by ECCS flow requirements, which are specified for MODES 1, 2, 3, and 4. The
seal injection flow limit is not applicable for MODE 4 and lower, however, because high seal injection flow is less critical as a result of
the lower initial RCS pressure and decay heat removal requirements
in these MODES. Therefore, RCP seal injection flow must be limited
in MODES 1, 2, and 3 to ensure adequate ECCS performance.
Seal Injection Flow B 3.5.5 (continued)
Farley Units 1 and 2 B 3.5.5-3 Revision 52 BASES ACTIONS A.1
With the seal injection flow exceeding its limit, the amount of charging flow available to the RCS may be reduced. Under this Condition, action must be taken to restore the flow to below its limit. The
operator has 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from the time the flow is known to be above the
limit to perform SR 3.5.5.1 and correctly position the manual valves
and thus be in compliance with the accident analysis. The
Completion Time minimizes the potential exposure of the plant to a
LOCA with insufficient injection flow and provides a reasonable time
to restore seal injection flow within limits. This time is conservative
with respect to the Completion Times of other ECCS LCOs; it is based
on operating experience and is sufficient for taking corrective actions
by operations personnel.
B.1 and B.2
When the Required Actions cannot be completed within the required Completion Time, a controlled shutdown must be initiated. The
Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for reaching MODE 3 from MODE 1 is a
reasonable time for a controlled shutdown, based on operating
experience and normal cooldown rates, and does not challenge plant
safety systems or operators. Continuing the plant shutdown begun in
Required Action B.1, an additional 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is a reasonable time, based on operating experience and normal cooldown rates, to reach
MODE 4, where this LCO is no longer applicable.
SURVEILLANCE SR 3.5.5.1 REQUIREMENTS
Verification that the manual seal injection throttle valves are adjusted to give a flow within the limits (operation in the acceptable region of
Figure 3.5.5-1) ensures that proper manual seal injection throttle valve
position, and hence, proper seal injection flow, is maintained. A
differential pressure that is above the reference minimum value is
established between the charging header (PT-121, charging header
pressure) and the pressurizer, and the total seal injection flow is
verified to be within the limits determined in accordance with the
ECCS safety analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Seal Injection Flow B 3.5.5 Farley Units 1 and 2 B 3.5.5-4 Revision 0 BASES SURVEILLANCE SR 3.5.5.1 (continued)
REQUIREMENTS
As noted, the Surveillance is not required to be performed until 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after the RCS pressure has stabilized within a +/- 20 psig range
of normal operating pressure. The RCS pressure requirement is
specified since this configuration will produce the required pressure
conditions necessary to assure that the manual valves are set
correctly. The exception is limited to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to ensure that the
Surveillance is timely.
REFERENCES 1. FSAR, Chapter 6 and Chapter 15.
- 2. 10 CFR 50.46.
Containment B 3.6.1 Farley Units 1 and 2 B 3.6.1-1 Revision 0 B 3.6 CONTAINMENT SYSTEMS
B 3.6.1 Containment
BASES BACKGROUND The containment consists of the concrete reactor building, its steel liner, and the penetrations through this structure. The structure is designed
to contain radioactive material that may be released from the reactor
core following a Design Basis Accident (DBA). Additionally, this
structure provides shielding from the fission products that may be
present in the containment atmosphere following accident conditions.
The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a shallow dome roof. The inside surface
of the containment is lined with a carbon steel liner to ensure a high
degree of leak tightness during operating and accident conditions.
The cylinder wall is prestressed with a post tensioning system in the vertical and horizontal directions, and the dome roof is prestressed
utilizing a three way post tensioning system.
The concrete reactor building is required for structural integrity of the containment under DBA conditions. The steel liner and its penetrations
establish the leakage limiting boundary of the containment. Maintaining
the containment OPERABLE limits the leakage of fission product
radioactivity from the containment to the environment. SR 3.6.1.1
leakage rate requirements comply with 10 CFR 50, Appendix J, Option
B (Ref. 1), as modified by approved exemptions.
The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak
tight barrier:
- a. All penetrations required to be closed during accident conditions are either:
- 1. capable of being closed by an OPERABLE automatic containment isolation system, or
(continued)
Containment B 3.6.1 Farley Units 1 and 2 B 3.6.1-2 Revision 5 BASES BACKGROUND 2. closed by manual valves, blind flanges, or de-activated (continued) automatic valves secured in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves";
- b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, "Containment Air Locks";
- c. All equipment hatches are closed; and
- d. The sealing mechanism associated with each penetration (e.g., welds, bellows or O-rings) is OPERABLE.
APPLICABLE The safety design basis for the containment is that the containment SAFETY ANALYSES must withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.
The DBAs that result in a challenge to containment OPERABILITY from high pressures and temperatures are a loss of coolant accident (LOCA), a steam line break, and a rod ejection accident (REA)
(Ref. 2). In addition, release of significant fission product radioactivity
within containment can occur from a LOCA or REA. In the DBA
analyses, it is assumed that the containment is OPERABLE such that, for the DBAs involving release of fission product radioactivity, release
to the environment is controlled by the rate of containment leakage.
The containment was designed with an allowable leakage rate of
0.15% of containment air weight per day for the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and
0.075% thereafter (Ref. 3). This leakage rate, used to evaluate offsite
doses resulting from accidents, is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as L a: the maximum allowable containment leakage rate at the calculated peak containment internal pressure (P a) resulting from the limiting design basis LOCA. The allowable leakage rate
represented by L a forms the basis for the acceptance criteria imposed on all containment leakage rate testing. L a is assumed to be 0.15%
per day in the safety analysis at P a = 43.8 psig (Ref. 3).
Satisfactory leakage rate test results are a requirement for the establishment of containment OPERABILITY.
The containment satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
(continued)
Containment B 3.6.1 Farley Units 1 and 2 B 3.6.1-3 Revision 0 BASES LCO Containment OPERABILITY is maintained by limiting leakage to 1.0 L a , except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applicable leakage limits must be met.
Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit
leakage to those leakage rates assumed in the safety analysis.
Individual leakage rates specified for the containment air lock (LCO 3.6.2) and purge valves with resilient seals (LCO 3.6.3) are not
specifically part of the acceptance criteria of 10 CFR 50, Appendix J, Option B. Therefore, leakage rates exceeding these individual limits
only result in the containment being inoperable when the leakage
results in exceeding the overall acceptance criteria of 1.0 L
- a.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material into containment. In MODES 5 and 6, the probability and
consequences of these events are reduced due to the pressure and
temperature limitations of these MODES. Therefore, containment is not
required to be OPERABLE in MODE 5 to prevent leakage of radioactive
material from containment. The requirements for containment during
MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."
ACTIONS A.1
If the requirements of SR 3.6.1.2 are not met, the structural integrity of
the containment is in a degraded state. SR 3.6.1.2 ensures that the
structural integrity of the containment will be maintained in accordance
with the provisions of the Containment Tendon Surveillance Program. If
a limit of the Program is not met, Condition A allows 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to restore
the structural integrity to within limits. The 24-hour Completion Time
allows for the correction of minor problems while providing a limit to the
amout of time that the structural integrity of containment may be in a
degraded condition during at-power conditions.
(continued)
Containment Air Locks B 3.6.2 Farley Units 1 and 2 B 3.6.2-1 Revision 18
B 3.6 CONTAINMENT SYSTEMS
B 3.6.2 Containment Air Locks
BASES BACKGROUND Containment air locks form part of the containment pressure boundary and provide a means for personnel access during all MODES of
operation.
The personnel air lock is nominally a right circular cylinder, 10 ft in diameter, with a door at each end. The auxiliary hatch is nominally a
right circular cylinder, 6 ft in diameter, with a door at each end. The
doors are interlocked to prevent simultaneous opening. During
periods when containment is not required to be OPERABLE, the door
interlock mechanism may be disabled, allowing both doors of an air
lock to remain open for extended periods when frequent containment
entry is necessary. Each air lock door has been designed and tested
to certify its ability to withstand a pressure in excess of the maximum
expected pressure following a Design Basis Accident (DBA) in
containment. As such, closure of a single door supports containment
OPERABILITY. The interior doors have a single gasket to seal the door against the bulkhead. The gasket is installed in the bulkhead and the door has a raised edge on the surface of the door that seats against the gasket when closed. The exterior doors have two gaskets to seal the door against the bulkhead. The gaskets are installed concentrically in the bulkhead with a space between them and the door has double, concentric raised edges on the surface of the door that seat against the gaskets when closed. There is a pressure tap that is accessible from the outside of the exterior end of the airlock that may be used to pressurize the gap between the two seals on the exterior door to test for leakage. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in
containment internal pressure results in increased sealing force on
each door).
Each personnel air lock is provided with limit switches and mechanical
pointers for both doors that provide local indication of door position.
With power supplied to the door operators, this indication is provided
by position indication lights. With power removed from the door
operators, this indication is provided by mechanical pointers located
beside each door's manual handwheels. A set of handwheels, indicating lights, and manual pointers is located inside the air locks, and on the outside of the air locks on both the auxiliary building and
containment sides. (continued)
Containment Air Locks B 3.6.2 Farley Units 1 and 2 B 3.6.2-2 Revision 18 BASES BACKGROUND The containment air locks form part of the containment pressure (continued) boundary. As such, air lock integrity and leak tightness is essential for maintaining the containment leakage rate within limit in the event
of a DBA. Not maintaining air lock integrity or leak tightness may
result in a leakage rate in excess of that assumed in the unit safety
analyses.
APPLICABLE The DBAs that result in a release of radioactive material within SAFETY ANALYSES containment are a loss of coolant accident, a rod ejection accident, and a fuel handling accident in containment (Ref. 2). In the analysis of
each of these accidents, it is assumed that containment is OPERABLE
such that release of fission products to the environment is controlled
by the rate of containment leakage. The containment was designed
with an allowable leakage rate of 0.15% of containment air weight per
day (Ref. 2). This leakage rate is defined in 10 CFR 50, Appendix J,
Option B, as L a , the maximum allowable containment leakage rate at the calculated peak containment internal pressure, P a (43.8 psig),
following a design basis LOCA. This allowable leakage rate forms the
basis for the acceptance criteria imposed on the SRs associated with
the air locks.
The containment air locks satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Each containment air lock forms part of the containment pressure boundary. As part of the containment pressure boundary, the air lock
safety function is related to control of the containment leakage rate
resulting from a DBA. Thus, each air lock's structural integrity and
leak tightness are essential to the successful mitigation of such an
event.
Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be
OPERABLE, the air lock must be in compliance with the Type B air
lock leakage test, and both air lock doors must be OPERABLE. The
interlock allows only one air lock door of an air lock to be opened at
one time. This provision ensures that a gross breach of containment
does not exist when containment is required to be OPERABLE.
Closure of a single door in each air lock is sufficient to provide a leak
tight barrier following postulated events. Nevertheless, both doors are
kept closed when the air lock is not being used for normal entry into or
exit from containment.
Containment Air Locks B 3.6.2 Farley Units 1 and 2 B 3.6.2-3 Revision 18 BASES APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and
consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive material from containment. The requirements for the containment air locks during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."
ACTIONS The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the outer door
is inoperable, then it may be easily accessed for most repairs. It is
preferred that the air lock be accessed from inside primary
containment by entering through the other OPERABLE air lock.
However, if this is not practicable, or if repairs on either door must be
performed from the barrel side of the door then it is permissible to
enter the air lock through the OPERABLE door, which means there is
a short time during which the containment boundary is not intact (during access through the OPERABLE door). The ability to open the
OPERABLE door, even if it means the containment boundary is
temporarily not intact, is acceptable due to the low probability of an
event that could pressurize the containment during the short time in
which the OPERABLE door is expected to be open. After each entry
and exit, the OPERABLE door must be immediately closed. If ALARA
conditions permit, entry and exit should be via an OPERABLE air lock.
A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is
acceptable, since the Required Actions for each Condition provide
appropriate compensatory actions for each inoperable air lock.
Complying with the Required Actions may allow for continued
operation, and a subsequent inoperable air lock is governed by
subsequent Condition entry and application of associated Required
Actions.
In the event the air lock leakage results in exceeding the overall containment leakage rate, Note 3 directs entry into the applicable
Conditions and Required Actions of LCO 3.6.1, "Containment."
(continued)
Containment Air Locks B 3.6.2 Farley Units 1 and 2 B 3.6.2-4 Revision 18 BASES ACTIONS A.1, A.2, and A.3 (continued)
With one air lock door in one or more containment air locks
inoperable, the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock. This ensures that a
leak tight containment barrier is maintained by the use of an
OPERABLE air lock door. This action must be completed within
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. This specified time period is consistent with the ACTIONS of
LCO 3.6.1, which requires containment be restored to OPERABLE
status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
In addition, the affected air lock penetration must be isolated by
locking closed the OPERABLE air lock door within the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
Completion Time. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable for
locking the OPERABLE air lock door, considering the OPERABLE
door of the affected air lock is being maintained closed.
Required Action A.3 verifies that an air lock with an inoperable door
has been isolated by the use of a locked and closed OPERABLE air
lock door. This ensures that an acceptable containment leakage
boundary is maintained. The Completion Time of once per 31 days is
based on engineering judgment and is considered adequate in view of
the low likelihood of a locked door being mispositioned and other
administrative controls. Required Action A.3 is modified by a Note
that applies to air lock doors located in high radiation areas and
allows these doors to be verified locked closed by use of
administrative means. Allowing veri fication by administrative means is considered acceptable, since access to these areas is typically
restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.
The Required Actions have been modified by two Notes. Note 1
ensures that only the Required Actions and associated Completion
Times of Condition C are required if both doors in the same air lock
are inoperable. With both doors in the same air lock inoperable, an
OPERABLE door is not available to be closed. Required Actions C.1
and C.2 are the appropriate remedial actions. The exception of Note
1 does not affect tracking the Completion Time from the initial entry
into Condition A, only the requirement to comply with the Required
Actions. Note 2 allows use of the air lock for entry and exit for 7 days
under administrative controls if both air locks have an inoperable
door. This 7 day restriction begins when the second air lock is
discovered inoperable. Containment entry may be required on a
(continued)
Containment Air Locks B 3.6.2 Farley Units 1 and 2 B 3.6.2-5 Revision 0 BASES ACTIONS A.1, A.2, and A.3 (continued)
periodic basis to perform Technical Specifications (TS) Surveillances
and Required Actions, as well as other activities on equipment inside
containment that are required by TS or activities on equipment that
support TS-required equipment. This Note is not intended to preclude
performing other activities (i.e., non-TS-required activities) if the
containment is entered, using the inoperable air lock, to perform an
allowed activity listed above. This allowance is acceptable due to the
low probability of an event that could pressurize the containment
during the short time that the OPERABLE door is expected to be
open.
B.1, B.2, and B.3
With an air lock interlock mechanism inoperable in one or more air
locks, the Required Actions and associated Completion Times are
consistent with those specified in Condition A.
The Required Actions have been modified by two Notes. Note 1
ensures that only the Required Actions and associated Completion
Times of Condition C are required if both doors in the same air lock
are inoperable. With both doors in the same air lock inoperable, an
OPERABLE door is not available to be closed. Required Actions C.1
and C.2 are the appropriate remedial actions. Note 2 allows entry into
and exit from containment under the control of a dedicated individual
stationed at the air lock to ensure that only one door is opened at a
time (i.e., the individual performs the function of the interlock).
Required Action B.3 is modified by a Note that applies to air lock
doors located in high radiation areas and allows these doors to be
verified locked closed by use of administrative means. Allowing
verification by administrative means is considered acceptable, since
access to these areas is typically restricted. Therefore, the probability
of misalignment of the door, once it has been verified to be in the
proper position, is small.
C.1, C.2, and C.3
With one or more air locks inoperable for reasons other than those
described in Condition A or B, Required Action C.1 requires action to
(continued)
Containment Air Locks B 3.6.2 Farley Units 1 and 2 B 3.6.2-6 Revision 0 BASES ACTIONS C.1, C.2, and C.3 (continued)
be initiated immediately to evaluate previous combined leakage rates
using current air lock test results. An evaluation is acceptable, since it
is overly conservative to immediately declare the containment
inoperable if both doors in an air lock have failed a seal test or if the
overall air lock leakage is not within limits. In many instances (e.g.,
only one seal per door has failed), containment remains OPERABLE, yet only 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (per LCO 3.6.1) would be provided to restore the air
lock door to OPERABLE status prior to requiring a plant shutdown. In
addition, even with both doors failing the seal test, the overall
containment leakage rate can still be within limits.
Required Action C.2 requires that one door in the affected
containment air lock must be verified to be closed within the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />
Completion Time. This specified time period is consistent with the
ACTIONS of LCO 3.6.1, which requires that containment be restored
to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
Additionally, the affected air lock(s) must be restored to OPERABLE
status within the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time. The specified time period
is considered reasonable for restoring an inoperable air lock to
OPERABLE status, assuming that at least one door is maintained
closed in each affected air lock.
D.1 and D.2
If the inoperable containment air lock cannot be restored to
OPERABLE status within the required Completion Time, the plant
must be brought to a MODE in which the LCO does not apply. To
achieve this status, the plant must be brought to at least MODE 3
within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed
Completion Times are reasonable, based on operating experience, to
reach the required plant conditions from full power conditions in an
orderly manner and without challenging plant systems.
SURVEILLANCE SR 3.6.2.1 REQUIREMENTS
Maintaining containment air locks OPERABLE requires compliance
with the leakage rate test requirements of the Containment Leakage
(continued)
Containment Air Locks B 3.6.2 (continued)
Farley Units 1 and 2 B 3.6.2-7 Revision 52 BASES SURVEILLANCE SR 3.6.2.1 (continued)
REQUIREMENTS
Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests).
The acceptance criteria were established during initial air lock and
containment OPERABILITY testing. The periodic testing
requirements verify that the air lock leakage does not exceed the
allowed fraction of the overall containment leakage rate. The
Frequency is required by the Containment Leakage Rate Testing
Program.
The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful
performance of the overall air lock leakage test. This is considered
reasonable since either air lock door is capable of providing a fission
product barrier in the event of a DBA. Note 2 has been added to this
SR requiring the results to be evaluated against the acceptance
criteria which is applicable to SR 3.6.1.1. This ensures that air lock
leakage is properly accounted for in determining the combined Type B
and C containment leakage rate.
The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors
of an air lock are designed to withstand the maximum expected post
accident containment pressure, closure of either door will support
containment OPERABILITY. Thus, the door interlock feature supports
containment OPERABILITY while the air lock is being used for
personnel transit in and out of the containment. Periodic testing of
this interlock demonstrates that the interlock will function as designed
and that simultaneous opening of the inner and outer doors will not
inadvertently occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Containment Air Locks B 3.6.2 Farley Units 1 and 2 B 3.6.2-8 Revision 18 BASES REFERENCES 1. 10 CFR 50, Appendix J, Option B.
- 2. FSAR, Section 6.2.
- 3. NEL Letter NEL-02-0144, dated June 25, 2002.
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-1 Revision 0 B 3.6 CONTAINMENT SYSTEMS
B 3.6.3 Containment Isolation Valves
BASES BACKGROUND The containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving
accident consequence limiting systems to be provided with two
isolation barriers that are closed on a containment isolation signal.
These isolation devices are either passive or active (automatic).
Manual valves, de-activated automatic valves secured in their closed
position (including check valves with forward flow through the valve
secured), blind flanges, and closed systems are considered passive
devices. Check valves, or other automatic valves designed to close
without operator action following an accident, are considered active
devices. Two barriers in series are provided for each penetration so
that no single credible failure or malfunction of an active component
can result in a loss of isolation or leakage that exceeds limits assumed
in the safety analyses. One of these barriers may be a closed system.
These barriers (typically containment isolation valves) make up the
Containment Isolation System.
Automatic isolation signals are produced during accident conditions.
Containment Phase "A" isolation occurs upon receipt of a safety
injection signal. The Phase "A" isolation signal isolates nonessential
process lines in order to minimize leakage of fission product
radioactivity. Containment Phase "B" isolation occurs upon receipt of a
containment pressure High-High-High signal and isolates the
remaining process lines, except systems required for accident
mitigation. In addition to the isolation signals listed above, the purge
and exhaust valves receive an isolation signal on a containment high
radiation condition. As a result, the containment isolation valves (and
blind flanges) help ensure that the containment atmosphere will be
isolated from the environment in the event of a release of fission
product radioactivity to the containment atmosphere as a result of a
Design Basis Accident (DBA).
The OPERABILITY requirements for containment isolation valves help
ensure that containment is isolated as assumed in the safety analyses.
Therefore, the OPERABILITY requirements provide assurance that the
containment function assumed in the safety analyses will be
maintained.
(continued)
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-2 Revision 0 BASES BACKGROUND Shutdown Purge System (48-inch purge valves CBV-HV-3198A, (continued) 3198D, 3196, 3197)
The Shutdown Purge System operates to supply outside air into the
containment for ventilation and cooling or heating and may also be
used to reduce the concentration of noble gases within containment
prior to and during personnel access. The supply and exhaust lines
each contain two isolation valves. Because of their large size, the 48-inch purge valves are not qualified for automatic closure from their
open position under DBA conditions. Therefore, the 48-inch purge
valves are normally maintained closed in MODES 1, 2, 3, and 4 to
ensure the containment boundary is maintained.
Minipurge System (8-inch purge valves CBV-HV-2866C, 2866D, 2867C, 2867D)
The Minipurge System operates to:
- b. Maintain radioactivity levels in the containment consistent with occupancy requirements with continuous system operation; and
- b. Equalize internal and external pressures with continuous system operation.
Since the valves used in the Minipurge System are designed to meet
the requirements for automatic containment isolation valves, these
valves may be opened as needed in MODES 1, 2, 3, and 4.
References to purge valves in the technical specifications apply to both
the Shutdown and Minipurge System unless otherwise stated.
APPLICABLE The containment isolation valve LCO was derived from the SAFETY ANALYSES assumptions related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during major accidents. As
part of the containment boundary, containment isolation valve
OPERABILITY supports leak tightness of the containment. Therefore, the safety analyses of any event requiring isolation of containment is
applicable to this LCO.
The DBAs that result in a release of radioactive material within containment are a loss of coolant accident (LOCA) and a rod ejection
(continued)
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-3 Revision 0 BASES APPLICABLE accident (Ref. 1). In the analyses for each of these accidents, it is SAFETY ANALYSES assumed that containment isolation valves are either closed or (continued) function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through
containment isolation valves (including containment purge valves) are
minimized. The safety analyses assume that the 48-inch purge valves
are closed at event initiation.
The DBA analysis assumes that, except for containment minipurge valves, isolation of the containment is complete and leakage
terminated except for the design leakage rate, L a , prior to significant activity release. The containment minipurge isolation total response time of 6 seconds includes signal delay, and containment isolation valve stroke times.
The single failure criterion required to be imposed in the conduct of
plant safety analyses was considered in the original design of the
containment minipurge valves. Two minipurge valves in series on
each purge line provide assurance that both the supply and exhaust
lines could be isolated even if a single failure occurred. The inboard
and outboard minipurge isolation valves on each line are provided with
diverse power sources, pneumatically operated spring closed valves
that will fail closed on the loss of power or air. This arrangement was
designed to preclude common mode failures from disabling both
minipurge valves on a purge line.
The 48-inch purge valves may be unable to close in the environment
following a LOCA. Therefore, each of the 48-inch purge valves is
required to remain sealed closed during MODES 1, 2, 3, and 4. In this
case, the single failure criterion remains applicable to the 48-inch
containment purge valves due to failure in the control circuit associated
with each valve. Again, the shutdown purge system valve design
precludes a single failure from compromising the containment
boundary as long as the system is operated in accordance with the
subject LCO.
The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36 (c)(2)(ii).
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-4 Revision 0 BASES LCO This specification is governing for the containment purge supply and exhaust isolation penetration leakage and 48-inch isolation valve
position.
The 8-inch containment minipurge supply and exhaust isolation valves may be open for safety-related reasons. Safety-related reasons for
venting containment during operation (MODES 1-4) include controlling
containment pressure and reducing airborne radioactivity.
Containment isolation valves form a part of the containment boundary.
The containment isolation valves' safety function is related to
minimizing the loss of reactor coolant inventory and establishing the
containment boundary during a DBA.
The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation
signal. The 48-inch purge valves must be maintained sealed closed.
The valves covered by this LCO are listed along with their associated
stroke times in the FSAR (Ref. 2).
The normally closed isolation valves are considered OPERABLE when manual valves are closed, automatic valves are de-activated and
secured in their closed position, blind flanges are in place, and closed
systems are intact. These passive isolation valves/devices are those
listed in Reference 2.
Purge valves with resilient seals must meet additional leakage rate requirements. The other containment isolation valve leakage rates are
addressed by LCO 3.6.1, "Containment," as Type C testing.
This LCO provides assurance that the containment isolation valves and purge valves will perform their designed safety functions to
minimize the loss of reactor coolant inventory and establish the
containment boundary during accidents.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and
consequences of these events are reduced due to the pressure and
temperature limitations of these MODES. Therefore, the containment
isolation valves are not required to be OPERABLE in MODE 5. The
requirements for containment isolation valves during MODE 6 are
addressed in LCO 3.9.3, "Containment Penetrations."
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-5 Revision 0 BASES ACTIONS The ACTIONS are modified by a Note allowing penetration flow paths, except for 48-inch purge valve penetration flow paths, to be unisolated
intermittently under administrativ e controls. These administrative controls consist of stationing a dedicated operator at the valve controls, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for containment
isolation is indicated. Due to the size of the containment purge line
penetration and the fact that those penetrations exhaust directly from
the containment atmosphere to the environment, the penetration flow
path containing these valves may not be opened under administrative
controls. A single purge valve in a penetration flow path may be
opened to effect repairs to an inoperable valve, as allowed by
A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow
path. This is acceptable, since the Required Actions for each
Condition provide appropriate compensatory actions for each
inoperable containment isolation valve. Complying with the Required
Actions may allow for continued operation, and subsequent inoperable
containment isolation valves are governed by subsequent Condition
entry and application of associated Required Actions.
The ACTIONS are further modified by a third Note, which ensures appropriate remedial actions are taken, if necessary, if the affected
systems are rendered inoperable by an inoperable containment
isolation valve.
In the event the isolation valve leakage results in exceeding the overall containment leakage rate, Note 4 directs entry into the applicable
Conditions and Required Actions of LCO 3.6.1.
A.1 and A.2
In the event one containment isolation valve in one or more penetration
flow paths is inoperable except for purge valve penetration leakage not
within limit, the affected penetration flow path must be isolated. The
method of isolation must include the use of at least one isolation
barrier that cannot be adversely affected by a single
(continued)
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-6 Revision 0 BASES ACTIONS A.1 and A.2 (continued)
active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic containment isolation valve, a
closed manual valve, a blind flange, and a check valve with forward
flow through the valve secured. For a penetration flow path isolated in
accordance with Required Action A.1, the device used to isolate the
penetration should be the closest available one to containment.
Required Action A.1 must be completed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />
Completion Time is reasonable, considering the time required to
isolate the penetration and the relative importance of supporting
containment OPERABILITY during MODES 1, 2, 3, and 4.
For affected penetration flow paths that cannot be restored to
OPERABLE status within the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time and that have
been isolated in accordance with Required Action A.1, the affected
penetration flow paths must be verified to be isolated on a periodic
basis. This is necessary to ensure that containment penetrations
required to be isolated following an accident and no longer capable of
being automatically isolated will be in the isolation position should an
event occur. This Required Action does not require any testing or
device manipulation. Rather, it involves verification, through a system
walkdown, that those isolation devices outside containment and
capable of being mispositioned are in the correct position. The
Completion Time of "once per 31 days for isolation devices outside
containment" is appropriate considering the fact that the devices are
operated under administrative controls and the probability of their
misalignment is low. For the isolation devices inside containment, the
time period specified as "prior to entering MODE 4 from MODE 5 if not
performed within the previous 92 days" is based on engineering
judgment and is considered reasonable in view of the inaccessibility of
the isolation devices and other administrative controls that will ensure
that isolation device misalignment is an unlikely possibility.
Condition A has been modified by a Note indicating that this Condition
is only applicable to those penetration flow paths with two containment
isolation valves. For penetration flow paths with only one containment
isolation valve and a closed system, Condition C provides the
appropriate actions.
(continued)
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-7 Revision 0 BASES ACTIONS A.1 and A.2 (continued)
Required Action A.2 is modified by a Note that applies to isolation
devices located in high radiation areas and allows these devices to be
verified closed by use of administrative means. Allowing verification by
administrative means is considered acceptable, since access to these
areas is typically restricted. Therefore, the probability of misalignment
of these devices, once they have been verified to be in the proper
position, is small.
B.1 With two containment isolation valves in one or more penetration flow
paths inoperable, the affected penetration flow path must be isolated
within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The method of isolation must include the use of at least
one isolation barrier that cannot be adversely affected by a single
active failure. Isolation barriers that meet this criterion are a closed
and de-activated automatic valve, a closed manual valve, and a blind
flange. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is consistent with the ACTIONS of
LCO 3.6.1. In the event the affected penetration is isolated in
accordance with Required Action B.1, the affected penetration must be
verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to
assure leak tightness of containment and that penetrations requiring
isolation following an accident are isolated. The Completion Time of
once per 31 days for verifying each affected penetration flow path is
isolated is appropriate considering the fact that the valves are operated
under administrative control and the probability of their misalignment is
low.
Condition B is modified by a Note indicating this Condition is only
applicable to penetration flow paths with two containment isolation
valves. Condition A of this LCO addresses the condition of one
containment isolation valve inoperable in this type of penetration flow
path.
C.1 and C.2
With one or more penetration flow paths with one containment isolation
valve inoperable, the inoperable valve flow path must be restored to
OPERABLE status or the affected penetration flow path must be
isolated. The method of isolation must include the use of at least one
isolation barrier that cannot be adversely affected by a
(continued)
Containment Isolation Valves B 3.6.3 Farley Units 1 and 2 B 3.6.3-8 Revision 19 BASES ACTIONS C.1 and C.2 (continued)
single active failure. Isolation barriers that meet this criterion are a
closed and de-activated automatic valve, a closed manual valve, and a
blind flange. A check valve may not be used to isolate the affected
penetration flow path. Required Action C.1 must be completed within
the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time. The specified time period is reasonable
considering the relative stability of the closed system (hence, reliability)
to act as a penetration isolation boundary and the relative importance
of maintaining containment integrity during MODES 1, 2, 3, and 4. In
the event the affected penetration flow path is isolated in accordance
with Required Action C.1, the affected penetration flow path must be
verified to be isolated on a periodic basis. This periodic verification is
necessary to assure leak tightness of containment and that
containment penetrations requiring isolation following an accident are
isolated. The Completion Time of once per 31 days for verifying that
each affected penetration flow path is isolated is appropriate because
the valves are operated under administrative controls and the
probability of their misalignment is low.
Condition C is modified by a Note indicating that this Condition is only
applicable to those penetration flow paths with only one containment
isolation valve and a closed system.
The closed system must meet the requirements of Ref. 5. This Note is necessary since this Condition is
written to specifically address those penetration flow paths in a closed
system. FSAR Table 6.2-31 identifies the following containment
isolation valves as being in a Type III penetration (closed
system) and having only one containment isolation valve:
Q1/2 B13V026B (Pressurizer pressure generator).
Required Action C.2 is modified by a Note that applies to valves and
blind flanges located in high radiation areas and allows these devices
to be verified closed by use of administrative means. Allowing
verification by administrative means is considered acceptable, since
access to these areas is typically restricted. Therefore, the probability
of misalignment of these valves, once they have been verified to be in
the proper position, is small.
(continued)
Containment Isolation Valves B 3.6.3 (continued)
Farley Units 1 and 2 B 3.6.3-9 Revision 52 BASES ACTIONS D.1, D.2, and D.3 (continued)
In the event one or more penetration flow paths containing containment purge valves, have penetration leakage such that the sum
of the leakage for all Type B and C tests is not within limits, purge
valve penetration leakage must be restored such that the overall Type
B and C testing limit is not exceeded, or the affected penetration flow
path must be isolated. The method of isolation must be by the use of
at least one isolation barrier that cannot be adversely affected by a
single active failure. Isolation barriers that meet this criterion are a
closed and de-activated automatic valve, closed manual valve, or blind
flange. A purge valve with resilient seals utilized to satisfy Required
Action D.1 must have been demonstrated to support the penetration
meeting the leakage requirements of SR 3.6.3.5. The specified
Completion Time is reasonable, considering that one containment
purge valve remains closed so that a gross breach of containment
does not exist.
In accordance with Required Action D.2, this penetration flow path must be verified to be isolated on a periodic basis. The periodic
verification is necessary to ensure that containment penetrations
required to be isolated following an accident, which are no longer
capable of being automatically isolated, will be in the isolation position
should an event occur. This Required Action does not require any
testing or valve manipulation. Rather, it involves verification, through a
system walkdown, that those isolation devices outside containment
capable of being mispositioned are in the correct position. For the
isolation devices inside containment, the time period specified as "prior
to entering MODE 4 from MODE 5 if not performed within the previous
92 days" is based on engineering judgment and is considered
reasonable in view of the inaccessibility of the isolation devices and
other administrative controls that will ensure that isolation device
misalignment is an unlikely possibility.
For the containment penetration containing a containment purge valve with resilient seal that is isolated in accordance with Required
Action D.1, SR 3.6.3.5 must be performed at least once every 92 days.
This assures that degradation of the resilient seal is detected and
confirms that the leakage rate of the containment purge valve
penetration does not increase during the time the penetration is
isolated. Since more reliance is placed on a single valve while in
Containment Isolation Valves B 3.6.3 (continued)
Farley Units 1 and 2 B 3.6.3-10 Revision 52 BASES ACTIONS D.1, D .2, and D.3 (continued)
this Condition, it is prudent to perform the SR more often. Therefore, a Frequency of once per 92 days was chosen and has been shown to be
acceptable based on operating experience.
E.1 and E.2
If the Required Actions and associated Completion Times of Condition A, B, C, or D are not met, the plant must be brought to a MODE in
which the LCO does not apply. To achieve this status, the plant must
be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within
36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on
operating experience, to reach the required plant conditions from full
power conditions in an orderly manner and without challenging plant systems.
F.1 In the event one or more penetration flow paths containing containment purge valves have penetration leakage which exceeds the
individual purge valve penetration leakage limit, purge valve
penetration leakage must be reduced to within the limit prior to the next
time that the unit transitions from MODE 5 to MODE 4. Provided that
the penetration flow path leakage does not cause the total leakage
from all Type B and C tests to exceed the limits, no additional action is
required (i.e., isolation or unit shutdown). If the leakage is sufficient to
cause the total leakage from all Type B and C tests to exceed the
limits, Condition D also applies.
SURVEILLANCE SR 3.6.3.1 REQUIREMENTS
Each 48-inch containment purge valve (CBV-HV-3198A, 3198D, 3196, 3197) is required to be verified sealed closed. This Surveillance is designed to ensure that a gross breach of containment is not caused
by an inadvertent or spurious opening of a containment purge valve.
Detailed analysis of the purge valves failed to conclusively
demonstrate their ability to close during a LOCA in time to limit offsite
doses. Therefore, these valves are required to be in the sealed closed
position during MODES 1, 2, 3, and 4. A containment purge valve that
is sealed closed must have motive power to the valve operator
removed. This can be accomplished by de-energizing the source of
Containment Isolation Valves B 3.6.3 (continued)
Farley Units 1 and 2 B 3.6.3-11 Revision 52 BASES SURVEILLANCE SR 3.6.3.1 (continued)
REQUIREMENTS electric power or by removing the air supply to the valve operator. In
this application, the term "sealed" has no connotation of leak tightness.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR requires verification that each containment isolation manual valve and blind flange located outside containment and not locked, sealed, or otherwise secured and required to be closed during accident
conditions is closed. The SR helps to ensure that post accident
leakage of radioactive fluids or gases outside of the containment
boundary is within design limits. This SR does not require any testing
or valve manipulation. Rather, it involves verification, through a system
walkdown, that those containment isolation valves outside containment
and capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR specifies that containment isolation valves that are open under administrative controls are not required to meet
the SR during the time the valves are open. This includes RHR-MOV-
8701A and RHR-MOV-8702A which may be opened and power
removed under administrative controls when the plant is in MODE 4 (for ensuring over-pressure protection system operability). This SR
does not apply to valves that are locked, sealed, or otherwise secured
in the closed position, since these were verified to be in the correct
position upon locking, sealing, or securing.
The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of
administrative means. Allowing verifi cation by administrative means is considered acceptable, since access to these areas is typically
restricted during MODES 1, 2, 3 and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in the proper position, is small.
Containment Isolation Valves B 3.6.3 (continued)
Farley Units 1 and 2 B 3.6.3-13 Revision 59 BASES SURVEILLANCE SR 3.6.3.5 REQUIREMENTS (continued) For containment purge valves with resilient seals, additional leakage rate testing beyond the test requirements of 10 CFR 50, Appendix J, Option B, is required to ensure OPERABILITY. The containment
purge and exhaust penetration leakage limit is based on not exceeding
the total combined leakage rate limit for all Type B and C testing
specified in 5.5.17, Containment Leakage Rate Testing Program.
Operating experience has demonstrated that this type of seal has the
potential to degrade in a shorter time period than do other seal types.
The Surveillance Frequency is controlled under the Surveillance
Frequency Control Program.
Additionally, this SR must be performed within 92 days after opening the valve. The 92 day Frequency was chosen recognizing that cycling
the valve could introduce additional seal degradation (beyond that
occurring to a valve that has not been opened). Thus, decreasing the
interval (from 184 days) is a prudent measure after a valve has been
opened.
Automatic containment isolation valves close on a containment isolation signal to prevent leakage of radioactive material from
containment following a DBA. This SR ensures that each automatic
containment isolation valve will actuate to its isolation position on a
containment isolation signal (Phase A or Phase B). This surveillance
is not required for valves that are locked, sealed, or otherwise secured
in the required position under administrative controls. The Surveillance
Frequency is controlled under the Surveillance Frequency Control
Program.
Containment Isolation Valves B 3.6.3
Farley Units 1 and 2 B 3.6.3-14 Revision 52 BASES REFERENCES 1. FSAR, Section 15.
- 2. FSAR, Section 6.2.
- 3. Not used.
- 4. Not used.
- 5. Standard Review Plan 6.2.4.
Containment Pressure B 3.6.4 Farley Units 1 and 2 B 3.6.4-2 Revision 0
BASES APPLICABLE For certain aspects of transient accident analyses, maximizing the SAFETY ANALYSES calculated containment pressure is not conservative. In particular, the (continued) cooling effectiveness of the Emergency Core Cooling System during the core reflood phase of a LOCA analysis increases with increasing
containment backpressure. Therefore, for the reflood phase, the
containment backpressure is calculated in a manner designed to
conservatively minimize, rather than maximize, the containment
pressure response in accordance with 10 CFR 50, Appendix K (Ref. 2).
Containment pressure satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO Maintaining containment pressure at less than or equal to the LCO upper pressure limit ensures that, in the event of a DBA, the resultant
peak containment accident pressure will remain below the
containment design pressure. Maintaining containment pressure at
greater than or equal to the LCO lower pressure limit ensures that the
containment will not exceed the design negative differential pressure
due to tornado induced atmospheric depressurization.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. Since maintaining containment pressure
within limits is essential to ensure initial conditions assumed in the
accident analyses are maintained, the LCO is applicable in MODES 1, 2, 3, and 4.
In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these
MODES. Therefore, maintaining containment pressure within the
limits of the LCO is not required in MODE 5 or 6.
Containment Pressure B 3.6.4 Farley Units 1 and 2 B 3.6.4-3 Revision 52 BASES ACTIONS A.1
When containment pressure is not within the limits of the LCO, it must be restored to within these limits within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The Required Action
is necessary to return operation to within the bounds of the
containment analysis. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is consistent with
the ACTIONS of LCO 3.6.1, "Containment," which requires that
containment be restored to OPERABLE status within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
B.1 and B.2
If containment pressure cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in
which the LCO does not apply. To achieve this status, the plant must
be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 5 within
36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on
operating experience, to reach the required plant conditions from full
power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE SR 3.6.4.1 REQUIREMENTS
Verifying that containment pressure is within limits ensures that unit operation remains within the limits assumed in the containment
analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. FSAR, Section 6.2.
Containment Air Temperature B 3.6.5 Farley Units 1 and 2 B 3.6.5-1 Revision 0
B 3.6 CONTAINMENT SYSTEMS
B 3.6.5 Containment Air Temperature
BASES BACKGROUND The containment structure serves to contain radioactive material that may be released from the reactor core following a Design Basis
Accident (DBA). The containment average air temperature is limited
during normal operation to preserve the initial conditions assumed in
the accident analyses for a loss of coolant accident (LOCA) or steam
line break (SLB).
The containment average air temper ature limit is derived from the input conditions used in the containment functional analyses and the
containment structure external pressure analyses. This LCO ensures
that initial conditions assumed in the analysis of containment
response to a DBA are not violated during unit operations. The total
amount of energy to be removed from containment by the
Containment Spray and Cooling systems during post accident
conditions is dependent upon the energy released to the containment
due to the event, as well as the initial containment temperature and
pressure. The higher the initial temperature, the more energy that
must be removed, resulting in higher peak containment pressure and
temperature. Exceeding containment design pressure may result in
leakage greater than that assumed in the accident analysis.
Operation with containment temperature in excess of the LCO limit
violates an initial condition assumed in the accident analysis.
APPLICABLE Containment average air temperature is an initial condition used in SAFETY ANALYSES the DBA analyses that establishes the containment environmental qualification operating envelope for both pressure and temperature.
The limit for containment average air temperature ensures that
operation is maintained within the assumptions used in the DBA
analyses for containment (Ref. 1).
The limiting DBAs considered relative to containment OPERABILITY are the LOCA and SLB. The DBA LOCA and SLB are analyzed using
computer codes designed to predict the resultant containment
(continued)
Containment Air Temperature B 3.6.5 Farley Units 1 and 2 B 3.6.5-2 Revision 5
BASES APPLICABLE pressure transients. No two DBAs are assumed to occur SAFETY ANALYSES simultaneously or consecutively. The postulated DBAs are analyzed (continued) with regard to Engineered Safety Feature (ESF) systems, assuming the loss of one ESF bus, which is the worst case single active failure, resulting in one train each of the Containment Spray System, Residual Heat Removal System, and Containment Cooling System being rendered inoperable.
The limiting DBA for the maximum peak containment air temperature
is a SLB. The initial containment average air temperature assumed in the design basis analyses (Ref. 1) is 127°F. This resulted in a
maximum containment air temperature of 367 F. The design air temperature is 378°F.
The temperature limit is used to establish the environmental qualification operating envelope for containment. The basis of the containment design air temperature is to ensure the performance of safety-related equipment inside containment (Ref. 2). Thermal
analyses show that the containment air temperature remains below the equipment design temperature. Therefore, it is concluded
that the calculated transient containment air temperature is
acceptable for the DBA SLB.
The temperature limit is also used in the depressurization analyses to ensure that the minimum pressure limit is maintained following an
inadvertent actuation of the Containment Spray System.
The containment pressure transient is sensitive to the initial air mass
in containment and, therefore, to the initial containment air temperature.
The limiting DBA for establishing the maximum peak containment
internal pressure is a SLB. The temperature limit is used in this
analysis to ensure that in the event of an accident the maximum
containment internal pressure will not be exceeded.
Containment average air temperature satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
Containment Air Temperature B 3.6.5 Farley Units 1 and 2 B 3.6.5-3 Revision 5 BASES LCO During a DBA, with an initial containment average air temperature less than or equal to the LCO temperature limit, the resultant
containment structure peak accident temperature is maintained below
the containment design temperature. As a result, the ability of
containment to perform its design function is ensured.
APPLICABILITY In MODES 1, 2, 3, and 4, a DBA could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and
consequences of these events are reduced due to the pressure and
temperature limitations of these MODES. Therefore, maintaining
containment average air temperature within the limit is not required in
MODE 5 or 6.
ACTIONS A.1
When containment average air temperature is not within the limit of the LCO, it must be restored to within limit within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. This
Required Action is necessary to return operation to within the bounds
of the containment analysis. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> Completion Time is
acceptable considering the sensitivity of the analysis to variations in
this parameter and provides sufficient time to correct minor problems.
B.1 and B.2
If the containment average air temperature cannot be restored to within its limit within the required Completion Time, the plant must be
brought to a MODE in which the LCO does not apply. To achieve this
status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
and to MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are
reasonable, based on operating experience, to reach the required
plant conditions from full power conditions in an orderly manner and
without challenging plant systems.
Containment Air Temperature B 3.6.5 Farley Units 1 and 2 B 3.6.5-4 Revision 52 BASES SURVEILLANCE SR 3.6.5.1 REQUIREMENTS
Verifying that containment average air temperature is within the LCO limit ensures that containment operation remains within the limit
assumed for the containment analyses. In order to determine the
containment average air temperat ure, an arithmetic average is calculated using measurements taken at four of the following sensor
locations with at least two being containment air cooler intake
sensors:
Instrument Number Sensor Location
TE3187 E, F, G, & H Containment Air Cooler Intake TE3188 H & I Lower Compartment TE3188 J Reactor (lower)
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. FSAR, Section 6.2.
- 2. 10 CFR 50.49.
Containment Spray and Cooling Systems B 3.6.6 Farley Units 1 and 2 B 3.6.6-1 Revision 0
B 3.6 CONTAINMENT SYSTEMS
B 3.6.6 Containment Spray and Cooling Systems
BASES BACKGROUND The Containment Spray and Cont ainment Cooling systems provide containment atmosphere cooling to limit post accident pressure and
temperature in containment to less than the design values. Reduction
of containment pressure and the iodine removal capability of the spray
reduces the release of fission product radioactivity from containment
to the environment, in the event of a Design Basis Accident (DBA), to
within limits. The Containment Spray and Containment Cooling
systems are designed to meet the requirements of 10 CFR 50, Appendix A, GDC 38, "Containment Heat Removal," GDC 39, "Inspection of Containment Heat Removal Systems," GDC 40, "Testing of Containment Heat Removal Systems," GDC 41, "Containment Atmosphere Cleanup," GDC 42, "Inspection of
Containment Atmosphere Cleanup Systems," and GDC 43, "Testing
of Containment Atmosphere Cleanup Systems" (Ref. 1).
The Containment Cooling System and Containment Spray System are
Engineered Safety Feature (ESF) systems. They are designed to
ensure that the heat removal capability required during the post
accident period can be attained. The Containment Spray System and
the Containment Cooling System provide redundant cooling methods
to limit and maintain post accident conditions to less than the
containment design values.
Containment Spray System
The Containment Spray System consists of two separate trains of
equal capacity, each capable of meeting the design bases. Each train
includes a containment spray pump, spray headers, nozzles, valves, and piping. Each train is powered from a separate ESF bus. The
refueling water storage tank (RWST) supplies borated water to the
Containment Spray System during the injection phase of operation. In
the recirculation mode of operation, containment spray pump suction
is transferred from the RWST to the containment sump(s).
The Containment Spray System provides a spray of cold borated
water into the upper regions of containment to reduce the containment
pressure and temperature and to reduce fission products
(continued)
Containment Spray and Cooling Systems B 3.6.6 Farley Units 1 and 2 B 3.6.6-2 Revision 0 BASES BACKGROUND Containment Spray System (continued)
from the containment atmosphere during a DBA. The RWST solution
temperature is an important factor in determining the heat removal
capability of the Containment Spray System during the injection
phase. In the recirculation mode of operation, heat is removed from
the containment sump water by the residual heat removal heat
exchangers. Each train of the Containment Spray System provides
adequate spray coverage to meet the system design requirements for
containment heat removal.
The Containment Spray System is ac tuated either automatically by a containment High-3 pressure signal or manually. An automatic
actuation opens the containment spray pump discharge valves, starts
the two containment spray pumps, and begins the injection phase. A
manual actuation of the Containment Spray System requires the
operator to actuate two separate switches on the main control board
to begin the same sequence. The injection phase continues until an
RWST level Low-Low alarm is received. The Low-Low level alarm for
the RWST signals the operator to manually align the system to the
recirculation mode. The Containment Spray System in the
recirculation mode maintains an equilibrium temperature between the
containment atmosphere and the recirculated sump water. Operation
of the Containment Spray System in the recirculation mode is
controlled by the operator in accordance with the emergency
operating procedures.
Containment Cooling System
Two trains of containment cooling, each of sufficient capacity to
supply 100% of the design cooling requirement, are provided. Each
train consists of two fan units supplied with cooling water from a
separate train of service water (SW). However, under post-accident
conditions, a single fan unit with at least 600 gpm SW flow provides
sufficient cooling capacity to meet post accident heat removal
requirements. Air is drawn into the coolers through the fan and
discharged to the steam generator compartments, pressurizer
compartment, and outside the secondary shield in the lower areas of
containment.
During normal operation, up to four fan units are operating. The fans
are normally operated at high speed with SW supplied to the cooling
coils. The Containment Cooling System is designed to limit the
(continued)
Containment Spray and Cooling Systems B 3.6.6 Farley Units 1 and 2 B 3.6.6-3 Revision 5 BASES BACKGROUND Containment Cooling System (continued)
ambient containment air temperature during normal unit operation to
less than the limit specified in LCO 3.6.5, "Containment Air
Temperature." This temperature limitation ensures that the
containment temperature does not exceed the initial temperature
conditions assumed for the DBAs.
In post accident operation following an actuation signal, unless an
LOSP signal is present, the Containment Cooling System fans are
designed to start automatically in slow speed if not already running. If
an LOSP signal is present, only the two fans selected (one per train)
will receive an auto-start signal and will start in slow speed. If running
in high (normal) speed, the fans automatically shift to slow speed.
The fans are operated at the lower speed during accident conditions
to prevent motor overload from the higher mass atmosphere. In
addition, if temperature at the cooler discharge reaches 135°F, fusible
links holding dropout plates will open and the fan discharge will no
longer be directed through the common discharge header. This
function helps to protect the fans in a post-accident environment by
reducing the back pressure on the fans. The temperature of the SW
is an important factor in the heat removal capability of the fan units.
APPLICABLE The Containment Spray System and Containment Cooling System SAFETY ANALYSES limit the temperature and pressure that could be experienced following a DBA. The limiting DBAs considered are the loss of coolant
accident (LOCA) and the steam line break (SLB). The LOCA and
SLB are analyzed using computer codes designed to predict the
resultant containment pressure and temperature transients. No DBAs
are assumed to occur simultaneously or consecutively. The
postulated DBAs are analyzed with regard to containment ESF
systems, assuming the loss of one ESF bus, which is the worst case
single active failure and results in one train of the Containment Spray
System and Containment Cooling System being rendered inoperable.
The analysis and evaluation show that under the worst case scenario,
the highest peak containment pressure is 52.0 psig (experienced during a SLB). The analysis shows that the peak containment temperature is 367 F (experienced during a SLB). Both results meet the intent of the design basis. (See the Bases for LCO 3.6.4, "Containment Pressure," and LCO 3.6.5, "Containment Air Temperature," for a detailed discussion.)
(continued)
Containment Spray and Cooling Systems B 3.6.6 Farley Units 1 and 2 B 3.6.6-4 Revision 8 BASES APPLICABLE The analyses and evaluations assume a unit specific power level of SAFETY ANALYSES 102%, one containment spray train and one containment cooling (continued) fan operating, and initial (pre-accident) containment conditions of 127°F and -1.5 to +3.0 psig. The analyses also assume a response time delayed initiation to provide conservative peak calculated
containment pressure and temperature responses.
For certain aspects of transient accident analyses, maximizing the
calculated containment pressure is not conservative. In particular, the
effectiveness of the Emergency Core Cooling System during the core
reflood phase of a LOCA analysis increases with increasing
containment backpressure. For these calculations, the containment
backpressure is calculated in a manner designed to conservatively
minimize, rather than maximize, the calculated transient containment
pressures in accordance with 10 CFR 50, Appendix K (Ref. 2).
The effect of an inadvertent containment spray actuation has been
analyzed. An inadvertent spray actuation results in a -2.9 psig
containment pressure and is associated with the sudden cooling
effect in the interior of the leak tight containment. Additional
discussion is provided in the Bases for LCO 3.6.4.
The modeled Containment Spray System actuation from the
containment analysis is based on a response time associated with
exceeding the containment High-3 pressure safety analysis limit to achieving full flow through the containment spray nozzles. The
Containment Spray System total response time is a function of the LOCA (or MSLB) break size and depends on the timing of the containment High-1 (safety injection) and High-3 (containment spray) pressure signals with respect to diesel start and LOSP block loading.
For large break LOCAs which pressurize containment rapidly, the High-3 signal is processed prior to ESS loading step 2, so the delay time includes diesel generator start, ESS loading, containment spray pump startup, and spray discharge valve stroke. However, MSLBs and smaller LOCAs result in slower containment pressurization and, therefore, may delay High-1 and/or High-3 signal generation. If High-3 is delayed beyond ESS loading step 2, the spray pumps will not be energized until after loading step 6. These delays are reflected in the response time testing criteria (Ref. 4). The delay for spray line fill is conservatively accounted for in the containment analysis.
(continued)
HMS B 3.6.8 Farley Units 1 and 2 B 3.6.8-4 Revision 33 BASES ACTIONS B.1 and B.2 (continued)
With two HMS trains inoperable, the ability to perform the hydrogen control function via alternate capabilities must be verified by administrative means within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The alternate hydrogen control capability is provided by the containment Post Accident Hydrogen Purge System. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time allows a reasonable period of time to verify that a loss of hydrogen control function does not exist. Both the initial verification and all subsequent verifications may be performed as an administrative check, by examining logs or other information to determine the availability of the alternate hydrogen control system. It does not mean to perform the Surveillances needed to demonstrate OPERABILITY of the alternate hydrogen control system. If the ability to perform the hydrogen control function is maintained, continued operation is permitted with two HMS trains inoperable for up to 7 days. Seven days is a reasonable time to allow two HMS trains to be inoperable because the hydrogen control function is maintained and because of the low probability of the occurrence of a LOCA that would generate hydrogen in the amounts capable of exceeding the flammability limit.
C.1 If an inoperable HMS train cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
HMS B 3.6.8 Farley Units 1 and 2 B 3.6.8-5 Revision 52
BASES SURVEILLANCE SR 3.6.8.1 REQUIREMENTS Operating each HMS train for 15 minutes ensures that each train is OPERABLE and that all associated controls (including starting from
the control room) are functioning properly. It also ensures that
blockage, fan and/or motor failure, or excessive vibration can be
detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Verifying that each HMS fan speed is 1320 rpm ensures that each train is capable of maintaining localized hydrogen concentrations below
the flammability limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This SR ensures that each HMS train responds properly to a Safety Injection actuation signal. The Surveillance verifies that each fan starts
from the nonoperating condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. Deleted
- 2. Deleted
- 3. Regulatory Guide 1.7, Revision 1.
- 4. WCAP 7901, Revision 1.
Reactor Cavity Hydrogen Dilution System B 3.6.9 Farley Units 1 and 2 B 3.6.9-3 Revision 33 BASES APPLICABILITY In MODE 3 or 4, both the hydrogen production rate and the total (continued) hydrogen produced after a LOCA would be less than that calculated for the DBA LOCA. Also, because of the limited time in these MODES, the probability of an accident requiring the RCHDS is low. Therefore, the RCHDS is not required in MODE 3 or 4.
In MODE 5 or 6, the probability and consequences of a LOCA or steam line break (SLB) are reduced due to the pressure and temperature limitations in these MODES. Therefore, the RCHDS is not required in these MODES.
ACTIONS A.1
With one RCHDS train inoperable, the inoperable train must be restored to OPERABLE status within 30 days. In this Condition, the remaining OPERABLE RCHDS train is adequate to perform the hydrogen mixing function. However, the overall reliability is reduced because a single failure in the OPERABLE train could result in reduced hydrogen mixing capability. The 30 day Completion Time is based on the availability of the other RCHDS train, the small probability of a LOCA or SLB occurring (that would generate an amount of hydrogen that exceeds the flammability limit), the amount of time available after a LOCA or SLB (should one occur) for operator action to prevent hydrogen accumulation from exceeding the flammability limit, and the availability of the Containment Spray System and the Post Accident Venting System.
B.1 If an inoperable RCHDS train cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a
(continued)
Reactor Cavity Hydrogen Dilution System B 3.6.9 Farley Units 1 and 2 B 3.6.9-4 Revision 59 BASES ACTIONS B.1 (continued)
MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.
SURVEILLANCE SR 3.6.9.1 REQUIREMENTS Operating each RCHDS train for 15 minutes ensures that each train is OPERABLE and that all associated controls are functioning properly and that each fan may be started by operator action from the control room. It also ensures that blockage, fan and/or motor failure, or excessive vibration can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Any change in the components being tested by this SR will require reevaluation of STI Evaluation Number 558904 in accordance with the Surveillance Frequency Control Program.
SR 3.6.9.2 This SR ensures that each RCHDS train responds properly to a Safety Injection signal. The Surveillance verifies that each fan starts from the non-operating condition. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. Deleted
- 2. Deleted
- 3. Regulatory Guide 1.7, Revision 0.
MSSVs B 3.7.1 Farley Units 1 and 2 B 3.7.1-1 Revision 0 B 3.7 PLANT SYSTEMS
B 3.7.1 Main Steam Safety Valves (MSSVs)
BASES The primary purpose of the MSSVs is to provide overpressure
protection for the secondary system. The MSSVs also provide
protection against overpressurizing the reactor coolant pressure
boundary (RCPB) by providing a heat sink for the removal of energy
from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not
available.
Five MSSVs are located on each main steam header, outside containment, upstream of the main steam isolation valves, as described
in the FSAR, Section 10.3.7 (Ref. 1). The MSSVs must have sufficient
capacity to limit the secondary system pressure to 110% of the steam generator design pressure in order to meet the requirements of the
ASME Code, Section III (Ref. 2). The MSSV design includes staggered
setpoints, according to Table 3.7.1-2 in the accompanying LCO, so that
only the needed valves will actuate. Staggered setpoints reduce the
potential for valve chattering that is due to steam pressure insufficient to
fully open all valves following a turbine reactor trip. In addition, each
MSSV has a 16 sq. in. orifice to limit steam flow.
APPLICABLE The design basis for the MSSVs comes from Reference 2 and its SAFETY ANALYSES purpose is to limit the secondary system pressure to 110% of design pressure for any anticipated operational occurrence (AOO) or accident
considered in the Design Basis Accident (DBA) and transient analysis.
The events that challenge the relieving capacity of the MSSVs, and
thus RCS pressure, are those characterized as decreased heat
removal events, which are presented in the FSAR, Section 15.2 (Ref. 3). Of these, the full power turbine trip without steam dump is
typically the limiting AOO. This event also terminates normal
feedwater flow to the steam generators.
The safety analysis demonstrates that the transient response for
turbine trip occurring from full power without a direct reactor trip
presents no hazard to the integrity of the RCS or the Main Steam
System.
(continued)
MSSVs B 3.7.1 Farley Units 1 and 2 B 3.7.1-2 Revision 0 BASES APPLICABLE One turbine trip analysis is performed assuming primary system SAFETY ANALYSES pressure control via operation of the pressurizer relief valves and (continued) spray. This analysis demonstrates that the DNB design basis is met.
Another analysis is performed assuming no primary system pressure
control, but crediting reactor trip on high pressurizer pressure and
operation of the pressurizer safety valves. This analysis
demonstrates that RCS integrity is maintained by showing that the
maximum RCS pressure does not exceed 110% of the design
pressure. All cases analyzed demonstrate that the MSSVs maintain
Main Steam System integrity by limiting the maximum steam pressure
to less than 110% of the steam generator design pressure.
In addition to the decreased heat removal events, reactivity insertion events may also challenge the relieving capacity of the MSSVs. The
uncontrolled rod cluster control assembly (RCCA) bank withdrawal at
power event is characterized by an increase in core power and steam
generation rate until reactor trip occurs when either the
Overtemperature T or Power Range Neutron Flux-High setpoint is reached. Steam flow to the turbine will not increase from its initial value
for this event. The increased heat transfer to the secondary side
causes an increase in steam pressure and may result in opening of the
MSSVs prior to reactor trip, assuming no credit for operation of the
atmospheric or condenser steam dump valves. The FSAR Section
15.2.2 safety analysis of the RCCA bank withdrawal at power event for
a range of initial core power levels demonstrates that the MSSVs are
capable of preventing secondary side overpressurization for this AOO.
The FSAR safety analyses discussed above assume that all of the
MSSVs for each steam generator are OPERABLE. If there are
inoperable MSSV(s), it is necessary to limit the primary system power during steady state operation and AOOs to a value that does not result
in exceeding the combined steam flow capacity of the turbine (if
available) and the remaining OPERABLE MSSVs. The required
limitation on primary system power necessary to prevent secondary system overpressurization may be determined by system transient analyses or conservatively arrived at by simple heat balance
calculation. In some circumstances it is necessary to limit the primary
side heat generation that can be achieved during an AOO by reducing
the setpoint of the Power Range Neutron Flux-High reactor trip function.
For example, if more than one MSSV on a single SG is inoperable, an
uncontrolled RCCA bank withdrawal at power event occurring from a
partial power level may result in an increase in reactor power that
exceeds the combined steam flow capacity of the turbine and the
remaining OPERABLE MSSVs. Thus, for multiple inoperable (continued)
MSSVs B 3.7.1 Farley Units 1 and 2 B 3.7.1-4 Revision 0 BASES LCO This LCO provides assurance that the MSSVs will perform their (continued) designed safety functions to mitigate the consequences of accidents that could result in a challenge to the RCPB or Main Steam System
integrity.
APPLICABILITY In MODES 1, 2, and 3, five MSSVs per steam generator are required to be OPERABLE to prevent Main St eam System overpressurization.
In MODES 4 and 5, there are no credible transients requiring the
MSSVs. The steam generators are not normally used for heat
removal in MODES 5 and 6, and thus cannot be overpressurized;
there is no requirement for the MSSVs to be OPERABLE in these
MODES.
ACTIONS The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each MSSV.
With one or more MSSVs inoperable, action must be taken so that the available MSSV relieving capacity meets Reference 2 requirements.
Operation with less than all five MSSVs OPERABLE for each steam generator is permissible, if THERMAL POWER is limited to the relief
capacity of the remaining MSSVs. This is accomplished by restricting
THERMAL POWER so that the energy transfer to the most limiting
steam generator is not greater than the available relief capacity in that
A.1 In the case of only a single inoperable MSSV on one or more steam
generators, when the Moderator Temperature Coefficient is not
positive, a reactor power reduction alone is sufficient to limit primary
side heat generation such that overpressurization of the secondary
side is precluded for any RCS heatup event. Furthermore, for this
case there is sufficient total steam flow capacity provided by the
(continued)
MSSVs B 3.7.1 Farley Units 1 and 2 B 3.7.1-5 Revision 0 BASES ACTIONS A.1 (continued)
turbine and the remaining OPERABLE MSSVs to preclude
overpressurization in the event of an increased reactor power due to
reactivity insertion, such as in the event of an uncontrolled RCCA
bank withdrawal at power. Therefore, Required Action A.1 requires
an appropriate reduction in power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
The maximum THERMAL POWER corresponding to the heat removal
capacity of the remaining OPERABLE MSSVs is determined via a
conservative heat balance calculation as described in the attachment
to Reference 6, with an appropriate allowance for calorimetric power
uncertainty.
B.1 and B.2 In the case of multiple inoperable MSSVs on one or more steam
generators, with a reactor power reduction alone there may be
insufficient total steam flow capacity provided by the turbine and the
remaining OPERABLE MSSVs to preclude overpressurization in the
event of an increased reactor power due to reactivity insertion, such
as in the event of an uncontrolled RCCA bank withdrawal at power.
Furthermore, for a single inoperable MSSV on one or more steam
generators when the Moderator Temperature Coefficient is positive
the reactor power may increase as a result of an RCS heatup event
such that the flow capacity of the remaining OPERABLE MSSVs is
insufficient. Therefore, in addition to reducing THERMAL POWER
within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> as required by Required Action B.1, the Power Range
Neutron Flux-High trip setpoint must be reduced to less than or equal
to the applicable value corresponding to the number of OPERABLE
MSSVs specified in Table 3.7.1-1 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> as required by
Required Action B.2 (applicable in MODE 1 only). The safety analysis
of the loss of load/turbine trip event analyzed from part power
conditions to specifically support the requirements of Table 3.7.1-1, explicitly credits the Power Range Neutron Flux-High trip function to
ensure that the peak power does not exceed an acceptable level.
With two or more MSSVs inoperable on one or more steam
generators, the reduced Power Range Neutron Flux-High trip
setpoints will also limit the peak power to an acceptable level for an
RCCA withdrawal at power transient occurring from similar conditions.
The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time for Required Action B.1 is consistent
with A.1. An additional 32 hours3.703704e-4 days <br />0.00889 hours <br />5.291005e-5 weeks <br />1.2176e-5 months <br /> is allowed in Required Action B.2 to
reduce the setpoints. The Completion Time of 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> is based on a (continued)
MSIVs B 3.7.2 Farley Units 1 and 2 B 3.7.2-1 Revision 0 B 3.7 PLANT SYSTEMS
B 3.7.2 Main Steam Isolation Valves (MSIVs)
BASES BACKGROUND The MSIVs isolate steam flow from the secondary side of the steam generators following a high energy line break (HELB). MSIV closure
terminates flow from the unaffected (intact) steam generators.
Two MSIVs are located in each main steam line outside containment.
The MSIVs are downstream from the main steam safety valves (MSSVs) and auxiliary feedwater (AFW) pump turbine steam supply, to prevent MSSV and AFW isolation from the steam generators by
MSIV closure. Closing the MSIVs isolates each steam generator from
the others, and isolates the turbine, Steam Dump System, and other
auxiliary steam supplies fr om the steam generators.
The MSIVs close on a main steam isolation signal generated by either
high steam line flow coincident with low-low Tavg , low steam line pressure or high-high containment pressure.
Each MSIV is provided with a normally open, three-way solenoid
valve which, when deenergized, provides instrument air to the
actuator cylinder. As the solenoid valves are normally deenergized, loss of dc power will not cause the MSIV to close. An air reservoir is
also provided for each MSIV, to allow it to remain open upon loss of
instrument air. Each solenoid valve receives a separate signal from
the ESF actuation system and has a separate 125 V dc power supply.
When the solenoid valve is energized, it vents the air reservoir and
actuator cylinder to the atmosphere and closes the MSIV.
Each set of MSIVs has two series of MSIV bypass valves. Although
these bypass valves are normally closed, they receive the same
emergency closure signal as do their associated MSIVs. The MSIVs
may also be actuated manually.
A description of the MSIVs is found in the FSAR, Section 10.3 (Ref. 1).
APPLICABLE The design basis of the MSIVs is established by the containment SAFETY ANALYSES analysis for the large steam line break (SLB) inside containment,
(continued)
MSIVs B 3.7.2 Farley Units 1 and 2 B 3.7.2-2 Revision 0 BASES APPLICABLE discussed in the FSAR, Section 6.2 (Ref. 2). It is also affected by the SAFETY ANALYSES accident analysis of the secondary system pipe rupture events (continued) presented in the FSAR, Section 15.4.2 (Ref. 3). The design precludes the blowdown of more than one steam generator, assuming a single
active component failure (e.g., the failure of one MSIV to close on
demand). Since two MSIVs are available, the failure of a single MSIV
is not significant.
A large SLB inside containment at 102% power is the limiting case for the release of steam mass and energy resulting in a peak
containment temperature; a large SLB inside containment at 30%
power is the limiting case for the release of steam mass and energy
resulting in a peak containment pressure.
For SLB events at full power, the SG temperature is at its maximum, which maximizes the available energy release to containment. At
lower powers, the steam generator inventory is at its maximum, which
maximizes the available release to the containment. Since the MSIVs
stop flow only in the forward direction, the total energy release to
containment includes the entire steam piping volume downstream of
the isolation valves for the steam generators, including the steam line
header and steam piping. With the most reactive rod cluster control
assembly assumed stuck in the fully withdrawn position, there is an
increased possibility that the core will become critical and return to
power. The core is ultimately shut down by the boric acid injection
delivered by the Emergency Core Cooling System.
The accident analysis compares several different SLB events against different acceptance criteria. A large SLB at hot zero power is the
limiting cooldown case for a post trip return to power. The analysis
includes scenarios with offsite power available, and with a loss of
offsite power following turbine trip. With offsite power available, the
reactor coolant pumps continue to circulate coolant through the steam
generators, maximizing the Reactor Coolant System cooldown. With a
loss of offsite power, the response of mitigating systems is delayed.
Significant single failures considered include failure of one ECCS train.
The MSIVs serve only a safety function and remain open during power operation. These valves operate under the following situations:
- a. An HELB inside containment. For this accident scenario, steam is discharged into containment from all steam generators until the (continued)
MSIVs B 3.7.2 Farley Units 1 and 2 B 3.7.2-3 Revision 0 BASES APPLICABLE MSIVs close. After MSIV closure, steam is discharged into SAFETY ANALYSES containment only from the affected steam generator and from the (continued) residual steam in the main steam header downstream of the closed MSIVs in the unaffected loops. Closure of the MSIVs
isolates the break from the unaffected steam generators. A large
SLB inside containment at 102% power is the limiting case for the
release of steam mass and energy resulting in a peak
containment temperature; a large SLB inside containment at 30%
power is the limiting case for the release of steam mass and
energy resulting in a peak containment pressure. The analysis
includes the scenario with offsite power available in which the
reactor coolant pumps continue to circulate coolant through the
SGs, maximizing the primary to secondary heat transfer.
Significant single failures considered include failure of an ESF
train (one Containment Spray System train and one Containment
Air Cooler) and main feedwater flow control.
- b. A break outside of containment and upstream from the MSIVs is not a containment pressurization concern. The uncontrolled
blowdown of more than one steam generator must be prevented
to limit the potential for uncontrolled RCS cooldown and positive
reactivity addition. Closure of the MSIVs isolates the break and
limits the blowdown to a single steam generator.
- d. Following a steam generator tube rupture, closure of one MSIV and bypass valve isolates the ruptured steam generator from the
intact steam generators to minimize radiological releases.
The MSIVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that all MSIVs in the steam lines be OPERABLE.
The MSIVs are considered OPERABLE when the isolation times are
within limits, and they close on an isolation actuation signal.
(continued)
MSIVs B 3.7.2 Farley Units 1 and 2 B 3.7.2-5 Revision 0 BASES ACTIONS B.1 (continued)
With two MSIVs inoperable in one or more steam lines in MODE 1, action must be taken to restore one MSIV to OPERABLE status in the
affected steam line(s) within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. In this Condition, the affected
steam line has no OPERABLE automatic isolation capability. The 4-
hour Completion Time allows for minor repairs or trouble shooting that
may prevent a unit shutdown to MODE 2 and is reasonable
considering the low probability of an accident occurring during this
time that would require the MSIVs to close and the reduced potential
for a plant transient (shutdown to MODE 2) provided by the 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />
allowed for restoration.
C.1 If the MSIV cannot be restored to OPERABLE status within the
required Completion Time, the unit must be placed in a Mode in which
the ACTIONS provide the option to close the inoperable MSIV and
accomplish the required safety function by isolating the affected
steam line. To achieve this status, the unit must be placed in MODE
2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and Condition D or E entered. The Completion Time
is reasonable, based on operating experience, to reach MODE 2 in an
orderly manner without challenging unit systems.
D.1 Required Action D.1 is applicable when one or more steam lines have
a single inoperable MSIV in MODE 2 or 3. Since the MSIVs are
required OPERABLE in MODES 2 and 3, the inoperable MSIV(s) may
either be restored to OPERABLE status or the affected steam line
isolated by closing at least one MSIV in that steam line. When
closed, the MSIVs are already in the position required by the
assumptions in the safety analysis.
The 7 day Completion Time is reasonable considering the plant
condition, the low probability of an event occurring that would require
the MSIV to close, and the remaining OPERABLE redundant MSIV in
the affected steam line(s).
For inoperable MSIVs that cannot be restored to OPERABLE status
within the specified Completion Time, and the affected steam line is
isolated by a closed MSIV, the MSIV must be verified on a periodic
basis to be closed. This is necessary to ensure that the assumptions
(continued)
MSIVs B 3.7.2 Farley Units 1 and 2 B 3.7.2-6 Revision 0 BASES ACTIONS D.1 (continued)
in the safety analysis remain valid. The 7-day Completion Time is
reasonable, based on engineering judgment, in view of MSIV status
indications available in the control room, and other administrative
controls, to ensure that these valves are in the closed position.
E.1 With two MSIVs inoperable in one or more steam lines in MODE 2 or
3, action must be taken to restore one MSIV to OPERABLE status or
verify one MSIV closed in the affected steam line(s) within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. In
this condition, the affected steam line has no OPERABLE automatic
isolation capability. Verifying one MSIV system closed ensures the
safety function is accomplished for that steam line. The 4-hour
Completion Time is reasonable considering the low probability of an
accident occurring during this time that would require a MSIV to close.
For inoperable MSIVs that cannot be restored to OPERABLE status
and are closed, the MSIV must be verified closed on a periodic basis.
Verification that the MSIV is closed on a periodic basis is necessary
to ensure that the safety analysis assumptions remain valid. The 7-
day Completion Time is reasonable, based on engineering judgment, considering the MSIV indications available in the control room, and
other administrative controls, to ensure that these valves are closed.
F.1 and F.2
If the MSIVs cannot be restored to OPERABLE status or are not
closed within the associated Completion Time, the unit must be
placed in a MODE in which the LCO does not apply. To achieve this
status, the unit must be placed at least in MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and
in MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are
reasonable, based on operating experience, to reach the required unit
conditions from MODE 2 conditions in an orderly manner and without
challenging unit systems.
SURVEILLANCE SR 3.7.2.1 REQUIREMENTS
This SR verifies that MSIV closure time is 7 seconds on an actual or simulated actuation signal. The MSIV closure time is assumed in the
(continued)
Main FW Stop Valves and MFRVs and Associated Bypass Valves B 3.7.3 Farley Units 1 and 2 B 3.7.3-1 Revision 0
B 3.7 PLANT SYSTEMS
B 3.7.3 Main Feedwater Stop Valves and Main Feedwater Regulation Valves (MFRVs) and Associated Bypass Valves
BASES BACKGROUND The MFRVs provide the primary main feedwater (MFW) flow isolation to the secondary side of the steam generators following a high energy
line break (HELB). The safety related function of the Main FW Stop
Valves is to provide a diverse backup isolation of MFW flow to the
secondary side of the steam generators following an HELB. Closure
of the MFRVs and associated bypass valves or Main FW Stop Valves
terminates flow to the steam generators, terminating the event for
feedwater line breaks (FWLBs) occurring upstream of the MFRVs or
Main FW Stop Valves. The consequences of events occurring in the
main steam lines or in the MFW lines downstream from the valves will
be mitigated by their closure. Closure of the MFRVs and associated
bypass valves, or Main FW Stop Valves, effectively terminates the
addition of feedwater to an affected steam generator, limiting the
mass and energy release for steam line breaks (SLBs) or FWLBs
inside containment, and reducing the cooldown effects for SLBs.
The Main FW Stop Valves isolate the nonsafety related portions from the safety related portions of the system. In the event of a secondary
side pipe rupture inside containment, the valves limit the quantity of
high energy fluid that enters containment through the break, and
provide a pressure boundary for the controlled addition of auxiliary
feedwater (AFW) to the intact loops.
One MFRV and associated bypass valve, and one Main FW Stop Valve, are located on each MFW line, outside containment. The Main
FW Stop Valves and MFRVs are located upstream of the AFW
injection point so that AFW may be supplied to the steam generators
following Main FW Stop Valve or MFRV closure. The piping volume
from these valves to the steam generators is accounted for in
calculating mass and energy releases, and refilled prior to AFW
reaching the steam generator following either an SLB or FWLB.
The MFRVs and associated bypass valves close on receipt of a T avg-Low coincident with reactor trip (P-4), Safety Injection, or steam generator water level-high high signal. The Main FW Stop Valves
close on a SGFP trip signal which is initaited by high-high SG water
level or SI. These valves may also be actuated manually. The (continued)
Main FW Stop Valves and MFRVs and Associated Bypass Valves B 3.7.3 Farley Units 1 and 2 B 3.7.3-2 Revision 0
BASES BACKGROUND MFRVs and associated bypass valves, or the Main FW Stop Valves (continued) isolate the feedwater line penetrating containment, and ensure that the consequences of events do not exceed the capacity of the
containment heat removal systems.
The MFRVs and the Main FW Stop Valves are part of the Condensate and Feedwater System as described in the FSAR, Section 10.4.7 (Ref. 1).
APPLICABLE The design basis of the MFRVs and Main FW Stop Valves is primarily SAFETY ANALYSES established by the analyses for the large SLB. Although the Main FW Stop Valves are not specifically credited in the accident analyses, these islation valves provide a diverse backup isolation function to the
MFRVs. Closure of the MFRVs and associated bypass valves, or
Main Feedwater Stop Valves, may also be relied on to terminate an
SLB for core response analysis and excess feedwater event upon the receipt of a steam generator water level-high high signal.
Failure of a Main FW Stop Valve and MFRV, or Main FW Stop Valve and MFRV bypass valve to close following an SLB or an excess
feedwater event can result in additional mass and energy being
delivered to the steam generators, contributing to cooldown. This
failure also results in additional mass and energy releases following
an SLB or FWLB event.
The MFRVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO ensures that the MFRVs and their associated bypass valves or Main FW Stop Valves will isolate MFW flow to the steam
generators, following an excess feedwater event or main steam line
break. These valves will also isolate the nonsafety related portions
from the safety related portions of the system.
This LCO requires that three MFRVs and associated bypass valves and three Main FW Stop Valves be OPERABLE. The MFRVs and the
associated bypass valves and the Main FW Stop Valves are
considered OPERABLE when isolation times are within limits and they
close on the appropriate signal(s).
(continued)
Main FW Stop Valves and MFRVs and Associated Bypass Valves B 3.7.3 Farley Units 1 and 2 B 3.7.3-3 Revision 0
BASES LCO Failure to meet the LCO requirements can result in additional mass (continued) and energy being released to containment following an SLB inside containment. If a feedwater isolation signal on high high steam
generator level is relied on to terminate an excess feedwater flow
event, failure to meet the LCO may result in the introduction of water
into the main steam lines.
APPLICABILITY The Main FW Stop Valves and MFRVs and their associated bypass valves must be OPERABLE whenever there is significant mass and
energy in the Reactor Coolant System and steam generators. This
ensures that, in the event of an HELB, a single failure cannot result in
the blowdown of more than one steam generator. In MODES 1 and 2, the Main FW Stop Valves and MFRVs and their associated bypass
valves are required to be OPERABLE to limit the amount of available
fluid that could be added to containment in the case of a secondary
system pipe break inside containment. When the valves are closed
and de-activated or isolated by a closed manual valve, they are
already performing their safety function.
In MODES 3, 4, 5, and 6, AFW and RHR are used for heat removal.
Therefore, the Main FW Stop Valves and the MFRVs and their
associated bypass valves are normally closed since MFW is not
required.
ACTIONS The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each valve.
A.1 and A.2
With one Main FW Stop Valve in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE
status, or to close or isolate inoperable affected valves within
72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. When these valves are closed or isolated, they are
performing their required safety function.
The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the redundancy
afforded by the remaining OPERABLE valves and the low probability
of an event occurring during this time period that would require (continued)
Main FW Stop Valves and MFRVs and Associated Bypass Valves B 3.7.3 Farley Units 1 and 2 B 3.7.3-4 Revision 0
BASES ACTIONS A.1 and A.2 (continued)
isolation of the MFW flow paths. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is
reasonable, based on operating experience.
Inoperable Main FW Stop Valves that are closed or isolated must be
verified on a periodic basis that they are closed or isolated. This is
necessary to ensure that the assumptions in the safety analysis
remain valid. The 7 day Completion Time is reasonable, based on
engineering judgment, in view of valve status indications available in
the control room, and other administrative controls, to ensure that
these valves are closed or isolated.
B.1 and B.2
With one MFRV in one or more flow paths inoperable, action must be
taken to restore the affected valves to OPERABLE status, or to close
or isolate inoperable affected valves within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. When these
valves are closed or isolated, they are performing their required safety
function.
The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the redundancy
afforded by the remaining OPERABLE valves and the low probability
of an event occurring during this time period that would require
isolation of the MFW flow paths. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is
reasonable, based on operating experience.
Inoperable MFRVs, that are closed or isolated, must be verified on a
periodic basis that they are closed or isolated. This is necessary to
ensure that the assumptions in the safety analysis remain valid. The
7 day Completion Time is reasonable, based on engineering
judgment, in view of valve status indications available in the control
room, and other administrative controls, to ensure that the valves are
closed or isolated.
C.1 and C.2
With one associated bypass valve in one or more flow paths
inoperable, action must be taken to restore the affected valves to
OPERABLE status, or to close or isolate inoperable affected valves
within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. When these valves are closed or isolated, they are
performing their required safety function.
(continued)
Main FW Stop Valves and MFRVs and Associated Bypass Valves B 3.7.3 Farley Units 1 and 2 B 3.7.3-5 Revision 0
BASES ACTIONS C.1 and C.2 (continued)
The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the redundancy
afforded by the remaining OPERABLE valves and the low probability
of an event occurring during this time period that would require
isolation of the MFW flow paths. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is
reasonable, based on operating experience.
Inoperable associated bypass valves that are closed or isolated must
be verified on a periodic basis that they are closed or isolated. This is
necessary to ensure that the assumptions in the safety analysis
remain valid. The 7 day Completion Time is reasonable, based on
engineering judgment, in view of valve status indications available in
the control room, and other administrative controls, to ensure that
these valves are closed or isolated.
D.1 With the combination of inoperable Main FW Stop Valves, MFRVs
and associated bypass valves such that a feedwater line has no
OPERABLE means of isolation, action must be taken to restore one of
the isolation valves to OPERABLE status or isolate the affected
feedwater line within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The feedwater lines may be isolated by
either a single Main FW Stop Valve or the combination of a MFRV
and its associated bypass valve. With one means of isolation
restored to OPERABLE status, operation may continue with any of the
remaining inoperable valves being addressed by the appropriate
Condition(s) (A, B and/or C) of this LCO. With the affected feedwater
line isolated, the isolation safety function is accomplished and power
operation is limited accordingly. The Completion Time is reasonable
considering the low probability of an event occurring that would
require feedwater isolation during this time, and in most cases, the
only action necessary for feedwater line isolation would be to close
and deactivate the necessary valve(s).
E.1 and E.2
If the Main FW Stop Valves and MFRV(s) and their associated bypass
valve(s) cannot be restored to OPERABLE status, or closed, or
isolated within the associated Completion Time, the unit must be
placed in a MODE in which the LCO does not apply. To achieve this
status, the unit must be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
The allowed Completion Time is reasonable, based on operating (continued)
ARVs B 3.7.4 Farley Units 1 and 2 B 3.7.4-1 Revision 0
B 3.7 PLANT SYSTEMS
B 3.7.4 Atmospheric Relief Valves (ARVs)
BASES BACKGROUND The ARVs provide a method for cooling the unit to residual heat removal (RHR) entry conditions should the preferred heat sink via the
Steam Dump System to the condenser not be available, as discussed
in the FSAR, Section 10.3 (Ref. 1). This is done in conjunction with
the Auxiliary Feedwater System pr oviding cooling water from the condensate storage tank (CST). The ARVs may also be required to
meet the design cooldown rate during a cooldown when steam
pressure drops too low for maintenance of a vacuum in the condenser
to permit use of the Steam Dump System.
One ARV line for each of the three steam generators is provided.
Each ARV line consists of one ARV and two associated manual
isolation valves.
The ARVs are provided with upstream manual isolation valves to
provide an alternate means of isolation. The ARVs are equipped with
pneumatic controllers to permit control of the cooldown rate.
The ARVs are provided with an alternate air supply consisting of two
redundant air compressors which, on a loss of pressure in the normal
instrument air supply, may be aligned to supply air to the ARVs for
remote or local control of the valves.
A description of the ARVs is found in Reference 1. The ARVs are
OPERABLE when they can be operated remotely, either automatically or manually; or locally, either pneumatically or manually. Handwheels
are provided for local manual operation.
APPLICABLE The design basis (size) of the ARVs is established by the capability to SAFETY ANALYSES cool the unit to RHR entry conditions. The valve size is determined by the design cooldown rate in the last hour of plant cooldown when the
SG shell side pressure is reduced.
The ARVs provide the capability for the removal of reactor decay heat during periods when the main condenser is not available to cool down
(continued)
ARVs B 3.7.4 Farley Units 1 and 2 B 3.7.4-3 Revision 33
BASES LCO Failure to meet the LCO can result in the inability to cool the unit to (continued) RHR entry conditions following an event in which the condenser is unavailable for use with the Steam Dump System.
An ARV is considered OPERABLE (even if isolated) when it is capable of providing controlled relief of the main steam flow and
capable of fully opening and closing on demand, either remotely or
locally via manual control.
APPLICABILITY In MODES 1, 2, and 3, the ARVs are required to be OPERABLE.
In MODE 4, the pressure and temperature limitations are such that the probability of an SGTR event requiring ARV operation is low. In
addition, the RHR system is available to provide the decay heat
removal function in MODE 4. Therefore, the ARVs are not required to
be OPERABLE in MODE 4 to satisfy the safety analysis assumptions
of the DBA. However, the capability to remove decay heat from a SG
required to be OPERABLE in MODE 4 by LCO 3.4.6, "RCS Loops -
MODE 4" is implicit in the requirement for an OPERABLE SG and
may require the associated ARV be capable of removing that heat if
the normal decay heat removal system (steam dump) is not available.
In MODE 5 or 6, an SGTR is not a credible event.
ACTIONS A.1
With one required ARV line inoperable, action must be taken to restore OPERABLE status within 7 days. The 7 day Completion Time
allows for the redundant capability afforded by the remaining
OPERABLE ARV lines, a nonsafety grade backup in the Steam Dump
System, and MSSVs.
B.1 With two or more ARV lines inoperable, action must be taken to restore all but one ARV line to OPERABLE status. Since the manual
isolation valves can be closed to isolate an ARV, some repairs may (continued)
ARVs B 3.7.4 Farley Units 1 and 2 B 3.7.4-4 Revision 52
BASES ACTIONS B.1 (continued)
be possible with the unit at power. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is reasonable to repair inoperable ARV lines, based on the availability of
the Steam Dump System and MSSVs, and the low probability of an
event occurring during this period that would require the ARV lines.
C.1 and C.2
If the ARV lines cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in
which the LCO does not apply. To achieve this status, the unit must
be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4 within
18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br />. The allowed Completion Times are reasonable, based on
operating experience, to reach the required unit conditions from full
power conditions in an orderly manner and without challenging unit systems.
SURVEILLANCE SR 3.7.4.1 REQUIREMENTS
To perform a controlled cooldown of the RCS, the ARVs must be able to be opened either remotely or locally and throttled through their full
range. This SR ensures that the ARVs are tested through a full control
cycle at least once per fuel cycle. Performance of inservice testing or
use of an ARV during a unit cooldown may satisfy this requirement.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The function of the manual isolation valve is to isolate a failed open ARV. Cycling the manual isolation valve both closed and open
demonstrates its capability to perform this function. Performance of
inservice testing or use of the manual isolation valve during unit
cooldown may satisfy this requirement. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
ARVs B 3.7.4 Farley Units 1 and 2 B 3.7.4-5 Revision 0
BASES REFERENCES 1. FSAR, Section 10.3.
- 2. FSAR, Section 15.4.3.
AFW System B 3.7.5 Farley Units 1 and 2 B 3.7.5-2 Revision 0 BASES BACKGROUND The design of the AFW system ensures that the RCS can be cooled (continued) down to less than 350°F (RHR entry conditions) from normal operating conditions in the event of any of the following incidents:
Loss of Normal Feedwater, Loss of Offsite Power, Feed Line Break, Main Steam Line Break, Accidental Depressurization of the SGs, SG Tube Rupture, High Energy Line Break, Small Break LOCA, Cooldown following a Reactor Trip, Station Blackout.
Each motor-driven AFW pump delivers a total of at least 285 gpm to
all SGs which are at a pressure of 1138 psia. The minimum flow
requirement for a motor-driven AFW pump is based on a high energy
line break in the steam supply line to the turbine-driven AFW pump.
In this scenario, only one motor-driven AFW pump will be the source
of AFW. The turbine-driven AFW pump delivers a total of at 350 gpm
to all SGs which are at a pressure of 1138 psia. The minimum
requirement for the turbine-driven AFW pump is based on a station
blackout event. In this scenario, the turbine-driven AFW pump will be
the only source of AFW. Additionally, any single AFW pump (turbine
or motor-driven) is capable of providing sufficient flow (350 gpm) to all
SGs at a pressure of 1020 psia to cooldown the RCS to RHR entry
conditions during a normal cooldown of the unit (not a reactor trip).
For all other incidents listed above, except for the high energy line
break in the steam supply to the turbine-driven AFW pump, the station
blackout event, and the normal unit cooldown discussed previously, two out of three AFW pumps (motor or turbine-driven combination)
are required to satisfy the flow demand.
The AFW System is designed to supply sufficient water to the steam generator(s) to remove decay heat with steam generator pressure at
the setpoint of the MSSVs. Subsequently, the AFW System supplies
sufficient water to cool the unit to RHR entry conditions, with steam
released through the ARVs.
The motor-driven AFW pumps actuate automatically on the following
signals: a. Trip of both SG main feedwater pumps;
(continued)
AFW System B 3.7.5 Farley Units 1 and 2 B 3.7.5-3 Revision 0 BASES BACKGROUND b. Low-low water level signals from two out of three level (continued) transmitters on any one SG;
- c. Safety Injection signal; and
- d. Loss of offsite power.
The steam supply to the turbine-driven AFW pump is automatically actuated on the following signals:
- a. Loss of power signal (two out of three reactor coolant pump bus undervoltage);
and b. Low-low water level signals from two out of three level transmitters on any two out of three SGs.
The AFW System is discussed in the FSAR, Section 6.5 (Ref. 1).
APPLICABLE The AFW System mitigates the consequences of any event with SAFETY ANALYSES loss of normal feedwater.
The design basis of the AFW System is to supply water to the steam generator to remove decay heat and other residual heat by delivering
at least the minimum required flow rate to the steam generators at
pressures corresponding to the lowest steam generator safety valve
set pressure plus 3% and setpoint tolerance plus any accumulation.
In addition, the AFW System must supply enough makeup water to replace steam generator secondary inventory lost as the unit cools to
MODE 4 conditions. Sufficient AFW flow must also be available to
account for flow losses such as pump recirculation and line breaks.
However, the operability of the AFW System in MODE 4 is not
assumed in the safety analysis.
The limiting Design Basis Accidents (DBAs) and transients for the AFW System are as follows:
- a. Feedwater Line Break (FWLB);
- b. Main Steam Line Break (MSLB); and
- c. Loss of MFW.
(continued)
AFW System B 3.7.5 Farley Units 1 and 2 B 3.7.5-4 Revision 0 BASES APPLICABLE Two of the three AFW pumps are required to ensure the flow demand SAFETY ANALYSES for the most limiting DBAs and transients is satisfied. In addition, the (continued) minimum available AFW flow and system characteristics are serious considerations in the analysis of a small break loss of coolant
accident (LOCA).
The AFW System design is such that it can perform its function following an FWLB between the MFW isolation valves and
containment, combined with a loss of offsite power following turbine
trip, and a single active failure. In such a case, the ESFAS logic may
not detect the affected steam generator if the backflow check valve to
the affected MFW header worked properly. The AFW flow delivered
to the broken MFW header is limited by the flow restrictor installed in
the AFW line until flow is terminated by the operator. Sufficient flow
would be delivered to the intact SGs after isolation.
The ESFAS automatically actuates the AFW turbine driven pump and associated power operated valves and controls when required to
ensure an adequate feedwater supply to the steam generators during
loss of power. DC solenoid air operated valves are provided for each
AFW line to control the AFW flow to each steam generator.
The AFW System satisfies the requirements of Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO provides assurance that the AFW System will perform its design safety function to mitigate the consequences of accidents that
could result in overpressurization of the reactor coolant pressure
boundary. Three independent AFW pumps in three diverse trains (steam and electrical power) are required to be OPERABLE to ensure
the availability of RHR capability for all events accompanied by a loss
of offsite power and a single failure. This is accomplished by
powering two of the pumps from independent emergency buses. The third AFW pump is powered by a different means, a steam driven
turbine supplied with steam from a source that is not isolated by
closure of the MSIVs.
The AFW System trains are configured into two flowpaths, one for the
motor-driven pumps and one for the turbine-driven pump. The AFW
System is considered OPERABLE when the components and flow
paths required to provide redundant AFW flow to the steam
(continued)
CST B 3.7.6 Farley Units 1 and 2 B 3.7.6-1 Revision 0
B 3.7 PLANT SYSTEMS
B 3.7.6 Condensate Storage Tank (CST)
BASES BACKGROUND The CST provides a safety grade source of water to the steam generators for removing decay and sensible heat from the Reactor
Coolant System (RCS). The CST provides a passive flow of water, by
gravity, to the Auxiliary Feedwater (AFW) System (LCO 3.7.5). The steam produced is released to the atmosphere by the main steam
safety valves or the atmospheric relief valves. The AFW pumps
operate with a continuous recirculation to the CST.
When the main steam isolation valves are open, the preferred means of heat removal is to discharge steam to the condenser by the
nonsafety grade path of the steam dump valves. The condensed
steam can be returned to the CST by a condensate pump. This has
the advantage of conserving condensate while minimizing releases to
the environment.
Because the CST is a principal component in removing residual heat from the RCS, it is designed to withstand earthquakes and other
natural phenomena, including missiles that might be generated by
natural phenomena. The CST is designed to Seismic Category I to
ensure availability of the feedwater supply. Feedwater is also
available from alternate sources.
A description of the CST is found in the FSAR, Section 9.2.6 (Ref. 1).
APPLICABLE The CST provides cooling water to remove decay heat and to cool SAFETY ANALYSES down the unit following all events in the accident analysis as discussed in the FSAR, Chapters 6 and 15 (Refs. 2 and 3, respectively). For anticipated operational occurrences and accidents
that do not affect the OPERABILITY of the steam generators, the
analysis assumption is generally 30 minutes at MODE 3, steaming
through the MSSVs, followed by a cooldown to residual heat removal (RHR) entry conditions at the design cooldown rate.
(continued)
CST B 3.7.6 Farley Units 1 and 2 B 3.7.6-2 Revision 64
BASES APPLICABLE The limiting event for the condensate volume is the large feedwater SAFETY ANALYSES line break coincident with a loss of offsite power. Single failures that (continued) also affect this event include the following:
- a. Failure of the diesel generator powering the motor driven AFW pump to the unaffected steam generator (requiring additional
steam to drive the remaining AFW pump turbine); and
- b. Failure of the steam driven AFW pump (requiring a longer time for cooldown using only one motor driven AFW pump).
These are not usually the limiting failures in terms of consequences for these events.
The CST inventory calculation includes an allowance for a break in the AFW pump recirculation line and 30 minutes for operator action to
reduce the break flow.
The CST satisfies Criteria 2 and 3 of 10 CFR 50.36(c)(2)(ii).
LCO To satisfy accident analysis assumptions, the CST must contain sufficient cooling water to remove decay heat for 30 minutes following
a reactor trip from 102% RTP, and then to cool down the RCS to RHR
entry conditions, assuming a coincident loss of offsite power and the
most adverse single failure. In doing this, it must retain sufficient
water to ensure adequate net positive suction head for the AFW
pumps during cooldown, as well as account for any losses from the
steam driven AFW pump turbine, or before isolating AFW to a broken
line.
The OPERABILITY of the CST is based on having sufficient water available to maintain the RCS in MODE 3 for 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> with steam
discharge to the atmosphere concurrent with a total loss of offsite
power. The CST minimum required water level of 164,000 gallons fulfills this requirement and bounds the design bases requirement of
holding the unit in MODE 3 for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, followed by a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> cooldown
to RHR entry conditions of 350°F at a rate of 50°F/hour (Refs. 4 and
5).
The OPERABILITY of the CST is determined by maintaining the tank level at or above the minimum required level.
CST B 3.7.6 Farley Units 1 and 2 B 3.7.6-3 Revision 0 BASES APPLICABILITY In MODES 1, 2, and 3, the CST is required to be OPERABLE.
In MODE 4, 5, or 6, the CST is not required because the AFW System is not required.
ACTIONS A.1 and A.2
If the CST is not OPERABLE, the OPERABILITY of the backup supply (Service Water System) should be verified by administrative means
within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> thereafter. OPERABILITY of
the backup feedwater supply must include verification that the flow
paths from the Service Water supply to the AFW pumps are
OPERABLE, and that the Service Water System is capable of
supplying water to the AFW pumps. The CST must be restored to
OPERABLE status within 7 days, because the Service Water System
does not supply the preferred quality of SG feedwater and may be
performing this function in addition to its normal functions. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />
Completion Time is reasonable, based on operating experience, to
verify the OPERABILITY of the backup water supply. Additionally, verifying the backup water supply every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is adequate to
ensure the backup water supply continues to be available. The 7 day
Completion Time is reasonable, based on an OPERABLE backup
water supply being available, and the low probability of an event
occurring during this time period requiring the CST.
B.1 and B.2
If the CST cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE in
which the LCO does not apply. To achieve this status, the unit must
be placed in at least MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and in MODE 4, within
12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on
operating experience, to reach the required unit conditions from full
power conditions in an orderly manner and without challenging unit systems.
CST B 3.7.6 Farley Units 1 and 2 B 3.7.6-4 Revision 64 BASES SURVEILLANCE SR 3.7.6.1 REQUIREMENTS
This SR verifies that the CST contains the required volume of cooling water. The Surveillance Frequency is controlled under the
Surveillance Frequency Control Program.
REFERENCES 1. FSAR, Section 9.2.6.
- 2. FSAR, Chapter 6.
- 3. FSAR, Chapter 15.
- 4. AFW - FSD A-181010.
- 5. CALC. BM 95-0961-001, Rev. 5, Verification of CST Sizing Basis.
CCW System B 3.7.7 Farley Units 1 and 2 B 3.7.7-1 Revision 0
B 3.7 PLANT SYSTEMS
B 3.7.7 Component Cooling Water (CCW) System
BASES BACKGROUND The CCW System provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis
Accident (DBA) or transient. During normal operation, the CCW
System also provides this function for various nonessential
components, as well as the spent fuel storage pool. The CCW System
serves as a barrier to the release of radioactive byproducts between
potentially radioactive systems and the Service Water System, and thus to the environment.
The CCW System is arranged as two independent, full capacity
cooling loops with one shared pump and spare heat exchanger, and
has isolatable nonsafety related components. Each safety related
train includes a full capacity pump, heat exchanger, piping, valves, instrumentation, and a shared surge tank, with a separate section to
serve each train. Each safety related train is powered from a
separate bus. An open surge tank in the system ensures that
sufficient net positive suction head is available. The pump in each
train is automatically started on receipt of a safety injection signal, and
all nonessential components are isolated.
Additional information on the design and operation of the system, along with a list of the components served, is presented in the FSAR, Section 9.2.2 (Ref. 1). The principal safety related function of the
CCW System is the removal of decay heat from the reactor via the
Residual Heat Removal (RHR) System. This may be during a normal
or post accident cooldown and shutdown.
APPLICABLE The design basis of the CCW System is for one CCW train to SAFETY ANALYSES remove the post loss of coolant accident (LOCA) heat load from the containment sump during the recirculation phase, with a
maximum CCW temperature of 135°F (Ref. 1). The Emergency Core
Cooling System (ECCS) LOCA and containment OPERABILITY
LOCA each model the maximum and minimum performance of the
CCW System, respectively. The normal temperature of the CCW is
105°F, and, during unit cooldown to MODE 5 (T cold < 200°F), a worst
(continued)
CCW System B 3.7.7 Farley Units 1 and 2 B 3.7.7-2 Revision 0
BASES APPLICABLE case maximum temperature of 132.8°F is assumed. This prevents SAFETY ANALYSES the containment sump fluid from increasing in temperature during the (continued) recirculation phase following a LOCA, and provides a gradual reduction in the temperature of this fluid as it is supplied to the
Reactor Coolant System (RCS) by the ECCS pumps.
The CCW System is designed to perform its function with a single
failure of any active component, assuming a loss of offsite power.
The CCW System also functions to cool the unit from RHR entry conditions (T cold < 350°F), to MODE 5 (T cold < 200°F), during normal and post accident operations. The time required to cool from 350°F to
200°F is a function of the number of CCW and RHR trains operating.
One CCW train is sufficient to remove decay heat during subsequent
operations with T cold < 200°F. This assumes a worst case post LOCA maximum service water temperature of 97.3°F occurring
simultaneously with the maximum heat loads on the system.
The CCW System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The CCW trains are independent of each other to the degree that each has separate controls and power supplies and the operation of
one does not depend on the other. In the event of a DBA, one CCW
train is required to provide the minimum heat removal capability
assumed in the safety analysis for the systems to which it supplies
cooling water. To ensure this requirement is met, two trains of CCW
must be OPERABLE. At least one CCW train will operate assuming
the worst case single active failure occurs coincident with a loss of
offsite power.
A CCW train is considered OPERABLE when:
- a. The pump and associated surge tank section are OPERABLE; and
- b. The associated piping, valves, heat exchanger, and instrumentation and controls required to perform the safety related
function are OPERABLE.
The isolation of CCW from other components or systems not required for safety may render those components or systems inoperable but
does not affect the OPERABILITY of the CCW System.
SWS B 3.7.8 Farley Units 1 and 2 B 3.7.8-1 Revision 0
B 3.7 PLANT SYSTEMS
B 3.7.8 Service Water System (SWS)
BASES BACKGROUND The SWS provides a heat sink for the removal of process and operating heat from safety related components during a Design Basis
Accident (DBA) or transient. During normal operation, and a normal
shutdown, the SWS also provides this function for various safety
related and nonsafety related components. The safety related
function is covered by this LCO.
The SWS consists of two separate, 100% capacity, safety related, cooling water trains. Each train consists of two 50% capacity pumps, one shared 50% capacity spare pump, piping, valving, and
instrumentation. The pumps and valves are remote and manually
aligned, except in the unlikely event of a loss of coolant accident (LOCA). The pumps are automatically started upon receipt of a safety
injection signal or a loss of offsite power (LOSP) signal, and all
essential valves are aligned to their post accident positions. The
SWS also provides emergency makeup to the Diesel Generator
Jacket Water Systems and is the backup water supply to the Auxiliary
Feedwater System.
Additional information about the design and operation of the SWS, along with a list of the components served, is presented in the FSAR, Section 9.2.1 (Ref. 1). The principal safety related function of the
SWS is the removal of decay heat from the reactor via the CCW
System.
APPLICABLE The design basis of the SWS is for one SWS train, in conjunction with SAFETY ANALYSES the CCW System and a 100% capacity containment cooling system, to remove core decay heat following a design basis LOCA as
discussed in the FSAR, Section 6.2 (Ref. 2). This prevents the
containment sump fluid from increasing in temperature during the
recirculation phase following a LOCA and provides for a gradual
reduction in the temperature of this fluid as it is supplied to the
Reactor Coolant System by the ECCS pumps. The SWS is designed
to perform its function with a single failure of any active component, assuming the loss of offsite power.
(continued)
SWS B 3.7.8 Farley Units 1 and 2 B 3.7.8-2 Revision 0
BASES APPLICABLE The SWS, in conjunction with the CCW System, also cools the unit SAFETY ANALYSES from residual heat removal (RHR), as discussed in the FSAR, (continued) Sections 5.1 and 9.2.1, (Refs. 3 and 1) entry conditions to MODE 5 during normal and post accident operations. The time required for
this evolution is a function of the number of CCW and RHR System
trains that are operating. One SWS train is sufficient to remove decay
heat during subsequent operations in MODES 5 and 6. This assumes
a worst case maximum post LOCA SWS Temperature of 97.3°F, which bounds the maximum normal operating SWS temperature of
95°F, occurring simultaneously with maximum heat loads on the system.
The SWS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Two SWS trains are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove
post accident heat loads, assuming that the worst case single active
failure occurs coincident with the loss of offsite power.
An SWS train is considered OPERABLE during MODES 1, 2, 3, and 4 when:
- a. Two pumps are OPERABLE; and
- b. The associated piping, valves, and instrumentation and controls required to perform the safety related function are OPERABLE.
APPLICABILITY In MODES 1, 2, 3, and 4, the SWS is a normally operating system that is required to support the OPERABILITY of the equipment
serviced by the SWS and required to be OPERABLE in these
MODES.
In MODES 5 and 6, the OPERABILITY requirements of the SWS are determined by the systems it supports.
UHS B 3.7.9 Farley Units 1 and 2 B 3.7.9-1 Revision 0 B 3.7 PLANT SYSTEMS
B 3.7.9 Ultimate Heat Sink (UHS)
BASES BACKGROUND The UHS, or Service Water Pond, provides a heat sink for processing and operating heat from safety related components during a transient
or accident, as well as during normal operation. This is done by
utilizing the Service Water System (SWS) and the Component
Cooling Water (CCW) System.
The UHS storage pond as discussed in the FSAR, Section 9.2.5 (Ref. 1) provides two principal functions: the dissipation of residual
heat after reactor shutdown; and dissipation of residual heat after an
accident.
The basic performance requirements are that a 30 day supply of water be available, and that the design basis temperatures of safety
related equipment not be exceeded.
Additional information on the design and operation of the system, along with a list of components served, can be found in Reference 1.
APPLICABLE The UHS is the sink for heat removed from the reactor core following SAFETY ANALYSES all accidents and anticipated operational occurrences in which the unit is cooled down and placed on residual heat removal (RHR) operation.
After the unit switches from injection to recirculation, the containment
cooling systems and RHR are required to remove the core decay heat.
The operating limits are based on conservative heat transfer analyses for the worst case LOCA. Reference 1 provides the details of the
assumptions used in the analysis, which include worst expected
meteorological conditions, conservative uncertainties when
calculating decay heat, and worst case single active failure (e.g.,
single failure of a train). The UHS is designed in accordance with
Regulatory Guide 1.27 (Ref. 2), which requires a 30 day supply of
cooling water in the UHS.
The UHS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
CRACS B 3.7.11 Farley Units 1 and 2 B 3.7.11-1 Revision 0
B 3.7 PLANT SYSTEMS
B 3.7.11 Control Room Air Conditioning System (CRACS)
BASES BACKGROUND The CRACS provides temperature control for the control room following isolation of the control room. The Unit 1 and 2 control room
is a common room served by a shared CRACS.
The CRACS consists of two independent and redundant trains that provide cooling of recirculated control room air. Each train consists of
cooling coils, instrumentation, and controls to provide for control room
temperature control. The CRACS is a subsystem providing air
temperature control for the control room.
The CRACS is a normal and emergency system. A single train will provide the required temperature control. The CRACS operation in
maintaining the control room temperature is discussed in the FSAR, Section 6.4 (Ref. 1).
APPLICABLE The design basis of the CRACS is to maintain the control room SAFETY ANALYSES temperature for 30 days of continuous occupancy.
The CRACS components are arranged in redundant, safety related trains. During emergency operation, the CRACS maintains the
temperature at or below the continuous duty rating for equipment and
instrumentation. A single active failure of a component of the
CRACS, with a loss of offsite power, does not impair the ability of the
system to perform its design function. Redundant detectors and
controls are provided for control room temperature control. The
CRACS is designed in accordance with Seismic Category I
requirements. The CRACS is capable of removing sensible and latent
heat loads from the control room, which include consideration of
equipment heat loads and personnel occupancy requirements, to
ensure equipment OPERABILITY.
The CRACS satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).
CRACS B 3.7.11 Farley Units 1 and 2 B 3.7.11-2 Revision 0
BASES LCO Two independent and redundant trains of the CRACS are required to be OPERABLE to ensure that at least one is available, assuming a
single failure disabling the other train. Total system failure could
result in the equipment operating temperature exceeding limits in the
event of an accident.
The CRACS is considered to be OPERABLE when the individual components necessary to maintain the control room temperature are
OPERABLE in both trains. These components include the cooling
coils and associated temperature control instrumentation. In addition, the CRACS must be operable to the extent that air circulation can be
maintained. CRACS recirculation provides the motive force for heat
removal and control room filtration cleanup in conjunction with the
CREFS recirculation and filtration units. The loss of CRACS cooling
on only one train will not degrade the associated train of CREFS
cleanup filtration.
APPLICABILITY With either unit in MODES 1, 2, 3, 4, or during movement of irradiated fuel assemblies or during CORE ALTERATIONS, the CRACS must be
OPERABLE to ensure that the control room temperature will not
exceed equipment operational requirements following isolation of the
control room.
ACTIONS A.1
With one CRACS train inoperable, action must be taken to restore
OPERABLE status within 30 days. In this Condition, the remaining
OPERABLE CRACS train is adequate to maintain the control room
temperature within limits. However, the overall reliability is reduced
because a single failure in the OPERABLE CRACS train could result
in loss of CRACS function. The 30 day Completion Time is based on
the low probability of an event requiring control room isolation, the
consideration that the remaining train can provide the required
protection, and that alternate safety or nonsafety related cooling
means are available.
(continued)
PRF B 3.7.12 Farley Units 1 and 2 B 3.7.12-1 Revision 0 B 3.7 PLANT SYSTEMS
B 3.7.12 Penetration Room Filtration (PRF) System
BASES BACKGROUND The PRF System filters airborne radioactive particulates from the area of the fuel pool following a fuel handling accident or ECCS pump
rooms and penetration area of the Auxiliary Building following a loss
of coolant accident (LOCA).
The PRF System consists of two independent and redundant trains.
Each train consists of a heater, a prefilter, a high efficiency particulate
air (HEPA) filter, an activated charcoal adsorber section for removal of
gaseous activity (principally iodines), and a recirculation fan and an
exhaust fan. Ductwork, valves or dampers, and instrumentation also
form part of the system. The heater is not credited in the analysis but
serves to reduce the relative humidity of the air stream. The system
initiates filtered ventilation of the spent fuel pool room following receipt
of a high radiation signal or a low air flow signal from the normal
ventilation system. The system init iates filtered ventilation of the ECCS pump rooms and penetration area following receipt of a
containment isolation actuation system (CIAS) Phase B signal and
manual isolation of the spent fuel pool room.
The PRF System is a standby system normally aligned to filter the spent fuel pool room. During emergency operation the PRF System
filters the spent fuel pool room or the ECCS pump rooms and
penetration area with fan actuation signals and damper re-alignments
to the ECCS pump rooms and penetration area (to support each
respective area). Upon receipt of the actuating Engineering Safety
Feature Actuation System signal for post LOCA conditions or upon
receipt of a high radiation signal or a low air flow signal from the
normal spent fuel pool room ventilation system, the PRF fans are
started and the ventilation air stream discharges through the system
filter trains.
The PRF System is discussed in the FSAR, Sections 6.2.3, 9.4.2, and 15.4 (Refs. 1, 2, and 3, respectively) which detail the post
accident, atmospheric cleanup functions. The prefilters remove any
large particles in the air to prevent excessive loading of the HEPA
filters and charcoal adsorbers.
PRF B 3.7.12 Farley Units 1 and 2 B 3.7.12-3 Revision 21 BASES LCO b. HEPA filter and charcoal adsorber are not excessively restricting (continued) flow, and are capable of performing their filtration function; and
- c. Ductwork, valves, and dampers ar e OPERABLE, and air circulation can be maintained.
The LCO is modified by a Note allowing the PRF or spent fuel pool room (SFPR) boundary to be opened intermittently under administrative controls without requiring entry into Conditions B or E for an inope rable pressure boundary. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, such as hatches and inspection ports, these controls consist of stationin g a dedicated individual at the opening who is in continuous communication with the control room.
This individual will have a me thod to rapidly close the opening when a need for PRF or SFPR ventilation actuation is ind icated. Breaches that would pre vent successful completion of SR 3.7.12.6 render the SFPR boundary inoperable. When the SFPR boundary is inoperable, Condition E wil l prohibit movement of irradiated fuel. For loads other than irradiated fuel, administrative controls will prevent movement of loads over irradiated fuel unless adequate decay time for the irradiated fuel has elapsed such that occurrence of a fuel handling accident without air filtration will not exceed dose limits. Calculations show that a decay time of 676 hours0.00782 days <br />0.188 hours <br />0.00112 weeks <br />2.57218e-4 months <br /> is sufficient.
APPLICABILITY In MODE 1, 2, 3, or 4, the PRF System is required to be OPERABLE to provide fission product removal associated with ECCS leaks due
to a LOCA.
In MODE 5 or 6, the PRF System is not required to be OPERABLE since the ECCS is not required to be OPERABLE.
During movement of irradiated fuel in the spent fuel pool area, two
trains of PRF are required to be OPERABLE and aligned to the spent
fuel pool room to alleviate the consequences of a fuel handling
accident.
ACTIONS A.1 With one PRF tra in inoperable, action must be taken to restore OPERABLE status within 7 days. During this period, the remaining
OPERABLE train is adequate to perform the PRF function. The
7 day Completion Time is based on the risk from an event occurring
requiring the i noperable PRF train, and the remaining PRF train
providing the required protection.
(continued)
Fuel Storage Pool Water Level B 3.7.13 (continued)
Farley Units 1 and 2 B 3.7.13-2 Revision 52 BASES LCO The fuel storage pool water level is required to be 23 ft over the top of irradiated fuel assemblies seated in the storage racks. The
specified water level preserves the assumptions of the fuel handling
accident analysis (Ref. 3). As such, it is the minimum required for fuel
storage and movement within the fuel storage pool.
APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the fuel storage pool, since the potential for a release of fission
products exists.
ACTIONS A.1
Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply.
When the initial conditions for prevention of an accident cannot be met, steps should be taken to preclude the accident from occurring.
When the fuel storage pool water level is lower than the required
level, the movement of irradiated fuel assemblies in the fuel storage
pool is immediately suspended to a safe position. This action
effectively precludes the occurrence of a fuel handling accident. This
does not preclude movement of a fuel assembly to a safe position.
If moving irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies
while in MODES 1, 2, 3, and 4, the fuel movement is independent of
reactor operations. Therefore, inability to suspend movement of
irradiated fuel assemblies is not sufficient reason to require a reactor
shutdown.
SURVEILLANCE SR 3.7.13.1 REQUIREMENTS
This SR verifies sufficient fuel storage pool water is available in the event of a fuel handling accident. The water level in the fuel storage
pool must be checked periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Fuel Storage Pool Boron Concentration B 3.7.14 Farley Units 1 and 2 B 3.7.14-1 Revision 0 B 3.7 PLANT SYSTEMS
B 3.7.14 Fuel Storage Pool Boron Concentration
BASES BACKGROUND Fuel assemblies are stored in high density racks. The spent fuel storage racks contain storage locations for 1407 fuel assemblies.
Westinghouse 17X17 fuel assemblies with initial enrichments less
than or equal to 5.0 weight percent U-235 can be stored in any
location in the spent fuel storage pool provided the fuel burnup-
enrichment combinations are within the limits specified in Figure
3.7.15-1 of the Technical Specifications. Fuel assemblies that do not
meet the burnup-enrichment combination of Figure 3.7.15-1 may be
stored in the spent fuel storage pool in accordance with the patterns
described in Figures 4.3.1-1 through 4.3.1-5. The acceptable storage
configurations are based on the "Westinghouse Spent Fuel Rack
Criticality Analysis Methodology", WCAP-14416-NP-A, Rev. 1, (Ref.
- 4) as implemented in the "Farley Units 1 and 2 Spent Fuel Rack
Criticality Analysis Using Soluble Boron Credit," CAA-97-138, Rev. 1 (Ref. 7).
This methodology ensures that the spent fuel pool storage rack multiplication factor, K eff , is less than or equal to 0.95, as recommended by ANSI 57.2-1983 (Ref. 3) and NRC Guidance (Refs.
1, 2, and 6). A storage configuration is defined using K eff calculations to ensure that K eff will be less than 1.0 with no soluble boron under normal storage conditions including tolerances and uncertainties.
Soluble boron credit is then used to maintain K eff less than or equal to 0.95. A spent fuel pool boron concentration of 400 ppm will ensure
that K eff will be less than or equal to 0.95 for all analyzed combinations of storage patterns, enrichments, and burnups. The
treatment of reactivity equivalencing uncertainties, as well as the
calculation of postulated accidents crediting soluble boron is
described in Ref.4.
The above methodology was used to evaluate storage of Westinghouse 17X17 fuel assemblies with initial enrichments less
than or equal to 5.0 weight percent U-235 in the FNP spent fuel
storage pool. The resulting enrichment and burnup limits are shown
in Figure 3.7.15-1. Checkerboard loading patterns are defined to
allow storage of fuel assemblies that are not within the acceptable
burnup domain of Figure 3.7.15-1. These storage requirements are
shown in Technical Specification Figures 4.3.1-1 through 4.3.1-5. A (continued)
Fuel Storage Pool Boron Concentration B 3.7.14 Farley Units 1 and 2 B 3.7.14-2 Revision 0 BASES BACKGROUND spent fuel pool boron concentration of 2000 ppm ensures that no (continued) credible boron dilution event will result in a K eff greater than 0.95.
Eleven damaged Westinghouse 17X17 fuel assemblies can be stored in the Unit 1 spent fuel storage pool in the 12 storage cell
configuration shown in Technical Specification Figure 4.3.1-6. The 11
fuel assemblies contain a nominal enrichment of 3.0 weight percent
APPLICABLE Three accidents can be postulated for each storage configuration SAFETY ANALYSES which could increase reactivity beyond the analyzed condition. The three postulated accidents include a loss of the spent fuel pool cooling
system, dropping a fuel assembly into an already loaded storage cell, and the misloading of a fuel assembly into a cell for which the
restrictions on location, enrichment, or burnup are not satisfied.
An increase in the temperature of the water passing through the stored fuel assemblies causes a decrease in water density which
would normally result in an addition of negative reactivity. However, since Boraflex is not considered to be present in the criticality
analysis, and the spent fuel pool water contains a high concentration
of boron, a density decrease results in a positive reactivity addition.
The effect of an increase in reactivity due to an increase in
temperature is bounded by the misload accident.
In the case of a fuel assembly dropped into an already loaded storage cell, the upward axial leakage of that cell will be reduced. However, the overall effect on the storage rack activity would be insignificant, since only the upward axial leakage of a single cell is minimized. In
addition, the neutronic coupling between the dropped fuel assembly
and the already loaded assembly will be low due to a several inch
separation of the active fuel regions due to the fuel assembly bottom
nozzle. The effects of this accident are also bounded by the misload
accident.
The fuel assembly misloading accident involves the placement of a fuel assembly into a storage location for which the requirements on
location, enrichment, or burnup are not met. This misload would result
in a positive reactivity addition increasing K eff toward 0.95. The amount of soluble boron required to compensate for the positive
reactivity added is 850 ppm, which is well below the LCO limit of
2000 ppm. (continued)
Fuel Storage Pool Boron Concentration B 3.7.14 Farley Units 1 and 2 B 3.7.14-3 Revision 0 BASES APPLICABLE A spent fuel pool boron dilution evaluation determined that the volume SAFETY ANALYSES of water necessary to dilute the spent fuel pool from the LCO limit of (continued) 2000 ppm to 400 ppm (the boron concentration required to maintain K eff less than or equal to 0.95) is approximately 480,000 gallons. A spent fuel pool dilution of this volume is not a credible event, since it
would require this large volume of water to be transferred from a
source to the spent fuel pool, ultimately overflowing the pool. This
event would be detected and terminated by plant personnel prior to
exceeding a K eff of 0.95.
The concentration of dissolved boron in the fuel storage pool satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The fuel storage pool boron concentration is required to be 2000 ppm. The specified concentration of dissolved boron in the fuel storage pool preserves the assumptions used in the analyses of the potential criticality accident scenarios as described in
Reference 5. The specified boron concentration of 2000 ppm ensures
that the spent fuel pool K eff will remain less than or equal to 0.95 due to a postulated fuel assembly misload accident (850 ppm) or boron
dilution event (400 ppm).
APPLICABILITY This LCO applies whenever fuel assemblies are stored in the spent fuel storage pool.
ACTIONS A.1 and A.2
The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply.
When the concentration of boron in the fuel storage pool is less than required, immediate action must be taken to preclude the occurrence
of an accident or to mitigate the consequences of an accident in
progress. This is most efficiently achieved by immediately
suspending the movement of fuel assemblies. Action is also initiated
to restore the concentration of boron simultaneously with suspending
movement of fuel assemblies.
(continued)
Fuel Storage Pool Boron Concentration B 3.7.14 Farley Units 1 and 2 B 3.7.14-4 Revision 52 BASES ACTIONS A.1 and A.2 (continued)
If the LCO is not met while moving irradiated fuel assemblies in MODE 5 or 6, LCO 3.0.3 would not be applicable. If moving irradiated
fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is
independent of reactor operation. Therefore, inability to suspend
movement of fuel assemblies is not sufficient reason to require a
reactor shutdown.
SURVEILLANCE SR 3.7.14.1 REQUIREMENTS
This SR verifies that the concentration of boron in the fuel storage pool is within the required limit. As long as this SR is met, the
analyzed accidents are fully addressed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. USNRC Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, LWR Edition, NUREG-0800, June, 1987.
- 2. USNRC Spent Fuel Storage Facility Design Bases (for Comment)
Proposed Revision 2, 1981.
- 3. ANS, Design Requirements for Light Water Reactor Spent Fuel Storage Facilities at Nuclear Power Stations, ANSI/ANS-57.2-1983.
- 4. WCAP-14416-NP-A, Rev. 1, Westinghouse Spent Fuel Rack Criticality Analysis Methodology, November, 1996.
- 5. FSAR, Section 4.3.2.7.2.
- 6. NRC, Letter to all Power Reactor Licensees from B.K. Grimes, OT Position for Review and Acceptance of Spent Fuel Storage and Handling Applications, April 14, 1978.
- 7. Farley Units 1 and 2 Spent Fuel Rack Criticality Analysis Using Soluble Boron Credit, CAA-97-138, Rev. 1.
Spent Fuel Assembly Storage B 3.7.15 Farley Units 1 and 2 B 3.7.15-1 Revision 0 B 3.7 PLANT SYSTEMS
B 3.7.15 Spent Fuel Assembly Storage
BASES BACKGROUND Fuel assemblies are stored in high density racks. The spent fuel storage racks contain storage locations for 1407 fuel assemblies.
Westinghouse 17X17 fuel assemblies with initial enrichments less
than or equal to 5.0 weight percent U-235 can be stored in any
location in the spent fuel storage pool provided the fuel burnup-
enrichment combinations are within the limits specified in Figure
3.7.15-1 of the Technical Specifications. Fuel assemblies that do not
meet the burnup-enrichment combination of Figure 3.7.15-1 may be
stored in the spent fuel storage pool in accordance with the patterns
described in Figures 4.3.1-1 through 4.3.1-5. The acceptable storage
configurations are based on the Westinghouse Spent Fuel Rack Criticality Analysis Methodology, WCAP-14416-NP-A, Rev. 1, (Ref.
- 1) as implemented in Farley Units 1 and 2 Spent Fuel Rack Criticality Analysis Using Soluble Boron Credit, CAA-97-138, Rev. 1 (Ref. 2).
The following storage configurations and enrichment limits were
evaluated in the spent fuel rack criticality analysis:
Westinghouse 17X17 fuel assemblies with nominal enrichments less
than or equal to 2.15 weight percent U-235 can be stored in any cell
location as shown if Figure 4.3.1-2. Fuel assemblies with initial
nominal enrichments greater than these limits must satisfy a minimum
burnup requirement as shown in Figure 3.7.15-1.
Westinghouse 17X17 fuel assemblies with nominal enrichments less
than or equal to 5.0 weight percent U-235 can be stored in a 2 out of
4 checkerboard arrangement as shown in Figure 4.3.1-2. In the 2 out
of 4 checkerboard storage arrangement, 2 fuel assemblies can be
stored corner adjacent with empty storage cells.
Westinghouse 17X17 fuel assemblies can be stored in a burned/fresh checkerboard arrangement of a 2X2 matrix of storage cells as shown in Figure 4.3.1-2. In the burned/fresh 2X2 checkerboard
arrangement, three of the fuel assemblies must have an initial nominal
enrichment less than or equal to 1.6 weight percent U-235, or satisfy a
minimum burnup requirement for higher initial enrichments as shown
in Figure 4.3.1-1.
(continued)
Spent Fuel Assembly Storage B 3.7.15 Farley Units 1 and 2 B 3.7.15-2 Revision 0 BASES BACKGROUND The fourth fuel assembly must have an initial nominal enrichment less (continued) than or equal to 3.9 weight percent U-235, or satisfy a minimum Integral Fuel Burnable Absorber requirement for higher initial enrichments to maintain the reference fuel assembly K less than or equal to 1.455 at 68 F. Eleven damaged Westinghouse 17X17 fuel assemblies can be stored
in the Unit 1 spent fuel storage pool in a 12 storage cell configuration
surrounded by empty cells as shown in Technical Specification Figure
4.3.1-6. The 11 fuel assemblies contain a nominal enrichment of 3.0
weight percent U-235.
APPLICABLE Three accidents can be postulated for each storage configuration SAFETY ANALYSES which could increase reactivity beyond the analyzed condition. The three postulated accidents include a loss of the spent fuel pool cooling
system, dropping a fuel assembly into an already loaded storage cell, and the misloading of a fuel assembly into a cell for which the
restrictions on location, enrichment, or burnup are not satisfied.
An increase in the temperature of the water passing through the stored fuel assemblies causes a decrease in water density which
would normally result in an addition of negative reactivity. However, since Boraflex is not considered to be present in the criticality
analysis, and the spent fuel pool water contains a high concentration
of boron, a density decrease results in a positive reactivity addition.
The effect of an increase in reactivity due to an increase in
temperature is bounded by the misload accident.
In the case of a fuel assembly dropped into an already loaded storage cell, the upward axial leakage of that cell will be reduced. However, the overall effect on the storage rack activity would be insignificant, since only the upward axial leakage of a single cell is minimized. In
addition, the neutronic coupling between the dropped fuel assembly
and the already loaded assembly will be low due to a several inch
separation of the active fuel regions due to the fuel assembly bottom
nozzle. The effects of this accident are also bounded by the misload
accident.
(continued)
Spent Fuel Assembly Storage B 3.7.15 Farley Units 1 and 2 B 3.7.15-3 Revision 0 BASES APPLICABLE The fuel assembly misloading accident involves the placement of a SAFETY ANALYSES fuel assembly into a storage location for which the requirements on (continued) location, enrichment, or burnup are not met. This misload would result in a positive reactivity addition increasing K eff toward 0.95. The amount of soluble boron required to compensate for the positive
reactivity added is 850 ppm, which is well below the LCO limit of 2000
ppm.
The configuration of fuel assemblies in the fuel storage pool satisfies
Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The restrictions on the placement of fuel assemblies within the spent fuel pool ensure the K eff of the spent fuel storage pool will always remain < 0.95, assuming the pool to be flooded with borated water.
The combination of initial enrichment and burnup are specified in
Figure 3.7.15-1 for the All Cell Storage Configuration. Other
acceptable enrichment, burnup, and checkerboard storage
configurations are specified in Figures 4.3.1-1 through 4.3.1-6.
APPLICABILITY This LCO applies whenever any fuel assembly is stored in the spent fuel storage pool.
ACTIONS A.1
Required Action A.1 is modified by a Note indicating that LCO 3.0.3
does not apply.
When the configuration of fuel assemblies stored in the spent fuel
storage pool is not in accordance with the acceptable combination of
initial enrichments, burnup, and storage configurations, the immediate
action is to initiate action to make the necessary fuel assembly
movement(s) to bring the configuration into compliance with
Figure 3.7.15-1 or Specification 4.3.1.1.
If unable to move irradiated fuel assemblies while in MODE 5 or 6, LCO 3.0.3 would not be applicable. If unable to move irradiated fuel
assemblies while in MODE 1, 2, 3, or 4, the action is independent of
reactor operation. Therefore, inability to move fuel assemblies is not
sufficient reason to require a reactor shutdown.
Spent Fuel Assembly Storage B 3.7.15 Farley Units 1 and 2 B 3.7.15-4 Revision 0 BASES SURVEILLANCE SR 3.7.15.1 REQUIREMENTS
This SR verifies by administrative means (e.g., Core Loading Plan, Tote computer code output or TrackWorks program) that the initial
enrichment and burnup of the fuel assembly is within the acceptable
burnup domain of Figure 3.7.15-1. For fuel assemblies in the
unacceptable range of Figure 3.7.15-1, performance of this SR will
also ensure compliance with Specification 4.3.1.1.
The frequency of within 7 days following the relocation or addition of
fuel assemblies to the spent fuel storage pool ensures that fuel
assemblies are stored within the configuration analyzed in the spent
fuel rack criticality analysis. This surveillance would be performed
after all of the fuel handling is completed during a refueling outage, or
new fuel assemblies are placed into the spent fuel pool.
This SR does not have to be performed following interruptions in fuel
handling during defined fuel movements as described above (i.e., it is
only required after all fuel movement associated with refueling
operations is completed) or if only certain fuel assemblies are
relocated to different storage locations within the pool (only the moved assemblies must be verified).
The 7 day allowance for completion of this Surveillance provides adequate time for completion of a spent fuel pool inventory verification
while minimizing the time that a fuel assembly could be misloaded
during a refueling or the placement of new fuel assemblies into the
spent fuel pool. The boron concentration required by Specification
3.7.14 ensures that the spent fuel rack K eff remains within limits until the spent fuel pool inventory verification is performed.
REFERENCES 1. WCAP-14416-NP-A, Rev. 1, Westinghouse Spent Fuel Rack Criticality Analysis Methodology, November, 1996.
- 2. "Farley Units 1 and 2 Spent Fuel Rack Criticality Analysis Using Soluble Boron Credit," CAA-97-138, Rev. 1.
-
Cask Storage Area Boron Concentration Cask Loading Operations B 3.7.17 Farley Units 1 and 2 B 3.7.17-3 Revision 30 BASES APPLICABLE placement of a fresh Westinghouse Optimized Fuel Assembly (OFA)
SAFETY ANALYSES fuel assembly enriched to 5.0 weight percent (containing no burnable (continued) poisons) into a cask center cell storage location. This misload would result in a positive reactivity addition increasing K eff toward 0.95. The amount of soluble boron required to compensate for the positive reactivity added is 659 ppm, which is well below the LCO limit of 2000 ppm.
As described in Bases for LCO 3.7.14, a spent fuel pool boron dilution evaluation determined that the volume of water necessary to dilute the spent fuel pool from the LCO limit of 2000 ppm to 400 ppm (the boron concentration required to maintain K eff less than or equal to 0.95) is approximately 480,000 gallons. A spent fuel pool dilution of this volume is not a credible event, since it would require this large volume of water to be transferred from a source to the spent fuel pool, ultimately overflowing the pool. This event would be detected and terminated by plant personnel prior to exceeding a K eff of 0.95.
During cask loading operations, the active volume of the spent fuel pool will be increased by the volume of the transfer canal and the cask storage area. This has the effect of reducing the rate of dilution of the pool, therefore, the dilution evaluation for the spent fuel pool remains bounding for cask loading operations.
The concentration of dissolved boron in the cask storage area satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii).
LCO The cask storage area boron concentration is required to be 2000 ppm. The specified concentration of dissolved boron in the fuel storage pool preserves the assumptions used in the analyses of the potential criticality accident scenarios as described in Reference 5. The specified boron concentration of 2000 ppm ensures that the spent fuel cask K eff will remain less than or equal to 0.95 due to a postulated fuel assembly misload accident (659 ppm) or boron dilution event (400 ppm).
The LCO is modified by a note that requires the spent fuel transfer canal gate and the cask storage area gate to both be open during cask loading operations except during the brief period when moving the spent fuel cask into or out of the cask storage area. This is to ensure that the boron dilution evaluation for the spent fuel pool remains bounding for cask loading operations.
Cask Storage Area Boron Concentration Cask Loading Operations B 3.7.17 Farley Units 1 and 2 B 3.7.17-4 Revision 52 BASES APPLICABILITY This LCO applies whenever any fuel assembly is stored in the cask storage area of the spent fuel pool.
ACTIONS A.1 and A.2 The Required Actions are modified by a Note indicating that LCO 3.0.3 does not apply.
When the concentration of boron in the fuel storage pool (including the transfer canal and cask storage area) is less than required, immediate action must be taken to preclude the occurrence of an accident or to mitigate the consequences of an accident in progress.
This is most efficiently achieved by immediately suspending the movement of fuel assemblies. Action is also initiated to restore the concentration of boron simultaneously with suspending movement of fuel assemblies.
If the LCO is not met while moving irradiated fuel assemblies in MODE 5 or 6, LCO 3.0.3 would not be applicable. If moving irradiated fuel assemblies while in MODE 1, 2, 3, or 4, the fuel movement is independent of reactor operation. Therefore, inability to suspend movement of fuel assemblies is not sufficient reason to require a reactor shutdown.
SURVEILLANCE SR 3.7.17.1 REQUIREMENTS
The boron concentration in the spent fuel cask storage area water must be verified to be within limit within four hours prior to entering the Applicability of the LCO. For loading operations, this means within four hours of loading the first fuel assembly into the cask.
For unloading operations, this means verifying the concentration of the borated water source to be used to re-flood the spent fuel cask within four hours of commencing re-flooding operations. This ensures that when the LCO is applicable (upon introducing water into the spent fuel cask), the LCO will be met.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
When both the transfer canal gate and the cask storage area gate are open, the boron concentration measurement may be performed by sampling in accordance with SR 3.7.14.1. When at least one gate is closed, the sample is to be taken in the cask storage area.
ESF Room Coolers B 3.7.19 Farley Units 1 and 2 B 3.7.19-1 Revision 43 B 3.7 PLANT SYSTEMS
B 3.7.19 Engineered Safety Feature (ESF) Room Coolers
BASES BACKGROUND Room cooling for Technical Specifications (TS) ESF equipment is provided by the ESF Room Coolers. The Room Coolers are divided into subsystems and each subsystem has two 100 %
capacity trains. The ESF Room Cooler subsystems are:
Motor Driven Auxiliary Feedwater (MDAFW) Pump Rooms Charging Pump Rooms Containment Spray (CS) Pump Rooms Residual Heat Removal (RHR) Pump Rooms Component Cooling Water (CCW) Pumps Room
Auxiliary Building DC Switchgear / Battery Charger Rooms Load Control Center (LCC) Rooms (LCC D and E Rooms)
The ESF Room Coolers are considered support equipment for ESF equipment in these rooms with the exception of the CCW Pumps Room (see discussion under Applicable Safety Analysis).
Each ESF Room Cooler subsystem consists of two 100 %
capacity trains which include cooling coils, electric fans, piping, manual valves, and instrumentation. The ESF Room Coolers provide cooling to ESF equipment rooms during accident, and post accident conditions. The ESF Room Coolers supplement the normal Heating / Ventilation and Air Conditioning (HVAC) system in cooling certain rooms during normal operations. The Service Water system supplies water to the cooling coils for ESF Room
Coolers.
The ESF Room Coolers are designed to maintain the ambient air temperature within the continuous-duty rating of the ESF equipment served by the system. Each equipment room is cooled by a fan cooler that is powered from the same ESF train as that associated with the equipment in the room. Thus, a power failure or other single failure to one cooling system train will not prevent the cooling of redundant ESF equipment in the other train.
In addition to a manual start / run capability, automatic cooling of ESF equipment rooms is initiated by two possible signals: high room temperature or an equipment running signal, depending on the Room Cooler.
The ESF Room Coolers are seismic category I and remain operational during and after a safe shutdown earthquake.
ESF Room Coolers B 3.7.19 (continued)
Farley Units 1 and 2 B 3.7.19-2 Revision 43 BASES APPLICABLE The design basis of the ESF Room Coolers is to maintain air SAFETY ANALYSES temperatures as require d in rooms containing safety-related equipment during and after a design basis loss of coolant accident (LOCA) with a loss of offsite power.
The ESF Room Coolers are required to start when the associated equipment is running or based on the temperature of the associated equipment room. Each Room Cooler Fan can also be placed in Run mode locally. With the Room Cooler in the Run mode, the automatic starting functions are being met and the Room Cooler is considered OPERABLE. The system is designed to perform its function with a single failure of any active component, assuming the loss of offsite power. One train of an ESF Room Cooler subsystem provides 100 %
of the required cooling for the associated ESF equipment.
Analyses were performed to determine how room temperature was affected during a design basis accident (DBA) event. The DBA heat
loads and service water temperature were used and the resulting room temperatures were compared against the continuous-duty rating of the ESF TS equipment in the rooms. The analyses showed that the Room Cooler arrangement at FNP is effective in mitigating the consequences of a DBA.
This TS requires ESF Room Coolers to be OPERABLE when associated ESF equipment is required to be OPERABLE. With the condition of one required ESF Room Cooler subsystem train inoperable, the required action is to restore the Room Cooler to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. If the Room Cooler cannot be restored to OPERABLE status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> or if two trains of an ESF Room Cooler subsystem are inoperable, the actions will require the plant to be placed in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and Mode 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.
The major maintenance activities that require a significant amount of time are repair or replacement of the fan motor or cooling coils.
This is based on the time required to access the Room Cooler motor, remove the motor from the cooler housing, order and receive replacement parts, repair the motor, install the motor back in the cooler housing, and test the cooler. Access to these Room Coolers is limited and requires significant rigging to remove and install the housing and motor. Similarly, repair or replacement of the cooler coil is also limited by available space and rigging requirements. Based on the history of maintenance activities that have been required on the plant Room Coolers, a Completion Time of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is reasonable and allows maintenance activities to be
completed without requiring unnecessary plant transients.
ESF Room Coolers B 3.7.19 (continued)
Farley Units 1 and 2 B 3.7.19-3 Revision 43 BASES APPLICABLE MDAFW, Charging, CS and RHR Pump Rooms Subsystems SAFETY ANALYSES (continued) In accordance with TS, when both trains of these ESF pumps are required to be OPERABLE, a single train of each ESF pump system is allowed to be out of service for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> before shutdown actions are required. This Completion Time is consistent with the Completion Time in this TS for ESF Room Coolers and will allow sufficient time for maintenance or repair activities to be completed without requiring unnecessary plant transients. In the event of a design basis accident during the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time, the opposite non-affected train ESF Pump and Room Cooler are available to support the ESF equipment for mitigation of the accident.
CCW Pumps Room Subsystem Calculations show that with the safety-related Room Coolers out of service under accident conditions, temperature of the CCW pumps room will not exceed the continuous-duty rating of the ESF TS equipment in the room. Thus the associated safety-related Room Coolers are not considered support equipment for the ESF TS equipment in this room and as such, are not required for the ESF TS equipment in the room to remain OPERABLE. Therefore, other than for pressure boundary integrity, the safety-related Room Coolers for the CCW Pumps Room are not considered a required ESF Room Cooler subsystem.
Auxiliary Building DC Switchgear / Battery Charger Rooms Subsystem FNP has three Room Coolers and three battery chargers servicing two trains of Auxiliary Building DC Switchgear / Battery Charger.
Analysis has determined that aligning the swing battery charger and Room Cooler power supply, cooling water supply and fan discharge (by opening the room door), to the switchgear train room with an inoperable Room Cooler will provide adequate cooling to the switchgear / battery charger room. In the event that a connecting door is opened to align the fan discharge into the affected switchgear train room, plant procedures ensure that the door is secured in the open position and periodically verified. During the times when two trains of Auxiliary Building DC Switchgear / Battery Charger are required, only two of three Room Coolers are required with one Room Cooler aligned to each train room. This 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time allows sufficient time for maintenance activities to be completed without requiring unnecessary plant transients. In the event of a design basis accident during the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time, the opposite non-affected train Auxiliary Building DC Switchgear /
ESF Room Coolers B 3.7.19 (continued)
Farley Units 1 and 2 B 3.7.19-4 Revision 43 BASES APPLICABLE Battery Charger and Room Cooler are available to support the SAFETY ANALYSES ESF equipment to mitigate the accident. (continued)
Load Control Center (LCC) Rooms (LCC D and E) Subsystem FNP has one Room Cooler servicing each LCC room. Analysis has determined that each Room Cooler will provide adequate cooling to the given LCC room.
This 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time allows sufficient time for maintenance activities to be completed without requiring unnecessary plant transients. In the event of a design basis accident during the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time, the opposite non-affected train LCC and Room Cooler are available to support the
ESF equipment to mitigate the accident.
The ESF Room Coolers satisfy Criterion 4 of 10 CFR
50.36(c)(2)(ii).
LCO ESF Room Coolers are required to be OPERABLE to ensure that the system functions to remove heat from the ESF equipment rooms during and after an accident assuming the worst case single failure occurs coincident with the loss of offsite power.
An ESF Room Cooler train is considered OPERABLE when the cooling coils, electrical fans, piping, manual valves, instrumentation, and cooling water supply required to perform the safety-related
function is OPERABLE.
APPLICABILITY The ESF Room Coolers must be OPERABLE to provide a safety-related cooling function consistent with the OPERABILITY requirements of the ESF equipment they support.
ACTIONS The actions table is modified by a Note indicating that separate Condition entry is allowed for each ESF Room Cooler subsystem.
This is acceptable since each ESF Room Cooler subsystem supports a separate ESF system. Having separate condition entry is consistent with the TS governing the associated ESF equipment, which allows concurrent inoperabilities of the separate ESF systems.
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-1 Revision 11 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.1 AC Sources-Operating
BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power
sources, normal and alternate), and the onsite standby power sources (Train A and Train B diesel generators (DGs)). As required by
10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC
electrical power system provides independence and redundancy to
ensure an available source of power to the Engineered Safety Feature (ESF) systems.
The onsite Class 1E AC Distribution System is divided into redundant load groups (trains) so that the loss of any one group does not
prevent the minimum safety functions from being performed. Each
train has connections to two preferred offsite power sources and a
single DG set. DG set A consists of the 1-2A and 1C DGs. DG set B
consists of the 1B DG (Unit 1) and the 2B DG (Unit 2).
Offsite power is supplied to the 230 kV and 500 kV switchyard(s) from the transmission network by six transmission lines. From the 230 kV switchyard, two electrically and physi cally separated circuits provide AC power, through startup auxiliary transformers, to the 4.16 kV ESF
buses. A detailed description of the offsite power network and the
circuits to the Class 1E ESF buses is found in the FSAR, Chapter 8 (Ref. 2).
An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power
from the offsite transmission network to the onsite Class 1E ESF
bus(es).
In addition to providing a pre-determined sequence of loading the
DGs, the train A and train B automatic load sequencers also function
to actuate the required ESF loads on the offsite circuits. When offsite
power is available, the automatic load sequencers function to
simultaneously start the required ESF loads upon receipt of an SI
actuation signal.
The onsite standby power source is provided from 4 DGs (1-2A, 1B, 2B, and 1C). The DGs are of two different sizes. The 1B, 2B, and (continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-2 Revision 0 BASES BACKGROUND 1-2A DGs are rated at 4075 kW and the 1C DG is rated at 2850 kW.
(continued) DG 1-2A and 1-C are assigned to the redundant load group train A.
The train A load group is supplied from 4160V emergency Buses, F, H, and K. The 4160V H bus does not supply any design basis
required loads by itself but is required to support the operation of DG
1C to supply the emergency Buses F and K which in turn supply
design basis required loads. DGs 1B and 2B are assigned to the
redundant load group train B. The train B load group is supplied from
4160V emergency Buses G, J, and L. The 4160V bus J does not
supply any design basis required loads and is only required for the
response to a station blackout which is not a design basis accident.
DGs 1B and 2B are dedicated to train B of Unit 1 and Unit 2, respectively, and each DG comprises a required DG set for its
associated unit. DGs 1-2A and 1C are dedicated to train A but are
shared between both units and together comprise a required DG set
for both units. However, there are no design basis events in which
DG 1-2A or 1C are required to supply power to the safety loads of
both units simultaneously. In all events, DG 1-2A and 1C are
assigned to only one of the two units depending on the event.
The 4.16 kV emergency busses required to supply equipment essential for safe shutdown of the plant at F, G, H, J, K, and L for
each unit. These are supplied by two startup transformers on each
unit connected to the offsite source during normal and emergency
operating conditions. In the event one startup transformer on a unit
fails, three of the emergency busses on that unit will be de-energized
with their loss annunciated in the Main Control Room. The respective
busses Diesel Generators will start and LOSP loads will be
sequenced on to those busses. In the event Diesels fail, manual
action will be required to re-energize the affected busses from the
other startup transformer for that unit.
A DG starts automatically on a safety injection (SI) signal (i.e., low pressurizer pressure or high containment pressure signals) or on an
ESF bus degraded voltage or undervoltage signal (refer to LCO 3.3.5, "Loss of Power (LOP) Diesel Generator (DG) Start Instrumentation").
After the DG has started, it will automatically tie to its respective bus
after offsite power is tripped as a consequence of ESF bus
undervoltage or degraded voltage, independent of or coincident with
an SI signal. The DGs will also start and operate in the standby mode
without tying to the ESF bus on an SI signal alone. Following the trip
of offsite power, a sequencer strips nonpermanent loads from the ESF
(continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-3 Revision 49 BASES BACKGROUND bus. When the DG is tied to the ESF bus, loads are then sequentially (continued) connected to its respective ESF bus by the automatic load sequencer.
The sequencing logic controls the permissive and starting signals to
motor breakers to prevent overloading the DG by automatic load
application.
In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for
safe reactor shutdown and to mitigate the consequences of a Design
Basis Accident (DBA) such as a loss of coolant accident (LOCA).
Certain required unit loads are returned to service in a predetermined sequence in order to prevent overloading the DG in the process. Within 1 minute after the initiating signal is received, all loads needed to recover
the unit or maintain it in a safe condition are returned to service.
Ratings for Train A and Train B DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). The continuous service rating of each
DG is 2850 kW for DG 1C and 4075 kW for DGs 1-2A, 1B, and 2B.
DG 1C has a 2000 hour0.0231 days <br />0.556 hours <br />0.00331 weeks <br />7.61e-4 months <br /> rating of 3100 kW and overload permissible
up to 3250 kW for 300 hours0.00347 days <br />0.0833 hours <br />4.960317e-4 weeks <br />1.1415e-4 months <br /> per year. DGs 1-2A, 1B, and 2B have a
2000 hour0.0231 days <br />0.556 hours <br />0.00331 weeks <br />7.61e-4 months <br /> rating of 4353 kW and overload permissible up to 4474 kW
for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> in any 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period with a maximum of 300 hours0.00347 days <br />0.0833 hours <br />4.960317e-4 weeks <br />1.1415e-4 months <br />
cumulative per year. The ESF loads that are powered from the
4.16 kV ESF buses are listed in Reference 2.
Each diesel generator (DG) is connected to a shared fuel oil storage and transfer system. The shared fuel oil storage system consists of five underground storage tanks interconnected with piping, valves and redundant capacity fuel transfer pumps. This configuration allows for pumping diesel fuel oil from any DG fuel oil storage tank to any DG day tank or to any other DG fuel oil storage tank. The deliverable capacity of four tanks is sufficient to operate the required DGs for a period of 7 days while the DGs are supplying maximum single train, post loss of coolant accident load demands discussed in the FSAR.
The diversity and defense in depth of the fuel oil transfer system ensures that even with one DG fuel oil transfer pump out of service on a single DG fuel oil storage tank, the capability still exists to maintain the DG Day Tank using multiple fuel transfer pumps. Therefore, one fuel transfer pump can be out of service on any given DG and the DG is still capable of meeting its design function.
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-4 Revision 49 BASES APPLICABLE The initial conditions of DBA and transient analyses in the SAFETY ANALYSES FSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are
designed to provide sufficient capacity, capability, redundancy, and
reliability to ensure the availability of necessary power to ESF
systems so that the fuel, Reactor Coolant System (RCS), and
containment design limits are not exceeded. These limits are
discussed in more detail in the Bases for Section 3.2, Power
Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and
Section 3.6, Containment Systems.
The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the Accident analyses and is based
upon meeting the design basis of the unit. This results in maintaining
at least one train of the onsite or offsite AC sources OPERABLE
during Accident conditions in the event of:
- a. An assumed loss of all offsite power or all onsite AC power; and
- b. A worst case single failure.
The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Two qualified circuits (i.e., consistent with the requirements of GDC 17) consisting of two physically independent transmission lines
from the offsite transmission network to the switchyard and two
independent circuits between the switchyard and the onsite Class 1E
Electrical Power System along with separate and independent DG
sets for each train ensure availability of the required power to shut
down the reactor and maintain it in a safe shutdown condition after an
anticipated operational occurrence (AOO) or a postulated DBA.
Qualified offsite circuits are those that are described in the FSAR and are part of the licensing basis for the unit.
In addition, one automatic load sequencer per train must be OPERABLE (B1F, B2F, B1G, and B2G).
Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while
connected to the ESF buses.
(continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-5 Revision 49 BASES LCO Two physically independent circuits between the transmission network (continued) and the onsite system may consist of any combination that includes two of the six transmission lines normally supplying the 230 and 500 kV
switchyards and both independent circuits from the 230 kV switchyard to
the Class 1E buses via Startup Auxiliary Transformers 1A (2A) and 1B
(2B). The two of six combination of transmission lines may be shared
between Unit 1 and 2. If either of the transmission lines are 500 kV, one
500/230 kV Autotransformer connecting the 500 and 230 kV switchyards
is available. If both of the transmission lines are 500 kV, both 500/230 kV
Autotransformers connecting the 500 and 230 kV switchyards are
available. Any combination of 500 and 230 kV circuit breakers required to
complete the independent circuits is permissible.
Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESF bus on detection of bus
undervoltage. This will be accomplished within 12 seconds. Each DG
must also be capable of accepting required loads within the assumed
loading sequence intervals, and continue to operate until offsite power
can be restored to the ESF buses. For DG 1C this capability requires
the support of the 4160 V H bus to enable DG 1C to supply the
4160 V buses F and K. These capabilities are required to be met
from a variety of initial conditions such as DG in standby with the
engine hot and DG in standby with the engine at ambient conditions.
Additional DG capabilities must be demonstrated to meet required
Surveillance, e.g., capability of the DG to revert to standby status on
an ECCS signal while operating in parallel test mode.
Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.
The AC sources in one train must be separate and independent (to the extent possible) of the AC sources in the other train. For the DGs, separation and independence are complete.
For the offsite AC sources, separation and independence are to the extent practical. All ESF buses, with two power sources available, have their supply breakers interlocked such that the buses can
receive power from only one source at a time.
APPLICABILITY The AC sources and sequencers are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:
(continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-6 Revision 49 BASES APPLICABILITY a. Acceptable fuel design limits and reactor coolant pressure (continued) boundary limits are not exceeded as a result of AOOs or abnormal transients; and
- b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the
event of a postulated DBA.
The AC power requirements for MODES 5 and 6 are covered in LCO 3.8.2, "AC Sources-Shutdown."
ACTIONS A Note prohibits the application of LCO 3.0.4b to an inoperable DG.
There is an increased risk associated with entering a MODE or other
specified condition in the Applicability with an inoperable DG and the
provisions of LCO 3.0.4b, which allow entry into a MODE or other
specified condition in the Applicability with the LCO not met after
performance of a risk assessment addressing inoperable systems and
components, should not be applied in this circumstance.
A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the OPERABILITY of the
remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met.
However, if a second required circuit fails SR 3.8.1.1, the second
offsite circuit is inoperable, and Condition C, for two offsite circuits
inoperable, is entered.
A.2 Required Action A.2, which only applies if the train cannot be powered from an offsite source, is intended to provide assurance that an event
coincident with a single failure of the associated DG will not result in a
complete loss of safety function of critical redundant required
features. These features are powered from the redundant AC
electrical power train. The redundant required features referred to in
this Required Action include the motor driven auxiliary feedwater
pump as well as the turbine driv en auxiliary feedwater pump. One motor driven auxiliary feedwater pum p does not provide 100% of the auxiliary feedwater flow assumed in the safety analyses. Therefore, in order to ensure the auxiliary feedwater safety function, the turbine (continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-7 Revision 49 BASES ACTIONS A.2 (continued)
driven auxiliary feedwater pump must be considered a redundant required feature addressed by this Required Action.
The Completion Time for Required Action A.2 is intended to allow the operator time to evaluate and repair any discovered inoperabilities.
This Completion Time also allows for an exception to the normal "time
zero" for beginning the allowed outage time "clock." In this Required
Action, the Completion Time only begins on discovery that both:
- a. The train has no offsite power supplying it loads; and
- b. A required feature on the other train is inoperable.
If at any time during the existence of Condition A (one offsite circuit inoperable) a redundant required feature subsequently becomes
inoperable, this Completion Time begins to be tracked.
Discovering no offsite power to one train of the onsite Class 1E Electrical Power Distribution System coincident with one or more
inoperable required support or supported features, or both, that are
associated with the other train that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for
restoration before subjecting the unit to transients associated with
shutdown.
The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to Train A and Train B of the onsite Class 1E
Distribution System. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account
the component OPERABILITY of the redundant counterpart to the
inoperable required feature. Additionally, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion
Time takes into account the capacity and capability of the remaining
AC sources, a reasonable time for repairs, and the low probability of a
DBA occurring during this period.
A.3 According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. With one
offsite circuit inoperable, the reliability of the offsite system is
degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In (continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-9 Revision 49 BASES ACTIONS B.1 (continued)
To ensure a highly reliable power source remains with an inoperable DG set, it is necessary to verify the availability of the offsite circuits on
a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in
a Required Action being not met. However, if a circuit fails to pass
SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.
B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG set is inoperable, does not
result in a complete loss of safety function of critical systems. These
features are designed with redundant safety related trains. The
redundant required features referred to in this Required Action include
the motor driven auxiliary feedwater pump as well as the turbine
driven auxiliary feedwater pump.
One motor driven auxiliary feedwater pump does not provide 100% of the auxiliary feedwater
flow assumed in the safety analyses. Therefore, in order to ensure
the auxiliary feedwater safety func tion, the turbine driven auxiliary feedwater pump must be considered a redundant required feature
addressed by this Required Action. Redundant required feature
failures consist of inoperable features associated with a train, redundant to the train that has an inoperable DG set.
The Completion Time for Required Action B.2 is intended to allow the
operator time to evaluate and repair any discovered inoperabilities.
This Completion Time also allows for an exception to the normal "time
zero" for beginning the allowed outage time "clock." In this Required
Action, the Completion Time only begins on discovery that both:
- a. An inoperable DG set exists; and
- b. A required feature on the other train (Train A or Train B) is inoperable.
If at any time during the existence of this Condition (one DG set
inoperable) a required feature subsequently becomes inoperable, this
Completion Time would begin to be tracked.
Discovering one required DG set inoperable coincident with one or
more inoperable required support or supported features, or both, that (continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-10 Revision 49 BASES ACTIONS B.2 (continued)
are associated with the OPERABLE DG set, results in starting the Completion Time for the Required Action. Four hours from the
discovery of these events existing concurrently is Acceptable because
it minimizes risk while allowing time for restoration before subjecting
the unit to transients associated with shutdown.
In this Condition, the remaining OPERABLE DG set and offsite
circuits are adequate to supply electrical power to the onsite Class 1E
Distribution System. Thus, on a component basis, single failure
protection for the required feature's function may have been lost;
however, function has not been lost. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time
takes into account the OPERABILITY of the redundant counterpart to
the inoperable required feature. Additionally, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining
AC sources, a reasonable time for repairs, and the low probability of a
DBA occurring during this period.
B.3.1 and B.3.2
Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DG(s). If it can be determined that the cause of
the inoperable DG set does not exist on the OPERABLE DG set, SR 3.8.1.6 does not have to be performed. If the cause of
inoperability exists on other DG(s), the other DG set would be
declared inoperable upon discovery and Condition E of LCO 3.8.1
would be entered. Once the failure is repaired, the common cause
failure no longer exists, and Required Action B.3.1 is satisfied. If the
cause of the initial inoperable DG set cannot be confirmed not to exist
on the remaining DG set, performance of SR 3.8.1.6 suffices to
provide assurance of continued OPERABILITY of that DG set.
In the event the inoperable DG set is restored to OPERABLE status
prior to completing either B.3.1 or B.3.2, the plant corrective action
program will continue to evaluate the common cause possibility. This
continued evaluation, however, is no longer under the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
constraint imposed while in Condition B.
According to Generic Letter 84-15 (Ref. 7), 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is reasonable to
confirm that the OPERABLE DG set is not affected by the same
problem as the inoperable DG set.
(continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-12 Revision 49 BASES ACTIONS C.1 and C.2 (continued)
circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE. When a concurrent redundant required
feature failure exists, this assumption is not the case, and a shorter
Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate. These features are
powered from redundant AC safety trains. The redundant required
features referred to in this Required Action include the motor driven
auxiliary feedwater pump as well as the turbine driven auxiliary
feedwater pump. One motor dr iven auxiliary feedwater pump does not provide 100% of the auxiliary feedwater flow assumed in the
safety analyses. Therefore, in order to ensure the auxiliary feedwater safety function, the turbine driven auxiliary feedwater pump must be considered a redundant required feature addressed by this
Required Action.
The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities.
This Completion Time also allows for an exception to the normal "time
zero" for beginning the allowed outage time "clock." In this Required
Action the Completion Time only begins on discovery that both:
- a. All required offsite circuits are inoperable; and
- b. A required feature is inoperable.
If at any time during the existence of Condition C (two offsite circuits inoperable) a required feature becomes inoperable, this Completion
Time begins to be tracked.
According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This
level of degradation means that the offsite electrical power system
does not have the capability to effect a safe shutdown and to mitigate
the effects of an accident; however, the onsite AC sources have not
been degraded. This level of degradation generally corresponds to a
total loss of the immediately accessible offsite power sources.
Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other
combinations of two AC sources inoperable that involve one or more
DGs inoperable. However, two factors tend to decrease the severity
of this level of degradation:
(continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-13 Revision 0 BASES ACTIONS C.1 and C.2 (continued)
- a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or
switching failure; and
- b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect
and restore an unavailable onsite AC source.
With both of the required offsite circuits inoperable, sufficient onsite
AC sources are available to maintain the unit in a safe shutdown
condition in the event of a DBA or transient. In fact, a simultaneous
loss of offsite AC sources, a LOCA, and a worst case single failure
were postulated as a part of the design basis in the safety analysis.
Thus, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time provides a period of time to effect
restoration of one of the offsite circuits commensurate with the
importance of maintaining an AC electrical power system capable of
meeting its design criteria.
According to Reference 6, with the available offsite AC sources, two
less than required by the LCO, operation may continue for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
If two offsite sources are restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unrestricted
operation may continue. If only one offsite source is restored within
24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, power operation continues in accordance with Condition A.
D.1 and D.2
Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not
be entered even if all AC sources to it were inoperable, resulting in
de-energization. Therefore, the Required Actions of Condition D are
modified by a Note to indicate that when Condition D is entered with
no AC source to any train, the Conditions and Required Actions for LCO 3.8.9, "Distribution Systems-Operating," must be immediately
entered. This allows Condition D to provide requirements for the loss
of one offsite circuit and one DG, without regard to whether a train is
de-energized. LCO 3.8.9 provides the appropriate restrictions for a
de-energized train.
Operation may continue in Condition D for a period that should not
exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
(continued)
AC Sources-Operating B 3.8.1 Farley Units 1 and 2 B 3.8.1-14 Revision 0 BASES ACTIONS D.1 and D.2 (continued)
In Condition D, individual redundancy is lost in both the offsite electrical
power system and the onsite AC electr ical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may
appear higher than that in Condition C (loss of both required offsite
circuits). This difference in reliability is offset by the susceptibility of this
power system configuration to a single bus or switching failure. The
24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the capacity and capability
of the remaining AC sources, a reasonable time for repairs, and the low
probability of a DBA occurring during this period.
E.1 With all or part of Train A DG set and Train B DG set inoperable, the
capacity of the remaining standby AC sources is reduced depending
on which combination of individual DGs is affected. Thus, with an
assumed loss of offsite electrical power, standby AC sources may be
insufficient to power the minimum required ESF functions. Since the
offsite electrical power system is the only source of AC power for this
level of degradation, the risk associated with continued operation for a
very short time could be less than that associated with an immediate
controlled shutdown (the immediate shutdown could cause grid
instability, which could result in a total loss of AC power). Since any
inadvertent generator trip could also result in a total loss of offsite AC
power, however, the time allowed for continued operation is severely
restricted. The intent here is to avoid the risk associated with an
immediate controlled shutdown and to minimize the risk associated
with this level of degradation.
With all or part of each train of DG sets inoperable, operation may
continue for a given unit for different periods of time depending on the
combination of individual DGs that are inoperable. The length of time
allowed increases with decreasing severity in the combinations of
inoperable DGs. One set must be restored to operable status in 2
hours if DGs 1-2A, 1C, and 1B on Unit 1 or DGs 1-2A, 1C, and 2B on
Unit 2 are inoperable. Operability of one set must be restored in 8
hours if DGs 1-2A and 1B on Unit 1 or DGs 1-2A and 2B on Unit 2 are
inoperable. Operability of one set must be restored in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> if DGs
1C and 1B on Unit 1 or DGs 1C and 2B on Unit 2 are inoperable.
(continued)
AC Sources-Shutdown B 3.8.2 Farley Units 1 and 2 B 3.8.2-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.2 AC Sources-Shutdown
BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating."
APPLICABLE The OPERABILITY of the minimum AC sources during MODES 5 SAFETY ANALYSES and 6 and during movement of irradiated fuel assemblies ensures that:
- a. The unit can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.
In general, when the unit is shut down, the Technical Specifications requirements ensure that the unit has the capability to mitigate the
consequences of postulated accidents. However, assuming a single
failure and concurrent loss of all offsite or all onsite power is not
required. The rationale for this is based on the fact that many Design
Basis Accidents (DBAs) that are analyzed in MODES 1, 2, 3, and 4
have no specific analyses in MODES 5 and 6. Worst case bounding
events are deemed not credible in MODES 5 and 6 because the
energy contained within the reactor pressure boundary, reactor
coolant temperature and pressure, and the corresponding stresses
result in the probabilities of occurrence being significantly reduced or
eliminated, and in minimal consequences. These deviations from
DBA analysis assumptions and design requirements during shutdown
conditions are allowed by the LCO for required systems.
During MODES 1, 2, 3, and 4, various deviations from the analysis assumptions and design requirements are allowed within the
Required Actions. This allowance is in recognition that certain testing
(continued)
AC Sources-Shutdown B 3.8.2 Farley Units 1 and 2 B 3.8.2-2 Revision 0 BASES APPLICABLE and maintenance activities must be conducted provided an SAFETY ANALYSES acceptable level of risk is not exceeded. During MODES 5 and 6, (continued) performance of a significant number of required testing and maintenance activities is also required. In MODES 5 and 6, the
activities are generally planned and administratively controlled.
Relaxations from MODE 1, 2, 3, and 4 LCO requirements are
acceptable during shutdown modes based on:
- a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.
- b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on
systems that do not necessarily meet typical design requirements
applied to systems credited in operating MODE analyses, or both.
- c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.
- d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODE 1, 2, 3, and 4 OPERABILITY
requirements) with systems assumed to function during an event.
In the event of an accident during shutdown, this LCO ensures the capability to support systems necessary to avoid immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite diesel
generator (DG) power.
The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.10, "Distribution Systems-
Shutdown," ensures that all required loads are powered from offsite
power. An OPERABLE DG (1-2A, 1C, or 1(2)B), associated with the
distribution system train required to be OPERABLE by LCO 3.8.10, ensures a diverse power source is available to provide electrical
power support, assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and DG ensures the
availability of sufficient AC sources to operate the unit in a safe
manner and to mitigate the consequences of postulated events during
shutdown (e.g., fuel handling accidents).
(continued)
AC Sources-Shutdown B 3.8.2 Farley Units 1 and 2 B 3.8.2-4 Revision 0 BASES APPLICABILITY a. Systems to provide adequate coolant inventory makeup are (continued) available for the irradiated fuel assemblies in the core;
- b. Systems needed to mitigate a fuel handling accident are available;
- c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling
condition.
The AC power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.1.
ACTIONS A.1
An offsite circuit would be considered inoperable if it were not
available to one required ESF train. Although two trains are required
by LCO 3.8.10, the one train with offsite power available may be
capable of supporting sufficient required features to allow continuation
of CORE ALTERATIONS and fuel movement. By the allowance of
the option to declare required features inoperable, with no offsite
power available, appropriate restrictions will be implemented in
accordance with the affected required features LCO's ACTIONS.
A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4
With the offsite circuit not available to all required trains, the option
would still exist to declare all required features inoperable. Since this
option may involve undesired administrative efforts, the allowance for
sufficiently conservative actions is made. With the required DG
inoperable, the minimum required diversity of AC power sources is not
available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving
positive reactivity additions. The Required Action to suspend positive
reactivity additions does not preclude actions to maintain or increase
reactor vessel inventory provided the required SDM is maintained.
(continued)
AC Sources-Shutdown B 3.8.2 Farley Units 1 and 2 B 3.8.2-5 Revision 0 BASES ACTIONS A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued)
Suspension of these activities does not preclude completion of
actions to establish a safe conservative condition. These actions
minimize the probability or the occurrence of postulated events. It is
further required to immediately initiate action to restore the required
AC sources and to continue this action until restoration is
accomplished in order to provide the necessary AC power to the unit safety systems.
The Completion Time of immediately is consistent with the required
times for actions requiring prompt attention. The restoration of the
required AC electrical power sources should be completed as quickly
as possible in order to minimize the time during which the unit safety
systems may be without sufficient power.
Pursuant to LCO 3.0.6, the Distribution System's ACTIONS would not
be entered even if all AC sources to it are inoperable, resulting in
de-energization. Therefore, the Required Actions of Condition A are
modified by a Note to indicate that when Condition A is entered with
no AC power to any required ESF bus, the ACTIONS for LCO 3.8.10
must be immediately entered. This Note allows Condition A to
provide requirements for the loss of the offsite circuit, whether or not a
train is de-energized. LCO 3.8.10 would provide the appropriate
restrictions for the situation involving a de-energized train.
SURVEILLANCE SR 3.8.2.1 REQUIREMENTS
SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for
ensuring the OPERABILITY of the AC sources in other than
MODES 1, 2, 3, and 4. SR 3.8.1.7 is not required to be met since
only one offsite circuit is required to be OPERABLE. SR 3.8.1.3 is not
required to be met because the required OPERABLE DG(s) is not
required to undergo periods of being synchronized to the offsite
circuit. SR 3.8.1.19 is excepted because starting independence is not
required with the DG(s) that is not required to be operable. In
addition, SR 3.8.1.9.C.2, SR 3.8.1.10, SR 3.8.1.15, SR 3.8.1.16, and
SR 3.8.1.17 are not required to be met because the required operable
DG is not required to respond to an SI signal or to have loads
automatically sequenced on the associated ESF bus during MODES 5
and 6.
(continued)
AC Sources-Shutdown B 3.8.2 Farley Units 1 and 2 B 3.8.2-6 Revision 0 BASES SURVEILLANCE SR 3.8.2.1 (continued)
REQUIREMENTS
This SR is modified by a Note. The reason for the Note is to preclude
requiring the OPERABLE DG(s) from being paralleled with the offsite
power network or otherwise rendered inoperable during performance
of SRs, and to preclude deenergizing a required 4160 V ESF bus or
disconnecting a required offsite circuit during performance of SRs.
With limited AC sources available, a single event could compromise
both the required circuit and the DG. It is the intent that these SRs
must still be capable of being met, but actual performance is not
required during periods when the DG and offsite circuit is required to
be OPERABLE. Therefore, if the surveillance were not performed
within the required frequency (plus the extension allowed by SR 3.0.2)
but the DG was required OPERABLE to meet LCO 3.8.2, it would not
constitute a failure of the SR or failure to meet the LCO as described
in Example 1.4-3 in Section 1.4 of these Technical Specifications.
Refer to the corresponding Bases for LCO 3.8.1 for a discussion of
each SR.
REFERENCES None.
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Farley Units 1 and 2 B 3.8.3-1 Revision 17 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air
BASES BACKGROUND Each diesel generator (DG) is connected to a shared fuel oil storage and transfer system. The shared fuel oil storage system consists of 5 underground storage tanks interconnected with piping, valves and redundant capacity fuel transfer pumps. This configuration allows for pumping diesel fuel to the DG day tanks or from any storage tank to any other storage tank. The deliverable capacity of 4 tanks is sufficient to operate the required DGs for a period of 7 days while the DGs are
supplying maximum post loss of coolant accident load demand
discussed in the FSAR, Section 8.3.1.1.7 (Ref. 1). The maximum load
demand is calculated using the assumption that a minimum of any two
DGs are available. This onsite fuel oil capacity is sufficient to operate
the DGs for longer than the time to replenish the onsite supply from
outside sources.
Fuel oil is transferred from a storage tank by either of two transfer pumps associated with each storage tank. The automatically controlled transfer pump, normally aligned to it s DG day tank, is powered from a MCC supplied by the associated diesel, while the manually operated pump is powered from a MCC associated with another diesel. With the exception of transfer pumps for the tank associated with the station blackout diesel (2C), the pumps are powered from opposite trains. The opposite train power supplies ensure fuel in the associated storage tank can be transferred considering a design basis single failure. The transfer pumps for the station blackout diesel storage tank are supplied by train B power only. The automatic transfer pump can be fed from buses supplied by either DG 1B or 2B (in addition to DG 2C) and the manual transfer pump is fed from buses supplied by DG 2B. Therefore, the 2C fuel oil storage tank and associated transfer pumps may be available during design basis events to be used and credited as a manual supply to either B train design basis diesel (1B or 2B) when all applicable Technical Specification requirements are met. Operator actions are required to transfer fuel between storage tanks and day tank using the manually operated fuel transfer pumps.
(continued)
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Farley Units 1 and 2 B 3.8.3-2 Revision 48 BASES BACKGROUND The usable fuel in a storage tank is the amount above the transfer (continued) pump suction nozzles that is available for transfer from a storage tank to a day tank. The amount of usable fuel is determined by correlating
control room percent level indication to the applicable tank curve.
Redundancy of pumps and piping precludes the failure of one pump, or
the rupture of any day tank transfer pipe, valve or day tank to result in
the loss of more than one DG. All outside tanks, pumps, and piping are
located underground.
For proper operation of the standby DGs, it is necessary to ensure the
proper quality of the fuel oil. ASTM-D4057-06 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ASTM-D975-07 (Ref. 3). The fuel oil properties governed by these SRs are the water
and sediment content, the kinematic viscosity, and specific gravity (or
API gravity).
The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading
conditions. The system is required to circulate the lube oil to the diesel
engine working surfaces and to remove excess heat generated by
friction during operation. The onsite storage in addition to the engine oil
sump is sufficient to ensure 7 days of continuous operation. This
supply is sufficient to allow the operator to replenish lube oil from
outside sources.
Each DG has an air start system with adequate capacity for five successive start attempts on the DG without recharging the air start
receiver(s). Each air start system consists of redundant air receivers.
Each receiver has sufficient capacity to perform the required number of
DG starts.
APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 4), and in
the FSAR, Chapter 15 (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide
sufficient capacity, capability, redundancy, and reliability to ensure the
availability of necessary power to ESF systems so that fuel, Reactor
Coolant System and containment design limits are not exceeded.
These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);
and Section 3.6, Containment Systems.
(continued)
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Farley Units 1 and 2 B 3.8.3-3 Revision 17 BASES APPLICABLE SAFETY Since diesel fuel oil, lube oil, and the air start subsystem support the
ANALYSES operation of the standby AC power sources, they satisfy Criterion 3 of (continued) 10 CFR 50.36(c)(2)(ii).
LCO Stored diesel fuel oil is required to have sufficient useable supply for 7 days operation of the required DGs supplying the required loads. It is
also required to meet specific standards for quality. Additionally, sufficient lubricating oil supply must be available to ensure the
capability to operate at full load for 7 days. This requirement, in
conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to
maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel
requirements, as well as transfer capability from the storage tank to the
day tank, are addressed in LCO 3.8.1, "AC Sources - Operating," and
LCO 3.8.2, "AC Sources - Shutdown."
The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers.
A single air receiver on each DG is sufficient to meet this operability
requirement.
APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain
it in a safe shutdown condition after an AOO or a postulated DBA.
Since stored diesel fuel oil, lube oil, and the starting air subsystem
support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and
starting air are required to be within limits when the associated DG is
required to be OPERABLE.
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Farley Units 1 and 2 B 3.8.3-4 Revision 17 BASES ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the
Required Actions for each Condition provide appropriate compensatory
actions for each inoperable DG subsystem. Complying with the
Required Actions for one inoperable DG subsystem may allow for
continued operation, and subsequent inoperable DG subsystem(s) are
governed by separate Condition entry and application of associated
Required Actions.
A.1 In this Condition, the 7 day fuel oil supply for the required DG(s) is not available. However, the Condition is restricted to fuel oil level
reductions that maintain at least a 6 day supply. These circumstances
may be caused by events, such as full load operation required after an
inadvertent start while at minimum required level, or feed and bleed
operations, which may be necessitated by increasing particulate levels
or any number of other oil quality degradations. This restriction allows
sufficient time for obtaining the requisite replacement volume and
performing the analyses required prior to addition of fuel oil to the tank.
A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of
the required level prior to declaring the DG inoperable. This period is
acceptable based on the remaining capacity (> 6 days), the fact that
procedures will be initiated to obtain replenishment, and the low
probability of an event during this brief period.
B.1 With lube oil inventory < 238 gallons for a large DG or < 167 gallons for a small DG, sufficient lubricating oil to support 7 days of continuous DG
operation at full load conditions may not be available. However, the
Condition is restricted to lube oil volume reductions that maintain at
least a 6 day supply (204 gallons for a large DG and 143 gallons for a
small DG). This restriction allows sufficient time to obtain the requisite
replacement volume. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to
complete restoration of the required volume prior to declaring the DG
inoperable. This period is acceptable based on the remaining capacity
(> 6 days), the low rate of usage, the fact that procedures will be
initiated to obtain replenishment, and the low probability of an event
during this brief period.
(continued)
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Farley Units 1 and 2 B 3.8.3-5 Revision 17 BASES ACTIONS C.1 (continued)
This Condition is entered as a result of a failure to meet the acceptance criterion of SR 3.8.3.3. Normally, trending of particulate levels allows
sufficient time to correct high particulate levels prior to reaching the limit
of acceptability. Poor sample procedures (bottom sampling),
contaminated sampling equipment, and errors in laboratory analysis
can produce failures that do not follow a trend. Since the presence of
particulates does not mean failure of the fuel oil to burn properly in the
diesel engine, and particulate concentration is unlikely to change
significantly between Surveillance Frequency intervals, and proper
engine performance has been recently demonstrated (within 31 days), it
is prudent to allow a brief period prior to declaring the associated DG
inoperable. The 7 day Completion Time allows for further evaluation, resampling and re-analysis of the DG fuel oil.
D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the
stored fuel oil properties. This period provides sufficient time to test the
stored fuel oil to determine that the new fuel oil, when mixed with
previously stored fuel oil, remains acceptable, or to restore the stored
fuel oil properties. This restoration may involve feed and bleed
procedures, filtering, or combinations of these procedures. Even if a
DG start and load was required during this time interval and the fuel oil
properties were outside limits, there is a high likelihood that the DG
would still be capable of performing its intended function.
E.1 With both starting air receiver pressures on a DG < 350 psig for the 4075 kW DGs or < 200 psig for DG 1C, sufficient capacity for five
successive DG start attempts does not exist. However, as long as at
least one receiver pressure per DG is > 150 psig for the 4075 kW DGs
or 90 psig for DG 1C, there is adequate capacity for at least one start
attempt, and the DG can be considered OPERABLE while the air
(continued)
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)
Farley Units 1 and 2 B 3.8.3-6 Revision 52 BASES ACTIONS E.1 (continued)
receiver pressure is restored to the required limit. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration to the required pressure
prior to declaring the DG inoperable. This period is acceptable based
on the remaining air start capacity, the fact that most DG starts are
accomplished on the first attempt, and the low probability of an event
during this brief period.
F.1 With a Required Action and associated Completion Time not met, or one or more DG's fuel oil, lube oil, or starting air subsystem not within
limits for reasons other than addressed by Conditions A through D, the
associated DG may be incapable of performing its intended function
and must be immediately declared inoperable.
SURVEILLANCE SR 3.8.3.1 REQUIREMENTS
This SR provides verification that there is an adequate inventory of useable fuel oil in the shared storage tanks (25,000 gallons each) to
support the operation of the required DG(s) for 7 days at full load. The
7 day period is sufficient time to place the unit in a safe shutdown
condition and to bring in replenishment fuel from an offsite location.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The inventory
may consist of a combination of lube oil in storage and the useable sump volume above the manufacturer recommended minimum sump level or a total volume of lube oil in storage that is in addition to the lube
oil normally maintained in each DG sump. The 238 gal requirement for
the 4075 kW DGs and the 167 gal requirement for DG 1C are based on
the DG manufacturer consumption values for 7 days of operation at full
rated load. Implicit in this SR is the requirement to verify the capability
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 (continued)
Farley Units 1 and 2 B 3.8.3-7 Revision 52 BASES SURVEILLANCE SR 3.8.3.2 (continued)
REQUIREMENTS
to transfer the lube oil from its storage location to the DG, when the DG lube oil sump does not hold adequate inventory for 7 days of full load
operation without the level reaching the manufacturer recommended
minimum level.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.8.3.3 The tests listed below are a means of determining whether new fuel oil
is of the appropriate grade and has not been contaminated with
substances that would have an immediate, detrimental impact on diesel
engine combustion. If results from these tests are within acceptable
limits, the fuel oil may be added to the storage tanks without concern for
contaminating the entire volume of fuel oil in the storage tanks. These
tests are to be conducted prior to adding the new fuel to the storage
tank(s), but in no case is the time between receipt of new fuel and
conducting the tests to exceed 31 days. The tests, limits, and
applicable ASTM Standards are as follows:
- a. Sample the new fuel oil in accordance with ASTM D4057-06 (Ref. 2)
- b. Verify in accordance with the tests specified in ASTM D975-07 (Ref.
- 3) that the sample has an absolute specific gravity at 60/60°F of 0.83 and 0.89 or an API gravity at 60°F of 27° and 39° when tested in accordance with ASTM D1298-99 (Ref. 6), a kinematic
viscosity at 40°C of 1.9 centistokes and 4.1 centistokes, and a flash point of 125°F; and
- c. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176-04 (Ref.
- 7) or a water and sediment content within limits when tested in
accordance with ASTM D2709-96 (Ref. 8)
Failure to meet any of the above limits is cause for rejecting the new
fuel oil, but does not represent a failure to meet the LCO concern since
the fuel oil is not added to the storage tanks.
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Farley Units 1 and 2 B 3.8.3-8 Revision 58 BASES SURVEILLANCE SR 3.8.3.3 (continued)
REQUIREMENTS Within 31 days following the initial new fuel oil sample, the fuel oil is
analyzed to establish that the other properties specified in Table 1 of
ASTM D975-07 are met for new fuel oil when tested in accordance with
ASTM D975-07, except that the analysis for sulfur may be performed in
accordance with ASTM D1552-07 (Ref. 9), ASTM D2622-07 (Ref. 10),
or ASTM D4294-03 (Ref. 11). The 31 day period is acceptable because
the fuel oil properties of interest, even if they were not within stated
limits, would not have an immediate effect on DG operation. This
Surveillance ensures the availability of high quality fuel oil for the DGs.
Fuel oil degradation during long term storage shows up as an increase
in particulate, due mostly to oxidation. The presence of particulate does
not mean the fuel oil will not burn properly in a diesel engine. The
particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.
Particulate concentrations should be determined in accordance with
ASTM D6217-98 (Ref. 12). This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a
limit of 10mg/l. It is acceptable to obtain a field sample for subsequent
laboratory testing in lieu of field testing. Each tank must be considered
and tested separately.
The Frequency of this test takes into consideration fuel oil degradation
trends that indicate that total particulate concentration is unlikely to
change significantly between Frequency intervals.
This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available. A single air
receiver per DG has the capacity to meet the starting requirements.
Therefore, only one receiver must be verified within the pressure limit
per DG. The system design requirements provide for a minimum of five
engine start cycles without recharging. A start cycle is defined by the
DG vendor, but usually is measured in terms of time (seconds of
cranking) or engine cranking speed. The pressure specified in this SR
is intended to reflect the lowest value at which the five starts can be
accomplished.
(continued)
Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 Farley Units 1 and 2 B 3.8.3-9 Revision 58 BASES SURVEILLANCE SR 3.8.3.4 (continued)
REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance
Frequency Control Program.
REFERENCES 1. FSAR, Section 8.3.1.1.7.
- 2. ASTM-D4057-06.
- 3. ASTM-D975-07.
- 4. FSAR, Chapter 6.
- 5. FSAR, Chapter 15.
- 6. ASTM D1298-99.
- 7. ASTM D4176-04.
- 8. ASTM D2709-96.
- 9. ASTM D1552-07.
- 10. ASTM D2622-07.
- 11. ASTM D4294-03.
- 12. ASTM D6217-98.
DC Sources-Operating B 3.8.4 Farley Units 1 and 2 B 3.8.4-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.4 DC Sources-Operating
BASES BACKGROUND The station DC electrical power system provides the AC emergency power system with control power. It also provides both motive and
control power to selected safety related equipment and preferred AC
vital bus power (via inverters). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is
designed to have sufficient independence, redundancy, and testability
to perform its safety functions, assuming a single failure. The DC
electrical power system also conforms to the recommendations of
Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3).
The 125 VDC electrical power system consists of two main systems.
The Auxiliary Building System and the Service Water Intake Structure (SWIS) System. The Auxiliary Build ing 125 VDC system consists of two independent and redundant subsystems (Train A and Train B)
which supply DC power to various ESF systems throughout the plant.
Each Auxiliary Building subsystem (train) consists of a 125 VDC
battery, an associated full capacity battery charger and all associated
control equipment and interconnecting cabling. Each Auxiliary
Building 125 VDC train is normally supplied by the associated battery
charger (A or B). In the event of an A or B battery charger failure, battery charger C, the full capacity swing battery charger, may supply
power to either train. Either train may be considered OPERABLE
when supplied from battery charger C. Battery charger C input and
output breakers are interlocked to prevent supplying power to a DC
bus from the opposite train. Both the Auxiliary Building 125 VDC
source subsystems (Train A and B) are required OPERABLE by this
LCO.
The SWIS 125 VDC system provides a reliable source of power for controls, power loads, annunciation and alarms primarily for the
safety-related Service Water Sy stem. The SWIS 125 VDC system consists of four battery/battery c harger subsystems. Each subsystem consists of a 125 VDC battery and full capacity battery charger. The
subsystems are divided into Train A and Train B which are shared
between the two units. Each of the 4 subsystems can supply 100% of
the required capacity for the associated train. Subsystems 1 and 2
are associated with Train A, with subsystem 1 being the normal
(continued)
DC Sources-Operating B 3.8.4 Farley Units 1 and 2 B 3.8.4-2 Revision 0 BASES BACKGROUND supply, and subsystem 2 the standby supply. Subsystems 3 and 4 (continued) are associated with Train B, with subsystem 3 being the normal supply and subsystem 4 the standby supply. Each train has a manual
transfer switch which is used to select which of the two available
SWIS subsystems supplies that train. One SWIS subsystem is
required OPERABLE for each train.
During normal operation, the 125 VDC load is powered from the battery chargers with the batteries floating on the system. In case of
loss of normal power to the battery charger, the DC load is
automatically powered from the station batteries.
The Train A and Train B DC electrical power subsystems provide the control power for its associated Class 1E AC power load group, 4.16 kV switchgear, and 600 V load centers. The DC electrical power
subsystems also provide DC electrical power to the inverters, which in
turn power the AC vital buses.
The DC power distribution system is described in more detail in Bases for LCO 3.8.9, "Distribution System-Operating," and LCO 3.8.10, "Distribution Systems-Shutdown."
Each train of 125 VDC batteries is separately housed in a ventilated room apart from its charger and distribution centers. Each subsystem
is located in an area separated physically and electrically from the
other subsystem to ensure that a single failure in one subsystem does
not cause a failure in a redundant subsystem. There is no sharing
between redundant Class 1E subsystems, such as batteries, battery
chargers, or distribution panels.
The Auxiliary Building batteries are stationary type consisting of 60 individual lead-calcium cells electrically connected in series to
establish a nominal 125VDC power supply. Under both normal and
accident conditions the batteries are capable of providing the required
voltage for component operation considering an aging factor of 25%
and minimum electrolyte temperature of 60°F. The battery float
voltage is 2.20V per cell average and 132V total terminal voltage.
During an LOSP or LOSP with SI, the Auxiliary Building batteries
supply safety-related loads for a period of less than one minute
duration without charger support. The design is such that subsequent
to LOSP, the battery chargers are re-energized by the Diesel
Generators within one minute.
(continued)
DC Sources-Operating B 3.8.4 Farley Units 1 and 2 B 3.8.4-3 Revision 0 BASES BACKGROUND Although not a requirement for the mitigation of design basis events, (continued) each battery is capable of providing LOSP or LOSP plus SI loads for a period of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> assuming the single failure loss of the battery
charger aligned at the onset of the event. During such an occurrence, the redundant train battery with its connected charger remains fully
capable of providing DC power to redundant train safety-related loads.
The batteries also have the capacity to supply normal operating loads
for a period of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> without charger support as discussed in the
FSAR Chapter 8.3 (Ref. 4). The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> period of time is adequate to
allow alignment of the spare battery charger to the affected battery
without disrupting continued operation.
The SWIS batteries are stationary type consisting of individual lead-calcium cells electrically connected in series to establish a nominal 125 VDC power supply. They are sized to furnish the anticipated vital
loads without dropping below a total battery voltage of 105 V. Under
both normal and accident conditions the batteries are capable of
providing the required voltage for component operation considering an
aging factor of 25% and a minimum electrolyte temperature of 35°F.
The battery float voltage is 2.20 V per cell average and 132 V total.
Each SWIS battery subsystem has adequate capacity to carry its
loads without charger support for a period of at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> as
discussed in the FSAR, Chapter 8.3 (Ref. 4).
Each Train A and Train B DC electrical power subsystem has ample power output capacity for the steady state operation of connected
loads required during normal operation, while at the same time
maintaining its battery bank fully charged. Each battery charger has
adequate capacity to restore its battery to full charge after the battery
has been discharged while carrying steady-state normal or
emergency loads. The time required to recharge the battery to full
charge is compatible with the recommendation of the battery
manufacturer (Ref. 4).
APPLICABLE The initial conditions of Design Basis Accident (DBA) and SAFETY ANALYSES transient analyses in the FSAR, Chapter 6 (Ref. 6), and in
the FSAR, Chapter 15 (Ref. 7), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power
system provides normal and emergency DC electrical power for the
DGs, emergency auxiliaries, and control and switching during all
MODES of operation.
(continued)
DC Sources-Operating B 3.8.4 Farley Units 1 and 2 B 3.8.4-4 Revision 0 BASES APPLICABLE The OPERABILITY of the DC sources is consistent with the initial SAFETY ANALYSES assumptions of the accident analyses and is based upon meeting the (continued) design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:
- b. A worst case single failure.
The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Both the Auxiliary Building 125 VDC source subsystems (Train A and B) and two SWIS 125 VDC source subsystems (one in each train)
including a battery charger for each Auxiliary Building and SWIS
battery and the corresponding control equipment and interconnecting
cabling supplying power to the associated bus within the train are
required to be OPERABLE to ensure the availability of the required
power to shut down the reactor and maintain it in a safe condition
after an anticipated operational occurrence (AOO) or a postulated
DBA. Loss of any train DC electrical power subsystem does not
prevent the minimum safety function from being performed (Ref. 4).
An OPERABLE DC electrical power subsystem requires all required batteries and respective chargers to be operating and connected to
the associated DC bus(es).
APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure safe unit operation and to ensure
that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal
transients; and
- b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated
DBA.
The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.5, "DC Sources- Shutdown."
DC Sources-Shutdown B 3.8.5 Farley Units 1 and 2 B 3.8.5-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.5 DC Sources-Shutdown
BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating."
APPLICABLE The initial conditions of Design Basis Accident and transient analyses SAFETY ANALYSES in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature systems are OPERABLE. The DC
electrical power system provides normal and emergency DC electrical
power for the diesel generators, emergency auxiliaries, and control
and switching during all MODES of operation.
The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the
supported systems' OPERABILITY.
The OPERABILITY of the minimum DC electrical power sources during MODES 5 and 6 and during movement of irradiated fuel
assemblies ensures that:
- a. The unit can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.
The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The DC electrical power sources required to support the necessary portions of AC, DC, and AC vital bus electrical power distribution subsystems required by LCO 3.8.10, "Distribution Systems-
Shutdown," shall be OPERABLE. At a minimum, at least one train
(continued)
DC Sources-Shutdown B 3.8.5 Farley Units 1 and 2 B 3.8.5-2 Revision 0 BASES LCO of DC electrical power source from the Auxiliary Building (Train A or (continued) B) and Service Water Intake Structure (Train A or B) consisting of one battery, one battery charger, and the corresponding control equipment
and interconnecting cabling within the train, is required operable.
In the case where the requirements of LCO 3.8.10 call for portions of a second train of the distribution subsystems to be OPERABLE (e.g.,
to support two trains of RHR, two trains of CREFS, or instrumentation
such as source range indication, containment purge and exhaust
isolation actuation, or CREFS actuation), the required DC buses
associated with the second train of distribution systems are
OPERABLE if energized to the proper voltage from either:
An OPERABLE DC Source consisting of one battery, one battery charger, and the corresponding control equipment and
interconnecting cabling associated with that train, or
A battery charger using the corresponding control equipment and interconnecting cabling within the train.
The above requirements ensure the availability of sufficient DC
electrical power sources to operate the unit in a safe manner and to
mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents.)
APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 5 and 6, and during movement of irradiated fuel assemblies, provide assurance that:
- a. Required features needed to mitigate a fuel handling accident are available;
- b. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling
condition.
The DC electrical power requirements for MODES 1, 2, 3, and 4 are covered in LCO 3.8.4.
DC Sources-Shutdown B 3.8.5 Farley Units 1 and 2 B 3.8.5-3 Revision 0 BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4
If two subsystems are required by LCO 3.8.10, the remaining
subsystem with DC power available may be capable of supporting
sufficient systems to allow continuation of CORE ALTERATIONS and
fuel movement. By allowing the option to declare required features
inoperable with the associated DC power source(s) inoperable, appropriate restrictions will be implemented in accordance with the
affected required features LCO ACTIONS. In many instances, this
option may involve undesired administrative efforts. Therefore, the
allowance for sufficiently conservative actions is made (i.e., to
suspend CORE ALTERATIONS, movement of irradiated fuel
assemblies, and operations involving positive reactivity additions).
The Required Action to suspend positive reactivity additions does not
preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained.
Suspension of these activities shall not preclude completion of actions
to establish a safe conservative condition. These actions minimize
probability of the occurrence of postulated events. It is further
required to immediately initiate action to restore the required DC
electrical power subsystems and to continue this action until
restoration is accomplished in order to provide the necessary DC
electrical power to the unit safety systems.
The Completion Time of immediately is consistent with the required
times for actions requiring prompt attention. The restoration of the
required DC electrical power subsystems should be completed as
quickly as possible in order to minimize the time during which the unit
safety systems may be without sufficient power.
SURVEILLANCE SR 3.8.5.1 REQUIREMENTS
SR 3.8.5.1 requires performance of all Surveillances required by
SR 3.8.4.1 through SR 3.8.4.8. Therefore, see the corresponding
Bases for LCO 3.8.4 for a discussion of each SR.
This SR is modified by a Note. The reason for the Note is to preclude
requiring the OPERABLE DC sources from being discharged below
their capability to provide the required power supply or otherwise
rendered inoperable during the performance of SRs. It is the intent
that these SRs must still be capable of being met, but actual
performance is not required.
DC Sources-Shutdown B 3.8.5 Farley Units 1 and 2 B 3.8.5-4 Revision 0 BASES REFERENCES 1. FSAR, Chapter 6.
- 2. FSAR, Chapter 15.
Battery Cell Parameters B 3.8.6 Farley Units 1 and 2 B 3.8.6-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.6 Battery Cell Parameters
BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC power source batteries. A
discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources-Operating," and LCO 3.8.5, "DC Sources-Shutdown."
APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The
DC electrical power system provides normal and emergency DC
electrical power for the diesel generators, emergency auxiliaries, and
control and switching during all MODES of operation.
The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the
design basis of the unit. This includes maintaining at least one train
of DC sources OPERABLE during accident conditions, in the event of:
- b. A worst case single failure.
Battery cell parameters satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and
maintain it in a safe condition after an anticipated operational
occurrence or a postulated DBA. Electrolyte limits are conservatively
established, allowing continued DC electrical system function even
with Category A and B limits not met.
Battery Cell Parameters B 3.8.6 Farley Units 1 and 2 B 3.8.6-2 Revision 0 BASES APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystems. Therefore, the battery
electrolyte limits of this LCO are only required to be met when the DC
power source is required to be OPERABLE. Refer to the Applicability
discussion in Bases for LCO 3.8.4 and LCO 3.8.5.
ACTIONS A.1, A.2, and A.3
With one or more cells in one or more required batteries not within
limits (i.e., Category A limits not met, Category B limits not met, or
Category A and B limits not met) but within the Category C limits
specified in Table 3.8.6-1 in the accompanying LCO, the battery is
degraded but there is still sufficient capacity to perform the intended
function. Therefore, the affected battery is not required to be
considered inoperable solely as a result of Category A or B limits not
met and operation is permitted for a limited period.
The pilot cell electrolyte level and float voltage are required to be
verified to meet the Category C limits within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> (Required
Action A.1). This check will provide a quick indication of the status of
the remainder of the battery cells. Two hours provides time to inspect
the electrolyte level and to confirm the float voltage of the pilot cells.
Two hours is considered a reasonable amount of time to perform the
required verification.
Verification that the Category C limits are met (Required Action A.2)
provides assurance that during the time needed to restore the
parameters to the Category A and B limits, the battery is still capable
of performing its intended function. A period of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed to
complete the initial verification because specific gravity
measurements must be obtained for each connected cell. Taking into
consideration both the time required to perform the required
verification and the assurance that the battery cell parameters are not
severely degraded, this time is considered reasonable. The
verification is repeated at 7 day intervals until the parameters are
restored to Category A or B limits. This periodic verification is
consistent with the normal Frequency of pilot cell Surveillances.
(continued)
Battery Cell Parameters B 3.8.6 (continued)
Farley Units 1 and 2 B 3.8.6-3 Revision 52 BASES ACTIONS A.1, A.2, and A.3 (continued)
Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. With
the consideration that, while battery capacity is degraded, sufficient
capacity exists to perform the intended function and to allow time to
fully restore the battery cell parameters to normal limits, this time is
acceptable prior to declaring the battery inoperable.
B.1 With one or more required batteries with one or more battery cell parameters outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement
is not assured and the corresponding DC electrical power subsystem
must be declared inoperable. Additionally, other potentially extreme
conditions, such as not completing the Required Actions of
Condition A within the required Completion Time or average
electrolyte temperature of representative cells falling below the
minimum temperature limit, or the average cell float voltage 2.13 volts, which is equivalent to overall battery terminal voltage 127.8 volts, are also cause for immediately declaring the associated DC
electrical power subsystem inoperable.
SURVEILLANCE SR 3.8.6.1 REQUIREMENTS
This SR verifies that Category A battery cell parameters are consistent with the values specified in Table 3.8.6-1. IEEE-450 (Ref. 3) recommends regular battery inspections including voltage, specific gravity, and electrolyte temperature of pilot cells. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
The inspection of specific gravity and voltage is consistent with IEEE-450 (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, within 7 days of a battery discharge < 110 V or a battery overcharge
> 150 V, the battery must be demonstrated to meet
Battery Cell Parameters B 3.8.6 (continued)
Farley Units 1 and 2 B 3.8.6-4 Revision 52 BASES SURVEILLANCE SR 3.8.6.2 (continued)
REQUIREMENTS
Category B limits. Transients, such as motor starting transients, which may momentarily cause battery voltage to drop to 110 V, do not constitute a battery discharge provided the battery terminal
voltage and float current return to pre-transient values. This
inspection is also consistent with IEEE-450 (Ref. 3), which
recommends special inspections following a severe discharge or
overcharge, to ensure that no significant degradation of the battery
occurs as a consequence of such discharge or overcharge.
This Surveillance verification that the average temperature of 10 connected representative cells is 60°F for the Auxiliary Building batteries and 35°F for the SWIS batteries, is consistent with a recommendation of IEEE-450 (Ref. 3), that states that the
temperature of electrolytes in representative cells should be
determined. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain
within an acceptable operating range. This limit is based on design
considerations.
Table 3.8.6-1 This table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each
category is discussed below.
Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those
with the lowest specific gravity and voltage from the previous quarterly
surveillance.
The Category A limits specified for electrolyte level are based on manufacturer recommendations and are consistent with the guidance
in IEEE-450 (Ref. 3), with the extra 1/4 inch allowance above the high
water level indication for operating margin to account for temperatures
and charge effects. In addition to this allowance, footnote a to
Battery Cell Parameters B 3.8.6 (continued)
Farley Units 1 and 2 B 3.8.6-5 Revision 52 BASES SURVEILLANCE Table 3.8.6-1 (continued)
REQUIREMENTS
Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not
overflowing. These limits ensure that the plates suffer no physical
damage, and that adequate electron transfer capability is maintained
in the event of transient conditions. IEEE-450 (Ref. 3) recommends
that electrolyte level readings should be made only after the battery
has been at float charge for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
The Category A limit specified for float voltage is 2.08 V per cell.
This value is based on operating experience. This experience has
shown numerous instances when at least one cell was measured at
less than 2.13 volts DC at FNP. In such instances, the minimum
average specific gravity was 1.197 equating to approximately 90%
capacity which is well above that required by the design load profile.
In addition, the float voltage limit of 2.08V is acceptable based on: 1)
float voltage by itself not being a comprehensive indicator of the state
of charge of a battery; 2) pilot cells exhibiting 2.13V not eliminating battery capability to perform design function; and 3) IEEE 450-1980
Appendix C1 does not consider a cell potentially degraded unless its
voltage on float charge is 2.07V.
The Category A limit specified for specific gravity for each pilot cell is 1.195. The manufacturers recommended fully charged specific gravity is 1.215 for the Auxiliary Building and 1.210 for the SWIS
batteries. The value of 0.015 below the manufacturers recommended
fully charged value for SWIS batteries has been adopted as the
Category A minimum for both the Auxiliary Building and SWIS
batteries. This value is characteristic of a charged cell with adequate
capacity. According to IEEE-450 (Ref. 3), the specific gravity
readings are based on a temperature of 77°F (25°C).
The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C),
1 point (0.001) is added to the reading; 1 point is subtracted for each
3°F below 77°F. The specific gravity of the electrolyte in a cell
increases with a loss of water due to electrolysis or evaporation.
Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be
jumpered out.
Battery Cell Parameters B 3.8.6 (continued)
Farley Units 1 and 2 B 3.8.6-6 Revision 52 BASES SURVEILLANCE Table 3.8.6-1 (continued)
REQUIREMENTS
The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been
discussed above. The Category B limit specified for specific gravity
for each connected cell is 1.190 with the average for all connected cells 1.195. The manufacturers recommended fully charged specific gravity is 1.215 for the Auxiliary Building and 1.210 for the
SWIS batteries. The value of 0.020 below the manufacturers
recommended fully charged value for SWIS batteries has been
adopted as the Category B minimum for each connected cell for both
the Auxiliary Building and SWIS batteries. The minimum specific
gravity value required for each cell ensures that the effects of a highly
charged or newly installed cell will not mask overall degradation of the
battery.
Category C defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to
perform the intended function and maintain a margin of safety. When
any battery parameter is outside the Category C limits, the assurance
of sufficient capacity described above no longer exists, and the
battery must be declared inoperable.
The Category C limits specified for electrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no
physical damage and maintain adequate electron transfer capability.
The Category C limits for float voltage are based on operating
experience, which has shown that a cell voltage of 2.02 V or below, under float conditions and not caused by elevated temperature of the
cell, indicates internal cell problems and may require cell
replacement.
The Category C limit of average specific gravity 1.190 is based on operating experience. In addition to that limit, if a cell is < 1.190, then
it shall not have decreased more than 0.080 from the previous test.
The footnotes to Table 3.8.6-1 are applicable to Category A, B, and C specific gravity. Footnote (b) to Table 3.8.6-1 requires the above
mentioned correction for electrolyte level and temperature, with the
exception that level correction is not required when battery charging
current is < 2 amps on float charge. This current provides, in general, an indication of overall battery condition.
Battery Cell Parameters B 3.8.6 Farley Units 1 and 2 B 3.8.6-7 Revision 0
BASES SURVEILLANCE Table 3.8.6-1 (continued)
REQUIREMENTS
Because of specific gravity gradients that are produced during the
recharging process, delays of several days may occur while waiting
for the specific gravity to stabilize. A stabilized charger current is an
acceptable alternative to specific gravity measurement for determining
the state of charge. This phenomenon is discussed in IEEE-450 (Ref. 3). Footnote (c) to Table 3.8.6-1 allows the float charge current
to be used as an alternate to specific gravity.
REFERENCES 1. FSAR, Chapter 6.
- 2. FSAR, Chapter 15.
- 3. IEEE-450-1980.
Inverters-Operating B 3.8.7 Farley Units 1 and 2 B 3.8.7-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.7 Inverters-Operating
BASES BACKGROUND The inverters are the preferred source of power for the AC vital buses because of the stability and reliability they achieve. The function of the inverter is to provide AC electrical power to the vital buses.
There are four Class 1E inverters that supply the four vital AC distribution panels. Each inverter is connected independently to one
distribution panel. The power for the inverters is from the Class 1E
125 VDC Train A and B Auxiliary Building station batteries or their
associated chargers when the batteries are on float. The four
Class 1E inverters provide the preferred source of 120 V, 60 Hz
power for the reactor protection system, the engineered safety feature
actuation system, the nuclear steam supply system control and
instrumentation, the post accident monitoring system, and the safety
related radiation monitoring system.
Each distribution panel can be connected to an alternate source of Class 1E 120 VAC power. The backup power source is an
emergency 600 V MCC supplying a 120 V regulated panel through a
constant voltage transformer (CVT). Should the normal distribution
panel source fail, the inverter static transfer switch will function to
supply the vital AC distribution panels from this alternate source.
Specific details on inverters and their operating characteristics are found in FSAR, Chapter 8 (Ref. 1).
APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 2) and Chapter 15 (Ref. 3), assume Engineered Safety Feature systems are OPERABLE. The
inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of necessary
power to the RPS and ESFAS instrumentation and controls so that
the fuel, Reactor Coolant System, and containment design limits are
not exceeded. These limits are discussed in more detail in the Bases
for Section 3.2, Power Distribution Limits; Section 3.4, Reactor
Coolant System (RCS); and Secti on 3.6, Containment Systems.
(continued)
Inverters-Operating B 3.8.7 Farley Units 1 and 2 B 3.8.7-2 Revision 0 BASES APPLICABLE The OPERABILITY of the inverters is consistent with the initial SAFETY ANALYSES assumptions of the accident analyses and is based on meeting the (continued) design basis of the unit. This includes maintaining required AC vital buses OPERABLE during accident conditions in the event of:
- b. A worst case single failure.
Inverters are a part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The inverters ensure the availability of AC electrical power for the systems instrumentation required to shut down the reactor and
maintain it in a safe condition after an anticipated operational
occurrence (AOO) or a postulated DBA.
Maintaining the required inverters OPERABLE ensures that the redundancy incorporated into the design of the RPS and ESFAS
instrumentation and controls is maintained. The four inverters (two
per train) ensure an uninterruptible supply of AC electrical power to
the AC vital buses even if the 4.16 kV safety buses are de-energized.
Operable inverters require the associated vital bus to be powered by the inverter with output voltage and frequency within tolerances, and
power input to the inverter from a 125 VDC station battery.
This LCO is modified by a Note that allows two inverters to be disconnected from a common battery for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, if the vital bus(es) are powered from a Class 1E alternate power source
consisting of the inverters static transfer switch and the associated
CVT during the period and all other inverters are OPERABLE. This
allows an equalizing charge to be placed on the associated battery.
These provisions minimize the loss of equipment that would occur in
the event of a loss of offsite power. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> time period for the
allowance minimizes the time during which a loss of offsite power
could result in the loss of equipment energized from the affected AC
vital bus while taking into consideration the time required to perform
an equalizing charge on the battery bank.
(continued)
Inverters-Operating B 3.8.7 Farley Units 1 and 2 B 3.8.7-3 Revision 0 BASES LCO The intent of this Note is to limit the number of inverters that may be (continued) disconnected. Only those inverters associated with the single battery undergoing an equalizing charge may be disconnected. All other
inverters must be aligned to their associated batteries, regardless of
the number of inverters or unit design.
APPLICABILITY The inverters are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:
- a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal
transients; and
- b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the
event of a postulated DBA.
Inverter requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.8, Inverters-Shutdown.
ACTIONS A.1
With a required inverter inoperable, its associated AC vital bus becomes inoperable until it is re-energized from its Class 1E CVT.
For this reason a Note has been included in Condition A requiring the entry into the Conditions and Required Actions of LCO 3.8.9, "Distribution Systems-Operating." This ensures that the vital bus is
re-energized within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The associated static transfer switch
normally provides a bumpless transfer of power to the alternate AC
source (Class 1E CVT).
Required Action A.1 allows 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to fix the inoperable inverter and return it to service. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> limit is based upon engineering
judgment, taking into consideration the time required to repair an
inverter and the additional risk to which the unit is exposed because
of the inverter inoperability. This has to be balanced against the risk
of an immediate shutdown, along with the potential challenges to
safety systems such a shutdown might entail. When the AC vital bus
(continued)
Inverters-Shutdown B 3.8.8 Farley Units 1 and 2 B 3.8.8-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.8 Inverters-Shutdown
BASES BACKGROUND A description of the inverters is provided in the Bases for LCO 3.8.7, "Inverters-Operating."
APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The
DC to AC inverters are designed to provide the required capacity, capability, redundancy, and reliability to ensure the availability of
necessary power to the Reactor Protection System and Engineered
Safety Features Actuation System instrumentation and controls so
that the fuel, Reactor Coolant System, and containment design limits
are not exceeded.
The OPERABILITY of the inverters is consistent with the initial assumptions of the accident analyses and the requirements for the
supported systems' OPERABILITY.
The OPERABILITY of the minimum inverters to each AC vital bus during MODES 5 and 6 ensures that:
- a. The unit can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate power is available to mitigate events postulated during shutdown, such as a fuel handling accident.
The inverters were previously identified as part of the distribution system and, as such, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
Inverters-Shutdown B 3.8.8 Farley Units 1 and 2 B 3.8.8-2 Revision 0 BASES LCO The inverters ensure the availability of electrical power for the instrumentation for systems required to shut down the reactor and
maintain it in a safe condition after an anticipated operational
occurrence or a postulated DBA. Per LCO 3.8.10, "Distribution Systems-Shutdown," the necessary portions of the necessary AC
vital bus electrical power distribution subsystems shall be OPERABLE
to support equipment required to be OPERABLE. At a minimum, at
least one train of AC vital bus electrical power subsystems energized
from the associated inverters connected to the respective DC bus is
required to be OPERABLE.
In the case where the requirements of LCO 3.8.10 call for portions of a second train of the distribution subsystems to be OPERABLE (e.g.,
to support two trains of RHR, two trains of CREFS, or instrumentation
such as source range indication, containment purge and exhaust
isolation actuation, or CREFS actuation), the required portions of the
second train of AC vital bus electrical power distribution subsystems
may be energized from the associated inverter(s) connected to the
respective DC bus, or the alternate Class 1E power source consisting
of the inverter static transfer switch and the associated constant
voltage transformer. Class 1E power and distribution systems are
normally used because these systems are available and reliable.
However, due to events such as maintenance or modification, portions of the Class 1E system may be temporarily unavailable. In
such an instance the plant staff assesses the alternate systems to
ensure that defense in depth is maintained and that risk is minimized.
This ensures the availability of sufficient inverter power sources to operate the unit in a safe manner and to mitigate the consequences of
postulated events during shutdown (e.g., fuel handling accidents).
APPLICABILITY The inverters required to be OPERABLE in MODES 5 and 6 and during movement of irradiated fuel assemblies provide assurance
that:
- a. Systems needed to mitigate a fuel handling accident are available;
- b. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- c. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling
condition.
(continued)
Inverters-Shutdown B 3.8.8 Farley Units 1 and 2 B 3.8.8-3 Revision 0 BASES APPLICABILITY Inverter requirements for MODES 1, 2, 3, and 4 are covered in (continued) LCO 3.8.7.
ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4
If two trains are required by LCO 3.8.10, "Distribution Systems-Shutdown," the remaining OPERABLE Inverters may be capable of
supporting sufficient required features to allow continuation of CORE
ALTERATIONS, fuel movement, and operations with a potential for
positive reactivity additions. By the allowance of the option to declare
required features inoperable with the associated inverter(s)
inoperable, appropriate restrictions will be implemented in accordance
with the affected required features LCOs' Required Actions. In many
instances, this option may involve undesired administrative efforts.
Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel
assemblies, and operations involving positive reactivity additions).
The Required Action to suspend positive reactivity additions does not
preclude actions to maintain or increase reactor vessel inventory, provided the required SDM is maintained.
Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize
the probability of the occurrence of postulated events. It is further
required to immediately initiate action to restore the required inverters
and to continue this action until restoration is accomplished in order to provide the necessary inverter power to the unit safety systems.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the
required inverters should be completed as quickly as possible in order
to minimize the time the unit safety systems may be without power or
powered from a constant voltage source transformer.
SURVEILLANCE SR 3.8.8.1 REQUIREMENTS
This Surveillance verifies that the inverters are functioning properly with all required circuit breakers closed and AC vital buses energized
from the inverter. The verification of proper voltage and frequency
(continued)
Inverters-Shutdown B 3.8.8 Farley Units 1 and 2 B 3.8.8-4 Revision 52 BASES SURVEILLANCE SR 3.8.8.1 (continued)
REQUIREMENTS output ensures that the required power is readily available for the instrumentation connected to the AC vital buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. FSAR, Chapter 6.
- 2. FSAR, Chapter 15.
Distribution Systems-Operating B 3.8.9 Farley Units 1 and 2 B 3.8.9-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.9 Distribution Systems-Operating
BASES BACKGROUND The onsite Class 1E AC, DC, and AC vital bus electrical power distribution systems are divided into two redundant and independent
AC, DC, and AC vital bus electrical power distribution trains.
The AC electrical power subsystem fo r each train consists of a primary Engineered Safety Feature (ESF) 4.16 kV bus and secondary 600 and
208/120 V buses, distribution panels, motor control centers and load
centers. Each train of 4.16 kV ESF buses has at least one separate
and independent offsite source of power as well as an onsite diesel
generator (DG) source. Each 4.16 kV ESF bus is normally connected
to a preferred offsite source. If all offsite sources are unavailable, the
onsite emergency DG supplies power to the 4.16 kV ESF bus(es).
Control power for the 4.16 kV breakers is supplied from the Class 1E
batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources-Operating," and the Bases for LCO 3.8.4, "DC Sources-Operating."
The secondary AC electrical power distribution system for each train
includes the safety related load centers, motor control centers, and
distribution panels shown in Table B 3.8.9-1.
The 120 VAC vital buses are arranged in two load groups per train and
are normally powered from the inverters. The alternate power supply
for the vital buses are Class 1E constant voltage source transformers
powered from the same train as the associated inverter, and its use is governed by LCO 3.8.7, "Inverters-Operating." Each constant
voltage source transformer is powered from a Class 1E AC bus.
There are two independent 125 VDC electrical power distribution
subsystems (one for each train).
The list of all required distribution buses is presented in Table B 3.8.9-1.
APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 1), and in the FSAR, Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC, (continued)
Distribution Systems-Operating B 3.8.9 Farley Units 1 and 2 B 3.8.9-2 Revision 0 BASES APPLICABLE DC, and AC vital bus electrical power distribution systems are SAFETY ANALYSES designed to provide sufficient capacity, capability, redundancy, and (continued) reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design
limits are not exceeded. These limits are discussed in more detail in
the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.
The OPERABILITY of the AC, DC, and AC vital bus electrical power distribution systems is consistent with the initial assumptions of the
accident analyses and is based upon meeting the design basis of the
unit. This includes maintaining power distribution systems OPERABLE
during accident conditions in the event of:
- a. An assumed loss of all offsite power or all onsite AC electrical power; and
- b. A worst case single failure.
The distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO The required power distribution subsystems listed in Table B 3.8.9-1 ensure the availability of AC, DC, and AC vital bus electrical power for
the systems required to shut down the reactor and maintain it in a safe
condition after an anticipated operational occurrence (AOO) or a
postulated DBA. The AC, DC, and AC vital bus electrical power
distribution subsystems are required to be OPERABLE.
Maintaining the Train A and Train B AC, DC, and AC vital bus electrical power distribution subsystems OPERABLE ensures that the redundancy
incorporated into the design of ESF is not defeated. Therefore, a single
failure within any system or within the electrical power distribution
subsystems will not prevent safe shutdown of the reactor.
OPERABLE AC electrical power distribution subsystems require the associated buses, load centers, motor control centers, and distribution
panels to be energized to their proper voltages. OPERABLE DC
electrical power distribution subsystems require the associated buses
to be energized to their proper voltage from either the associated
(continued)
Distribution Systems-Shutdown B 3.8.10 Farley Units 1 and 2 B 3.8.10-1 Revision 0 B 3.8 ELECTRICAL POWER SYSTEMS
B 3.8.10 Distribution Systems-Shutdown
BASES BACKGROUND A description of the AC, DC, and AC vital bus electrical power distribution systems is provided in the Bases for LCO 3.8.9, "Distribution Systems-Operating."
APPLICABLE The initial conditions of Design Basis Accident and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE.
The AC, DC, and AC vital bus electrical power distribution systems
are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF
systems so that the fuel, Reacto r Coolant System, and containment design limits are not exceeded.
The OPERABILITY of the AC, DC, and AC vital bus electrical power
distribution system is consistent with the initial assumptions of the
accident analyses and the requirements for the supported systems'
OPERABILITY.
The OPERABILITY of the minimum AC, DC, and AC vital bus
electrical power distribution subsystems during MODES 5 and 6, and
during movement of irradiated fuel assemblies ensures that:
- a. The unit can be maintained in the shutdown or refueling condition for extended periods;
- b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and
- c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.
The AC and DC electrical power distribution systems satisfy
Criterion 3 of 10 CFR 50.36(c)(2)(ii).
Distribution Systems-Shutdown B 3.8.10 Farley Units 1 and 2 B 3.8.10-2 Revision 0 BASES LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific
plant condition. Implicit in those requirements is the required
OPERABILITY of necessary support required features. This LCO
explicitly requires energization of the portions of the electrical
distribution system necessary to support OPERABILITY of required systems, equipment, and components-a ll specifically addressed in each LCO.
The necessary portions of the AC electrical power distribution
subsystems are considered OPERABLE if they are energized to their
proper voltages.
The necessary portions of the DC electrical power subsystems are
considered OPERABLE if the following criteria are satisfied:
At least one train of the necessary portions of DC electrical subsystems is energized to the proper voltage by an OPERABLE
train of DC sources consisting of one battery, one battery charger, and the corresponding control equipment and interconnecting
cabling associated with that train; and
In the case where portions of a second train of the DC electrical subsystems are required OPERABLE (to support two trains of
RHR, two trains of CREFS, or instrumentation such as source
range indication, containment purge and exhaust isolation
actuation, or CREFS actuation), the required portions of the
second train of DC electrical subsystems are OPERABLE when
energized to the proper voltage from either:
an OPERABLE train of DC sources consisting of one battery, one battery charger, and the corresponding control equipment
and interconnecting cabling associated with that train, or a battery charger using the corresponding control equipment and interconnecting cabling within the train.
(continued)
Distribution Systems-Shutdown B 3.8.10 Farley Units 1 and 2 B 3.8.10-3 Revision 0 BASES LCO The necessary portions of the AC vital bus subsystems are (continued) considered OPERABLE if the following criteria are satisfied:
At least one train of the necessary portions of AC vital bus electrical power subsystems is energized to the proper voltage by
OPERABLE inverters connected to the respective DC bus; or
In the case where portions of a second train of AC vital bus subsystems are required OPERABLE (to support two trains of
RHR, two trains of CREFS, or instrumentation such as source
range indication, containment purge and exhaust isolation
actuation, or CREFS actuation), the required portions of the
second train of AC vital bus electrical power distribution
subsystems are OPERABLE when energized to the proper voltage
from either:
OPERABLE inverter(s) connected to the respective DC bus, or the alternate Class 1E power source consisting of the inverter static transfer switch and the associated constant
voltage transformer.
Class 1E power and distribution systems are normally used because
these systems are available and reliable. However due to events
such as maintenance or modification, portions of the Class 1E system
may be temporarily unavailable. In such an instance the plant staff
assesses the alternate systems to ensure that defense in depth is
maintained and that risk is minimized.
Maintaining these portions of the distribution system energized
ensures the availability of sufficient power to operate the unit in a safe
manner to mitigate the consequences of postulated events during
shutdown (e.g., fuel handling accidents).
APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 5 and 6, and during movement of
irradiated fuel assemblies, provide assurance that:
- a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;
(continued)
Distribution Systems-Shutdown B 3.8.10 Farley Units 1 and 2 B 3.8.10-4 Revision 0 BASES APPLICABILITY b. Systems needed to mitigate a fuel handling accident are available; (continued)
- c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and
- d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition and
refueling condition.
The AC, DC, and AC vital bus electrical power distribution subsystems requirements for MODES 1, 2, 3, and 4 are covered in
ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5
Although redundant required features may require redundant trains of
electrical power distribution subsystems to be OPERABLE, one
OPERABLE distribution subsystem train may be capable of
supporting sufficient required features to allow continuation of CORE
ALTERATIONS and fuel movement. By allowing the option to declare
required features associated with an inoperable distribution
subsystem inoperable, appropriate restrictions are implemented in
accordance with the affected distribution subsystem LCO's Required
Actions. In many instances, this option may involve undesired
administrative efforts. Therefore, the allowance for sufficiently
conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies, and operations involving
positive reactivity additions).
Suspension of these activities does not preclude completion of
actions to establish a safe conservative condition. These actions
minimize the probability of the occurrence of postulated events. It is
further required to immediately initiate action to restore the required
AC and DC electrical power distribution subsystems and to continue
this action until restoration is accomplished in order to provide the
necessary power to the unit safety systems.
Notwithstanding performance of the above conservative Required
Actions, a required residual heat removal (RHR) subsystem may be
inoperable. In this case, Required Actions A.2.1 through A.2.4 do not
adequately address the concerns relating to coolant circulation and
(continued)
Distribution Systems-Shutdown B 3.8.10 Farley Units 1 and 2 B 3.8.10-5 Revision 52 BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 (continued)
heat removal. Pursuant to LCO 3.0.6, the RHR ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct
declaring RHR inoperable, which results in taking the appropriate
RHR actions.
The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the
required distribution subsystems should be completed as quickly as
possible in order to minimize the time the unit safety systems may be
without power.
SURVEILLANCE SR 3.8.10.1 REQUIREMENTS
This Surveillance verifies that the AC, DC, and AC vital bus electrical power distribution subsystems are functioning properly, with all the
buses energized. The verification of proper voltage availability on the
buses ensures that the required power is readily available for motive
as well as control functions for critical system loads connected to
these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. FSAR, Chapter 6.
- 2. FSAR, Chapter 15.
Boron Concentration B 3.9.1 Farley Units 1 and 2 B 3.9.1-1 Revision 0 B 3.9 REFUELING OPERATIONS
B 3.9.1 Boron Concentration
BASES
BACKGROUND The limit on the boron concentrations of the filled portions of the Reactor Coolant System (RCS), the refueling canal, and the refueling
cavity during refueling ensures that the reactor remains subcritical
during MODE 6. Refueling boron concentration is the soluble boron
concentration in the coolant in each of these volumes having direct
access to the reactor core during refueling.
The soluble boron concentration offsets the core reactivity and is measured by chemical analysis of a representative sample of the
coolant in each of the volumes having direct access to the reactor
core. The refueling boron concentration limit specified in the COLR
ensures that an overall core reactivity of k eff 0.95 is maintained during fuel handling, with control rods and fuel assemblies in the most
adverse configuration (least negative reactivity) consistent with the
assumptions of the applicable safety analysis.
GDC 26 of 10 CFR 50, Appendix A, requires that two independent
reactivity control systems of different design principles be provided (Ref. 1). One of these systems must be capable of holding the
reactor core subcritical under cold conditions. The Chemical and
Volume Control System (CVCS) is the system capable of maintaining
the reactor subcritical in cold conditions by maintaining the boron
concentration.
The reactor is brought to shutdown conditions before beginning
operations to open the reactor vessel for refueling. After the RCS is
cooled and depressurized and the vessel head is unbolted, the head
is slowly removed to form the refueling cavity. The refueling canal
and the refueling cavity are then flooded with borated water from the
refueling water storage tank through the open reactor vessel by
gravity feeding or by the use of the Residual Heat Removal (RHR)
System pumps.
The pumping action of the RHR System in the RCS and the natural
circulation due to thermal driving heads in the reactor vessel and
refueling cavity mix the added concentrated boric acid with the water
in the refueling canal. The RHR System is in operation during (continued)
Boron Concentration B 3.9.1 Farley Units 1 and 2 B 3.9.1-2 Revision 0 BASES BACKGROUND refueling (see LCO 3.9.4, "Residual Heat Removal (RHR) and (continued) Coolant Circulation - High Water Level," and LCO 3.9.5, "Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level") to
provide forced circulation in the RCS and assist in maintaining the
boron concentrations in the RCS, the refueling canal, and the
refueling cavity above the COLR limit.
APPLICABLE During refueling operations, the reactivity condition of the SAFETY ANALYSES core is consistent with the initial conditions assumed for the boron dilution accident in the accident analysis and is
conservative for MODE 6. The boron concentration limit specified in
the COLR is based on the core reactivity at the beginning of each fuel
cycle (the end of refueling) and includes an uncertainty allowance.
The required boron concentration and the plant refueling procedures that verify the correct fuel loading plan (including full core mapping)
ensure that the k eff of the core will remain 0.95 during the refueling operation. Hence, at least a 5% k/k margin to criticality is
established during refueling.
During refueling, the water volume in the spent fuel pool, the transfer canal, the refueling canal, the refueling cavity, and the reactor vessel
form a single mass. As a result, the soluble boron concentration is
relatively the same in each of these volumes.
The boron dilution event analyzed for refueling MODE requires that
manual action be taken to mitigate the dilution event and prevent a
loss of SHUTDOWN MARGIN. The audible count rate from the
source range neutron flux monitors required OPERABLE in LCO 3.9.2
provides prompt and definite indication of any boron dilution. The
count rate increase is proportional to the subcritical multiplication
factor and allows operations to recognize the initiation of a boron
dilution event in time to isolate the primary water makeup source
before SHUTDOWN MARGIN is lost (Ref. 2).
The RCS boron concentration satisfies Criterion 2 of 10 CFR
50.36(c)(2)(ii).
LCO The LCO requires that a minimum boron concentration be maintained in the filled portions of the RCS, the refueling canal, and the refueling cavity that have direct access to the core while in MODE 6. The (continued)
Nuclear Instrumentation B 3.9.2 Farley Units 1 and 2 B 3.9.2-1 Revision 3 B 3.9 REFUELING OPERATIONS
B 3.9.2 Nuclear Instrumentation
BASES BACKGROUND The source range neutron flux monitors are used during refueling operations to monitor the core reactivity condition. The installed source range neutron flux monitors are part of the Nuclear
Instrumentation System (NIS). These detectors are located external
to the reactor vessel and detect neutrons leaking from the core.
Temporary neutron flux detectors which provide equivalent indication
may be utilized in place of installed instrumentation.
Two installed Westinghouse source range neutron flux monitors are BF3 detectors operating in the proportional region of the gas filled
detector characteristic curve. The detectors monitor the neutron flux
in counts per second. The instrument range covers six decades of
neutron flux with a 5% instrument accuracy. The detectors also provide continuous visual indication in the control room and an
audible count rate to alert operators to a possible dilution accident.
The operator may select either installed Westinghouse source range neutron flux monitor as the signal source for the audio indication. The NIS is designed consistent with the intent of the criteria presented in
Reference 1.
The installed source range Gamma-Metrics post accident neutron flux monitor is an enriched U-235 fission chamber operating in the ion chamber region of the gas filled detector characteristic curve. The detector monitors the neutron flux in counts per second. The instrument range covers six decades of neutron flux with a 2%
instrument accuracy. The detector also provides continuous visual indication in the control room.
Three installed source range neutron flux monitors are available, only two are required to be operable. Two of the three installed source range neutron flux monitors OPERABLE will satisfy L.C.O. 3.9.2 as long as one channel of audible count rate is OPERABLE and continuous visual indication in the control room is available from at least two monitors.
Nuclear Instrumentation B 3.9.2 Farley Units 1 and 2 B 3.9.2-2 Revision 3 BASES APPLICABLE Two OPERABLE source range neutron flux monitors are required SAFETY ANALYSES to provide a signal to alert the operator to unexpected changes in core reactivity. The audible count rate from the source range neutron flux
monitors provides prompt and definite indication of any boron dilution.
The count rate increase is proportional to the subcritical multiplication
factor and allows operators to promptly recognize the initiation of a
boron dilution event. Prompt recognition of the initiation of a boron
dilution event is consistent with the assumptions of the safety analysis
and is necessary to assure sufficient time is available for isolation of
the primary water makeup source before SHUTDOWN MARGIN is
lost (Ref. 2). The High-Flux at Shutdown Alarm, because of the delay
for the neutron flux to reach the alarm setpoint, does not provide
prompt indication of the initiation of a boron dilution event and the
delay introduced by the alarm setpoint is not consistent with the
assumptions of the safety analysis.
The source range neutron flux monitors satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii).
LCO This LCO requires that two source range neutron flux monitors be OPERABLE to ensure that redundant monitoring capability is
available to detect changes in core reactivity. To be OPERABLE
each channel of source range instrumentation must provide visual
indication in the control room. In addition, one channel of audible
count rate must be available to alert the operators to the initiation of a
boron dilution event. The preferred location of the required audible
count rate is in the control room. In the case where the required
audible count rate is only available in containment, it is acceptable to
station a licensed operator in containment to communicate with the
control room and alert the operators to a possible dilution accident. In
the event that the required channel of audible count rate is lost, all
unborated water sources must be isolated. The isolation of unborated
water sources precludes a boron dilution accident. Once actions are
initiated to isolate the unborated water sources, they must be
continued until all the necessary flow paths are isolated. Movement of
fuel may continue provided two channels of source range visual
indication are available in the control room.
Nuclear Instrumentation B 3.9.2 Farley Units 1 and 2 B 3.9.2-3 Revision 3 BASES APPLICABILITY In MODE 6, two source range neutron flux monitors must be OPERABLE to determine changes in core reactivity. There are no
other direct means available to check core reactivity levels. In other
MODES, the OPERABILITY requirements for the Westinghouse installed source range detectors and circuitry are addressed by
LCO 3.3.1, "Reactor Trip System (RTS) Instrumentation." The source range neutron flux monitors have no control function in MODE 6 and are assured to alarm (visual indication and audio) only during an FSAR design basis accident or transient. The source range neutron flux monitors provide the only on-scale monitoring of the neutron flux during refueling. Therefore, they are being retained in the Technical Specifications.
In MODES 1-3, the operability requirements for the installed source range Gamma-Metrics post accident neutron flux monitor are addressed by LCO 3.3.4, "Remote Shutdown System." ACTIONS A.1 and A.2 With only one source range neutron flux monitor OPERABLE (providing visual indication in the control room), redundancy has been
lost. Since these instruments are the only direct means of monitoring
core reactivity conditions, CORE ALTERATIONS and positive
reactivity additions must be suspended immediately. Performance of
Required Action A.1 shall not preclude completion of movement of a
component to a safe position or normal cooling of the coolant volume
for the purpose of maintaining system temperature.
B.1 With no required source range neutron flux monitor OPERABLE (providing visual indication in the control room), action to restore a monitor to OPERABLE status shall be initiated immediately. Once initiated, action shall be continued until a source range neutron flux monitor is restored to OPERABLE status.
(continued)
Nuclear Instrumentation B 3.9.2 Farley Units 1 and 2 B 3.9.2-4 Revision 3 BASES ACTIONS B.2 (continued)
With no required source range neutron flux monitor OPERABLE (providing visual indication in the control room), there are no direct
means of detecting changes in core reactivity. However, since CORE
ALTERATIONS and positive reactivity additions are not to be made, the core reactivity condition is stabilized until the source range
neutron flux monitors are OPERABLE. This stabilized condition is
determined by performing SR 3.9.1.1 to ensure that the required
boron concentration exists.
The Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is sufficient to obtain and analyze a
reactor coolant sample for boron concentration and ensures that
unplanned changes in boron concentration would be identified. The
12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time is reasonable, considering the low
probability of a change in core reactivity during this time period.
C.1 With no audible count rate available, prompt and definite indication of a
boron dilution event, consistent with the assumptions of the safety
analysis, is lost. In this situation, the boron dilution event may not be
detected quickly enough to assure sufficient time is available for
operations to manually isolate the unborated water sources and stop the
dilution prior to the loss of SHUTDOWN MARGIN. Therefore, action must
be taken to prevent an inadvertent boron dilution event from occurring.
This is accomplished by isolating all the unborated water flow paths to the
reactor coolant system from the Reactor Makeup Water System and the
Demineralized Water System. Isolating these flow paths ensures that an
inadvertent dilution of the reactor coolant boron concentration is
prevented. The Completion Time of "immediately" assures a prompt
response by operations and requires an operator to initiate actions to
isolate an affected flow path immediately. Once actions are initiated, they
must be continued until all the necessary flow paths are isolated.
Movement of fuel may continue provided two channels of visual indication
are available in the control room.
Nuclear Instrumentation B 3.9.2 Farley Units 1 and 2 B 3.9.2-5 Revision 52 BASES SURVEILLANCE SR 3.9.2.1 REQUIREMENTS SR 3.9.2.1 is the performance of a CHANNEL CHECK, which is a comparison of the parameter indicated on one channel to a similar
parameter on other channels. It is based on the assumption that the
two indication channels should be consistent with core conditions.
Changes in fuel loading and core geometry can result in significant
differences between source range channels, but each channel should
be consistent with its local conditions.
The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
SR 3.9.2.2 is the performance of a CHANNEL CALIBRATION every 18 months. This SR is modified by a Note stating that neutron
detectors are excluded from the CHANNEL CALIBRATION. The
CHANNEL CALIBRATION for the source range neutron flux monitors
consists of obtaining the detector plateau or preamp discriminator
curves and evaluating those curves. The CHANNEL CALIBRATION
for the Westinghouse monitors also includes verification of the audible
count rate function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.
REFERENCES 1. 10 CFR 50, Appendix A, GDC 13, GDC 26, GDC 28, and GDC 29.
- 2. FSAR, Section 15.2.4.2.2.
Containment Penetrations B 3.9.3 Farley Units 1 and 2 B 3.9.3-2 Revision 44 BASES BACKGROUND when refueling integrity is not required, the door interlock mechanism (continued) may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary.
During CORE ALTERATIONS or movement of irradiated fuel
assemblies within containment, refueling integrity is required;
therefore, the door interlock mechanism may remain disabled, but one
air lock door must always remain capable of being closed.
The requirements for refueling integrity ensure that a release of
fission product radioactivity within containment will be limited to maintain dose consequences within regulatory limits.
The Containment Purge and Exhaust System includes two
subsystems. The normal subsystem includes a 48-inch purge
penetration and a 48-inch exhaust penetration. The second
subsystem, a minipurge system, includes an 8-inch purge and an
8 inch exhaust line that utilize the 48-inch penetrations. During
MODES 1, 2, 3, and 4, the two 48-inch purge valves in each of the
normal purge and exhaust penetrations are secured in the closed
position. The two 8-inch minipurge valves in each of the two
minipurge lines may be opened in these MODES in accordance with
LCO 3.6.3, "Containment Isolation Valves," but are closed automatically by the Engineered Safety Features Actuation System (ESFAS) instrumentation specified in LCO 3.3.6, "Containment Purge
and Exhaust Isolation Instrumentation." Neither of the subsystems is
subject to a Specification in MODE 5.
In MODE 6, large air exchanges are necessary to conduct refueling
operations. The normal 48-inch purge system is used for this
purpose, and all four valves are closed by the ESFAS instrumentation
specified in LCO 3.3.6, "Containment Purge and Exhaust Isolation
Instrumentation."
The minipurge system is not normally used in MODE 6. However, if
the minipurge valves are opened they are capable of being closed
automatically by the instrumentation specified in LCO 3.3.6, "Containment Purge and Exhaust Isolation Instrumentation."
The other containment penetrations that provide direct access from
containment atmosphere to outside atmosphere must be isolated on
at least one side. Isolation may be achieved by a closed automatic
(continued)
RHR and Coolant Circulation - High Water Level B 3.9.4 Farley Units 1 and 2 B 3.9.4-1 Revision 0 B 3.9 REFUELING OPERATIONS
B 3.9.4 Residual Heat Removal (RHR) and Coolant Circulation - High Water Level
BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as
required by GDC 34, to provide mixing of borated coolant and to
prevent boron stratification (Ref. 1). Heat is removed from the RCS
by circulating reactor coolant through the RHR heat exchanger(s),
where the heat is transferred to the Component Cooling Water
System. The coolant is then returned to the RCS via the RCS cold
leg(s). Operation of the RHR System for normal cooldown or decay
heat removal is manually accomplished from the control room. The
heat removal rate is adjusted by controlling the flow of reactor coolant
through the RHR heat exchanger(s) and the bypass. Mixing of the
reactor coolant is maintained by this continuous circulation of reactor
coolant through the RHR System.
APPLICABLE If the reactor coolant temperature is not maintained below SAFETY ANALYSES 200°F, boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the
reactor coolant could lead to a reduction in boron concentration in the
coolant due to boron plating out on components near the areas of the
boiling activity. The loss of reactor coolant and the reduction of boron
concentration in the reactor coolant would eventually challenge the
integrity of the fuel cladding, which is a fission product barrier. One
train of the RHR System is required to be OPERABLE and in
operation in MODE 6, with the water level 23 ft above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit
de-energizing the RHR pump for short durations, under the condition
that the boron concentration is not diluted. This conditional
de-energizing of the RHR pump does not result in a challenge to the
fission product barrier.
The RHR and Coolant Circulation - High Water Level specification
satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
RHR and Coolant Circulation - High Water Level B 3.9.4 Farley Units 1 and 2 B 3.9.4-3 Revision 0 BASES ACTIONS RHR loop requirements are met by having one RHR loop OPERABLE and in operation, except as permitted in the Note to the LCO.
A.1 If RHR loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron
concentrations. Reduced boron concentrations can occur by the
addition of water with a lower boron concentration than the required
boron concentration specified in the COLR. Therefore, actions that
could result in the addition of water to the RCS with a boron
concentration less than the required boron concentration specified in
the COLR must be suspended immediately.
A.2 If RHR loop requirements are not met, actions shall be taken immediately to suspend loading of irradiated fuel assemblies in the
core. With no forced circulation cooling, decay heat removal from the
core occurs by natural convection to the heat sink provided by the
water above the core. A minimum refueling water level of 23 ft above
the reactor vessel flange provides an adequate available heat sink.
Suspending any operation that would increase decay heat load, such
as loading a fuel assembly, is a prudent action under this condition.
A.3 If RHR loop requirements are not met, actions shall be initiated and continued in order to satisfy RHR loop requirements. With the unit in
MODE 6 and the refueling water level 23 ft above the top of the reactor vessel flange, corrective actions shall be initiated immediately.
A.4, A.5, A.6.1, and A.6.2 If no RHR is in operation, the following actions must be taken:
a) the equipment hatch must be closed and secured with four bolts; b) one door in each air lock must be closed; and c) each penetration providing direct access from the containment atmosphere to the outside atmosphere must be either closed by
a manual or automatic isolation valve, blind flange, or equivalent, or verified to be capable of being closed by an OPERABLE
Containment Purge and Exhaust Isolation System.
(continued)
RHR and Coolant Circulation-Low Water Level B 3.9.5 Farley Units 1 and 2 B 3.9.5-1 Revision 0 B 3.9 REFUELING OPERATIONS
B 3.9.5 Residual Heat Removal (RHR) and Coolant Circulation-Low Water Level
BASES BACKGROUND The purpose of the RHR System in MODE 6 is to remove decay heat and sensible heat from the Reactor Coolant System (RCS), as required by GDC 34, to provide mixing of borated coolant, and to
prevent boron stratification (Ref. 1). Heat is removed from the RCS
by circulating reactor coolant through the RHR heat exchanger(s)
where the heat is transferred to the Component Cooling Water
System. The coolant is then returned to the RCS via the RCS cold
leg(s). Operation of the RHR System for normal cooldown decay heat
removal is manually accomplished from the control room. The heat
removal rate is adjusted by controlling the flow of reactor coolant
through the RHR heat exchanger(s) and the bypass lines. Mixing of
the reactor coolant is maintained by this continuous circulation of
reactor coolant through the RHR System.
APPLICABLE If the reactor coolant temperature is not maintained below 200°F, SAFETY ANALYSES boiling of the reactor coolant could result. This could lead to a loss of coolant in the reactor vessel. Additionally, boiling of the reactor
coolant could lead to a reduction in boron concentration in the coolant
due to the boron plating out on components near the areas of the
boiling activity. The loss of reactor coolant and the reduction of boron
concentration in the reactor coolant will eventually challenge the
integrity of the fuel cladding, which is a fission product barrier. Two
trains of the RHR System are required to be OPERABLE, and one
train in operation, in order to prevent this challenge.
The RHR and Coolant Circulation - Low Water Level specification
satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).
LCO In MODE 6, with the water level < 23 ft above the top of the reactor vessel flange, both RHR loops must be OPERABLE. Additionally, one loop of RHR must be in operation in order to provide:
- a. Removal of decay heat;
- b. Mixing of borated coolant to minimize the possibility of criticality; and
- c. Indication of reactor coolant temperature.
(continued)
Reactor Cavity Water Level B 3.9.6 Farley Units 1 and 2 B 3.9.6-2 Revision 0 BASES LCO A minimum refueling cavity water level of 23 ft above the reactor vessel flange is required to ensure that the radiological consequences
of a postulated fuel handling accident inside containment are within
acceptable limits, as provided by the guidance of Reference 3.
APPLICABILITY LCO 3.9.6 is applicable during CORE ALTERATIONS, except during latching and unlatching of control rod drive shafts, and when moving irradiated fuel assemblies within containment. Unlatching and
latching of control rod drive shafts includes drag testing of the
associated rod cluster control assembly. The LCO minimizes the
possibility of a fuel handling accident in containment that is beyond
the assumptions of the safety analysis. If irradiated fuel assemblies
are not present in containment, there can be no significant
radioactivity release as a result of a postulated fuel handling accident.
Requirements for fuel handling accidents in the spent fuel pool are
covered by LCO 3.7.13, "Fuel Storage Pool Water Level." ACTIONS A.1 and A.2 With a water level of < 23 ft above the top of the reactor vessel flange, all operations involving CORE ALTERATIONS or movement of
irradiated fuel assemblies within the containment shall be suspended
immediately to ensure that a fuel handling accident cannot occur.
The suspension of CORE ALTERATIONS and fuel movement shall
not preclude completion of movement of a component to a safe
position.
SURVEILLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the
reactor vessel flange ensures that the design basis for the analysis of
the postulated fuel handling accident during refueling operations is
met. Water at the required level above the top of the reactor vessel
flange limits the consequences of damaged fuel rods that are
postulated to result from a fuel handling accident inside containment (Ref. 2).
(continued)