NLS2013050, Submittal of Technical Specification Base Changes

From kanterella
Revision as of 20:17, 28 April 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Jump to navigation Jump to search
Submittal of Technical Specification Base Changes
ML13120A027
Person / Time
Site: Cooper Entergy icon.png
Issue date: 04/25/2013
From: VanDerkamp D W
Nebraska Public Power District (NPPD)
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NLS2013050
Download: ML13120A027 (331)
v  d  e


Text

H Nebraska Public Power District NLS2013050 Always there when you need us April 25, 2013 U. S. Nuclear Regulatory Commission Attention:

Document Control Desk Washington, D.C. 20555-0001

Subject:

Technical Specification Bases Changes Cooper Nuclear Station, Docket No. 50-298, DPR-46

Dear Sir or Madam:

The purpose of this letter is to provide changes to the Cooper Nuclear Station (CNS) Technical Specification Bases implemented without prior Nuclear Regulatory Commission approval.

In accordance with the requirements of CNS Technical Specification 5.5.1 0.d, these changes are provided on a frequency consistent with 10 CFR 50.71(e).

The enclosed Bases changes are for the time period from September 17, 2011, through April 1, 2013. Also enclosed are filing instructions and an updated List of Effective Pages for the CNS Technical Specification Bases.This letter contains no commitments.

If you have any questions regarding this submittal, please contact me at (402) 825-2904.Sincerely, David W. Van Der Kamp Licensing Manager/lb

Enclosure:

Technical Specification Bases Changes cc: Regional Administrator, w/enclosure USNRC -Region IV Cooper Project Manager, w/enclosure USNRC -NRR Project Directorate IV-1 Senior Resident Inspector, w/enclosure (per controlled document distribution)

USNRC -CNS NPG Distribution, w/o enclosure CNS Records, w/enclosure COOPER NUCLEAR STATION P.O. Box 98 / Brownville, NE 68321-0098 Telephone:

(402) 825-3811 / Fax: (402) 825-5211 www.nppd.com NLS2013050 ENCLOSURE TECHNICAL SPECIFICATION BASES CHANGES FILING INSTRUCTIONS TECHNICAL SPECIFICATION BASES INSERT REMOVE List of Effective Pages -Bases I through 8 Bases Pages B 3.1-21 B 3.1-44 B 3.1-50 1 through 7 B B B 3.1-21 3.1-44 3.1-50 B 3.3-1 through B 3.3-2 10 B 3.3-1 through B 3.3-198 3.4-4 3.4-15 3.4-16 3.4-17 3.4-18 3.5-13 3.5-14 3.5-15 3.5-16 3.5-29 3.6-5 3.6-27 3.6-28 3.6-37 3.6-38 3.6-44 3.6-50 3.6-71 3.6-78 3.6-84 B B B B B B B B B B B B B B B B B B B B 3.4-4 3.4-15 3.4-16 3.4-17 3.4-18 3.5-13 3.5-14 3.5-15 3.5-16 3.5-29 3.6-5 3.6-27 3.6-28 3.6-37 3.6-38 3.6-44 3.6-50 3.6-71 3.6-78 3.6-84 B 3.7-1 through B 3.7-34 B 3.8-1 through B 3.8-75 B 3.7-1 through B 3.7-34 B 3.8-1 through B 3.8-66 LIST OF EFFECTIVE PAGES -BASES Page No.ii iii B 2.0-1 B 2.0-2 B 2.0-3 B 2.0-4 B 2.0-5 B 2.0-6 B 2.0-7 B 2.0-8 B 3.0-1 B 3.0-2 B 3.0-3 B 3.0-4 B 3.0-5 B 3.0-6 B 3.0-7 B 3.0-8 B 3.0-9 B 3.0-10 B 3.0-11 B 3.0-12 B 3.0-13 B 3.0-14 B 3.0-15 B 3.0-16 B 3.0-17 B 3.0-18 B 3.1-1 B 3.1-2 B 3.1-3 B 3.1-4 B 3.1-5 B 3.1-6 B 3.1-7 B 3.1-8 B 3.1-9 B 3.1-10 B 3.1-11 B 3.1-12 B 3.1-13 B 3.1-14 B 3.1-15 B 3.1-16 Revision No./Date 0 0 0 12/18/03 0 0 6/10/99 09/25/09 09/25/09 0 09/25/09 06/30/06 0 0 0 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 09/18/09 6/10/99 6/10/99 6/10/99 6/10/99 6/10/99 6/10/99 12/18/03 12/18/03 6/10/99 6/10/99 6/10/99 12/18/03 12/18/03 6/10/99 6/10/99 12/03/09 Page No.B 3.1-17 B 3.1-18 B 3.1-19 B 3.1-20 B 3.1-21 B 3.1-22 B 3.1-23 B 3.1-24 B 3.1-25 B 3.1-26 B 3.1-27 B 3.1-28 B 3.1-29 B 3.1-30 B 3.1-31 B 3.1-32 B 3.1-33 B 3.1-34 B 3.1-35 B 3.1-36 B 3.1-37 B 3.1-38 B 3.1-39 B 3.1-40 B 3.1-41 B 3.1-42 B 3.1-43 B 3.1-44 B 3.1-45 B 3.1-46 B 3.1-47 B 3.1-48 B 3.1-49 B 3.1-50 B 3.1-51 B 3.2-1 B 3.2-2 B 3.2-3 B 3.2-4 B 3.2-5 B 3.2-6 B 3.2-7 B 3.2-8 B 3.2-9 B 3.2-10 Revision No./Date 6/10/99 07/16/08 12/03/09 12/03/09 01/06/12 0 0 0 05/09/06 02/02/06 05/09/06 12/18/03 0 0 0 0 01/30/03 07/16/08 07/16/08 07/16/08 07/16/08 07/16/08 09/25/09 09/25/09 09/25/09 09/25/09 09/25/09 11/25/12 09/25/09 09/25/09 09/25/09 0 0 11/25/12 09/25/09 01/27/06 6/10/99 6/10/99 4/12/00 6/10/99 0 0 0 0 4/12/00 Cooper 1 02/07/13 LIST OF EFFECTIVE PAGES -BASES (continued)

Page No.B 3.3-1 B 3.3-2 B 3.3-3 B 3.3-4 B 3.3-5 B 3.3-6 B 3.3-7 B 3.3-8 B 3.3-9 B 3.3-10 B 3.3-11 B 3.3-12 B 3.3-13 B 3.3-14 B 3.3-15 B 3.3-16 B 3.3-17 B 3.3-18 B 3.3-19 B 3.3-20 B 3.3-21 B 3.3-22 B 3.3-23 B 3.3-24 B 3.3-25 B 3.3-26 B 3.3-27 B 3.3-28 B 3.3-29 B 3.3-30 B 3.3-31 B 3.3-32 B 3.3-33 B 3.3-34 B 3.3-35 B 3.3-36 B 3.3-37 B 3.3-38 B 3.3-39 B 3.3-40 B 3.3-41 B 3.3-42 B 3.3-43 B 3.3-44 B 3.3-45 B 3.3-46 B 3.3-47 B 3.3-48 Revision No./Date 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 Paqe No.B 3.3-49 B 3.3-50 B 3.3-51 B 3.3-52 B 3.3-53 B 3.3-54 B 3.3-55 B 3.3-56 B 3.3-57 B 3.3-58 B 3.3-59 B 3.3-60 B 3.3-61 B 3.3-62 B 3.3-63 B 3.3-64 B 3.3-65 B 3.3-66 B 3.3-67 B 3.3-68 B 3.3-69 B 3.3-70 B 3.3-71 B 3.3-72 B 3.3-73 B 3.3-74 B 3.3-75 B 3.3-76 B 3.3-77 B 3.3-78 B 3.3-79 B 3.3-80 B 3.3-81 B 3.3-82 B 3.3-83 B 3.3-84 B 3.3-85 B 3.3-86 B 3.3-87 B 3.3-88 B 3.3-89 B 3.3-90 B 3.3-91 B 3.3-92 B 3.3-93 B 3.3-94 B 3.3-95 B 3.3-96 Revision No./Date 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 Cooper 2 02/07/13 Cooper 2 02/07/13 LIST OF EFFECTIVE PAGES -BASES (continued)

Page No. Revision No./Date Page No. Revision No./Date B 3.3-97 11/25/12 B 3.3-144 11/25/12 B 3.3-98 11/25/12 B 3.3-145 11/25/12 B 3.3-99 11/25/12 B 3.3-146 11/25/12 B 3.3-100 11/25/12 B 3.3-147 11/25/12 B 3.3-101 11/25/12 B 3.3-148 11/25/12 B 3.3-102 11/25/12 B 3.3-149 11/25/12 B 3.3-103 11/25/12 B 3.3-150 11/25/12 B 3.3-104 11/25/12 B 3.3-151 11/25/12 B 3.3-105 11/25/12 B 3.3-152 11/25/12 B 3.3-106 11/25/12 B 3.3-153 11/25/12 B 3.3-107 11/25/12 B 3.3-154 11/25/12 B 3.3-108 11/25/12 B 3.3-155 11/25/12 B 3.3-109 11/25/12 B 3.3-156 11/25/12 B 3.3-110 11/25/12 B 3.3-157 11/25/12 B 3.3-111 11/25/12 B 3.3-158 11/25/12 B 3.3-112 11/25/12 B 3.3-159 11/25/12 B 3.3-113 11/25/12 B 3.3-160 11/25/12 B 3.3-114 11/25/12 B 3.3-161 11/25/12 B 3.3-115 11/25/12 B 3.3-162 11/25/12 B 3.3-116 11/25/12 B 3.3-163 11/25/12 B 3.3-117 11/25/12 B 3.3-164 11/25/12 B 3.3-118 11/25/12 B 3.3-165 11/25/12 B 3.3-119 11/25/12 B 3.3-166 11/25/12 B 3.3-120 11/25/12 B 3.3-167 11/25/12 B 3.3-121 11/25/12 B 3.3-168 11/25/12 B 3.3-122 11/25/12 B 3.3-169 11/25/12 B 3.3-123 11/25/12 B 3.3-170 11/25/12 B 3.3-124 11/25/12 B 3.3-171 11/25/12 B 3.3-125 11/25/12 B 3.3-172 11/25/12 B 3.3-126 11/25/12 B 3.3-173 11/25/12 B 3.3-127 11/25/12 B 3.3-174 11/25/12 B 3.3-128 11/25/12 B 3.3-175 11/25/12 B 3.3-129 11/25/12 B 3.3-176 11/25/12 B 3.3-130 11/25/12 B 3.3-177 11/25/12 B 3.3-131 11/25/12 B 3.3-178 11/25/12 B 3.3-132 11/25/12 B 3.3-179 11/25/12 B 3.3-133 11/25/12 B 3.3-180 11/25/12 B 3.3-134 11/25/12 B 3.3-181 11/25/12 B 3.3-135 11/25/12 B 3.3-182 11/25/12 B 3.3-136 11/25/12 B 3.3-183 11/25/12 B 3.3-137 11/25/12 B 3.3-184 11/25/12 B 3.3-138 11/25/12 B 3.3-185 11/25/12 B 3.3-139 11/25/12 B 3.3-186 11/25/12 B 3.3-140 11/25/12 B 3.3-187 11/25/12 B 3.3-141 11/25/12 B 3.3-188 11/25/12 B 3.3-142 11/25/12 B 3.3-189 11/25/12 B 3.3-143 11/25/12 B 3.3-190 11/25/12 Cooper 3 02/07/13 LIST OF EFFECTIVE PAGES -BASES (continued)

Page No.B 3.3-191 B 3.3-192 B 3.3-193 B 3.3-194 B 3.3-195 B 3.3-196 B 3.3-197 B 3.3-198 B 3.4-1 B 3.4-2 B 3.4-3 B 3.4-4 B 3.4-5 B 3.4-6 B 3.4-7 B 3.4-8 B 3.4-9 B 3.4-10 B 3.4-11 B 3.4-12 B 3.4-13 B 3.4-14 B 3.4-15 B 3.4-16 B 3.4-17 B 3.4-18 B 3.4-19 B 3.4-20 B 3.4-21 B 3.4-22 B 3.4-23 B 3.4-24 B 3.4-25 B 3.4-26 B 3.4-27 B 3.4-28 B 3.4-29 B 3.4-30 B 3.4-31 B 3.4-32 B 3.4-33 B 3.4-34 B 3.4-35 B 3.4-36 B 3.4-37 B 3.4-38 B 3.4-39 Revision No./Date 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 0 0 0 01/06/12 0 0 4/12/00 0 0 0 1 1 4/12/00 0 03/05/12 03/05/12 11/25/12 03/05/12 0 0 0 0 0 0 0 09/18/09 09/18/09 6/28/01 09/25/09 0 09/18/09 09/25/09 1 0 09/18/09 0 0 0 1 Pa~ge No.B 3.4-40 B 3.4-41 B 3.4-42 B 3.4-43 B 3.4-44 B 3.4-45 B 3.4-46 B 3.4-47 B 3.4-48 B 3.4-49 B 3.4-50 B 3.4-51 B 3.4-52 B 3.4-53 B 3.4-54 B 3.4-55 B 3.5-1 B 3.5-2 B 3.5-3 B 3.5-4 B 3.5-5 B 3.5-6 B 3.5-7 B 3.5-8 B 3.5-9 B 3.5-10 B 3.5-11 B 3.5-12 B 3.5-13 B 3.5-14 B 3.5-15 B 3.5-16 B 3.5-17 B 3.5-18 B 3.5-19 B 3.5-20 B 3.5-21 B 3.5-22 B 3.5-23 B 3.5-24 B 3.5-25 B 3.5-26 B 3.5-27 B 3.5-28 B 3.5-29 B 3.5-30 Revision No./Date 0 0 0 0 08/11/04 08/11/04 04/11/06 0 0 08/11/04 04/11/06 0 08/11/04 0 0 0 1 11/24/03 0 0 04/26/04 09/18/09 04/26/04 04/26/04 1 0 0 04/28/10 11/25/12 11/25/12 11/25/12 11/25/12 11/23/99 12/18/03 0 0 0 0 12/18/03 0 1 09/18/09 09/18/09 09/18/09 11/25/12 12/18/03 Cooper 4 02/07/13 LIST OF EFFECTIVE PAGES -BASES (continued)

Page No.B 3.6-1 B 3.6-2 B 3.6-3 B 3.6-4 B 3.6-5 B 3.6-6 B 3.6-7 B 3.6-8 B 3.6-9 B 3.6-10 B 3.6-11 B 3.6-12 B 3.6-13 B 3.6-14 B 3.6-15 B 3.6-16 B 3.6-17 B 3.6-18 B 3.6-19 B 3.6-20 B 3.6-21 B 3.6-22 B 3.6-23 B 3.6-24 B 3.6-25 B 3.6-26 B 3.6-27 B 3.6-28 B 3.6-29 B 3.6-30 B 3.6-31 B 3.6-32 B 3.6-33 B 3.6-34 B 3.6-35 B 3.6-36 B 3.6-37 B 3.6-38 B 3.6-39 B 3.6-40 B 3.6-41 B 3.6-42 B 3.6-43 B 3.6-44 B 3.6-45 B 3.6-46 B 3.6-47 B 3.6-48 Revision No./Date 3/8/00 09/30/08 3/8/00 11/06/06 11/25/12 0 09/30/08 0 0 0 0 3/8/00 09/30/08 3/8/00 0 1 0 0 11/28/01 11/28/01 11/28/01 11/28/01 11/28/01 1 1 3/8/00 11/25/12 11/25/12 09/25/09 09/30/08 09/30/08 12/27/02 12/27/02 12/14/01 0 0 11/25/12 11/25/12 0 0 0 0 0 11/25/12 0 6/10/99 0 0 Page No.B 3.6-49 B 3.6-50 B 3.6-51 B 3.6-52 B 3.6-53 B 3.6-54 B 3.6-55 B 3.6-56 B 3.6-57 B 3.6-58 B 3.6-59 B 3.6-60 B 3.6-61 B 3.6-62 B 3.6-63 B 3.6-64 B 3.6-65 B 3.6-66 B 3.6-67 B 3.6-68 B 3.6-69 B 3.6-70 B 3.6-71 B 3.6-72 B 3.6-73 B 3.6-74 B 3.6-75 B 3.6-76 B 3.6-77 B 3.6-78 B 3.6-79 B 3.6-80 B 3.6-81 B 3.6-82 B 3.6-83 B 3.6-84 B 3.7-1 B 3.7-2 B 3.7-3 B 3.7-4 B 3.7-5 B 3.7-6 B 3.7-7 B 3.7-8 B 3.7-9 B 3.7-10 B 3.7-11 Revision No./Date 0 11/25/12 0 8/13/02 0 0 8/13/02 8/13/02 0 0 0 0 0 0 04/28/10 0 0 0 10/05/06 10/05/06 10/05/06 10/05/06 11/25/12 10/05/06 10/05/06 10/05/06 3/8/00 10/05/06 12/18/03 11/25/12 12/18/03 10/05/06 10/05/06 10/05/06 10/05/06 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 12/21/12 11/25/12 11/25/12 11/25/12 11/25/12 Cooper 5 02/07/13 Cooper 5 02/07/13 LIST OF EFFECTIVE PAGES -BASES (continued)

Paqe No.B 3.7-12 B 3.7-13 B 3.7-14 B 3.7-15 B 3.7-16 B 3.7-17 B 3.7-18 B 3.7-19 B 3.7-20 B 3.7-21 B 3.7-22 B 3.7-23 B 3.7-24 B 3.7-25 B 3.7-26 B 3.7-27 B 3.7-28 B 3.7-29 B 3.7-30 B 3.7-31 B 3.7-32 B 3.7-33 B 3.7-34 B 3.8-1 B 3.8-2 B 3.8-3 B 3.8-4 B 3.8-5 B 3.8-6 B 3.8-7 B 3.8-8 B 3.8-9 B 3.8-10 B 3.8-11 B 3.8-12 B 3.8-13 B 3.8-14 B 3.8-15 B 3.8-16 B 3.8-17 B 3.8-18 B 3.8-19 B 3.8-20 B 3.8-21 B 3.8-22 B 3.8-23 B 3.8-24 Revision No./Date 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 11/25/12 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 Paqe No.B 3.8-25 B 3.8-26 B 3.8-27 B 3.8-28 B 3.8-29 B 3.8-30 B 3.8-31 B 3.8-32 B 3.8-33 B 3.8-34 B 3.8-35 B 3.8-36 B 3.8-37 B 3.8-38 B 3.8-39 B 3.8-40 B 3.8-41 B 3.8-42 B 3.8-43 B 3.8-44 B 3.8-45 B 3.8-46 B 3.8-47 B 3.8-48 B 3.8-49 B 3.8-50 B 3.8-51 B 3.8-52 B 3.8-53 B 3.8-54 B 3.8-55 B 3.8-56 B 3.8-57 B 3.8-58 B 3.8-59 B 3.8-60 B 3.8-61 B 3.8-62 B 3.8-63 B 3.8-64 B 3.8-65 B 3.8-66 B 3.9-1 B 3.9-2 B 3.9-3 B 3.9-4 B 3.9-5 Revision No./Date 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 02/07/13 12/18/03 0 05/09/06 05/09/06 05/09/06 Cooper 6 02/07/13 Cooper 6 02/07/13 LIST OF EFFECTIVE PAGES -BASES (continued)

Pagqe No.B 3.9-6 B 3.9-7 B 3.9-8 B 3.9-9 B 3.9-10 B 3.9-11 B 3.9-12 B 3.9-13 B 3.9-14 B 3.9-15 B 3.9-16 B 3.9-17 B 3.9-18 B 3.9-19 B 3.9-20 B 3.9-21 B 3.9-22 B 3.9-23 B 3.9-24 B 3.9-25 B 3.9-26 B 3.9-27 B 3.9-28 B 3.9-29 B 3.9-30 B 3.10-1 B 3.10-2 B 3.10-3 B 3.10-4 B 3.10-5 B 3.10-6 B 3.10-7 B 3.10-8 B 3.10-9 B 3.10-10 B 3.10-11 B 3.10-12 B 3.10-13 B 3.10-14 B 3.10-15 B 3.10-16 B 3.10-17 B 3.10-18 B 3.10-19 B 3.10-20 B 3.10-21 B 3.10-22 Revision No./Date 05/09/06 05/09/06 05/09/06 12/18/03 0 12/18/03 12/18/03 0 0 12/18/03 12/18/03 0 12/18/03 10/05/06 0 10/05/06 0 0 0 0 0 0 0 0 0 Pa.qe No.B 3.10-23 B 3.10-24 B 3.10-25 B 3.10-26 B 3.10-27 B 3.10-28 B 3.10-29 B 3.10-30 B 3.10-31 B 3.10-32 B 3.10-33 B 3.10-34 B 3.10-35 B 3.10-36 B 3.10-37 B 3.10-38 B 3.10-39 Revision No./Date 0 0 0 6/10/99 6/10/99 0 6/10/99 0 07/16/08 0 0 0 0 0 0 0 0 11/06/06 11/06/06 11/06/06 11/06/06 11/06/06 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Cooper 7 02/07/13 Cooper 7 02/07/13 Control Rod OPERABILITY B 3.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.1.3.5 Coupling verification is performed to ensure the control rod is connected to the CRDM and will perform its intended function when necessary.

The Surveillance requires verifying a control rod does not go to the withdrawn overtravel position.

The overtravel position feature provides a positive check on the coupling integrity since only an uncoupled CRD can reach the overtravel position.

The verification is required to be performed any time a control rod is withdrawn to the "full out" position (notch position 48)or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling.

This includes control rods inserted one notch and then returned to the "full out" position during the performance of SR 3.1.3.3. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved and operating experience related to uncoupling events.REFERENCES

1. USAR, Appendix F, Section F-2.5.2. USAR, Section XIV-5.3.1 3. USAR, Section XIV-6.2.4. USAR, Appendix G.5. 10 CFR 50.36(c)(2)(ii).
6. NEDO-21231, "Banked Position Withdrawal Sequence," Section 7.2, January 1977.Cooper B 3.1-21 01/06/12 SLC System B 3.1.7 BASES SURVEILLANCE REQUIREMENTS (continued) positive reactivity effects encountered during power reduction, cooldown of the moderator, and xenon decay. This test confirms one point on the pump design curve and is indicative of overall performance.

Such inservice tests confirm component OPERABILITY, and detect incipient failures by indicating abnormal performance.

The Frequency of this Surveillance is in accordance with the Inservice Testing Program.SR 3.1.7.8 and SR 3.1.7.9 These Surveillances ensure that there is a functioning flow path from the boron solution storage tank to the RPV, including the firing of an explosive valve. The replacement charge for the explosive valve shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of that batch successfully fired. The pump and explosive valve tested should be alternated such that both complete flow paths are tested every 48 months at alternating 24 month intervals.

The Surveillance may be performed in separate steps to prevent injecting boron into the RPV. An acceptable method for verifying flow from the pump to the RPV is to pump demineralized water from a test tank through one SLC subsystem and into the RPV. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency; therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Demonstrating that all heat traced piping between the boron solution storage tank and the suction inlet to the injection pumps is unblocked ensures that there is a functioning flow path for injecting the sodium pentaborate solution.

An acceptable method for verifying that the suction piping is unblocked is to manually initiate the system, except the explosive valves, and pump from the storage tank to the test tank. Upon completion of this verification, the pump suction piping must be flushed with demineralized water to ensure piping between the storage tank and pump suction is unblocked.

The 24 month Frequency is acceptable since there is a low probability that the subject piping will be blocked due to precipitation of the boron from solution in the heat traced piping. This is especially true in light of the temperature verification of this piping Cooper B 3.1-44 11/25/12 SDV Vent and Drain Valves B 3.1.8 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.1.8.2 During a scram, the SDV vent and drain valves should close to contain the reactor water discharged to the SDV piping. Cycling each valve through its complete range of motion (closed and open) ensures that the valve will function properly during a scram. The 92 day Frequency is based on operating experience and takes into account the level of redundancy in the system design.SR 3.1.8.3 SR 3.1.8.3 is an integrated test of the SDV vent and drain valves to verify total system performance.

After receipt of a simulated or actual scram signal, the closure of the automatic SDV vent and drain valves is verified.The closure time of 30 seconds after receipt of a scram signal is based on the bounding leakage case evaluated in the accident analysis.Similarly, after receipt of a simulated or actual scram reset signal, the opening of the SDV vent and drain valves is verified.

The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1 and the scram time testing of control rods in LCO 3.1.3, "Control Rod Operability," overlap this Surveillance to provide complete testing of the assumed safety function.The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency; therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Cooper B 3.1-50 11/25/12 RPS Instrumentation B 3.3.1.1 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limits to preserve the integrity of the fuel cladding and the reactor coolant pressure boundary (RCPB) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually.The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

The Limiting Trip Setpoint (LTSP) is a predetermined setting for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the Safety Limit (SL) would not be exceeded.

As such, the LTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the LTSP ensures that SLs are not exceeded.

Therefore, the LTSP meets the definition of an LSSS (Ref. 1).Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility.

Operable is defined in Technical Specifications as "...being capable of performing its safety function(s)." Relying solely on the LTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a Surveillance.

This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protective protection channel with a setting that has been found to be different from the LTSP due to some drift of the setting may still be OPERABLE because drift is to be expected.

This expected drift would have been specifically accounted for in the setpoint methodology for calculating the LTSP and thus the Cooper B 3.3-1 11/25/12 RPS Instrumentation B 3.3.1.1 BASES BACKGROUND (continued) automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel.Therefore, the channel would still be OPERABLE because it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around the LTSP to account for further drift during the next surveillance interval.Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

However, there is also some point beyond which the channel may not be able to perform its function due to, for example, greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the channels and is designated as the Allowable Value.If the actual setting (as-found setpoint) of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE but degraded.

The degraded condition will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the LTSP (within the allowed tolerance), and evaluating the channel response.

If the channel is functioning as required and expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance.

After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

The RPS, as described in the USAR, Section VII-2 (Ref. 2), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters.

The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level, reactor vessel pressure, neutron flux, main steam line isolation valve position, turbine control valve (TCV) fast closure, trip oil pressure, turbine stop valve (TSV) position, drywell pressure, and scram discharge volume (SDV) water level, as well as reactor mode switch in shutdown position and manual scram signals.There are at least four redundant sensor input signals from each of these parameters (with the exception of the manual scram signal and the reactor mode switch in shutdown scram signal). Most channels include instrumentation that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel outputs an RPS trip signal to the trip logic.Cooper B 3.3-2 11/25/12 RPS Instrumentation B 3.3.1.1 BASES BACKGROUND (continued)

The RPS is comprised of two independent trip systems (A and B) with three logic channels in each trip system (logic channels Al, A2, and A3, B1, B2, and B3) as shown in Reference

2. Logic channels Al, A2, B1 and B2 contain automatic logic. The above mentioned parameters are represented by at least one input to each of these logic channels.

The outputs of the logic channels in a trip system are combined in a one-out-of-two logic so that either channel can trip the associated trip system.The tripping of both trip systems will produce a reactor scram. This logic arrangement is referred to as a one-out-of-two taken twice logic. In addition to the automatic logic channels, logic channels A3 and B3 (one logic channel per trip system) are provided for manual scram. Both channel push buttons must be depressed to initiate the manual trip function.

Each trip system can be reset by use of a reset switch. If a full scram occurs (both trip systems trip), a relay prevents reset of the trip systems for 10 seconds after the full scram signal is received.

This 10 second delay on reset ensures that the scram function will be completed.

Two scram pilot valves are located in the hydraulic control unit for each control rod drive (CRD). Each scram pilot valve is solenoid operated, with the solenoids normally energized.

The scram pilot valves control the air supply to the scram inlet and outlet valves for the associated CRD. When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both scram pilot valve solenoids must be de-energized to cause a control rod to scram. The scram valves control the supply and discharge paths for the CRD water during a scram. One of the scram pilot valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B.Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram.The backup scram valves, which energize on a scram signal to depressurize the scram air header, are also controlled by the RPS.Additionally, the RPS System controls the SDV vent and drain valves such that when both trip systems trip, the SDV vent and drain valves close to isolate the SDV.APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The actions of the RPS are assumed in the safety analyses of References 2, 3, 4, and 5. The RPS is required to initiate a reactor scram when monitored parameter values are exceeded to preserve the integrity Cooper B 3.3-3 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) of the fuel cladding, the reactor coolant pressure boundary (RCPB), and the containment by minimizing the energy that must be absorbed following a LOCA.RPS instrumentation satisfies Criterion 3 of 10 CFR 50.36 (c)(2)(ii) (Ref.6). Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses.These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1.

Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints set within the setting tolerance of the LTSPs, where appropriate.

The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Each channel must also respond within its assumed response time, where appropriate.

Allowable Values for RPS Instrumentation Functions are specified in Table 3.3.1.1-1.

Limiting Trip Setpoints and the methodologies for calculation of the as-left and as-found tolerances are described in the Technical Requirements Manual. The LTSPs are selected to ensure that the actual setpoints remain conservative with respect to the as-found tolerance band between successive CHANNEL CALIBRATIONS.

After each calibration the trip setpoint shall be left within the as-left band around the LTSP.LTSPs are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device changes state. The analytical limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents.

The Allowable Values are derived from the analytical limits, corrected for calibration, process, and some of the instrument errors. The LTSPs are then determined Cooper B 3.3-4 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) accounting for the remaining instrument errors (e.g., drift). The LTSPs derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.The OPERABILITY of scram pilot valves and associated solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO.The individual Functions are required to be OPERABLE in the MODES or other Conditions specified in the table, which may require an RPS trip to mitigate the consequences of a design basis accident or transient.

To ensure a reliable scram function, a combination of functions are required in each MODE to provide primary and diverse initiation signals.The only MODES specified in Table 3.3.1.1-1 are MODES I and 2 and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies.

No RPS Function is required in MODES 3 and 4 since, all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block (LCO 3.3.2.1) does not allow any control rod to be withdrawn.

In MODE 5, control rods withdrawn from a core cell containing no fuel assemblies do not affect the reactivity of the core and, therefore, are not required to have the capability to scram. Provided all other control rods remain inserted, no RPS Function is required.

In this condition, the required SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur.The trip that results from the removal of a circuit card is a basic design feature of selected circuits.

This feature is excluded from periodic testing in order to minimize component wear and damage.The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.Intermediate Range Monitor (IRM)l.a. Intermediate Range Monitor Neutron Flux-High The IRMs monitor neutron flux levels from the upper range of the source range monitor (SRM) to the lower range of the average power range monitors (APRMs). The IRMs are capable of generating trip signals that Cooper B 3.3-5 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) can be used to prevent fuel damage resulting from abnormal operating transients in the intermediate power range. In this power range, the most significant source of reactivity change is due to control rod withdrawal.

The IRM provides diverse protection from the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result in an unacceptable neutron flux excursion (Ref. 3). The IRM provides mitigation of the neutron flux excursion.

To demonstrate the capability of the IRM System to mitigate control rod withdrawal events, generic analyses have been performed (Ref. 4) to evaluate the consequences of control rod withdrawal events during startup that are mitigated only by the IRM. The continuous rod withdrawal during reactor startup analysis (Refs. 3 and 4), which assumes that one IRM channel in each trip system is bypassed, demonstrates that the IRMs provide protection against local control rod withdrawal errors and results in peak fuel enthalpy below the 170 cal/gm fuel failure threshold criterion.

The IRMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed.The IRM System is divided into two groups of IRM channels, with four IRM channels inputting to each trip system. The analysis of Reference 4 assumes that one channel in each trip system is bypassed.

Therefore, six channels with three channels in each trip system are required for IRM OPERABILITY to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This trip is active in each of the 9 ranges of the IRM, which must be selected by the operator to maintain the neutron flux within the monitored level of an IRM range.The analysis of Reference 4 has adequate conservatism to permit an IRM Allowable Value of 121 divisions of a 125 division scale.The Intermediate Range Monitor Neutron Flux-High Function must be OPERABLE during MODE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the IRMs provide monitoring for and protection against unexpected reactivity excursions.

In MODE 1, the APRM System and the RWM provide protection against control rod withdrawal error events and the IRMs are not required.

An IRM is automatically bypassed when the mode switch is in the "Run" position and its companion APRM is above its downscale trip setpoint.Cooper B 3.3-6 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) 1.b. Intermediate Range Monitor-Inop This trip signal provides assurance that a minimum number of IRMs are OPERABLE.

Anytime an IRM mode switch is moved to any position other than "Operate," the detector voltage drops below a preset level, loss of the negative or positive DC voltages, or when a module is not plugged in, an inoperative trip signal will be received by the RPS unless the IRM is bypassed.

Since only one IRM in each trip system may be bypassed, only one IRM in each RPS trip system may be inoperable without resulting in an RPS trip signal.This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.Six channels of Intermediate Range Monitor-mnop with three channels in each trip system are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function.This Function is required to be OPERABLE when the Intermediate Range Monitor Neutron Flux-High Function is required.Average Power Range Monitor 2.a. Average Power Range Monitor Neutron Flux-High (Startup)The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core that provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than RTP. For operation at low power (i.e., MODE 2), the Average Power Range Monitor Neutron Flux-High (Startup)

Function is capable of generating a trip signal that prevents fuel damage resulting from abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux-High (Startup)

Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux-High Function because of the relative setpoints.

With the IRMs at Range 9, it is possible that the Average Power Range Monitor Neutron Flux-High Cooper B 3.3-7 11/25/12 1 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)(Startup)

Function will provide the primary trip signal for a core-wide increase in power.No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux-High (Startup)

Function.

However, this Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 25% RTP (SL 2.1.1.1)when operating at low reactor pressure and low core flow. Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER < 25% RTP.The APRM System is divided into two groups of channels with three APRM channel inputs to each trip system. The system is designed to allow one channel in each trip system to be bypassed.

Any one APRM channel in a trip system can cause the associated trip system to trip.Four channels of Average Power Range Monitor Neutron Flux-High (Startup) with two channels in each trip system are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located.The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 25% RTP.The Average Power Range Monitor Neutron Flux-High (Startup)

Function must be OPERABLE during MODE 2 when control rods may be withdrawn since the potential for criticality exists.In MODE 1, the Average Power Range Monitor Neutron Flux-High (Fixed)Function provides protection against reactivity transients and the RWM and rod block monitor protect against control rod withdrawal error events.Function 2.a is bypassed when the reactor mode switch is in run.2.b. Average Power Range Monitor Neutron Flux-High (Flow Biased)The Average Power Range Monitor Neutron Flux-High (Flow Biased)Function monitors neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant. The APRM neutron flux trip level is varied as a function of recirculation drive flow (i.e., at lower core flows, the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod pattern. The Average Power Range Monitor Neutron Flux-High (Flow Biased) Function is not Cooper B 3.3-8 11/25/12 I RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) specifically credited in the safety analyses, but is intended to provide protection against transients where THERMAL POWER increases slowly, and to provide protection for power oscillations which may result from reactor thermal hydraulic instability.

The APRM System is divided into two groups of channels with three APRM Channel inputs to each trip system. The system is designed to allow one channel in each trip system to be bypassed.

Any one APRM channel in a trip system can cause the associated trip system to trip.Four channels of Average Power Range Monitor Neutron Flux-High (Flow Biased) with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located. Each APRM channel receives a flow signal representative of total recirculation loop flow. The total recirculation loop drive flow signals are generated by two flow units, one of which supplies signals to the trip system A APRMs, while the other supplies signals to the trip system B APRMs. Each flow unit signal is provided by summing up the flow signals from the two recirculation loops. The instrumentation is an analog type with redundant flow signals that can be compared.

Each required Average Power Range Monitor Neutron Flux-High (Flow Biased) channel requires an input from one OPERABLE flow unit. If a flow unit is inoperable, the associated Average Power Range Monitor Neutron Flux-High (Flow Biased) channels must be considered inoperable.

The terms for the Allowable Value of the APRM Neutron Flux-High (Flow Biased) trip are defined as follows: S is the setting in percent rated power; W is the two loop recirculation flow rate in percent rated flow (rated loop recirculation flow rate is that recirculation flow rate which provides 100% core flow at 100% power); AW is the difference between two loop and single loop effective drive flow at the same core flow. AW equals zero for two recirculation loop operation.

The Average Power Range Monitor Neutron Flux-High (Flow Biased)Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding integrity.

Cooper B 3.3-9 11/25/12 1 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) 2.c. Average Power Range Monitor Neutron Flux-High (Fixed)The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases.

The Average Power Range Monitor Neutron Flux-High (Fixed) Function is capable of generating a trip signal to prevent fuel damage or excessive Reactor Coolant System (RCS) pressure.

For the overpressurization protection analysis of Reference 7, the Average Power Range Monitor Neutron Flux-High (Fixed) Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the safety/relief valves (SRVs), limits the peak reactor pressure vessel (RPV)pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 8) takes credit for the Average Power Range Monitor Neutron Flux-High (Fixed) Function to terminate the CRDA.The APRM System is divided into two groups of channels with three APRM channels inputting to each trip system. The system is designed to allow one channel in each trip system to be bypassed.

Any one APRM channel in a trip system can cause the associated trip system to trip.Four channels of Average Power Range Monitor Neutron Flux-High (Fixed) with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. In addition, to provide adequate coverage of the entire core, at least 11 LPRM inputs are required for each APRM channel, with at least two LPRM inputs from each of the four axial levels at which the LPRMs are located.The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses.The Average Power Range Monitor Neutron Flux-High (Fixed) Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded.

Although the Average Power Range Monitor Neutron Flux-High (Fixed) Function is assumed in the CRDA analysis (Ref. 8), which is applicable in MODE 2, the Average Power Range Monitor Neutron Flux-High, (Startup)

Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection.

Therefore, the Average Power Range Monitor Neutron Flux-High (Fixed) Function is not required in MODE 2.Cooper B 3.3-10 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) 2.d. Average Power Ran-ge Monitor-Downscale This signal ensures that there is adequate Neutron Monitoring System protection if the reactor mode switch is placed in the run position prior to the APRMs coming on scale. With the reactor mode switch in run, an APRM downscale signal coincident with an associated Intermediate Range Monitor Neutron Flux-High or Inop signal generates a trip signal.This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.The APRM System is divided into two groups of channels with three inputs into each trip system. The system is designed to allow one channel in each trip system to be bypassed.

Four channels of Average Power Range Monitor-Downscale with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal. The Intermediate Range Monitor Neutron Flux-High and Inop Functions are also part of the OPERABILITY of the Average Power Range Monitor-Downscale Function.

If either of these IRM Functions cannot send a signal to the Average Power Range Monitor-Downscale Function, either automatically when the trip conditions exist or manually when the IRM is inoperable (e.g., when the IRM is taken out of operate or bypassed), the associated Average Power Range Monitor-Downscale channel is considered inoperable.

The Allowable Value is based upon ensuring that the APRMs are on scale when transfers are made between APRMs and IRMs.This Function is required to be OPERABLE in MODE 1 since this is when the APRMs are the primary indicators of reactor power. This Function is automatically bypassed when the reactor mode switch is in the run position and the companion IRM instrumentation is OPERABLE and not upscale, and when the reactor mode switch is not in the run position.2.e. Average Power Range Monitor-Inop This signal provides assurance that a minimum number of APRMs are OPERABLE.

Anytime an APRM mode switch is moved to any position other than "Operate," an APRM module is unplugged or the APRM has too few LPRM inputs (< 11), an inoperative trip signal will be received by the RPS, unless the APRM is bypassed.

An APRM will be considered inoperable if there are less than two LPRM inputs per level. Since only one APRM in each trip system may be bypassed, only one APRM in each Cooper B 3.3-11 11/25/12 I RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) trip system may be inoperable without resulting in an RPS trip signal.This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.Four channels of Average Power Range Monitor-mnop with two channels in each trip system are required to be OPERABLE to ensure that no single failure will preclude a scram from this Function on a valid signal.There is no Allowable Value for this Function.This Function is required to be OPERABLE in the MODES where the APRM Functions are required.3. Reactor Vessel Pressure-High An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion.

This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the fuel cladding and the RCPB. No specific safety analysis takes direct credit for this Function.

However, the Reactor Vessel Pressure-High Function initiates a scram for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power.For the overpressurization protection analysis of Reference 7, reactor scram (the analyses conservatively assume scram on the Average Power Range Monitor Neutron Flux-High (Fixed) signal, not the Reactor Vessel Pressure-High signal), along with the SRVs, limits the peak RPV pressure to less than the ASME Section III Code limits.High reactor pressure signals are initiated from four pressure switches that sense reactor pressure.

The Reactor Vessel Pressure-High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event.Four channels of Reactor Vessel Pressure-High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.Cooper B 3.3-12 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

4. Reactor Vessel Water Level-Low (Level 3)Low RPV water level indicates the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat generated in the fuel from fission. The Reactor Vessel Water Level-Low (Level 3) Function is assumed in the analysis of a loss of feedwater flow (Ref. 9). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.Reactor Vessel Water Level-Low (Level 3) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.Four channels of Reactor Vessel Water Level-Low (Level 3) Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.The Reactor Vessel Water Level-Low (Level 3) Allowable Value is selected to ensure that during normal operation the separator skirts are not uncovered (this protects available recirculation pump net positive suction head (NPSH) from significant carryunder) and, for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water-Low Low Low (Level 1) will not be required.The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents.

ECCS initiations at Reactor Vessel Water Level-Low Low (Level 2) and Low Low Low (Level 1) provide sufficient protection for level transients in all other MODES.5. Main Steam Isolation Valve-Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the nuclear steam supply system and indicates a need to shut down the reactor to reduce heat generation.

Therefore, a reactor scram is initiated on a Main Steam Isolation Valve-Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient.

Cooper B 3.3-13 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

However, for the overpressurization protection analysis of Reference 7, the Average Power Range Monitor Neutron Flux-High (Fixed) Function, along with the SRVs, limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis.The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.MSIV closure signals are initiated from position switches located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Each RPS trip system receives an input from four Main Steam Isolation Valve-Closure channels, each consisting of two position switches (one for the inboard MSIV and one for the outboard MSIV in the same steam line)in series with a sensor relay. The logic for the Main Steam Isolation Valve-Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur. The design permits closure of any two lines without a full scram being initiated.

The Main Steam Isolation Valve-Closure Allowable Value is specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient.

Eight channels of the Main Steam Isolation Valve-Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.

6. Drywell Pressure-High High pressure in the drywell could indicate a break in the RCPB. A reactor scram is initiated to minimize the possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell.The Drywell Pressure-High Function is assumed to scram the reactor during large and intermediate break LOCAs inside primary containment.

The reactor scram reduces the amount of energy required to be absorbed Cooper B 3.3-14 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) and along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.High drywell pressure signals are initiated from four pressure switches that sense drywell pressure.

The Allowable Value was selected to be as low as possible and indicative of a LOCA inside primary containment.

Four channels of Drywell Pressure-High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resulting in the limiting transients and accidents.

7a, 7b. Scram Discharge Volume Water Level-Hiqgh The north and south SDVs are independent with separate drain lines and isolation valves. Each SDV is a separate RPS Function, each Function consisting of both type 7.a and 7.b channels.

Each SDV accommodates approximately half of the water displaced by the motion of the CRD pistons during a reactor scram. Should either SDV fill to a point where there is insufficient volume to accept the displaced water, control rod insertion would be hindered.

Therefore, a reactor scram is initiated while the remaining free volumes are still sufficient to accommodate the water from a full core scram. No credit is taken for a scram initiated from these Functions for any of the design basis accidents or transients analyzed in the USAR. However, they are retained to ensure the RPS remains OPERABLE.SDV water level is measured by two diverse methods. The level in each of the two SDVs is measured by two float type level switches and two differential pressure transmitters for a total of eight level signals. The outputs of these devices are arranged so that there is a signal from a level switch and a differential pressure transmitter to each RPS trip system from each SDV. The level measurement instrumentation satisfies the recommendations of Reference 10.The Allowable Value is chosen low enough to ensure that there is sufficient volume in each SDV to accommodate the water from a full scram.For each Scram Discharge Volume Water Level-High Function (i.e., for each SDV), there is one channel of each type (type 7.a and 7.b) in each trip system. Since Table 3.3.1.1-1 provides the total number of required Cooper B 3.3-15 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) channels per trip system for both SDVs, a total of two required channels of each type per trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from these Functions on a valid signal. These Functions are required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

At all other times, this Function may be bypassed.8. Turbine Stop Valve-Closure Closure of the TSVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated at the start of TSV closure in anticipation of the transients that would result from the closure of these valves. The Turbine Stop Valve-Closure Function is the primary scram signal for the turbine trip and feedwater controller failure maximum demand events analyzed in Reference

3. For this event, the reactor scram reduces the amount of energy required to be absorbed and ensures that the MCPR SL is not exceeded.Turbine Stop Valve-Closure signals are initiated from position switches located on each of the two TSVs. Two independent position switches are associated with each stop valve. Both of the switches from one TSV provide input to RPS trip system A; the two switches from the other TSV provide input to RPS trip system B. Thus, each RPS trip system receives two Turbine Stop Valve-Closure channel inputs from a TSV, each consisting of one position switch assembly with two contacts, each inputting to a relay. The relays provide a parallel logic input to an RPS trip logic channel. The logic for the Turbine Stop Valve-Closure Function is such that both TSVs must be closed to produce a scram. Single valve closure will produce a half scram. This Function must be enabled at THERMAL POWER > 29.5% RTP as measured by turbine first stage pressure.

This is accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening the turbine bypass valves may affect this Function.The Turbine Stop Valve-Closure Allowable Value is selected to detect imminent TSV closure, thereby reducing the severity of the subsequent pressure transient.

Four channels of Turbine Stop Valve-Closure Function, with two channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function if both Cooper B 3.3-16 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

TSVs should close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is > 29.5% RTP. This Function is not required when THERMAL POWER is < 29.5% RTP since the Reactor Vessel Pressure-High and the Average Power Range Monitor Neutron Flux-High (Fixed) Functions are adequate to maintain the necessary safety margins.9. Turbine Control Valve Fast Closure, DEH Trip Oil Pressure-Low Fast closure of the TCVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on TCV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Control Valve Fast Closure, DEH Trip Oil Pressure-Low Function is the primary scram signal for the generator load rejection event analyzed in Reference

3. For this event, the reactor scram reduces the amount of energy required to be absorbed and ensures that the MCPR SL is not exceeded.Turbine Control Valve Fast Closure, DEH Trip Oil Pressure-Low signals are initiated by low digital-electrohydraulic control (DEHC) fluid pressure in the emergency trip header for the control valves. There are four pressure switches which sense off the common header, with one pressure switch assigned to each separate RPS logic channel. This Function must be enabled at THERMAL POWER - 29.5% RTP as measured by turbine first stage pressure.

This is accomplished automatically by pressure switches sensing turbine first stage pressure;therefore, opening the turbine bypass valves may affect this Function.The Turbine Control Valve Fast Closure, DEH Trip Oil Pressure-Low Allowable Value is selected high enough to detect imminent TCV fast closure.Four channels of Turbine Control Valve Fast Closure, DEH Trip Oil Pressure-Low Function with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is -> 29.5% RTP. This Function is not required when THERMAL POWER is < 29.5% RTP, since the Reactor Vessel Pressure-High and the Average Power Range Monitor Neutron Flux-High (Fixed) Functions are adequate to maintain the necessary safety margins.Cooper B 3.3-17 11/25/12 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

10. Reactor Mode Switch-Shutdown Position The Reactor Mode Switch-Shutdown Position Function provides signals, via the manual scram logic channels, directly to the scram pilot solenoid power circuits.

These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability.

This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.The reactor mode switch is a keylock four-position, four-bank switch. The reactor mode switch will scram the reactor if it is placed in the shutdown position.

Scram signals from the reactor mode switch are input into each of the two RPS manual scram logic channels.There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on reactor mode switch position.Two channels of Reactor Mode Switch-Shutdown Position Function, with one channel in each manual scram trip system, are available and required to be OPERABLE.

The Reactor Mode Switch-Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

11. Manual Scram The Manual Scram push button channels provide signals, via the manual scram logic channels, directly to the scram pilot solenoid power circuits.These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability.

This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.There is one Manual Scram push button channel for each of the two RPS manual scram logic channels.

In order to cause a scram it is necessary that the channel in both manual scram trip systems be actuated.There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.Cooper B 3.3-18 11/25/12 I RPS Instrumentation B 3.3.1.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

Two channels of Manual Scram with one channel in each manual scram trip system are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate inoperable channels.

As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel.A.1 and A.2 Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> has been shown to be acceptable (Ref. 11) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B. 1, B.2, and C. I Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternatively, if it is not desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram), Condition D must be entered and its Required Action taken.I Cooper B 3.3-19 11/25/12 I RPS Instrumentation B 3.3.1.1 BASES ACTIONS (continued)

B.1 and B.2 Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition, provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip system. For Items 7.a and 7.b (Scram Discharge Volume Water Level -High, Level Transmitter and Level Switch), entry into Condition B is required when at least one channel (either an Item 7.a or 7.b channel) is inoperable in each trip system associated with one SDV.Required Actions B.1 and B.2 limit the time the RPS scram logic, for any Function, would not accommodate single failure in both trip systems (e.g., one-out-of-one and one-out-of-one arrangement for a typical four channel Function).

The reduced reliability of this logic arrangement was not evaluated in Reference 11 for the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time. Within the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the associated Function will have all required channels OPERABLE or in trip (or any combination) in one trip system.Completing one of these Required Actions restores RPS to a reliability level equivalent to that evaluated in Reference 11, which justified a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowable out of service time as presented in Condition A. The trip system in the more degraded state should be placed in trip or, alternatively, all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in a more degraded state than a trip system with four inoperable channels if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions).

The decision of which trip system is in the more degraded state should be based on prudent judgment and take into account current plant conditions (i.e., what MODE the plant is in). If this action would result in a scram, it is permissible to place the other trip system or its inoperable channels in trip.The 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram.Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram), Condition D must be entered and its Required Action taken.Cooper B 3.3-20 11/25/12 RPS Instrumentation B 3.3.1.1 BASES ACTIONS (continued)

C..1 Required Action C. I is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip system for the same Function result in the Function not maintaining RPS trip capability.

A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For the typical Function with one-out-of-two taken twice logic and the IRM and APRM Functions, this would require both trip systems to have one channel OPERABLE or in trip (or the associated trip system in trip). For Function 5 (Main Steam Isolation Valve-Closure), this would require both trip systems to have each channel associated with the MSIVs in three main steam lines (not necessarily the same main steam lines for both trip systems) OPERABLE or in trip (or the associated trip system in trip). For Items 7.a and 7.b (Scram Discharge Volume Water Level -High, Level Transmitter and Level Switch), this would require both trip systems in each SDV to have one channel (either an Item 7.a or 7.b channel)OPERABLE or in trip (or the associated trip system in trip). For Function 8 (Turbine Stop Valve-Closure), this would require both trip systems to have two channels, each OPERABLE or in trip (or the associated trip system in trip). For Functions 10 (Reactor Mode Switch-Shutdown Position) and 11 (Manual Scram) this would require both trip systems to have one channel each OPERABLE or in trip (or the associated trip system in trip).The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.D.1 Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1.

The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed.

Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

Cooper B 3.3-21 11/25/12 1 RPS Instrumentation B 3.3.1.1 BASES ACTIONS (continued)

E.1, F.1, and G.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Action E. 1 is consistent with the Completion Time provided in LCO 3.2.2,"MINIMUM CRITICAL POWER RATIO (MCPR)." H.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted.

Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each RPS instrument Function are located in the SRs column of Table 3.3.1.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, provided the associated Function maintains RPS trip capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 11) assumption of the average time required to perform channel Surveillances.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

Cooper B 3.3-22 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift on one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.SR 3.3.1.1.2 To ensure that the APRMs are accurately indicating the true core average power, the APRMs are calibrated to the reactor power calculated from a heat balance. The Frequency of once per 7 days is based on minor changes in LPRM sensitivity, which could affect the APRM reading between performances of SR 3.3.1.1.8.

A restriction to satisfying this SR when < 25% RTP is provided that requires the SR to be met only at > 25% RTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent with a heat balance when < 25% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large, inherent margin to thermal limits (MCPR and APLHGR). At > 25% RTP, the Surveillance is required to have been satisfactorily performed within the last 7 days, in accordance with SR 3.0.2. A Note is provided which allows an increase in THERMAL POWER above 25% if the 7 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reaching or exceeding 25% RTP. Twelve hours is based on Cooper B 3.3-23 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued) operating experience and in consideration of providing a reasonable time in which to complete the SR.SR 3.3.1.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

As noted, SR 3.3.1.1.3 is not required to be performed when entering MODE 2 from MODE 1, since testing of the MODE 2 required IRM and APRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This allows entry into MODE 2 if the 7 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after entering MODE 2 from MODE 1.Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.A Frequency of 7 days provides an acceptable level of system average unavailability over the Frequency interval and is based on reliability analysis (Ref. 11).SR 3.3.1.1.4 There are four RPS channel test switches, one associated with each of the four automatic scram logic channels (Al, A2, B1, and B2). These keylock switches allow the operator to test the OPERABILITY of each individual logic channel (i.e., test through the K14 relay) without the necessity of using a scram function trip. This is accomplished by placing the RPS channel test switch in test, which will input a trip signal into the associated RPS logic channel. The RPS channel test switches are not specifically credited in the accident analysis.

However, because the Manual Scram Functions at CNS were not configured the same as the generic model in Reference 11, the RPS channel test switches were included in the analysis in Reference

12. Reference 12 concluded that the Cooper B 3.3-24 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Surveillance Frequency extensions for RPS Functions, described in Reference 11, were not affected by the difference in configuration, since each automatic RPS channel has a test switch which is functionally the same as the manual scram switches in the generic model. As such, a functional test of each RPS channel test switch is required to be performed once every 7 days. The Frequency of 7 days is based on the reliability analysis of Reference 12.SR 3.3.1.1.5 and SR 3.3.1.1.6 These Surveillances are established to ensure that no gaps in neutron flux indication exist from subcritical to power operation for monitoring core reactivity status.The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be increased into a neutron flux region without adequate indication.

This is required prior to withdrawing SRMs from the fully inserted position since indication is being transitioned from the SRMs to the IRMs.The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (by initiating a rod block) if adequate overlap is not maintained.

Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. On controlled shutdowns, the IRM reading 121/125 of full scale will be set equal to or less than 45% of rated power. All range scales above that scale on which the most recent IRM calibration was performed will be mechanically blocked. Overlap between SRMs and IRMs similarly exists when, prior to withdrawing the SRMs from the fully inserted position, all operable IRM channels shall be on scale.As noted, SR 3.3.1.1.6 is only required to be met during entry into MODE 2 from MODE 1. That is, after the overlap requirement has been met and indication has transitioned to the IRMs, maintaining overlap is not required (APRMs may be reading downscale once in MODE 2).If overlap for a group of channels is not demonstrated (e.g., IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel(s) declared inoperable.

Only those appropriate channels that are required in the current MODE or condition should be declared inoperable.

Cooper B 3.3-25 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

A Frequency of 7 days is reasonable based on engineering judgment and the reliability of the IRMs and APRMs.SR 3.3.1.1.7 This SR ensures that the total loop drive flow signals from the flow units used to vary the setpoint is appropriately compared to a valid core flow signal to verify the flow signal trip setpoint and, therefore, the APRM Function accurately reflects the required setpoint as a function of flow. If the flow unit signal is not within the appropriate flow limit, the affected APRMs that receive an input from the inoperable flow unit must be declared inoperable.

The Frequency of 31 days is based on engineering judgment, operating experience, and the reliability of this instrumentation.

SR 3.3.1.1.8 LPRM gain settings are determined from the local flux profiles measured by the Traversing Incore Probe (TIP) System. When the measured local flux profile is unavailable, the predicted LPRM reading may be used. This establishes the relative local flux profile for appropriate representative input to the APRM System. The 1000 MWD/T Frequency is based on operating experience with LPRM sensitivity changes.SR 3.3.1.1.9 and SR 3.3.1.1.11 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency of SR 3.3.1.1.9 is based on the reliability analysis of Reference 11.The 24 month Frequency of SR 3.3.1.1.11 is based on the need to perform some of the surveillance procedures which satisfy this SR under Cooper B 3.3-26 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued) the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power. Testing of Function 10 requires placing the mode switch in "Shutdown".

Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.1.1.9 for Function 3.3.1.1-1.2.d is modified by two Notes as identified in Table 3.3.1.1-1.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology.

The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the channel be within the as-left tolerance of the LTSP. Where a setpoint more conservative than the LTSP is used in the plant surveillance procedures (NTSP), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint.

This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the LTSP, then the channel shall be declared inoperable.

The second Note also requires that LTSPs and the methodologies for calculating the as-left and the as-found tolerances be in the Technical Requirements Manual.SR 3.3.1.1.10 and SR 3.3.1.1.12 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy.CHANNEL CALIBRATION leaves the channel adjusted to the LTSP within the as-left tolerance to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

Physical inspection of the position switches is performed in conjunction with SR 3.3.1.1.12 for Functions 5, 7.b, and 8 to ensure that the switches are not corroded or otherwise degraded.Cooper B 3.3-27 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Note 1 of SR 3.3.1.1.10 and SR 3.3.1.1.12 states that neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Changes in neutron detector sensitivity are compensated for by performing the 7 day calorimetric calibration (SR 3.3.1.1.2) and the 1000 MWDJT LPRM calibration against the TIPs (SR 3.3.1.1.8).

Note 1 of SR 3.3.1.1.10 states that recirculation loop flow transmitters are excluded from CHANNEL CALIBRATION.

This exclusion is based on calculation results and site-specific instrument setpoint drift data, which alternately supports a 24 month calibration interval for the recirculation loop flow transmitters.

As such, the flow transmitters are calibrated on a 24 month frequency as required by SR 3.3.1.1.12 for Function 2b.A second Note to SR 3.3.1.1.12 is provided that requires the APRM and IRM SRs to be performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of entering MODE 2 from MODE 1. Testing of the MODE 2 APRM and IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.The Frequency of SR 3.3.1.1.10 is based upon the assumption of a 184 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.1.1.12 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.Numerous SR 3.3.1.1.10 and 12 functions are modified by two Notes as identified in Table 3.3.1.1-1.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology.

The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the channel be within the as-left tolerance of the LTSP. Where a setpoint Cooper B 3.3-28 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued) more conservative than the LTSP is used in the plant surveillance procedures (NTSP), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint.

This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the LTSP, then the channel shall be declared inoperable.

The second Note also requires that LTSPs and the methodologies for calculating the as-left and the as-found tolerances be in the Technical Requirements Manual.SR 3.3.1.1.13 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8), overlaps this Surveillance to provide complete testing of the assumed safety function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.1.1.14 This SR ensures that scrams initiated from the Turbine Stop Valve-Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Functions will not be inadvertently bypassed when THERMAL POWER is> 29.5% RTP. This involves calibration of the bypass channels.Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint.

Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from turbine first stage pressure), the main turbine bypass valves must remain closed during an in-service calibration at THERMAL POWER >29.5% RTP to ensure that the calibration is valid.If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at > 29.5% RTP, then the affected Turbine Stop Valve-Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure-Low Functions are considered inoperable.

Open main turbine bypass valve(s)Cooper B 3.3-29 11/25/12 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE REQUIREMENTS (continued) can also affect these two functions.

Alternatively, the bypass channel can be placed in the conservative condition (nonbypass).

If placed in the nonbypass condition, this SR is met and the channel is considered OPERABLE.The Frequency of 24 months is based on engineering judgment and reliability of the components.

S R 3.3.1.1.15 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis.

This test may be performed in one measurement or in overlapping segments, with verification that all components are tested. The RPS RESPONSE TIME acceptance criteria are included in Reference 13.As noted, neutron detectors are excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time.The 24 month Frequency is consistent with the typical industry refueling cycle and is based upon plant operating experience, which shows that random failures of instrumentation components causing serious response time degradation, but not channel failure, are infrequent occurrences.

REFERENCES

1. Regulatory Guide 1.105, "Setpoints for Safety-Related Instrumentation," Revision 3.2. USAR, Section VII-2.3. USAR, Chapter XIV.4. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978.5. USAR, Section VI-5.6. 10 CFR 50.36(c)(2)(ii).
7. USAR, Section IV-4.9.8. USAR, Section XIV-6.2.Cooper B 3.3-30 11/25/12 RPS Instrumentation B 3.3.1.1 BASES REFERENCES (conti nued)9. USAR, Section XIV-5.4.3.
10. P. Check (NRC) letter to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.11. NEDO-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System," March 1988.12. MDE-94-0485, "Technical Specification Improvement Analysis for the Reactor Protection System for Cooper Nuclear Station," April 1985.13. USAR, VII-2.3.9.10.

Cooper B 3.3-31 11/25/12 SRM Instrumentation B 3.3.1.2 B 3.3 INSTRUMENTATION B 3.3.1.2 Source Range Monitor (SRM) Instrumentation BASES BACKGROUND The SRMs provide the operator with information relative to the neutron flux level at very low flux levels in the core. As such, the SRM indication is used by the operator to monitor the approach to criticality and determine when criticality is achieved.

The SRMs are maintained fully inserted until the count rate is greater than a minimum allowed count rate (a control rod block is set at this condition).

After SRM to intermediate range monitor (IRM) overlap is demonstrated (as required by SR 3.3.1.1.5), the SRMs are normally fully withdrawn from the core.The SRM subsystem of the Neutron Monitoring System (NMS) consists of four channels.

Each of the SRM channels can be bypassed, but only one at any given time, by the operation of a bypass switch. Each channel includes one detector that can be physically positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various SRM functions.

The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate. Each channel also includes indication, alarm, and control rod blocks. However, this LCO specifies OPERABILITY requirements only for the monitoring and indication functions of the SRMs.During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the SRMs or special movable detectors connected to the normal SRM circuits.

The SRMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication of unexpected subcritical multiplication that could be indicative of an approach to criticality.

APPLICABLE SAFETY ANALYSES Prevention and mitigation of prompt reactivity excursions during refueling and low power operation is provided by LCO 3.9.1, "Refueling Equipment Interlocks";

LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"; LCO 3.3.1.1,"Reactor Protection System (RPS) Instrumentation";

IRM Neutron Flux-High and Average Power Range Monitor (APRM) Neutron Flux-High (Startup)

Functions; and LCO 3.3.2.1, "Control Rod Block Instrumentation." Cooper B 3.3-32 11/25/12 1 SRM Instrumentation B 3.3.1.2 BASES APPLICABLE SAFETY ANALYSES (continued)

The SRMs have no safety function and are not assumed to function during any USAR design basis accident or transient analysis.

However, the SRMs provide the only on-scale monitoring of neutron flux levels during startup and refueling.

Therefore, they are being retained in Technical Specifications.

LCO During startup in MODE 2, three of the four SRM channels are required to be OPERABLE to monitor the reactor flux level prior to and during control rod withdrawal, subcritical multiplication and reactor criticality, and neutron flux level and reactor period until the flux level is sufficient to maintain the IRMs on Range 3 or above. All but one of the channels are required in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core.In MODES 3 and 4, with the reactor shut down, two SRM channels provide redundant monitoring of flux levels in the core.In MODE 5, during a spiral offload or reload, an SRM outside the fueled region will no longer be required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE SRM in an adjacent quadrant provided the Table 3.3.1.2-1, footnote (b), requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE SRM is met. Spiral reloading and offloading encompass reloading or offloading a cell on the edge of a continuous fueled region (the cell can be reloaded or offloaded in any sequence).

In nonspiral routine operations, two SRMs are required to be OPERABLE to provide redundant monitoring of reactivity changes occurring in the reactor core. Because of the local nature of reactivity changes during refueling, adequate coverage is provided by requiring one SRM to be OPERABLE in the quadrant of the reactor core where CORE ALTERATIONS are being performed, and the other SRM to be OPERABLE in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS.

Special movable detectors, according to footnote (c) of Table 3.3.1.2-1, may be used in place of the normal SRM nuclear detectors.

These special detectors must be connected to the normal SRM circuits in the NMS, such that the applicable neutron flux indication can be generated.

These special detectors provide more flexibility in monitoring reactivity Cooper B 3.3-33 11/25/12 1 SRM Instrumentation B 3.3.1.2 BASES LCO (continued) changes during fuel loading, since they can be positioned anywhere within the core during refueling.

They must still meet the location requirements of SR 3.3.1.2.2 and all other required SRs for SRMs.For an SRM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication.

APPLICABILITY The SRMs are required to be OPERABLE in MODES 2, 3, 4, and 5 prior to the IRMs being on scale on Range 3 to provide for neutron monitoring.

In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the SRMs are not required.

In MODE 2, with IRMs on Range 3 or above, the IRMs provide adequate monitoring and the SRMs are not required.ACTIONS A.1 and B.1 In MODE 2, with the IRMs on Range 2 or below, SRMs provide the means of monitoring core reactivity and criticality.

With any number of the required SRMs inoperable, the ability to monitor neutron flux is degraded.

Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status.Provided at least one SRM remains OPERABLE, Required Action A.1 allows 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to restore the required SRMs to OPERABLE status. This time is reasonable because there is adequate capability remaining to monitor the core, there is limited risk of an event during this time, and there is sufficient time to take corrective actions to restore the required SRMs to OPERABLE status or to establish alternate IRM monitoring capability.

During this time, control rod withdrawal and power increase is not precluded by this Required Action. Having the ability to monitor the core with at least one SRM, proceeding to IRM Range 3 or greater (with overlap required by SR 3.3.1.1.5), and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation.

With three required SRMs inoperable, Required Action B.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to inability to monitor the changes. Required Action A. 1 still applies and allows 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to restore monitoring capability prior to requiring control rod insertion.

This allowance is based on the limited risk of an event during this time, provided that no control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no SRMs OPERABLE.Cooper B 3.3-34 11/25/12 I SRM Instrumentation B 3.3.1.2 BASES ACTIONS (continued)

C._ 1 In MODE 2, if the required number of SRMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality.

The allowed Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.D.1 and D.2 With one or more required SRMs inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent.

The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is available.

Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the SRM occurring during this interval.E.1 and E.2 With one or more required SRMs inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling is degraded.CORE ALTERATIONS must be immediately suspended and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring.

Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity given that fuel is present in the core. Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position.Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted.Cooper B 3.3-35 11/25/12 I SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each SRM Applicable MODE or other specified conditions are found in the SRs column of Table 3.3.1.2-1.

SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.The Frequency of once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for SR 3.3.1.2.1 is based on operating experience that demonstrates channel failure is rare. While in MODES 3 and 4, reactivity changes are not expected; therefore, the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is relaxed to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for SIR 3.3.1.2.3.

The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.SR 3.3.1.2.2 To provide adequate coverage of potential reactivity changes in the core when the fueled region encompasses more than one SRM, one SRM is required to be OPERABLE in the quadrant where CORE ALTERATIONS are being performed, and the other OPERABLE SRM must be in an adjacent quadrant containing fuel. Note 1 states that the SR is required to be met only during CORE ALTERATIONS.

It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring.

This Surveillance consists of a review of plant logs to ensure that SRMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE.

In the event that only one SRM is required to be OPERABLE (when the fueled region encompasses only one SRM), per Cooper B 3.3-36 11/25/12 I SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required.Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE SRM. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is based upon operating experience and supplements operational controls over refueling activities that include steps to ensure that the SRMs required by the LCO are in the proper quadrant.SR 3.3.1.2.4 This Surveillance consists of a verification of the SRM instrument readout to ensure that the SRM reading is greater than a specified minimum count rate with the detector full-in, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core.With few fuel assemblies loaded, the SRMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate.To accomplish this, the SR is modified by a Note that states that the count rate is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant.

With four or less fuel assemblies loaded around each SRM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, the configuration will not be critical.

This SR does not require determination of the noise ratio.The Frequency is based upon channel redundancy and other information available in the control room, and ensures that the required channels are frequently monitored while core reactivity changes are occurring.

When no reactivity changes are in progress, the Frequency is relaxed from 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.SR 3.3.1.2.5 and SR 3.3.1.2.6 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay.This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

SR 3.3.1.2.5 is required in MODE 5, and the 7 day Cooper B 3.3-37 11/25/12 I SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS (continued)

Frequency ensures that the channels are OPERABLE while core reactivity changes could be in progress.

This Frequency is reasonable, based on operating experience and on other Surveillances (such as a CHANNEL CHECK), that ensure proper functioning between CHANNEL FUNCTIONAL TESTS.SR 3.3.1.2.6 is required in MODE 2 with IRMs on Range 2 or below, and in MODES 3 and 4. Since core reactivity changes do not normally take place in MODES 3 and 4, and core reactivity changes are due only to control rod movement in MODE 2, the Frequency has been extended from 7 days to 31 days. The 31 day Frequency is based on operating experience and on other Surveillances (such as CHANNEL CHECK) that ensure proper functioning between CHANNEL FUNCTIONAL TESTS.Verification of the signal to noise ratio also ensures that the detectors are inserted to an acceptable operating level. In a fully withdrawn condition, the detectors are sufficiently removed from the fueled region of the core to essentially eliminate neutrons from reaching the detector.

Any count rate obtained while the detectors are fully withdrawn is assumed to be"noise" only. An alternative to fully withdrawing the detector is to configure the assembly cabling such that only the noise signal is observed.The Note to SR 3.3.1.2.6 allows the Surveillance to be delayed until entry into the specified condition of the Applicability (THERMAL POWER decreased to IRM Range 2 or below). The SR must be performed within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after IRMs are on Range 2 or below. The allowance to enter the Applicability with the 31 day Frequency not met is reasonable, based on the limited time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels.Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

SR 3.3.1.2.7 Performance of a CHANNEL CALIBRATION at a Frequency of 24 months verifies the performance of the SRM detectors and associated circuitry.

The Frequency considers the plant conditions required to perform the test, the ease of performing the test, and the likelihood of a change in the system or component status. The neutron detectors are excluded from the CHANNEL CALIBRATION (Note 1) because they cannot readily be Cooper B 3.3-38 11125/12 SRM Instrumentation B 3.3.1.2 BASES SURVEILLANCE REQUIREMENTS (continued) adjusted.

The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range and with an accuracy specified for a fixed useful life.Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability.

The SR must be perforr'ied in MODE 2 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> of entering MODE 2 with IRMs on Range 2 or below. The allowance to enter the Applicability with the 24 month Frequency not met is reasonable, based on the limited time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

REFERENCES None.Cooper B 3.3-39 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation BASES -BACKGROUND Control rods provide the primary means for control of reactivity changes.Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that specified fuel design limits are not exceeded for postulated transients and accidents.

During high power operation, the rod block monitor (RBM)provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM)enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch-Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities.

The protection and monitoring functions of the control rod block instrumentation have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions.

LSSS are defined by the regulation as 'Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a Safety Limit (SL) is not exceeded.

Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.The Limiting Trip Setpoint (LTSP) is a predetermined setting for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded.

As such, the LTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh Cooper B 3.3-40 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND (continued) accident environments).

In this manner, the LTSP ensures that SLs are not exceeded.

Therefore, the LTSP meets the definition of an LSSS (Ref. 1).The Allowable Values specified in Table 3.3.2.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value. As such, the Allowable Value differs from the trip setpoint by an amount primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval.

In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility.

Operable is defined in Technical Specifications as "...being capable of performing its safety function(s)." Relying solely on the LTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as found" value of a protection channel setting during a Surveillance.

This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the LTSP due to some drift of the setting may still be OPERABLE because drift is to be expected.

This expected drift would have been specifically accounted for in the setpoint methodology for calculating the LTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as found" setting of the protection channel. Therefore, the channel would still be OPERABLE because it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around LTSP to account for further drift during the next surveillance interval.

Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

However, there is also some point beyond which the channel would have not been able to perform its function due to, for example, greater than expected drift. This value needs to be specified in the Technical Cooper B 3.3-41 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND (continued)

Specifications in order to define OPERABILITY of the channels and is designated as the Allowable Value.If the actual setting (as-found setpoint) of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE, but degraded.

The degraded condition will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the LTSP (within the allowed tolerance), and evaluating the channel response.

If the channel is functioning as required and expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance.

After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations (Ref. 2). It is assumed to function to block further control rod withdrawal to preclude a MCPR Safety Limit (SL) violation.

One set of power referenced RBM upscale trip settings (Low Trip Set Point, LTSP;Intermediate Trip Set Point, ITSP; and High Trip Set Point, HTSP) is applied based on the Lowest Rated MCPR Limit given in the COLR. The RBM supplies a trip signal to the Reactor Manual Control System (RMCS)to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint.

The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint.

One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn.

Upon selection of a certain rod for withdrawal or insertion, the conditioned LPRM signals around that rod are automatically fed into the two RBM channels.

Each channel averages two B-position, two D-position and the same four C-position LPRM inputs. The RBM Channel A is powered by the RPS power bus "A" and the RMB Channel B is powered by the RPS power bus "B". A-position LPRMs are not included in the RBM averaging but remain in the display and LPRM alarm logic. Assignment of power range detector assemblies to be used in RBM averaging is controlled by the selection of control rods. The minimum number of LPRM inputs required to each RBM channel to prevent an instrument inoperative alarm is four when using eight LPRM assemblies, three when using six LPRM assemblies, and two when using four LPRM assemblies.

The RBM is automatically bypassed and the output set to zero if a peripheral control rod is selected since the RBM function is not required for these rods. In addition, any Cooper B 3.3-42 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND (continued) one of the two RBM channels can be manually bypassed.

If any LPRM detector assigned to a RBM is bypassed, the computed average signal is adjusted automatically to compensate for the number of LPRM input signals to average. When a control rod is selected, the signal conditioner gain is automatically adjusted so that the output level of the signal conditioner always corresponds to a constant level (relative to the initialization reference signal of 100/125 of full scale). The gain set will be held constant during the movement of that rod, thus providing an indication of the change in the relative local power level. Whenever the reactor power level is below the lowest RBM operating range, the RBM is zeroed and RBM outputs are bypassed.

If the indicated power increases above the preset limit, a rod block will occur. In addition, to preclude rod movement with an inoperable RBM, a downscale trip and an inoperative trip are provided.

A rod block signal is generated if an RBM downscale trip or an inoperable trip occurs, since this could indicate a problem with the RBM channel. The downscale trip will occur if the RBM channel signal decreases below the downscale trip setpoint after the RBM channel signal has been normalized.

The inoperable trip will occur during the nulling (normalization) sequence, if the RBM channel fails to null, too few LPRM inputs are available, a module is not plugged in, or the function switch is moved to any position other than "Operate." The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 9.85% RTP. The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence.

The RWM determines the actual sequence based position indication for each control rod. The RWM also uses feedwater flow and steam flow signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 3). The RWM is a single channel system that provides input into both RMCS rod block circuits.With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained.

This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position.

The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods.Cooper B 3.3-43 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND (continued)

Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analyses.These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY Allowable Values are specified for each Rod Block Function specified in SR 3.3.2.1.5.

LTSPs and the methodologies for calculation of the as-left and as-found tolerances are described in the Technical Requirements Manual. The LTSPs are selected to ensure that the actual setpoints remain conservative with respect to the as-found tolerance band between successive CHANNEL CALIBRATIONS.

After each calibration the trip setpoint shall be left within the as-left band around the LTSP.LTSPs are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytical limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytical limits, corrected for calibration, process, and some of the instrument errors. The LTSPs are then determined accounting for the remaining instrument errors (e.g., drift). The LTSPs derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.Cooper B 3.3-44 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

1. Rod Block Monitor The RBM is designed to prevent violation of the MCPR SL and the cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference
4. A statistical analysis of RWE events was performed to determine the RBM response for both channels for each event. From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined.

The Allowable Values are chosen as a function of power level. Based on the specified Allowable Values, operating limits are established.

The RBM Function satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).Two channels of the RBM are required to be OPERABLE, with their setpoints within the appropriate Allowable Values, to ensure that no single instrument failure can preclude a rod block from this Function.

The actual setpoints are calibrated consistent with applicable setpoint methodology.

The RBM is assumed to mitigate the consequences of an RWE event when operating

> 30% RTP (analytical limit) and a peripheral control rod is not selected.

Below this power level or if a peripheral control rod is selected, the consequences of an RWE event will not exceed the MCPR SL and, therefore, the RBM is not required to be OPERABLE (Ref.4). When operating

< 90% RTP, analyses (Ref. 4) have shown that with an initial MCPR > 1.70, no RWE event will result in exceeding the MCPR SL. Also, the analyses demonstrate that when operating at :- 90% RTP with MCPR > 1.40, no RWE event will result in exceeding the MCPR SL (Ref. 4). Therefore, under these conditions, the RBM is also not required to be OPERABLE.2. Rod Worth Minimizer The RWM is a backup to operator control of the rod sequences.

The RWM enforces the banked position withdrawal sequence (BPWS) by alerting the operator when the rod pattern is not in accordance with BPWS. Compliance with BPWS ensures that the initial conditions of the CRDA analysis are not violated.The analytical methods and assumptions used in evaluating the CRDA are summarized in References 6 and 7. The BPWS requires that control Cooper B 3.3-45 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions.

Requirements that the control rod sequence is in compliance with the BPWS are specified in LCO 3.1.6, "Rod Pattern Control." When performing a shutdown of the plant, an optional BPWS control rod sequence (Ref. 8) may be used if the coupling of each withdrawn control rod has been confirmed.

The rods may be inserted without the need to stop at intermediate positions.

When using the Reference 8 control rod insertion sequence for shutdown, the rod worth minimizer may be reprogrammed to enforce the requirements of the improved BPWS control rod insertion, or may be bypassed and the improved BPWS shutdown sequence implemented under the controls in Condition D.The RWM Function satisfies Criterion 3 of Reference 5.Since the RWM is a system designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 8). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed.Compliance with the BPWS, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is < 9.85% RTP.When THERMAL POWER is > 9.85% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Ref. 6). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical.

3. Reactor Mode Switch-Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the core is assumed to be subcritical; therefore, no positive reactivity insertion events are analyzed.

The Reactor Mode Switch-Shutdown Position control rod Cooper B 3.3-46 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis.The Reactor Mode Switch-Shutdown Position Function satisfies Criterion 3 of Reference

5. Two channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required.There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.During shutdown conditions (MODE 3, 4, or 5), no positive reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality.

Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE.

During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock")

provides the required control rod withdrawal blocks.ACTIONS A._1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A. 1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is based on the low probability of an event occurring coincident with a failure in the remaining OPERABLE channel.B. 1 If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met.The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels.Cooper B 3.3-47 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS (continued)

C.1, C.2.1.1, C.2.1.2, and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence.

However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence.

Therefore, control rod movement must be immediately suspended except by scram. Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM during withdrawal of one or more of the first 12 rods was not performed in the last (current) calendar year.These requirements minimize the number of reactor startups initiated with the RWM inoperable.

Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications.

Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2. Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator)or other qualified member of the technical staff.The RWM may be bypassed under these conditions to allow continued operations.

In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken.D.1 With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence.

Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow the reactor shutdown to continue.E.1 and E.2 With one Reactor Mode Switch-Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function.

However, since the Cooper B 3.3-48 11/25/12 I Control Rod Block Instrumentation B 3.3.2.1 BASES ACTIONS (continued)

Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch-Shutdown Position Function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable.

In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted.

Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each Control Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1.

The Surveillances are modified by a second Note to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated Function maintains control rod block capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 10) assumption of the average time required to perform channel Surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary.

SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the channel will perform the intended function.

It includes the Reactor Manual Control System input. It also includes the local alarm lights representing upscale and downscale trips, but no rod block will be produced at this time. A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Cooper B 3.3-49 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on reliability analyses (Ref. 11).SR 3.3.2.1.2 and SR 3.3.2.1.3 A CHANNEL FUNCTIONAL TEST is performed for the RWM to ensure that the system will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay.This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The CHANNEL FUNCTIONAL TEST for the RWM includes performing the RWM computer on line diagnostic test satisfactorily, attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs. For SR 3.3.2.1.2, the CHANNEL FUNCTIONAL TEST also includes attempting to select a control rod not in compliance with the prescribed sequence and verifying a selection error occurs. As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after any control rod is withdrawn in MODE 2. As noted, SR 3.3.2.1.3 is not required to be performed until 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after THERMAL POWER is -9.85% RTP in MODE 1. This allows entry into MODE 2 for SR 3.3.2.1.2, and entry into MODE 1 when THERMAL POWER is < 9.85% RTP for SR 3.3.2.1.3, to perform the required Surveillance if the 92 day Frequency is not met per SR 3.0.2.The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The Frequencies are based on reliability analysis (Ref. 11).SR 3.3.2.1.4 The RBM power range setpoints control the enforcement of the appropriate upscale trips over the proper core thermal power range of the Applicability Notes (a), (b), (c), (d), and (e) of ITS Table 3.3.2.1-1.

The RBM Upscale Trip Function setpoints are automatically varied as a function of power. Three Allowable Values are specified in the COLR as denoted in Table 3.3.2.1-1, each within a specific power range. The power at which the control rod block Allowable Values automatically Cooper B 3.3-50 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued) change are based on the reference APRM signal's input to each RBM channel. Below the minimum power setpoint of 27.5% RTP or when a peripheral control rod is selected, the RBM is automatically bypassed.These power Allowable Values must be verified periodically by determining that the power level setpoints are less than or equal to the specified values. If any power range setpoint is nonconservative, then the affected RBM channel is considered inoperable.

Alternatively, the power range channel can be placed in the conservative condition (i.e., enabling the proper RBM setpoint).

If placed in this condition, the SR is met and the RBM channel is not considered inoperable.

As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.8.

The 184 day Frequency is based on the actual trip setpoint methodology utilized for these channels.SR 3.3.2.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

As noted, neutron detectors are excluded from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.8.

The Frequency is based upon the assumption of a 184 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.2.1.5 for Functions 3.3.2.1-1.1.a, 3.3.2.1-1.1.b and 3.3.2.1-1.1.c is modified by two Notes as identified in Table 3.3.2.1-1.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology.

The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be Cooper B 3.3-51 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued)

OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the channel be within the as-left tolerance of the LTSP. Where a setpoint more conservative than the LTSP is used in the plant surveillance procedures (NTSP), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint.

This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the LTSP, then the channel shall be declared inoperable.

The second Note also requires that LTSPs and the methodologies for calculating the as-left and the as-found tolerances be in the Technical Requirements Manual.SR 3.3.2.1.6 The RWM is automatically bypassed when power is above a specified value. The power level is determined from feedwater flow and steam flow signals. The setpoint where the automatic bypass feature is unbypassed must be verified periodically to be > 9.85% RTP. If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable.

Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass).

If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable.

The Frequency is based on the trip setpoint methodology utilized for the low power setpoint channel.SR 3.3.2.1.7 A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch-Shutdown Position Function to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch-Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs.Cooper B 3.3-52 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE REQUIREMENTS (continued)

As noted in the SR, the Surveillance is not required to be performed until 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links.This allows entry into MODES 3 and 4 if the 24 month Frequency is not met per SR 3.0.2. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.2.1.8 The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer.

This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function.

The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible.REFERENCES

1. Regulatory Guide 1.105, "Setpoints for Safety-Related Instrumentation," Revision 3.2. USAR, Section VII-7.3. USAR, Section VII-16.3.3.
4. NEDC-31892P, "Extended Load Line Limit and ARTS Improvement Program Analyses for Cooper Nuclear Station," Rev.1, May 1991.5. 10 CFR 50.36(c)(2)(ii).
6. USAR, Section XIV-6.2.7. NEDO-21231, "Banked Position Withdrawal Sequence," January 1977.Cooper B 3.3-53 11/25/12 Control Rod Block Instrumentation B 3.3.2.1 BASES REFERENCES
8. NEDO 33091, Revision 2, "Improved BPWS Control Rod Insertion Process," April 2003.9. NRC SER, "Acceptance of Referencing of Licensing Topical Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 2987.10. GENE-770-06-1, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.11. NEDC-30851-P-A, "Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation," October 1988.Cooper B 3.3-54 11/25/12 Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 B 3.3 INSTRUMENTATION B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow.With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level, Level 8 reference point, causing the trip of the two feedwater pump turbines and the main turbine.Reactor Vessel Water Level-High, Level 8 signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor Vessel Water Level-High, Level 8 instrumentation are provided as input to a two-out-of-three initiation logic that trips the two feedwater pump turbines and the main turbine. Each channel consists of a level transmitter loop and a trip relay that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel outputs a main feedwater and main turbine trip signal to the trip logic.A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop and control valves protects the turbine from damage due to water entering the turbine.APPLICABLE SAFETY ANALYSES The feedwater and main turbine high water level trip instrumentation is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1). The Level 8 trip indirectly initiates a reactor scram from the main turbine trip (above 30% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR.Feedwater and main turbine high water level trip instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).Cooper B 3.3-55 11/25/12 I Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES LCO The LCO requires three channels of the Reactor Vessel Water Level-High, Level 8 instrumentation to be OPERABLE to ensure that no single instrument channel failure will prevent the feedwater pump turbines and main turbine trip on a valid Level 8 signal. Two of the three channels are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.2.

The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions.

Nominal trip setpoints are specified in the setpoint calculations.

The setpoint calculations are performed using methodology described in NEDC-31336P-A, "General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.APPLICABILITY The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at > 25% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure, maximum demand event.As discussed in the Bases for LCO 3.2.1, "Average Planar Linear Heat Generation Rate (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 25% RTP; therefore, these requirements are only necessary when operating at or above this power level.Cooper B 3.3-56 11/25/12 1 Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels.

As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel.A.1 With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function.

Therefore, continued operation is only allowed for a limited time with one channel inoperable.

If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1.Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in a feedwater or main turbine trip), Condition C must be entered and its Required Action taken.The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel.B.1 With two or more channels inoperable, the feedwater and main turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is not maintained).

Therefore, continued operation is only permitted for a 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> period, during which feedwater and main turbine high water level trip capability must be restored.

The trip capability is considered maintained Cooper B 3.3-57 11/25/12 I Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES ACTIONS (continued) when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken.The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation.

C...With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to < 25% RTP within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.As discussed in the Applicability section of the Bases, operation below 25% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is based on operating experience to reduce THERMAL POWER to < 25%RTP from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated Function maintains feedwater and main turbine high water level trip capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption that 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is the average time required to perform channel Surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the feedwater pump turbines and main turbine will trip when necessary.

Cooper B 3.3-58 11/25/12 1 Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.2.1 Performance of the CHANNEL CHECK once every 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limits.The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with the channels required by the LCO.SR 3.3.2.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.Cooper B 3.3-59 11/25/12 Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.2.2.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater and main turbine valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function.

Therefore, if a valve is incapable of operating, the associated instrumentation would also be inoperable.

The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power. Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

I REFERENCES

1. USAR, Section XIV-5.8.1.
2. 10 CFR 50.36(c)(2)(ii).
3. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications," February 1991.Cooper B 3.3-60 11/25/12 PAM Instrumentation B 3.3.3.1 B 3.3 INSTRUMENTATION B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations.

This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events. The instruments that monitor these variables are designated as Type A, Category I, and non-Type A, Category I, in accordance with Regulatory Guide 1.97 (Ref. 1).The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident.This capability is consistent with the recommendations of Reference 1.APPLICABLE SAFETY ANALYSES The PAM instrumentation LCO ensures the OPERABILITY of Regulatory Guide 1.97, Type A variables so that the control room operating staff can: Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs), (e.g., loss of coolant accident (LOCA)), and Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function.The PAM instrumentation LCO also ensures OPERABILITY of Category I, non-Type A, variables so that the control room operating staff can: 0 Determine whether systems important to safety are performing their intended functions; 0 Determine the potential for causing a gross breach of the barriers to radioactivity release;0 Determine whether a gross breach of a barrier has occurred; and 0 Initiate action necessary to protect the public and for an estimate of the magnitude of any impending threat.Cooper B 3.3-61 11/25/12 1 PAM Instrumentation B 3.3.3.1 BASES APPLICABLE SAFETY ANALYSES (continued)

The plant specific Regulatory Guide 1.97 Analysis (Refs. 2 and 3)documents the process that identified Type A and Category I, non-Type A, variables.

Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref.4). Category I, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents.

Therefore, these Category I variables are important for reducing public risk.LCO LCO 3.3.3.1 requires two OPERABLE channels for all but one Function to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident.

Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information.

The first exception to the two channel requirement is primary containment isolation valve (PCIV) position.

In this case, the important information is the status of the primary containment penetrations.

The LCO requires one position indicator for each active PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for valves in this state is not required to be OPERABLE.The second exception to the two channel requirement is Reactor Vessel Water Level-Steam Nozzle. This channel uses the reactor vessel head vent as a penetration.

In order to comply with the single failure requirement of Regulatory Guide 1.97, an additional vessel penetration would be needed for a redundant reference column for a second upper water level range channel. The centerline of the main steamlines is used as the upper end of the Regulatory Guide 1.97 recommended range in order to provide the operator with an indication of whether the reactor coolant has reached, and spilled into, the main steamlines.

All manual and automatic safety functions are initiated in the range covered by the safety-related wide range level instrumentation.

CNS has concluded that the existing reactor coolant level instrumentation meets the intent of the regulatory guide and that only a marginal improvement in plant safety Cooper B 3.3-62 11/25/12 I PAM Instrumentation B 3.3.3.1 BASES LCO (continued) would be achieved by installing a redundant upper water level range channel.The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1 in the accompanying LCO.1. Reactor Pressure Reactor pressure is a Category I variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure and associated independent wide range recorders are the primary indication used by the operator during an accident.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel.2. Reactor Vessel Water Level Reactor vessel water level is a Category I variable provided to support monitoring of core cooling and to verify operation of the ECCS. The reactor vessel water level channels provide the PAM Reactor Vessel Water Level Function.

The reactor vessel water level channels cover a range of -320 inches (just below the bottom of fuel) to +180 inches (referenced to the level instrument zero).Reactor vessel water level is measured by separate differential pressure transmitters.

Two fuel zone channels monitor the range from -320 inches to +60 inches (referenced to the level instrument zero). Each channel consists of a transmitter, an indicator, and a recorder.

Two wide range channels monitor the range from -155 inches to +60 inches (referenced to the instrument zero). Each channel consists of a transmitter, an indicator, and a recorder.

One steam nozzle channel monitors the range from 0 inches to 180 inches (referenced to the instrument zero). The channel consists of a transmitter and an indicator.

These transmitters and associated recorders and indicators are the primary indication used by the operator during an accident.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel.The reactor vessel water level instruments are uncompensated for variation in, reactor water density and are calibrated to be most accurate at operational pressure and temperature.

Cooper B 3.3-63 11/25/12 I PAM Instrumentation B 3.3.3.1 BASES LCO (continued)

3. Suppression Pool Water Level (Wide Range)Suppression pool water level is a Category I variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function.The wide range suppression pool water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS. The wide range water level instruments have a range of 0 feet to 30 feet; 0 feet corresponds to the bottom of the suppression chamber and 30 feet corresponds to 3 feet above the top of the suppression chamber. Two wide range suppression pool water level signals are transmitted from separate differential pressure transmitters and are continuously recorded on two recorders in the control room. These transmitters and recorders are the primary indication used by the operator during an accident.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel.4. Primary Containment Gross Radiation Monitors The primary containment gross radiation monitors are provided to monitor the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Two radiation detectors with a range of 1 RPhr to 10E7R/hr are located inside the drywell above the 901'-6" elevation.

One detector is located near the personnel airlock area and the second detector is located 180 degrees from the airlock near the access ladder to the drywell second level. The detectors provide a signal to monitors located in the control room. The monitors provide a signal via optical isolators to a common recorder.

Both channels of radiation monitoring instrumentation are required to be OPERABLE for compliance with this LCO. The common recorder is not part of the channel requirements.

Therefore, the PAM Specification deals specifically with these portions of the instrument channels.5. Primary Containment Isolation Valve (PCIV) Position PCIV position is a Category I variable provided for verification of containment integrity.

In the case of PCIV position, the important information is the isolation status of the containment penetration.

The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration Cooper B 3.3-64 11/25/12 I PAM Instrumentation B 3.3.3.1 BASES LCO (continued) flow path with two active valves. For containment penetrations with only one active PClV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE.

This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE.The PCIV position PAM instrumentation consists of position switches, associated wiring and control room indicating lamps for active PCIVs (check valves and manual valves are not required to have position indication).

Therefore, the PAM Specification deals specifically with these instrument channels.6. Primary Containment Hydrogen and Oxygen Analyzers Primary containment hydrogen and oxygen analyzers are Category I instruments provided to detect high hydrogen or oxygen concentration conditions that represent a potential for containment breach. This variable is also important in verifying the adequacy of mitigating actions.The system consists of two analyzers which are divisionally separated.

Each analyzer contains a hydrogen and an oxygen detector.

While in service, the containment air is sampled from one of four sample streams.Points 1, 2, and 3 are from the drywell and point 4 is from the suppression chamber. The sample air passes through the Hydrogen Analyzer and Oxygen Analyzer in parallel.

Once the air has been analyzed, it is returned to the suppression chamber air space. During normal operation, the Division I analyzer is in standby and the Division II analyzer is in service. The analyzers are capable of determining oxygen concentration in the range of 0 to 10% (Div. 1) and 0 to 30% (Div. 2), and hydrogen concentration in the range of 0 to 30% (Divisions 1 and 2). The hydrogen and oxygen concentration from each analyzer may be displayed on its associated control room recorder.

Therefore, the PAM Specification deals specifically with these portions of the analyzer channels.Cooper B 3.3-65 11/25/12 1 PAM Instrumentation B 3.3.3.1 BASES LCO (continued)

The analyzer in standby is considered OPERABLE even though a warm-up period up to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> may be needed to place it in operation.

This is consistent with RG 1.7, Section 2.1 (8), that noted adoption of the functional requirements by licensees in lieu of the Post-TMI 30 minute requirement results in the hydrogen monitors being functional within 90 minutes after the initiation of safety injection.

This period of time includes equipment warm-up but not equipment calibration.

7. Primary Containment Pressure Primary containment pressure is a Category I variable provided to verify RCS and containment integrity and to verify the effectiveness of ECCS actions taken to prevent containment breach. Two drywell narrow range channels monitor a range of -5 psig to +70 psig. Two drywell wide range channels monitor a range of 0 psig to 250 psig. Two suppression chamber wide range channels monitor a range of -5 psig to +70 psig.Each of the six channels has a separate transmitter.

The six transmitters display their signals on recorders in the control room. These transmitters and recorders are the primary indication used by the operator during an accident.

Therefore, the PAM Specification deals specifically with these portions of the instrument channel.8. Suppression Pool Water Temperature Suppression pool water temperature is a Category I variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression pool water temperature instrumentation allows operators to detect trends in suppression pool water temperature.

Suppression chamber water temperature is monitored by two redundant channels.

Each channel consists of a multipoint recorder with inputs from 8 resistance temperature detectors (RTDs) that monitor temperature over a range of 0°F to 250 0 F. The RTDs are mounted in thermowells installed in the suppression chamber shell below the minimum water level. A channel is considered OPERABLE with up to 4 RTDs inoperable, provided no 2 adjacent RTDs are inoperable.

This minimum requirement maintains temperature monitoring in each quadrant of the suppression chamber. This is acceptable based on engineering judgement considering the temperature response profile of the suppression chamber water volume for previously analyzed events and the most challenged RTDs inoperable.

Cooper B 3.3-66 11/25/12 I PAM Instrumentation B 3.3.3.1 BASES LCO (continued)

These detectors and recorders are the primary indications used by the operator during an accident.

Therefore, the PAM Specification deals specifically with these portions of the instrument channels.APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES I and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES.ACTIONS A Note has been provided to modify the ACTIONS related to PAM instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate Functions and for separate penetration flow paths for the PCIV Position Function.

As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function, including separate Condition entry for each penetration flow path for the PCIV Position Function.A. 1 When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.Cooper B 3.3-67 11/25/12 I PAM Instrumentation B 3.3.3.1 BASES ACTIONS (continued)

B. 1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before loss of functional capability, and given the likelihood of plant conditions that would require information provided by this instrumentation.

C._1 When one or more Functions have two required channels that are inoperable (i.e., two channels inoperable in the same Function) or when one Function 2.c (Reactor Vessel Water Level-Steam Nozzle) channel is inoperable, one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information.

Continuous operation with two required channels inoperable in a Function or the one required channel inoperable in Function 2.c is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation.

Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur.D.1 This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1.

The applicable Condition referenced in the Table is Function dependent.

Each time an inoperable channel has not met the Required Action of Condition C, and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition.

Cooper B 3.3-68 11/25/12 I PAM Instrumentation B 3.3.3.1 BASES ACTIONS (continued)

E.1 For the majority of Functions in Table 3.3.3.1-1, if any Required Action and associated Completion Time of Condition C is not met, the plant must be brought to a MODE in which the LCO not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.F. 1 Since alternate means of monitoring primary containment area radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification

5.6.6. These

alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels.SURVEILLANCE REQUIREMENTS SR 3.3.3.1.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious.A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

The high radiation instrumentation should be compared to similar plant instruments located throughout the plant. The CHANNEL CHECK does not apply to the primary containment H 2 and 02 analyzer that is in a normal standby configuration.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, Cooper B 3.3-69 11/25/12 I PAM Instrumentation B 3.3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued) indication, and readability.

If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit.The Frequency of 31 days is based upon plant operating experience, with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of those displays associated with the channels required by the LCO.SR 3.3.3.1.2 and SR 3.3.3.1.3 These SRs require a CHANNEL CALIBRATION to be performed.

CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

For the Primary Containment Gross Radiation Monitors, the CHANNEL CALIBRATION consists of an electronic calibration of the channel, excluding the detector, for range decades > 10 R/hour and a one point calibration check of the detector with an installed or portable gamma source for range decades< 10 R/hour. For the PCIV Position Function, the CHANNEL CALIBRATION consists of verifying the remote indication conforms to actual value position.The 92 day Frequency for CHANNEL CALIBRATION of the Primary Containment Hydrogen and Oxygen Analyzers is based on vendor recommendations.

The 24 month Frequency for CHANNEL CALIBRATION of all other PAM instrumentation of Table 3.3.3.1-1 is based on operating experience and consistency with the CNS refueling cycles.REFERENCES

1. Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, Revision 3," May 1985.2. Letter from G. A. Trevors (NPPD) to U.S. NRC dated April 12, 1990, "NUREG-0737, Supplement 1-Regulatory Guide 1.97 Response, Revision IX." Cooper B 3.3-70 11/25/12 PAM Instrumentation B 3.3.3.1 BASES REFERENCES (continued)
3. Letter from W. 0. Long (NRC) to J. M. Pilant (NPPD) dated October 27, 1986, "Emergency Response Capability-Conformance to Regulatory Guide 1.97, Revision 2." 4. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.3-71 11/25/12 I Alternate Shutdown System B 3.3.3.2 B 3.3 INSTRUMENTATION B 3.3.3.2 Alternate Shutdown System BASES BACKGROUND The Alternate Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible.

With the plant in safe shutdown condition, the High Pressure Coolant Injection (HPCI) System, the safety/relief valves, the Reactor Equipment Cooling (REC) System, and the Residual Heat Removal (RHR) Shutdown Cooling System can be used to remove core decay heat and meet all safety requirements.

The long term supply of water for the HPCI System and the ability to operate shutdown cooling from outside the control room allow extended operation in a shutdown condition above 212 0 F.In the event that the control room becomes inaccessible, the operators can establish control at the alternate shutdown panel and place and maintain the plant in a safe shutdown condition.

Not all controls and necessary transfer switches are located at the alternate shutdown panel.Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations.

Following a plant shutdown, the plant can be maintained in a safe shutdown condition for an extended period of time.The OPERABILITY of the Alternate Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in a safe shutdown condition should the control room become inaccessible.

APPLICABLE SAFETY ANALYSES The Alternate Shutdown System is required to provide equipment at appropriate locations outside the control room with a design capability to promptly shut down the reactor, including the necessary instrumentation and controls, to maintain the plant in a safe shutdown condition.

The criteria governing the design and the specific system requirements of the Alternate Shutdown System are located in the USAR (Refs. 1 and 2).The Alternate Shutdown System is considered an important contributor to reducing the risk of accidents; as such, it meets Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 3).Cooper B 3.3-72 11/25/12 I Alternate Shutdown System B 3.3.3.2 BASES LCO The Alternate Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Table B 3.3.3.2-1.

The controls, instrumentation, and transfer switches are those required for:* Reactor pressure vessel (RPV) pressure control;* Decay heat removal;0 RPV inventory control; and* Safety support systems for the above functions, including cooling water, and onsite power, including a diesel generator.

The Alternate Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE.

In some cases, the required information or control capability may be available from several alternate sources. In these cases, the Alternate Shutdown System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE.The Alternate Shutdown System instruments and control circuits covered by this LCO do not need to be energized to be considered OPERABLE.This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Alternate Shutdown System be placed in operation.

APPLICABILITY The Alternate Shutdown System LCO is applicable in MODES 1 and 2.This is required so that the plant can be placed and maintained in a safe shutdown condition for an extended period of time from a location other than the control room.This LCO is not applicable in MODES 3, 4, and 5. In these MODES, the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable.

Consequently, the LCO does not require OPERABILITY in MODES 3, 4, and 5.Cooper B 3.3-73 11/25/12 1 Alternate Shutdown System B 3.3.3.2 BASES ACTIONS A Note has been provided to modify the ACTIONS related to.Alternate Shutdown System Functions.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable Alternate Shutdown System Functions provide appropriate compensatory measures for separate Functions.

As such, a Note has been provided that allows separate Condition entry for each inoperable Alternate Shutdown System Function.A.1 Condition A addresses the situation where one or more required Functions of the Alternate Shutdown System is inoperable.

This includes any Function listed in Table B 3.3.3.2-1.

The Required Action is to restore the Function (both divisions, if applicable) to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.B. 1 If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS SR 3.3.3.2.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the Cooper B 3.3-74 11/25/12 I Alternate Shutdown System B 3.3.3.2 BASES SURVEILLANCE REQUIREMENTS (continued) instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized.

The Frequency is based upon plant operating experience that demonstrates channel failure is rare.SR 3.3.3.2.2 SR 3.3.3.2.2 verifies each required Alternate Shutdown System transfer switch and control circuit performs the intended function.

This verification is performed from the alternate shutdown panel and locally, as appropriate.

Operation of the equipment from the alternate shutdown panel is not necessary.

The Surveillance can be satisfied by performance of a continuity check. This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in a safe shutdown condition from the alternate shutdown panel and the local control stations.However, this Surveillance is not required to be performed only during a plant outage. Operating experience demonstrates that Alternate Shutdown System control channels usually pass the Surveillance when performed at the 24 month Frequency.

SR 3.3.3.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

The 24 month Frequency is based upon operating experience and consistency with the typical industry refueling cycle.Cooper B 3.3-75 11/25/12 Alternate Shutdown System B 3.3.3.2 BASES REFERENCES 1.2.3.USAR, Section VII-18.0.USAR, Section XIV-5.9.10 CFR 50.36(c)(2)(ii).

Cooper B 3.3-76 11/25/12 1 Alternate Shutdown System B 3.3.3.2 Table B 3.3.3.2-1 (page 1 of 2)Alternate Shutdown System Instrumentation/Controls FUNCTION REQUIRED NUMBER OF CHANNELS Instrument Parameter 1. HPCI Turbine Steam Inlet Pressure (Reactor Pressure) 1 2. HPCI Pump Discharge Flow 1 3. Fuel Zone Level 1 4. Wide Range Level 1 5. Torus Level 1 6. Emergency Condensate Storage Tank (ECST) Level 1 7. RHR System Loop B Flow 1 8. Torus Temperature 1 Transfer/Control Parameter 9. HPCI Turbine 1 10. HPCI Auxiliary Lube Oil Pump 1 11. HPCI Fan Coil Unit 1 12. HPCI Flow Controller 1 13. HPCI Flow Transmitter (FT-82) 1 14. HPCI Turbine Steam Supply Isolation, HPCI-MO-14 1 15. HPCI Steam Supply Inboard Isolation, HPCI-MO-15 1 16. HPCI Steam Supply Outboard Isolation, HPCI-MO-16 1 17. HPCI Pump Suction ECST, HPCI-MO-17 1 18. HPCI Injection HPCI-MO-19 1 19. HPCI Pump Discharge, HPCI-MO-20 1 20. HPCI Test Bypass to ECST, HPCI-MO-21 1 21. HPCI Test Bypass Shutoff, HPCI-MO-24 1 22. HPCI Minimum Flow Bypass, HPCI-MO-25 1 23. HPCI Pump Suction from Suppression Pool, HPCI-MO-58 1 24. RHR HX B Outlet, RHR-MO-12B 1 (continued)

Cooper B 3.3-77 11/25/12 I Alternate Shutdown System B 3.3.3.2 Table B 3.3.3.2-1 (page 2 of 2)Alternate Shutdown System Instrumentation/Controls FUNCTION REQUIRED NUMBER OF CHANNELS Transfer/Control Parameter (continued)

25. RHR Pump D Suction from Tors, RHR-MO-13D 1 26. RHR Pump D Shutdown Cooling Suction, RHR-MO-15D 1 27. RHR Pump B and D Minimum Flow, RHR-MO-16B 1 28. RHR Loop B Injection Outboard Throttle, RHR-MO-27B 1 29. Suppression Chamber Cooling Loop B Inboard Isolation, RHR-MO-34B 1 30. Suppression Chamber Cooling Loop B Outboard Isolation, RHR-MO-39B 1 31. RHR HX B Inlet, RHR-MO-65B 1 32. RHR HX B Bypass Throttle, RHR-MO-66B 1 33. REC Pump 1C 1 34. REC Pump ID 1 35. Safety Relief Valve Main Steamline-C, MS-RV-71 E 1 36. Safety Relief Valve Main Steamline-C, MS-RV-71 F 1 37. Safety Relief Valve Main Steamline-D, MS-RV-71 G 1 38. Diesel Generator No. 2 Engine -Local Isolation, Control and Indication 1 39. Diesel Generator No. 2 Generator Relay and Control -Local Isolation, 1 Control and Indication Cooper B 3.3-78 11/25/12 1 ATWS-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION B 3.3.4.1 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT)

Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event. Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases.

When Reactor Vessel Water Level-Low Low (Level 2) or Reactor Pressure-High setpoint is reached, the Reactor Recirculation Motor Generator (RRMG) field breakers trip.The ATWS-RPT System (Ref. 1) includes sensors, relays, circuit breakers, and switches that are necessary to cause an RPT. The channels include electronic equipment (e.g., switches) that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic. High reactor pressure trips the RRMG field breakers immediately, but on low reactor vessel level, there is a 9 second time delay before the RRMG field breakers trip.The ATWS-RPT consists of two trip systems. There are two ATWS-RPT Functions:

Reactor Pressure-High and Reactor Vessel Water Level-Low Low (Level 2). Each trip system has two channels of Reactor Pressure-High and two channels of Reactor Vessel Water Level-Low Low (Level 2).Each ATWS-RPT trip system is a two-out-of-two logic for each Function.Thus, either two Reactor Water Level-Low Low (Level 2) or two Reactor Pressure-High signals are needed to trip a trip system. The outputs of the channels in a trip system are combined in a logic so that either trip system will trip both recirculation pumps (by tripping the respective RRMG field breakers).

Each RRMG field breaker has two independent trip coils. Each coil receives a trip signal from one of the two ATWS-RPT trip systems. Each trip system is independently powered by a separate critical 125 VDC bus.A trip of both Function channels in one trip system (i.e., two Reactor Vessel Water Level-Low Low (Level 2) channels or two Reactor Pressure-High channels) will actuate one of the trip coils in each RRMG field breaker, thus tripping both recirculation pumps.Cooper B 3.3-79 11/25/12 1 ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The ATWS-RPT initiates an RPT to aid in preserving the integrity of the fuel cladding following events in which a scram does not, but should, occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of 10 CFR 50.36(c)(2)(ii)(Ref. 2).The OPERABILITY of the ATWS-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions.

Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.1.2.

The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Channel OPERABILITY also includes the associated RRMG field breakers.Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations.

The setpoint calculations are performed using methodology described in NEDC-31336P-A, "General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., switch) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Pressure-High and Reactor Vessel Water Level-Low Low (Level 2) Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the Cooper B 3.3-80 11/25/12 I ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event. Therefore, the ATWS-RPT is not necessary.

In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of a significant pressure increase or low water level is negligible.

In MODE 5, the one rod out interlock ensures that the reactor remains subcritical; thus, an ATWS event is not significant.

In addition, the reactor pressure vessel (RPV) head is not fully tensioned and no pressure transient threat to the reactor coolant pressure boundary (RCPB) exists.The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.a. Reactor Vessel Water Level-Low Low (Level 2)Low RPV water level indicates that a reactor scram should have occurred and the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. The ATWS-RPT System is initiated at Level 2 to assist in the mitigation of the ATWS event. The resultant reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff.Reactor vessel water level signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.Four channels of Reactor Vessel Water Level-Low Low (Level 2), with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value is chosen so that the system will not be initiated after a Level 3 scram with feedwater still available, and for convenience with the reactor core isolation cooling initiation.

Cooper B 3.3-81 11/25/12 1 ATWS-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

b. Reactor Pressure-High Excessively high RPV pressure may rupture the RCPB. An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion.

This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and overpressurization.

The Reactor Pressure-High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation.

For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves, limits the peak RPV pressure to less than the ASME Section III limits.The Reactor Pressure-High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure.Four channels of Reactor Pressure-High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Pressure-High Allowable Value is chosen to provide an adequate margin to the ASME Section III limits.ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels.As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel.A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT capability for each Function maintained (refer to Required Actions B. 1 and C. 1 Bases), the ATWS-RPT System is capable of performing the intended function.However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining trip Cooper B 3.3-82 11/25/12 I ATWS-RPT Instrumentation B 3.3.4.1 BASES ACTIONS (continued) system could result in the inability of the ATWS-RPT System to perform the intended function.

Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1).Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken.B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability.

A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. This requires two channels of the Function in the same trip system to each be OPERABLE or in trip, and the RRMG field breakers to be OPERABLE or in trip.The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability.

C.1 Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability.

The Cooper B 3.3-83 11/25/12 1 ATWS-RPT Instrumentation B 3.3.4.1 BASES ACTIONS (continued) description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above.The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.D.1 and D.2 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated Function maintains ATWS-RPT trip capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel Surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the recirculation pumps will trip When necessary.

SR 3.3.4.1.1 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL Cooper B 3.3-84 11/25/12 I ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE REQUIREMENTS (continued)

TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 3.SR 3.3.4.1.2 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.4.1.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. For the Reactor Vessel Water Level-Low Low (Level 2) logic, this shall include the nominal 9 second time delay of the RRMG field breaker trip. The system functional test of the RRMG field breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function.

Therefore, if an RRMG field breaker is incapable of operating, the associated instrument channel(s) would be inoperable.

The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Cooper B 3.3-85 11/25/12 ATWS-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. USAR, Section VII-9.4.4.2.
2. 10 CFR 50.36(c)(2)(ii).
3. GENE-770-06-1, "Bases for Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," February 1991.Cooper B 3.3-86 11/25/12 ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the ECCS, as well as LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions.

LSSS are defined by the regulation as 'Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a Safety Limit (SL) is not exceeded.

Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.The Limiting Trip Setpoint (LTSP) is a predetermined setting for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded.

As such, the LTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the LTSP ensures that SLs are not exceeded.

Therefore, the LTSP meets the definition of an LSSS (Ref.1).The Allowable Values specified in Table 3.3.5.1-1 serves as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value. As such, the Allowable Value differs from the trip setpoint by an amount primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval.Cooper B 3.3-87 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)

In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility.

Operable is defined in Technical Specifications as "...being capable of performing its safety function(s)." Relying solely on the LTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a Surveillance.

This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the LTSP due to some drift of the setting may still be OPERABLE because drift is to be expected.

This expected drift would have been specifically accounted for in the setpoint methodology for calculating the LTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE because it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around LTSP to account for further drift during the next surveillance interval.

Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

However, there is also some point beyond which the channel would have not been able to perform its function due to, for example, greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the channels and is designated as the Allowable Value.If the actual setting (as-found setpoint) of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE, but degraded.

The degraded condition will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the LTSP (within the allowed tolerance), and evaluating the channel response.

If the channel is functioning as required and expected to pass Cooper B 3.3-88 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued) the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance.

After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

For most abnormal operational transients and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS-Operating." Core Spray System The CS System may be initiated by either automatic or manual means.Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low (Level 1) or Drywell Pressure-High.

Each of these diverse variables is monitored by four redundant switches, which are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic. Each trip system initiates one of the two CS pumps.Upon receipt of an initiation signal, if normal AC power is available, both CS pumps start after an approximate 10 second time delay. If a core spray initiation signal is received when normal AC power is not available, the CS pumps start approximately 10 seconds after the bus is energized by the DGs.The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating.

The CS pump discharge flow is monitored by a flow transmitter and trip unit. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint.

It is not necessary for the minimum flow valve to close to achieve adequate system flow assumed in the accident analysis (Ref. 2).Cooper B 3.3-89 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)

The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure.

The variable is monitored by four redundant pressure switches.

The outputs of the switches are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR)System, with two LPCI subsystems.

The LPCI subsystems may be initiated by automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low (Level 1); Drywell Pressure-High; or both. Each of these diverse variables is monitored by four redundant switches, which are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic. Each trip system initiates two of the four LPCI pumps. Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset.Upon receipt of an initiation signal if normal AC power is available, the LPCI A and D pumps start in approximately

0.5 seconds

when power is available.

The LPCI B and C pumps are started after an approximate 5 second delay to limit the loading of the standby power sources. With a loss of off-site power LPCI pumps A and D start within approximately

0.5 seconds

on restoration of power, and pumps B and C start approximately 5 seconds after the restoration of power.Each LPCI subsystem's discharge flow is monitored by a differential pressure switch. When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed. It is not necessary for the minimum flow valve to close to achieve adequate system flow assumed in the analyses (Ref. 3).The containment cooling return valves, suppression pool spray isolation valves, and containment spray isolation valves (which are also PCIVs)are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating.

Cooper B 3.3-90 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued)

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure.

The variable is monitored by four redundant pressure switches, which are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant pressure switches, which are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.Low reactor water level in the shroud is detected by two additional instruments.

When level is greater than the low level setpoint, LPCI may no longer be required, therefore other modes of RHR (e.g., suppression pool cooling) are allowed. Manual overrides for the isolations below the low level setpoint are provided.High Pressure Coolant Iniection System The HPCI System may be initiated by either automatic or manual means.Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low (Level 2) or Drywell Pressure-High.

Each of these variables is monitored by four redundant switches, which are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.The HPCI pump discharge flow is monitored by a flow switch (only one trip system). When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint.

It is not necessary for the minimum flow valve to close to achieve adequate system flow assumed in the accident analysis (Ref. 4).The HPCI test line isolation valves are closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis and maintain primary containment isolated in the event HPCI is not operating.

The HPCI System also monitors the water levels in the emergency condensate storage tanks (ECSTs) and the suppression pool because these are the two sources of water for HPCI operation.

Reactor grade water in the ECSTs is the normal source. The ECST suction source consists of two ECSTs connected in parallel to the HPCI pump suction.Upon receipt of a HPCI initiation signal, the ECST suction valve is Cooper B 3.3-91 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued) automatically signaled to open (it is normally in the open position) unless the suppression pool suction valve is open. If the water level in the ECSTs falls below a preselected level, first the suppression pool suction valve automatically opens, and then the ECST suction valve automatically closes. Two level switches are used to detect low water level in the ECST. Either switch can cause the suppression pool suction valve to open and the ECST suction valve to close. The suppression pool suction valve also automatically opens and the ECST suction valve closes if high water level is detected in the suppression pool. Two level switches monitor the suppression pool water level. To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be full open before the other automatically closes.The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level-High (Level 8)setting, at which time the HPCI turbine trips, which causes the turbine's stop valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System (only one trip system). The HPCI System automatically restarts if a Reactor Vessel Water Level-Low Low (Level 2)signal is subsequently received.Automatic Depressurization System The ADS is initiated by automatic means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level-Low Low Low (Level 1); confirmed Reactor Vessel Water Level-Low (Level 3); and CS or LPCI Pump Discharge Pressure-High are all present and the ADS Initiation Timer has timed out. There are two level switches each for Reactor Vessel Water Level-Low Low Low (Level 1), and one level switch for confirmed Reactor Vessel Water Level-Low (Level 3) in each of the two ADS trip systems. Each of these switches connects to a relay whose contacts form the initiation logic.Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers.The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge Cooper B 3.3-92 11/25/12 I ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued) pressure permissive switches from one CS and from two LPCI pumps in the associated Division (i.e., Division 1 CS subsystem A and LPCI subsystems A and C input to ADS trip system A, and Division 2 CS subsystem B and LPCI subsystems B and D input to ADS trip system B).The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Any one of the six low pressure pumps is sufficient to permit automatic depressurization.

The switches associated with one ADS trip system also provide signals to the other ADS trip system, but these signals are not required for the other ADS trip system to be considered OPERABLE.The ADS logic in each trip system is arranged in two strings. Each string has a contact from Reactor Vessel Water Level-Low Low Low (Level 1).One of the two strings in each trip system must have a confirmed Reactor Vessel Water Level-Low (Level 3). The ADS initiation timer must time out and a CS or LPCI pump discharge pressure signal must also be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the ADS Low Water Level Actuation Timer or the ADS initiation signal is present, it is individually sealed in until manually reset.Manual inhibit switches are provided in the control room for the ADS;however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Diesel Generators The DGs may be initiated by either automatic or manual means.Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low (Level 1) or Drywell Pressure-High.

Each of these diverse variables is monitored by four redundant switches, which are connected to relays whose contacts are connected to a one-out-of-two taken twice logic to initiate both DGs (DG-1 and DG-2). The DGs are also initiated upon loss of voltage signals. (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.)

The DGs receive their initiation signals from the CS System initiation logic.The DGs can also be started manually from the control room and locally from the associated DG room. The DG initiation signal is a sealed in signal and must be manually reset. The DG initiation logic is reset by resetting the associated ECCS initiation logic. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each DG is automatically started, is ready to load in approximately 14 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker Cooper B 3.3-93 11/25/12 I ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND (continued) open). The DGs will only energize their respective Engineered Safety Feature buses if a loss of offsite power occurs. (Refer to Bases for LCO 3.3.8.1.)APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The actions of the ECCS are explicitly assumed in the safety analyses of References 6, 7, and 8. The ECCS is initiated to preserve the integrity of the fuel cladding by limiting the post LOCA peak cladding temperature to less than the 10 CFR 50.46 limits.ECCS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref.5). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analysis.These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1.

Each Function must have a required number of OPERABLE channels, with their setpoints set within the setting tolerance of the specified LTSPs, where appropriate.

The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Table 3.3.5.1-1 contains several footnotes.

Footnote (a)clarifies that the associated functions are required to be OPERABLE in MODES 4 and 5 only when their supported ECCS are required to be OPERABLE per LCO 3.5.2, ECCS-Shutdown.

Footnote (b), is added to show that certain ECCS instrumentation Functions also perform DG initiation.

Allowable Values are specified for each ECCS Function specified in Table 3.3.5.1-1.

LTSPs and the methodologies for calculation of the as-found and as-left tolerances are described in the Technical Requirements Manual. The LTSPs are selected to ensure that the setpoints remain conservative with respect to the as-found tolerance band between CHANNEL CALIBRATIONS.

After each calibration the trip setpoint shall Cooper B 3.3-94 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) be left within the as-left band around the LTSP. LTSPs are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., switch)changes state. The analytical limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate document.

The Allowable Values are derived from the analytical limits, corrected for calibration, process, and some of the instrument errors. The LTSPs are then determined, accounting for the remaining instrument errors (e.g., drift). The LTSPs derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. For some Functions, the Allowable Values and the LTSPs are determined from historically accepted practice relative to the intended functions of the channels.

Such is the case for the Core Spray Pump Start-Time Delay Relay and for the LPCI Pump Start-Time Delay Relay.In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG)initiation to mitigate the consequences of a design basis transient or accident.

To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.Core Spray and Low Pressure Coolant Iniection Systems 1 .a, 2.a. Reactor Vessel Water Level-Low Low Low (Level 1)Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Reactor Vessel Water Level-Low Low Low (Level 1) to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The DGs are initiated from Function 1.a signals. The Reactor Vessel Water Level-Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 6 and 8. In addition, the Reactor Vessel Water Level-Low Low Low (Level 1)Function is directly assumed in the analysis of the recirculation line break Cooper B 3.3-95 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)(Ref. 7). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.Reactor Vessel Water Level-Low Low Low (Level 1) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling.Four channels of Reactor Vessel Water Level-Low Low Low (Level 1)Function are only required to be OPERABLE when the ECCS are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation.

Per Footnote (a) to Table 3.3.5.1 -1, this ECCS function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2, "ECCS-Shutdown," for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources-Operating";

and LCO 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs.l.b. 2.b. Drvwell Pressure-Hicqh High pressure in the drywell could indicate a break in the reactor coolant pressure boundary (RCPB). The low pressure ECCS and associated DGs are initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The DGs are initiated from Function 1.b signals. The Drywell Pressure-High Function, along with the Reactor Water Level-Low Low Low (Level 1) Function, is directly assumed in the analysis of the recirculation line break (Ref. 8). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.High drywell pressure signals are initiated from four pressure switches that sense drywell pressure.

The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

The Drywell Pressure-High Function is required to be OPERABLE when the ECCS or DG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE.

Thus, four Cooper B 3.3-96 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) channels of the CS and LPCI Drywell Pressure-High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation.

In MODES 4 and 5, the Drywell Pressure-High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure-High setpoint.

Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.1.c, 2.c. Reactor Pressure-Low (Injection Permissive)

Low reactor pressure signals are used as permissives for the low pressure ECCS subsystems.

This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure and a break in the RCPB has occurred, respectively.

The Reactor Pressure-Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in References 6 and 8. In addition, the Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 7). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.The Reactor Pressure-Low signals are initiated from four pressure switches that sense the reactor dome pressure.The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.Four channels of Reactor Pressure-Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation.

Per Footnote (a) to Table 3.3.5.1-1, this ECCS function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

Cooper B 3.3-97 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) 1 .d, 2.,(. Core Spray and Low Pressure Coolant Injection Pump Discharge Flow-Low (Bypass)The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI and CS Pump Discharge Flow-Low Functions are assumed to be OPERABLE.

The minimum flow valves for CS and LPCI are not required to close to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 6, 7, and 8 are met.The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.One flow transmitter per CS pump and one differential pressure switch per LPCI subsystem are used to detect the associated subsystems' flow rates. The logic is arranged such that each switch or transmitter causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded.

The LPCI minimum flow valves are time delayed such that the valves will not open for approximately

3.5 seconds

after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow-Low Allowable Values are high enough to ensure that the pump flow rate is sufficient to protect the pump.Each channel of Pump Discharge Flow-Low Function (two CS channels and four LPCI channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function.

Per Footnote (a) to Table 3.3.5.1-1, this ECCS function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

1.e. Core Spray Pump Start-Time Delay Relay The purpose of this time delay is to delay the start of the CS pumps to enable sequential loading of the appropriate AC source. This Function is necessary when power is being supplied from the offsite sources or the standby power sources (DG). The CS Pump Start-Time Delay Relays are assumed to be OPERABLE in the accident analyses requiring ECCS Cooper B 3.3-98 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) initiation.

That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.There are two Core Spray Pump Start-Time Delay Relays, one for each CS pump. Each time delay relay is dedicated to a single pump start logic, such that a single failure of a Core Spray Pump Start-Time Delay Relay will not result in the failure of more than one CS pump. In this condition, one of the two CS pumps will remain OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation).

The Allowable Value for the Core Spray Pump Start-Time Delay Relays is chosen to be long enough so that the power source will not be overloaded and short enough so that ECCS operation is not degraded.Each channel of Core Spray Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated CS subsystem is required to be OPERABLE.

Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the CS subsystems.

2.d. Reactor Pressure-Low (Recirculation Discharge Valve Permissive)

Low reactor pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis.

The Reactor Pressure-Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in References 6 and 8. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 7).The Reactor Pressure-Low signals are initiated from four pressure switches that sense the reactor dome pressure.The Allowable Value is chosen high enough that the valves close prior to when LPCI injection flow into the core is required (as assumed in the safety analysis) and low enough to avoid excessive differential pressures.

Four channels of the Reactor Pressure-Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required.In MODES 4 and 5, the loop injection location is not critical since LPCI Cooper B 3.3-99 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

2.e. Reactor Vessel Shroud Level-Level 0 The Reactor Vessel Shroud Level-Level 0 Function is provided as a permissive to allow the RHR System to be manually aligned from the LPCI mode to the suppression pool cooling/spray or drywell spray modes.The reactor vessel shroud level permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be and overridden during accident conditions as allowed by plant procedures.

Reactor Vessel Shroud Level-Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Ref. 7) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below Level 0.Reactor Vessel Shroud Level-Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level-Level 0 Allowable Value of -193.19 inches referenced to instrument zero (which is equivalent to 35 inches below FZZ) is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer.Two channels of the Reactor Vessel Shroud Level-Level 0 Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves associated with this Function (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used).2.f. Low Pressure Coolant Iniection Pump Start-Time Delay Relay The purpose of this time delay is to stagger the start of the LPCI pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV emergency buses. This Function is only necessary when power is being supplied from the standby power sources (DG). However, since the time delay does not degrade ECCS operation, it remains in the pump start logic at all times. The LPCI Pump Start-Time Delay Relays Cooper B 3.3-100 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) are assumed to be OPERABLE in the accident analyses requiring ECCS initiation.

That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources.There are four LPCI Pump Start-Time Delay Relays, one in each of the RHR pump start logic circuits.

While each time delay relay is dedicated to a single pump start logic, a single failure of a LPCI Pump Start-Time Delay Relay could result in the failure of the two low pressure ECCS pumps, powered for the same ESF bus, to perform their intended function (e.g., as in the case where both ECCS pumps on one ESF bus start simultaneously due to an inoperable time delay relay). This still leaves four of the six low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation).

The Allowable Value for the LPCI Pump Start-Time Delay Relays is chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4.16 kV emergency bus and short enough so that ECCS operation is not degraded.Each LPCI Pump Start-Time Delay Relay Function is required to be OPERABLE only when the associated LPCI subsystem is required to be OPERABLE.

Per Footnote (a) to Table 3.3.5.1-1, this ECCS function is only required to be OPERABLE in MODES 4 and 5 whenever the associated ECCS is required to be OPERABLE per LCO 3.5.2. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

High Pressure Coolant Iniection (HPCI) System 3.a. Reactor Vessel Water Level-Low Low (Level 2)Low RPV water level indicates that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above fuel zone zero. The Reactor Vessel Water Level-Low Low (Level 2) is one of the Functions assumed to be OPERABLE and capable of initiating HPCI during the transients analyzed in References 6 and 8.Additionally, the Reactor Vessel Water Level-Low Low (Level 2) Function associated with HPCI is directly assumed in the analysis of the recirculation line break (Ref. 7). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.Cooper B 3.3-101 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value is high enough such that for complete loss of feedwater flow, the Reactor Core Isolation Cooling (RCIC) System flow with HPCI assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Reactor Vessel Water Level-Low Low Low (Level 1).Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation.

Refer to LCO 3.5.1 for HPCI Applicability Bases.3.b. Drywell Pressure-Higqh High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the Drywell Pressure-High Function, along with the Reactor Water Level-Low Low (Level 2) Function, is capable of initiating HPCI during a LOCA (Ref.8). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.High drywell pressure signals are initiated from four pressure switches that sense drywell pressure.

The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation.

Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.3.c. Reactor Vessel Water Level-High (Level 8)High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel.Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Cooper B 3.3-102 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

Level-High (Level 8) Function is not assumed in the accident and transient analyses.

It was retained since it is a potentially significant contributor to risk.Reactor Vessel Water Level-High (Level 8) signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation.

Both Level 8 signals are required in order to trip the HPCI turbine. This ensures that no single instrument failure can preclude HPCI initiation.

The Reactor Vessel Water Level-High (Level 8) Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.Two channels of Reactor Vessel Water Level-High (Level 8) Function are required to be OPERABLE only when HPCI is required to be OPERABLE.Refer to LCO 3.5.1 and LCO 3.5.2 for HPCI Applicability Bases.3.d. Emergency Condensate Storage Tank Level-Low Low level in the ECSTs indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the ECSTs is open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the ECSTs.However, if the water level in the ECSTs falls below a preselected level, first the suppression pool suction valve automatically opens, and then the ECST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be full open before the ECST suction valve automatically closes. The Function is implicitly assumed in the transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.Emergency Condensate Storage Tank Level-Low signals are initiated from two level switches.

The logic is arranged such that either level switch can cause the suppression pool suction valve to open and the ECST suction valve to close. The Emergency Condensate Storage Tank Level-Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the ECSTs.Two channels of the Emergency Condensate Storage Tank Level-Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.Cooper B 3.3-103 11/25/12 J ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) 3.e. Suppression Pool Water Level-High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the ECSTs to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment.

To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valve must be open before the ECST suction valve automatically closes.This Function is implicitly assumed in the transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.Suppression Pool Water Level-High signals are initiated from two level switches.

The logic is arranged such that either switch can cause the suppression pool suction valves to open and the ECST suction valve to close. The Allowable Value for the Suppression Pool Water Level-High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool to prevent HPCI from contributing any further increase in the suppression pool level.Two channels of Suppression Pool Water Level-High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.3.f. High Pressure Coolant Iniection Pump Discharge Flow-Low (Bypass)The minimum flow instrument is provided to protect the HPCI pump from overheating when the pump is operating at reduced flow. The minimum flow line valve is opened when low flow is sensed and either 1) the pump is on, or 2) the system has initiated; and the valve is automatically closed when the flow rate is adequate to protect the pump. The High Pressure Coolant Injection Pump Discharge Flow-Low Function is assumed to be OPERABLE.

The minimum flow valve for HPCI is not required to close to ensure that the ECCS flow assumed during the transients analyzed in References 6, 7, and 8 are met. The core cooling function of the ECCS, Cooper B 3.3-104 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.One flow switch is used to detect the HPCI System's flow rate. The logic is arranged such that the switch causes the minimum flow valve to open.The logic will close the minimum flow valve once the closure setpoint is exceeded.The High Pressure Coolant Injection Pump Discharge Flow-Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump.One channel is required to be OPERABLE when the HPCI is required to be OPERABLE.

Refer to LCO 3.5.1 for HPCI Applicability Bases.Automatic Depressurization System 4.a, 5.a. Reactor Vessel Water Level-Low Low Low (Level 1)Low RPV water level indicates that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function.

The Reactor Vessel Water Level-Low Low Low (Level 1) is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference

7. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.Reactor Vessel Water Level-Low Low Low (Level 1) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation.

Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.Cooper B 3.3-105 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) 4.b. 5.b. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently.

The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analysis of Reference 7 that requires ECCS initiation and assumes failure of the HPCI System.There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.4.c, 5.c. Reactor Vessel Water Level-Low (Level 3)The Reactor Vessel Water Level-Low (Level 3) Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level-Low Low Low (Level 1) signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.

Reactor Vessel Water Level-Low (Level 3) signals are initiated from two level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level-Low (Level 3) is selected to be above the RPS Level 3 scram Allowable Value for convenience.

Refer to LCO Cooper B 3.3-106 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function.Two channels of Reactor Vessel Water Level-Low (Level 3) Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation.

One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.4.4. 4.e, 5.d. 5.e. Core Spray and Low Pressure Coolant Iniection Pump Discharge Pressure-High The Pump Discharge Pressure-High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure-High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 7 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions.

This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.Pump discharge pressure signals are initiated from twelve pressure switches, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (both channels for the pump) indicate the high discharge pressure condition.

The Pump Discharge Pressure-High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accident analysis.

However, this function is indirectly assumed to operate (in Reference

6) to provide the ADS permissive to depressurize the RCS to allow the ECCS low pressure systems to operate.Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation.

Two CS Cooper B 3.3-107 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and C are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels associated with LPCI pumps B and D are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.A.1 Required Action A. I directs entry into the appropriate Condition referenced in Table 3.3.5.1-1.

The applicable Condition referenced in the table is Function dependent.

Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).

Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS).The Required Action B.2 system would be HPCI. For Required Action B.1, redundant automatic initiation capability is lost if (a) two or more Function 1.a channels are inoperable and untripped such that both trip systems lose initiation capability, (b) two or more Function 2.a channels are inoperable and untripped such that both trip systems lose initiation capability, (c) two or more Function 1.b channels are inoperable and untripped such that both trip systems lose initiation capability, or (d) two or more Function 2.b channels are inoperable and untripped such that Cooper B 3.3-108 11/25/12 1 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) both trip systems lose initiation capability.

For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS and DGs to be declared inoperable.

However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and DGs being concurrently declared inoperable.

For Required Action B.2, automatic initiation capability is lost if the combination of Function 3.a or Function 3.b channels that are inoperable and untripped result in the inability to energize the Function's trip relay;i.e., parallel pair logic channels are untrippable.

In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Action B.3 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (as allowed by Required Action B.3) is allowed during MODES 4 and 5. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary.

Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable.

This ensures that the proper loss of initiation capability check is performed.

Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Function 2.e, since this Function provides backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed. Thus, a total loss of Function 2.e capability for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed, since the LPCI subsystems remain capable of performing their intended function.The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described Cooper B 3.3-109 11/25/12 1 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 9) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).

Required Action C.1 features would be those that are initiated by Functions 1.c, 1.e, 2.c, 2.d, and 2.f (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) two Function 1 .c channels are inoperable such that both trip systems lose initiation capability, (b) two Function 1.e channels are inoperable, (c) two Function 2.c channels are inoperable such that both trip systems lose initiation capability, (d) two Function 2.d channels are inoperable such that both trip systems lose initiation capability, or (e) two or more Function 2.f channels are inoperable.

In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable.

However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared Cooper B 3.3-110 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) inoperable.

For Functions 1.c, 1.e, 2.d, and 2.f, the affected portions are the associated low pressure ECCS pumps. As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (as allowed by Required Action C.2) is allowed during MODES 4 and 5.Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 1.e, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 9 and considered acceptable for the 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowed by Required Action C.2.The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 9) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels or two Function 3.e channels are inoperable and Cooper B 3.3-111 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) untripped.

In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of HPCI initiation capability.

As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D. 1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 9) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue.

If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water.Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken.E.1 and E.2 Required Action E. 1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump Discharge Flow-Low Bypass Functions result in redundant automatic initiation capability being lost for the feature(s).

For Required Action E.1, the features would be those that are initiated by Functions 1.d and 2.g (e.g., low pressure ECCS). Redundant automatic initiation capability is lost if (a) two Function 1 .d channels are Cooper B 3.3-112 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) inoperable or (b) two Function 2.g channels are inoperable.

Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump to be declared inoperable.

However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable.

In this situation (loss of redundant automatic initiation capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions.

Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 9 and considered acceptable for the 7 days allowed by Required Action E.2.The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that a redundant feature in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the pump flow could be diverted from the reactor vessel injection path. These consequences can be averted by the operator's manual control of the Cooper B 3.3-113 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one Function 4.a channel and one Function 5.a channel are inoperable and untripped or (b) one Function 4.c channel and one Function 5.c channel are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 9) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC Cooper B 3.3-114 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) are OPERABLE.

If either HPCI or RCIC is inoperable, the time is shortened to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />, the 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> begins upon discovery of HPCI or RCIC inoperability.

However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.Automatic initiation capability is lost if either (a) one Function 4.b channel and one Function 5.b channel are inoperable, (b) a combination of Function 4.d, 4.e, 5.d, and 5.e channels are inoperable such that channels associated with five or more low pressure ECCS pumps are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 9) to permit restoration Cooper B 3.3-115 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS (continued) of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br />, the 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> begins upon discovery of HPCI or RCIC inoperability.

However, the total time for an inoperable channel cannot exceed 8 days.If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> to 8 days, the "time zero" for beginning the 8 day"clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.H..1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE REQUIREMENTS As noted in the beginning of the SRs, the SRs for each ECCS instrument Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> as follows: (a) for Functions 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or redundant Function maintains ECCS initiation capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 9) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

Cooper B 3.3-116 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.SR 3.3.5.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of Reference 9.Cooper B 3.3-117 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.1.3 and SR 3.3.5.1.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.1.3 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.The Frequency of SR 3.3.5.1.4 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.5.1.4 for selected functions is modified by two Notes as identified in Table 3.3.5.1-1.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology.

The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the channel be within the as-left tolerance of the LTSP. Where a setpoint more conservative than the LTSP is used in the plant surveillance procedures (NTSP), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint.

This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the LTSP, then the channel shall be declared inoperable.

The second Note also requires that LTSPs and the methodologies for calculating the as-left and the as-found tolerances be in the Technical Requirements Manual.Cooper B 3.3-118 11/25/12 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.5.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic and simulated automatic actuation for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. Regulatory Guide 1.105, "Setpoints for Safety-Related Instrumentation," Revision 3.2. Amendment No. 7 to Facility License No DPR-46 for the Cooper Nuclear Station, February 6, 1975.3. Cooper Nuclear Station Design Change 94-332, December 1994.4. NEDC 97-023, "HPCI Minimum Flow Line Analysis." 5. 10 CFR 50.36(c)(2)(ii).
6. USAR, Section V-2.4.7. USAR, Section VI-5.0.8. USAR, Chapter XIV.9. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2," December 1988.Cooper B 3.3-119 11/25/12 RCIC System Instrumentation B 3.3.5.2 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is insufficient or unavailable, such that RCIC System initiation occurs and maintains sufficient reactor water level such that an initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System." This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RCIC, as well as LCOs on other reactor system parameters and equipment performance.

Technical Specifications are required by 10 CFR 50.36 to include LSSS for variables that have significant safety functions.

LSSS are defined by the regulation as 'Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded." The Analytical Limit is the limit of the process variable at which a safety action is initiated, as established by the safety analysis, to ensure that a Safety Limit (SL) is not exceeded.

Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded.

However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur.The Limiting Trip Setpoint (LTSP) is a predetermined setting for a protection channel chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the SL would not be exceeded.

As such, the LTSP accounts for uncertainties in setting the channel (e.g., calibration), uncertainties in how the channel might actually perform (e.g., repeatability), changes in the point of action of the channel over time (e.g., drift during surveillance intervals), and any other factors which may influence its actual performance (e.g., harsh accident environments).

In this manner, the LTSP ensures that SLs are not exceeded.

Therefore, the LTSP meets the definition of an LSSS (Ref.1).The Allowable Values specified in Table 3.3.5.2-1 serve as the LSSS such that a channel is OPERABLE if the trip setpoint is found not to exceed the Allowable Value. As such, the Allowable Value differs from Cooper B 3.3-120 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES BACKGROUND (continued) the trip setpoint by an amount primarily equal to the expected instrument loop uncertainties, such as drift, during the surveillance interval.

In this manner, the actual setting of the device will still meet the LSSS definition and ensure that a SL is not exceeded at any given point of time as long as the device has not drifted beyond that expected during the surveillance interval.Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility.

Operable is defined in Technical Specifications as "... being capable of performing its safety function(s)." Relying solely on the LTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value of a protection channel setting during a Surveillance.

This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety. For example, an automatic protection channel with a setting that has been found to be different from the LTSP due to some drift of the setting may still be OPERABLE because drift is to be expected.

This expected drift would have been specifically accounted for in the setpoint methodology for calculating the LTSP and thus the automatic protective action would still have ensured that the SL would not be exceeded with the "as-found" setting of the protection channel. Therefore, the channel would still be OPERABLE because it would have performed its safety function and the only corrective action required would be to reset the channel within the established as-left tolerance around LTSP to account for further drift during the next surveillance interval.

Note that, although the channel is OPERABLE under these circumstances, the trip setpoint must be left adjusted to a value within the as-left tolerance, in accordance with uncertainty assumptions stated in the referenced setpoint methodology (as-left criteria), and confirmed to be operating within the statistical allowances of the uncertainty terms assigned (as-found criteria).

However, there is also some point beyond which the channel would have not been able to perform its function due to, for example, greater than expected drift. This value needs to be specified in the Technical Specifications in order to define OPERABILITY of the channels and is designated as the Allowable Value.If the actual setting (as-found setpoint) of the channel is found to be conservative with respect to the Allowable Value but is beyond the as-found tolerance band, the channel is OPERABLE, but degraded.

The degraded condition will be further evaluated during performance of the SR. This evaluation will consist of resetting the channel setpoint to the Cooper B 3.3-121 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES BACKGROUND (continued)

LTSP (within the allowed tolerance), and evaluating the channel response.

If the channel is functioning as required and expected to pass the next surveillance, then the channel is OPERABLE and can be restored to service at the completion of the surveillance.

After the surveillance is completed, the channel as-found condition will be entered into the Corrective Action Program for further evaluation.

The RCIC System may be initiated by either automatic or manual means.Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low (Level 2). The variable is monitored by four level switches that are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement.

Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared.The RCIC test line isolation valves are closed on a RCIC initiation signal to allow full system flow.The RCIC System also monitors the water level in the emergency condensate storage tanks (ECST) since this is the initial source of water for RCIC operation.

Reactor grade water in the ECSTs is the normal source. The ECST suction source consists of two ECSTs connected in parallel to the RCIC pump suction. Upon receipt of a RCIC initiation signal, the ECSTs suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from the suppression pool valve is open. If the water level in the ECSTs falls below a preselected level, first the suppression pool suction valve automatically opens, and then the ECSTs suction valve automatically closes. Two level switches are used to detect low water level in the ECSTs. Either switch can cause the suppression pool suction valve to open. The opening of the suppression pool suction valve causes the ECSTs suction valve to close.To prevent losing suction to the pump when automatically transferring suction from the ECSTs to the suppression pool on low ECST level, the suction valves are interlocked so that the suppression pool suction path must be open before the ECST suction path automatically closes.The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) setting (two-out-of-two logic), at which time the RCIC turbine trip-throttle valve closes.The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2).Cooper B 3.3-122 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The function of the RCIC System is to respond to transient events by providing makeup coolant to the reactor. The RCIC System is not an Engineered Safety Feature System and no credit is taken in the safety analyses for RCIC System operation.

Based on its contribution to the reduction of overall plant risk, however, the system, and therefore its instrumentation meets Criterion 4 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).Permissive and interlock setpoints allow the blocking of trips during plant startups, and restoration of trips when the permissive conditions are not satisfied, but they are not explicitly modeled in the Safety Analysis.These permissives and interlocks ensure that the starting conditions are consistent with the safety analysis, before preventive or mitigating actions occur. Because these permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.2-1.

Each Function must have a required number of OPERABLE channels with their setpoints set within the setting tolerance of the LTSPs, where appropriate.

The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Each channel must also respond within its assumed response time.Allowable Values are specified for each RCIC System instrumentation Function specified in Table 3.3.5.2-1.

LTSPs and the methodologies for calculation of the as-left and as-found tolerances are described in the Technical Requirements Manual. The LTSPs are selected to ensure that the setpoints remain conservative to the as-left tolerance band between CHANNEL CALIBRATIONS.

After each calibration the trip setpoint shall be left within the as-left band around the LTSP.LTSPs are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., switch) changes state. The analytical limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytical limits, corrected for calibration, process, and some of the instrument errors. The LTSPs are then determined, accounting for the remaining instrument errors (e.g., drift). The LTSPs derived in this manner provide adequate protection because instrumentation uncertainties, process Cooper B 3.3-123 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.)The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.1. Reactor Vessel Water Level-Low Low (Level 2)Low reactor pressure vessel (RPV) water level indicates that normal feedwater flow is insufficient to maintain reactor vessel water level and that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. Therefore, the RClC System is initiated at Level 2 to assist in maintaining water level above fuel zone zero.Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1.Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation.

Refer to LCO 3.5.3 for RCIC Applicability Bases.2. Reactor Vessel Water Level-High (Level 8)High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel.Therefore, the Level 8 signal is used to close the RCIC steam supply shutoff and turbine trip-throttle valves to prevent overflow into the main steam lines (MSLs).Cooper B 3.3-124 11/25/12 1 RCIC System Instrumentation B 3.3.5.2 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

Reactor Vessel Water Level-High (Level 8) signals for RCIC are initiated from two level switches from the narrow range water level measurement instrumentation, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Both Level 8 signals are required in order to trip the RCIC turbine trip throttle valve (only one trip system).The Reactor Vessel Water Level-High (Level 8) Allowable Value is high enough to preclude isolating the injection valve of the RClC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.Two channels of Reactor Vessel Water Level-High (Level 8) Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation.

Refer to LCO 3.5.3 for RCIC Applicability Bases.3. Emergency Condensate Storage Tank (ECST) Level-Low Low level in the ECSTs indicates the unavailability of an adequate supply of makeup water from this normal source. Normally, the suction valve between the RCIC pump and the ECSTs is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the ECSTs. However, if the water level in either ECST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the ECST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the RCIC pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the ECST suction valve automatically closes.Two level switches are used to detect low water level in theECSTs.

The ECST Level-Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the ECSTs.Two channels of ECST Level-Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases.Cooper B 3.3-125 11/25/12 1 RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels.

As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.A.1 Required Action A. 1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1.

The applicable Condition referenced in the Table is Function dependent.

Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

B.1 and B.2 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after discovery of loss of RCIC initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two inoperable, untripped Reactor Vessel Water Level-Low Low (Level 2) channels in the same trip system. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Cooper B 3.3-126 11/25/12 I RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS (continued)

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.C._1 A risk based analysis was performed and determined that an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (Ref. 3) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B. 1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required.

This Condition applies to the Reactor Vessel Water Level-High (Level 8) Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC initiation capability (closure of the turbine trip-throttle valve). As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable.

The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events.D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s).

For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic initiation capability is lost if two Function 3 channels are inoperable and untripped.

In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> from discovery of loss of RCIC initiation capability.

As noted, Required Action D.1 is only applicable if the RCIC Cooper B 3.3-127 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES ACTIONS (continued) pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time from discovery of loss of. initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel (shifting the suction source to the suppression pool).Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function.

If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the RCIC System piping remains filled with water. If it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the RCIC suction piping), Condition E must be entered and its Required Action taken.E. 1 With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately.

SURVEILLANCE REQUIREMENTS As noted in the beginning of the SRs, the SRs for each RCIC System instrument Function are found in the SRs column of Table 3.3.5.2-1.

Cooper B 3.3-128 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued)

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for Function 2; and (b) for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for Functions 1 and 3, provided the associated Function maintains trip capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3)assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary.

SR 3.3.5.2.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.SR 3.3.5.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be Cooper B 3.3-129 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued) performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analysis of Reference 3.SR 3.3.5.2.3 and SR 3.3.5.2.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.5.2.3 is based upon the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.The Frequency of SR 3.3.5.2.4 is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.5.2.3 and SR 3.3.5.2.4 are modified by two Notes as identified in Table 3.3.5.2-1.

The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology.

The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. For channels determined to be OPERABLE but degraded, after returning the channel to service the performance of these channels will be evaluated under the plant Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition.

The second Note requires that the as-left setting for the Cooper B 3.3-130 11/25/12 RCIC System Instrumentation B 3.3.5.2 BASES SURVEILLANCE REQUIREMENTS (continued) channel be within the as-left tolerance of the LTSP. Where a setpoint more conservative than the LTSP is used in the plant surveillance procedures (NTSP), the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint.

This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained.

If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the LTSP, then the channel shall be declared inoperable.

The second Note also requires that LTSPs and the methodologies for calculating the as-left and the as-found tolerances be in the Technical Requirements Manual.SR 3.3.5.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.

Simulated automatic actuation is performed each operating cycle.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. Regulatory Guide 1.105, "Setpoints for Safety-Related Instrumentation," Revision 3.2. 10 CFR 50.36(c)(2)(ii).
3. GENE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.I Cooper B 3.3-131 11/25/12 Primary Containment Isolation Instrumentation B 3.3.6.1 B 3.3 INSTRUMENTATION B 3.3.6.1 Primary Containment Isolation Instrumentation BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA.The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation.

Most channels include electrical equipment (e.g., pressure switches) that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel output relay actuates, which then outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters.

The input parameters to the isolation logics are (a) reactor vessel level, (b) drywell pressure, (c) main steam tunnel temperatures, (d)main steam line flow, (e) main steam line pressure, (f) condenser vacuum, (g) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line flow, (h) HPCI and RCIC steam line pressure, (i) HPCI and RCIC steam line area temperatures, (j) reactor water cleanup (RWCU) flow, (k) RWCU area temperatures, (I) Standby Liquid Control (SLC) System initiation, (m) main steam line radiation, (n)reactor building ventilation exhaust plenum radiation, and (o) reactor pressure.

Redundant sensor input signals from each parameter are provided for initiation of isolation.

Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.1. Main Steam Line Isolation Most MSL Isolation Functions receive inputs from four channels.

The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of the Group I isolation valves (MSIVs and MSL drains). To initiate a Group I isolation valve closure, both trip system logics must be tripped.Cooper B 3.3-132 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued)

The exceptions to this arrangement are the Main Steam Line Flow-High Function and Main Steam Tunnel Temperature-High Functions.

The Main Steam Line Flow-High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation.

Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic. This is effectively a one-out-of-eight taken twice logic arrangement to initiate a Group I isolation.

The Main Steam Tunnel Temperature-High Function receives input from 16 temperature switches located in the steam tunnel. These switches are physically located along and in the vicinity of the steam lines in groups of eight (8). There are two locations in the steam tunnel (upper/east and lower/west).

For each location, four of the eight switches input into trip system A, the other four into trip system B. The four switches per location are electrically connected in series with switches in other locations and with normally energized trip relays. Any one switch tripping in its trip system plus any one switch tripping in the other trip system will result in isolation of the MSIVs and MSL drains. For purposes of this specification, each temperature switch is considered a "channel".

2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels.

The outputs from these channels are arranged into two one-out-of-two taken twice trip system logics. One trip system logic initiates isolation of all inboard primary containment isolation valves, while the other trip system logic initiates isolation of all outboard primary containment isolation valves. Each logic closes one of the two valves on each penetration, so that operation of either logic isolates the penetration.

The exception to this arrangement is the Main Steam Line Radiation-High Function.

This Function has four channels, whose outputs are arranged in two, two-out-of-two trip system logics for the recirculation sample valves, and in one, one-out-of-two taken twice trip system logic for the mechanical vacuum pump and associated isolation valves. Each of the recirculation sample valve logics isolates one of the two valves. The single mechanical vacuum pump logic must actuate to trip both mechanical vacuum pumps and isolate the associated valves.The valves isolated by each of the Primary Containment Isolation Functions are listed in Reference 1.Cooper B 3.3-133 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued)

3. 4. High Pressure Coolant Iniection System Isolation and Reactor Core Isolation Cooling System Isolation The Steam Line Flow-High Functions that isolate HPCI and RCIC receive input from two channels, with each channel comprising one trip system using a one-out-of-one logic. Each of the two trip system logics in each isolation group (HPCI and RCIC) is connected to one of the two valves on each associated penetration.

Each HPCI and RCIC steam Line Flow-High Channel has a time delay relay to prevent isolation due to flow transients during startup.The HPCI and RCIC Isolation Functions for Steam Supply Pressure-Low receive inputs from four channels.

The outputs from these channels are combined in two trip system logics, each with two-out-of-two logic to initiate isolation of the associated valves. One trip system logic isolates the inboard valve and the other trip system logic isolates the outboard valve.The HPCI Steam Line Space Temperature-High Function receives input from 32 bimetallic temperature switches physically located along and in the vicinity of the HPCI steam line. Additionally, 8 temperature switches located along and in the vicinity of the RHR steam condensing mode steam lines input into this Function.

These 40 switches are located in groups of eight (8). The 32 HPCI steam line switches cover four locations; RHR injection valve room, torus area west, SW quadrant, and the HPCI pump room. The 8 RHR steam condensing line switches are located in torus area NW. For each location, four switches input into trip system A, the other four switches input to trip system B. Each set of four switches is arranged in a one-of-two taken twice trip system logic. One trip system logic isolates the HPCI steam line inboard isolation valves and the other trip system logic isolates the HPCI steam line outboard valves.For purposes of this specification, each temperature switch is considered a "channel".

The RCIC Steam Line Space Temperature-High Function receives input from 16 bimetallic temperature switches located along and in the vicinity of the RCIC steam line; 8 switches are located in the torus area NE, the remaining 8 are located in the NE quadrant RCIC pump room. For each location, four switches input to trip system A, the other four switches input to trip system B. Each set of four switches is arranged in a one-out-of-two taken twice trip system logic. One trip system logic isolates the RCIC Steam Line Inboard Isolation Valve, and the other trip system logic isolates the RCIC Steam Line Outboard Isolation Valve. For purposes of this specification, each temperature switch is considered a "channel".

Cooper B 3.3-134 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued)

The HPCI and RCIC Steam Line Flow-High Functions, Steam Supply Pressure-Low Functions, and Steam Line Space Temperature-High Functions isolate the associated steam supply. The Functions associated with HPCI close the HPCI pump suction valve from the suppression pool (if the ECST suction valve is open), close the HPCI turbine exhaust line drain pot drain valves, and cause a HPCI turbine trip which closes the HPCI minimum flow valve. The Functions associated with RCIC cause a RCIC turbine trip which closes the RCIC minimum flow valve.5. Reactor Water Cleanup System Isolation The Reactor Vessel Water Level-Low Low (Level 2) Isolation Function receives input from four reactor vessel water level channels.

The outputs from the reactor vessel water level channels are connected into two one-out-of-two taken twice trip system logics. The RWCU Flow-High Function receives input from two channels, each channel outputs to one trip system logic using a one-out-of-one logic, with one logic tripping the inboard RWCU isolation valve and one logic tripping the outboard RWCU isolation valve. The RWCU System Space Temperature-High Function receives input from 48 bimetallic temperature switches.

These switches are physically located along and in the vicinity of the RWCU system high temperature piping in groups of eight (8). Thus, there are six (6)locations; RWCU HX room NW (RWCU supply line), RWCU pump rooms (2 locations), RWCU HX room (pump discharge line to Regenerative HX), torus area south, and torus area east. For each location, four switches input into trip system A, the other four switches input into trip system B.Each set of four switches is arranged in a one-out-of-two taken twice logic in series with a normally deenergized trip relay. Actuation of the correct combination of two switches will initiate the corresponding trip system logic. Trip system logic A isolates the RWCU supply line inboard isolation valve, and trip system logic B isolates the RWCU supply line outboard isolation valve. For purposes of this specification, each temperature switch is considered a "channel".

The SLC System Isolation Function receives input from two channels (one channel in each trip system), arranged in a one-out-of-one logic. A channel consists of one of the two control room SLC pump start switches which inputs directly into one of the two RWCU isolation trip system logics. Placing the SLC Pump A control switch to "Start" will isolate the RWCU inboard isolation valve. Placing the SLC Pump B control switch to"Start" will isolate the RWCU outboard isolation valve.Cooper B 3.3-135 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND (continued)

6. Shutdown Coolinq System Isolation The Reactor Vessel Water Level-Low (Level 3) Function receives input from four reactor vessel water level channels.

The outputs from the reactor vessel water level channels are connected to two one-out-of-two taken twice trip system logics. Each of the two trip system logics is connected to one of the two valves on the RHR shutdown cooling pump suction penetration and one of the two inboard LPCI injection valves if in the shutdown cooling mode. The Reactor Vessel Pressure-High Function receives input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip system logics is connected to one of the two valves on the RHR shutdown cooling pump suction penetration.

APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The isolation signals generated by the primary containment isolation instrumentation are implicitly assumed in the safety analyses of Reference 2 to initiate closure of valves to limit offsite doses. Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PClVs)," Applicable Safety Analyses Bases for more detail of the safety analyses.Primary containment isolation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the primary containment instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1.

Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.

The setpoint calculations are performed using methodology described in NEDC-31336P-A, "General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Cooper B 3.3-136 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., switch) changes state.The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis or other appropriate documents.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs.The signals that isolate these valves are also associated with the automatic initiation of the ECCS and RCIC. The instrumentation requirements and ACTIONS associated with these signals are addressed in LCO 3.3.5.1, "Emergency Core Cooling Systems (ECCS)Instrumentation," and LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System Instrumentation," and are not included in this LCO.In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1,"Primary Containment." Functions that have different Applicabilities are discussed below in the individual Functions discussion.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.Main Steam Line Isolation l.a. Reactor Vessel Water Level-Low Low Low (Level 1)Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded.

The Reactor Vessel Water Level-Low Low Low (Level 1) Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Cooper B 3.3-137 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Reactor Vessel Water Level-Low Low Low (Level 1) Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 4). The isolation of the MSLs on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA.Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to be the same as the ECCS Level I Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 50.67 limits.This Function isolates the MSIVs and MSL drains.1.b. Main Steam Line Pressure-Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hr if the pressure loss is allowed to continue.

The Main Steam Line Pressure-Low Function is directly assumed in the analysis of the Digital Electro-Hydraulic (DEH)System pressure controller failure (Ref. 5). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100°F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below 785 psig, which results in a scram due to MSIV closure, thus reducing reactor power to < 25% RTP.)The MSL low pressure signals are initiated from four switches that are connected to the MSL header. The switches are arranged such that, even though physically separated from each other, each switch is able to detect low MSL pressure.

Four channels of Main Steam Line Pressure-Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Allowable Value was selected to be high enough to prevent excessive RPV depressurization.

Cooper B 3.3-138 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Main Steam Line Pressure-Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient has been analyzed (Ref. 5). In addition, this Function is interlocked with the reactor mode switch such that it is automatically bypassed when not in run.This Function isolates the MSIVs and MSL drains.1 .c. Main Steam Line Flow-High Main Steam Line Flow-High is provided to detect a break of the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow-High Function is directly assumed in the analysis of the main steam line break (MSLB)(Ref. 6). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 100 limits.The MSL flow signals are initiated from 16 differential pressure switches that are connected to the four MSLs. The differential pressure switches are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow-High Function for each MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break.This Function isolates the MSIVs and MSL drains.1 .d. Condenser Vacuum-Low The Condenser Vacuum-Low Function is provided to prevent overpressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum-Low Function is assumed to be OPERABLE and capable of initiating closure Cooper B 3.3-139 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) of the MSIVs. The closure of the MSIVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident.Condenser vacuum pressure signals are derived from four pressure switches that sense the pressure in the condenser.

Four channels of Condenser Vacuum-Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis.As noted (footnote (a) to Table 3.3.6.1-1), the channels are not required to be OPERABLE in MODES 2 and 3 when all turbine stop valves (TSVs)are closed, since the potential for condenser overpressurization is minimized.

Switches are provided to manually bypass the channels when all TSVs are closed.This Function isolates the MSIVs and MSL drains.1.e. Main Steam Tunnel Temperature-Higqh The Main Steam Tunnel Temperature-High Function is provided to detect a break in a main steam line and provides diversity to the high flow instrumentation.

High temperatures in the Main Steam Tunnel could indicate a breach of a main steam line. The automatic closure of the MSIVs and main steam line drains prevents excessive loss of reactor coolant and the release of significant amounts of radioactive material from the nuclear system process boundary.Main Steam Tunnel temperature signals are initiated from 16 steam tunnel temperature switch channels.

For each physical location of eight channels, two channels per trip system are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Allowable Value is chosen to detect a leak equivalent to between 1%and 10% rated steam flow.This Function isolates the MSIVs and MSL drains.Cooper B 3.3-140 11/25/12 I Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Primary Containment Isolation 2.a. Reactor Vessel Water Level-Low (Level 3)Low RPV water level indicates that the capability to cool the fuel may be threatened.

The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products.The isolation of the primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded.

The Reactor Vessel Water Level-Low (Level 3) Function associated with isolation is implicitly assumed in the USAR analysis as these leakage paths are assumed to be isolated post LOCA.Reactor Vessel Water Level-Low (Level 3) signals are initiated from four vessel level instrument switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown.This Function isolates the Group 2 valves listed in Reference 1.2.b. Drywell Pressure-High High drywell pressure can indicate a break in the RCPB inside the primary containment.

The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded.

The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the USAR accident analysis as these leakage paths are assumed to be isolated post LOCA.High drywell pressure signals are initiated from four pressure switches that sense the pressure in the drywell. Four channels of Drywell Pressure-High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.Cooper B 3.3-141 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Allowable Value was selected to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment.

This Function isolates the Group 2 and 6 valves listed in Reference 1.2.c. Reactor Building Ventilation Exhaust Plenum Radiation-High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding.

The release may have originated from the primary containment due to a break in the RCPB. When Reactor Building Exhaust Plenum Radiation-High is detected, primary containment vent and purge valves are isolated to limit the release of fission products.The Reactor Building Exhaust Plenum Radiation-High signals are initiated from radiation detectors that are located such that they can monitor the flow of gas through the reactor building plenum. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Exhaust Plenum Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Allowable Values are chosen to promptly detect gross failure of the fuel cladding.These Functions isolate the Group 6 valves listed in Reference 1.2.d. Main Steam Line Radiation-High The Main Steam Line Radiation-High isolation signal has been removed from the MSIVs (Ref. 7); however, this isolation Function has been retained for other valves (e.g., recirculation sample valves and mechanical vacuum pump inlet and outlet valves) to ensure that the assumptions utilized to determine that acceptable offsite doses resulting from a control rod drop accident are maintained.

Main Steam Line Radiation-High signals are generated from four radiation elements and associated monitors, each of which is located near one of the main steam lines in the steam tunnel. Four instrumentation channels of the Main Steam Line Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can Cooper B 3.3-142 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) preclude the isolation function.

The Allowable Value was selected to be low enough that a high radiation trip results from the fission products released in the design basis control rod drop accident (which occurs at a low steam flow condition) and high enough above the background radiation level in the vicinity of the main steam lines so that spurious trips are avoided at rated power.The allowable value is stated in terms of a multiple of "normal full power background." With the injection of hydrogen into the RCS from Optimum Water Chemistry System, the background radiation levels seen by the radiation monitors will be greater than during periods of no hydrogen injection.

The allowable value is fixed at the normal full power background associated with hydrogen injection at the nominal rate. The allowable value is not adjusted during periods when hydrogen injection is not in service. This is acceptable since the setpoint will continue to provide automatic actuation protection in the event of a DBA Control Rod Drop Accident (CRDA). Even during periods of no hydrogen injection, the expected radiation levels in the event of a DBA-CRDA will exceed the higher allowable value that is based on full power with hydrogen injection.

This Function isolates the recirculation sample valves, trips the mechanical vacuum pumps, and closes the inlet and outlet valves to the mechanical vacuum pumps.2.e. Reactor Vessel Water Level -Low Low Low (Level 1)Low reactor water level indicates that the capability to cool the fuel may be threatened.

Should the water level decrease too far, fuel damage could result. Therefore, isolation of the recirculation sample line valves from the reactor vessel occurs as part of the isolation of Primary Containment to prevent offsite dose limits from being exceeded.

The Reactor Vessel Water Level -Low Low Low (Level 1) Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. This Function, associated with Primary Containment isolation, is assumed in the analysis of the recirculation line break (Ref.4). The isolation of the valves of the recirculation sample line on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA.Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low (Level 1) Function are available and are required to Cooper B 3.3-143 11/25/12 I Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Reactor Vessel Water Level-Low Low Low (Level 1) Allowable Value is chosen to be the same as the ECCS Level I Allowable Value (LCO 3.3.5.1) to ensure that the recirculation sample valves will isolate on a potential LOCA to prevent offsite doses from exceeding 10 CFR 50.67 limits.This Function isolates the recirculation sample valves. It may be bypassed using a key-locked switch during accident conditions to obtain a sample for Post Accident Sampling System (PASS).High Pressure Coolant Injection and Reactor Core Isolation Cooling Systems Isolation 3.a., 3.b., 4.a., 4.b. HPCI and RCIC Steam Line Flow-High and Time Delay Relays Steam Line Flow-High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any USAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding.The HPCI and RCIC Steam Line Flow-High signals are initiated from differential pressure switches (two for HPCI and two for RCIC) that are connected to the system steam lines. A time delay is provided to prevent HPCI or RCIC isolation due to high flow transients during HPCI or RCIC startup with one Time Delay Relay channel associated with each Steam Line Flow-High channel. Two channels of both HPCI and RCIC Steam Line Flow-High Functions and the associated Time Delay Relays are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.Cooper B 3.3-144 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Allowable Values for the Steam Line Flow-High Function and associated Time Delay Relay Function are chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event.These Functions isolate the Group 4 and 5 valves, as appropriate, as listed in Reference 1.3.c., 4.c. HPCI and RCIC Steam Supply Line Pressure-Low Low MSL pressure indicates that the pressure of the steam in the HPCI or RCIC turbine may be too low to continue operation of the associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the USAR. However, they also provide a diverse signal to indicate a possible system break.These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 8).The HPCI and RCIC Steam Supply Line Pressure-Low signals are initiated from pressure switches (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure-Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Allowable Values are selected to be high enough to prevent damage to the system's turbine.These Functions isolate the Group 4 and 5 valves, as appropriate, as listed in Reference 1.3.d., 4.d., HPCI and RCIC Steam Line Space Temperature-High HPCI and RCIC Steam Line Space temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation.

If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any USAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.Cooper B 3.3-145 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

HPCI and RCIC Steam Line Space Temperature-High signals are initiated from temperature switches that are appropriately located to protect the system that is being monitored.

For each physical location of eight channels, only two channels per trip system are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

Since the logic configuration for a trip system is one-out-of-two taken twice, the two required OPERABLE channels per trip system must be in different trip strings; i.e., they must be connected such that isolation occurs when both required channels actuate (one of two parallel logic pairs of switch channels in one trip string must trip in combination with the tripping of one of two additional parallel logic switch channels in the other trip string in order to actuate the trip system).The Allowable Values are set low enough to provide timely detection of a RCIC or HPCI turbine steam line break.These Functions isolate the Group 4 and 5 valves, as appropriate, as listed in Reference 1.Reactor Water Cleanup System Isolation 5.a. RWCU Flow-High The high flow signal is provided to detect a break in the RWCU System.Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded.

Therefore, isolation of the RWCU System is initiated when high flow is sensed to prevent exceeding offsite doses.This Function is not assumed in any USAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.The high RWCU flow signals are initiated from differential pressure switches that are connected to an annubar on the inlet pump suction line of the RWCU System. Two channels of RWCU Flow-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The RWCU Flow-High Allowable Value ensures that a break of the RWCU piping is detected.This Function isolates the Group 3 valves, as listed in Reference 1.Cooper B 3.3-146 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) 5.b. RWCU System Space Temperature-High RWCU System Space temperatures are provided to detect a leak from the RWCU System. The isolation occurs even when very small leaks have occurred and is diverse to the high flow instrumentation for the hot portions of the RWCU System. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the USAR, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.RWCU System Space temperature signals are initiated from temperature switches (channels) located in the vicinity of high temperature RWCU piping. For each physical location of eight channels, only two channels per trip system are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

Since the logic configuration for a trip system is one-out-of-two taken twice, the two required OPERABLE channels per trip system must be in different trip strings, i.e., they must be connected such that isolation occurs when both required channels actuate (one of two parallel logic pairs of switch channels in one trip string must trip in combination with the tripping of one of two additional parallel logic switch channels in the other trip string in order to actuate the trip system.The RWCU System Space Temperature-High Allowable Values are set low enough to detect a leak.These Functions isolate the Group 3 valves, as listed in Reference 1.5.c. Standby Liquid Control (SLC) System Initiation The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron solution by the RWCU System (Ref. 9). RWCU isolation signals from the SLC system actuation are initiated from the two control room SLC pump start signals.There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.Two channels of the SLC System Initiation Function are available and are required to be OPERABLE only in MODES 1 and 2, since these are the only MODES where the reactor can be critical.Cooper B 3.3-147 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This Function isolates the inboard and outboard RWCU suction valves.5.d. Reactor Vessel Water Level-Low Low (Level 2)Low RPV water level indicates that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 2 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level-Low Low (Level 2) Function associated with RWCU isolation is not directly assumed in the USAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value was chosen to be the same as the High Pressure Coolant Injection/Reactor Core Isolation Cooling (HPCI/RCIC)

Reactor Vessel Water Level-Low Low (Level 2) Allowable Value (LCO 3.3.5.1 and LCO 3.3.5.2), since this could indicate that the capability to cool the fuel may be threatened.

This Function isolates the Group 3 valves, as listed in Reference 1.Shutdown Cooling System Isolation 6.a. Reactor Pressure-High The Reactor Pressure-High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This Function is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the USAR.The Reactor Pressure-High signals are initiated from two pressure Cooper B 3.3-148 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) switches that are connected to different taps on a recirculation pump suction line. Two channels of Reactor Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization.

This Function isolates both RHR shutdown cooling pump suction valves.6.b. Reactor Vessel Water Level-Low (Level 3)Low RPV water level indicates that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level-Low (Level 3) Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling System is bounded by breaks of the recirculation and MSL. The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below fuel zone zero during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.Reactor Vessel Water Level-Low (Level 3) signals are initiated from four level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level-Low (Level 3) Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

As noted (footnote (b) to Table 3.3.6.1-1), only one trip system of the Reactor Vessel Water Level-Low (Level 3) Function is required to be OPERABLE in MODES 4 and 5, provided the RHR Shutdown Cooling System integrity is maintained.

System integrity is maintained provided the piping is intact and no maintenance is being performed that has the potential for draining the reactor vessel through the system.The Reactor Vessel Water Level-Low (Level 3) Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low (Level 3) Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened.

Cooper B 3.3-149 11/25/12 I Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

The Reactor Vessel Water Level-Low (Level 3) Function is only required to be OPERABLE in MODES 3, 4, and 5 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel. In MODES 1 and 2, another isolation (i.e., Reactor Pressure-High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.This Function isolates both RHR shutdown cooling pump suction valves and the inboard LPCI injection valves.ACTIONS A Note has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels.

As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.A._1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for Functions 2.a, 2.b, 5.d, and 6.b and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for Functions other than Functions 2.a, 2.b, 5.d, and 6.b has been shown to be acceptable (Refs. 10 and 11) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A. 1.Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions.

Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken.Cooper B 3.3-150 11/25/12 I Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued)

B.. 1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant isolation capability being lost for the associated penetration flow path(s) for those MSL, Primary Containment, HPCI and RCIC Isolation Functions where actuation of both trip systems is needed to isolate a penetration.

The Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip (or the associated trip system in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For those Primary Containment, HPCI, RCIC, RWCU, and SDC Isolation Functions, where actuation of one trip system is needed to isolate a penetration, the Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that at least one of the PCIVs in the associated penetration flowpath can receive an isolation signal from the given Function.

For Functions 1.a, 1.b and 1.d, this would require both trip systems to have one channel OPERABLE or in trip. For Function 1.c, this would require both trip systems to have one channel, associated with each MSL, OPERABLE or in trip. For Functions 1.e, 3.d, 4.d and 5.b, each Function consists of channels that monitor several locations within a given area (e.g., different locations within the main steam tunnel area). Therefore, this would require both trip systems to have one channel per location OPERABLE or in trip for Function I.e, and would require one trip system to have two channels, each OPERABLE or in trip for Functions 3.d, 4.d, and 5.b. For Functions 3.a, 3.b, 4.a, 4.b, 5.a, 5.c, and 6.a, this would require one trip system to have one channel OPERABLE or in trip. For Functions 2.d, 2.e, 3.c, and 4.c, this would require one trip system to have two channels, each OPERABLE or in trip. For Functions 2.a, 2.b, 2.c, 5.d, and 6.b, this would require at least two channels OPERABLE or tripped to maintain isolation capability:

Channels A and B (parallel logic pairs), or Channels C and D (parallel logic pairs).The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Cooper B 3.3-151 11/25/12 I Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued)

C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1.

The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed.

Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

D.1, D.2.1, and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action D.11), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue.

Isolating the affected MSL accomplishes the safety function of the inoperable channel. The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.E.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.The allowed Completion Time of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.F. 1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated.

Isolating the affected Cooper B 3.3-152 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued) penetration flow path(s) accomplishes the safety function of the inoperable channels.

Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition G must be entered and its Required Actions taken. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s).G.1 and G.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or the Required Action of Condition F is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated SLC subsystem(s) is declared inoperable or the RWCU System is isolated.

Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystems inoperable or isolating the RWCU System.The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System.1.1 and 1.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so Cooper B 3.3-153 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS (continued) the penetration flow path can be isolated).

Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated.SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each Primary Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated Function maintains trip capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 10 and 11) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary.

SR 3.3.6.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.Cooper B 3.3-154 11/25/12 1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.SR 3.3.6.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency of SR 3.3.6.1.2 is based on the reliability analysis described in References 10 and 11.SR 3.3.6.1.3, SR 3.3.6.1.4 and SR 3.3.6.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

SR 3.3.6.1.5, however, is only a calibration of the radiation detectors using a standard radiation source.As noted for SR 3.3.6.1.4, the main steam line radiation detectors (Function 2.d) are excluded from CHANNEL CALIBRATION due to ALARA reasons (when the plant is operating, the radiation detectors are generally in a high radiation area; the steam tunnel). This exclusion is acceptable because the radiation detectors are passive devices, with minimal drift. The radiation detectors are calibrated in accordance with SR 3.3.6.1.5 on a 24 month Frequency using a standard current source Cooper B 3.3-155 11/25/12 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE REQUIREMENTS (continued) and radiation source. The CHANNEL CALIBRATION of the remaining portions of the channel (SR 3.3.6.1.4) are performed using a standard current source.The Frequency of SR 3.3.6.1.3 is based on the assumption of a 92 day calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.

The Frequency of SR 3.3.6.1.4 and SR 3.3.6.1.5 is based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.6.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function.

Simulated automatic actuation is performed each operating cycle. The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. USAR, Table V-2-2.2. USAR, Chapter XIV.3. 10 CFR 50.36(c)(2)(ii).
4. USAR, Section XIV-6.3.5. USAR, Section XIV-5.4.1.
6. USAR, Section XIV-6.5.7. USAR, Section XIV-6.7.1.
8. NEDO-31466, "Technical Specification Screening Criteria Application and Risk Assessment," November 1987.Cooper B 3.3-156 11/25/12 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES REFERENCES (continued)
9. USAR, Section IV-9.3.10. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.11. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.Cooper B 3.3-157 11/25/12 1 Secondary Containment Isolation Instrumentation B 3.3.6.2 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation BASES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation and establishment of vacuum with the SGT System within the required time limits ensures that fission products that leak from primary containment following a DBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits.The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation.

Most channels include electrical equipment and/or electronic equipment (e.g., switches or trip units) that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel output relay actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters.

The input parameters to the isolation logic are (1) reactor vessel water level, (2)drywell pressure, and (3) reactor building ventilation exhaust plenum radiation.

Redundant sensor input signals from each parameter are provided for initiation of isolation.

The outputs of the channels in a trip system are arranged into two one-out-of-two taken twice trip system logics (each sensor sends a signal to both trip system logics). One trip system logic initiates isolation of one isolation valve (damper) and starts one SGT subsystem while the other trip system logic initiates isolation of the other isolation valve in the penetration and starts the other SGT subsystem.

Each logic closes one of the two valves on each penetration, starts one SGT subsystem, and initiates the other logic. Operation of either logic isolates the secondary containment and provides for the necessary filtration of fission products.Cooper B 3.3-158 11/25112 1 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The isolation signals generated by the secondary containment isolation instrumentation are implicitly assumed in the safety analyses of References 1 and 2 to initiate closure of valves and start the SGT System to limit offsite doses.Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," Applicable Safety Analyses Bases for more detail of the safety analyses.The secondary containment isolation instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 3). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the secondary containment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions.

Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1.

The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.Allowable Values are specified for each Function specified in the Table.Nominal trip setpoints are specified in the setpoint calculations.

The setpoint calculations are performed using methodology described in NEDC-31336P-A, "General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis or appropriate documents.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must Cooper B 3.3-159 11/25/12 I Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILTY function in harsh environments as defined by 10 CFR 50.49) are accounted for.In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SCIVs and the SGT System are required.The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.1. Reactor Vessel Water Level-Low Low (Level 2)Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened.

Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level-Low Low (Level 2) Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals.The isolation and initiation systems on Reactor Vessel Water Level-Low Low (Level 2) support actions to ensure that any offsite releases are within the limits calculated in the safety analysis.Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are available and are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude the isolation function.The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value was chosen to be the same as the High Pressure Coolant Injection/

Reactor Core Isolation Cooling (HPCI/RCIC)

Reactor Vessel Water Level Low Low (Level 2) Allowable Value (LCO 3.3.5.1 and LCO 3.3.5.2) since this could indicate that the capability to cool the fuel is being threatened).

The Reactor Vessel Water Level-Low Low (Level 2) Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required.

In addition, the Cooper B 3.3-160 11/25/12 1 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILTY Function is also required to be OPERABLE during operations with a potential for draining the reactor vessel (OPDRVs) because the capability of isolating potential sources of leakage must be provided to ensure that offsite dose limits are not exceeded if core damage occurs.This function isolates the Group 6 valves listed in Reference

1.2. Drywell

Pressure-Higqh High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis.

The Drywell Pressure-High Function associated with isolation is not assumed in any USAR accident or transient analyses, but will provide an isolation and initiation signal. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.High drywell pressure signals are initiated from pressure switches that sense the pressure in the drywell. Four channels of Drywell Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function.The Allowable Value was chosen to be the same as the ECCS Drywell Pressure-High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA).The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.3. Reactor Building Ventilation Exhaust Plenum Radiation-High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding.

The release may have originated from Cooper B 3.3-161 11/25/12 I Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILTY the primary containment due to a break in the RCPB or the refueling floor due to a fuel handling accident during refueling.

When Reactor Building Exhaust Plenum Radiation-High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the USAR safety analyses (Ref. 4).The Reactor Building Exhaust Plenum Radiation-High signals are initiated from four radiation detectors that are located such that they can monitor the radioactivity of gas flowing through the reactor building exhaust plenum. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel in each trip system. Four channels of Reactor Building Ventilation Exhaust Plenum Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.The Allowable Values are chosen to promptly detect gross failure of the fuel cladding.The Reactor Building Ventilation Exhaust Plenum Radiation-High Functions are required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, these Functions are not required.

In addition, the Functions are also required to be OPERABLE during OPDRVs, and movement of recently irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (due to fuel uncovery or dropped fuel assemblies) must be provided to ensure that offsite dose limits are not exceeded.

Due to radioactive decay, this Function is only required to isolate secondary containment during fuel handling accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />).ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in Cooper B 3.3-162 11/25/12 1 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS (continued) separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels.

As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel.A._1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for Functions I and 2, and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for Function 3, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Actions taken.B._1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of isolation capability for the associated penetration flow path(s) or a complete loss of initiation capability for the SGT System. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two SCIVs in the associated penetration flow path and one SGT subsystem can be initiated on an isolation signal from the given Function.

For Functions 1, 2, and 3, this would require one trip system to have one channel OPERABLE or in trip in each trip string.Cooper B 3.3-163 11/25/12 1 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS (continued)

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.C.1.1, C.1.2, C.2.1. and C.2.2 If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function.

Isolating the associated secondary containment penetration flow path(s) and starting the associated SGT subsystem (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operation to continue.Alternately, declaring the associated SCIVs or SGT subsystem(s) inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components.

One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems.SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each Secondary Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated Function maintains secondary containment isolation capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance.

That analysis demonstrated the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the SCIVs will Cooper B 3.3-164 11/25/12 1 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE REQUIREMENTS (continued) isolate the associated penetration flow paths and that the SGT System will initiate when necessary.

SR 3.3.6.2.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.The Frequency is based on operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.SR 3.3.6.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

Cooper B 3.3-165 11/25/12 I Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE REQUIREMENTS (continued)

The Frequency of 92 days is based on the reliability analysis of References 5 and 6.SR 3.3.6.2.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of SR 3.3.6.2.3 is based on the assumption of a 24 month calibration interval, respectively, in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.6.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. USAR, Section V-3.0.2. USAR, Chapter XIV.3. 10 CFR 50.36(c)(2)(ii).
4. USAR, Sections XIV-6.3 and XIV-6.4.Cooper B 3.3-166 11/25/12 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES REFERENCES (continued)
5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.6. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.Cooper B 3.3-167 11/25/12 1 LLS Instrumentation B 3.3.6.3 B 3.3 INSTRUMENTATION B 3.3.6.3 Low-Low Set (LLS) Instrumentation BASES BACKGROUND The LLS logic and instrumentation is designed to mitigate the effects of postulated thrust loads on the safety/relief valve (SRV) discharge lines by preventing subsequent actuations with an elevated water leg in the SRV discharge line. It also mitigates the effects of postulated pressure loads on suppression chamber structural components by preventing multiple actuations in rapid succession of the SRVs subsequent to their initial actuation.

Upon initiation, the LLS logic will assign preset opening and closing setpoints to two preselected SRVs. These setpoints are selected such that the LLS SRVs will stay open longer; thus, releasing more steam (energy) to the suppression pool, and hence more energy (and time) will be required for repressurization and subsequent SRV openings.

The LLS logic increases the time between (or prevents) subsequent actuations to allow the high water leg created from the initial SRV opening to return to (or fall below) its normal water level; thus, reducing thrust loads from subsequent actuations to within their design limits. In addition, the LLS is designed to limit SRV subsequent actuations to one valve, so suppression chamber loads will also be reduced.There are two LLS logics (A and B), associated with the two SRVs actuated by LLS (Ref. 1). Each LLS logic channel (e.g., Logic A channel)controls one LLS valve. The LLS logic channels will not actuate their associated LLS valves at their LLS setpoints until the arming portion of the associated LLS logic is satisfied.

Arming occurs when any one of the 8 SRVs opens as indicated by a signal from the pressure switch located on its associated discharge line coincident with a high reactor pressure signal. Each LLS logic receives arming signals directly from four of the eight SRV discharge line pressure switches.

Each LLS logic (e.g., Logic A) receives the reactor pressure arming signal from two RPS Reactor Pressure-High channels in one-out-of-two logic (either channel tripping will arm the LLS logic). Due to the redundancy of the RPS Reactor Pressure-High channels, and the cross-arming design, only one of these channels per LLS logic is required to meet single failure requirements.

These arming signals seal in until reset. The arming logic from one LLS logic is sent to the other LLS logic, thus providing an indirect input from the other four SRV discharge line pressure switches and the other two Reactor Pressure-High arming circuits.Cooper B 3.3-168 11/25/12 I LLS Instrumentation B 3.3.6.3 BASES BACKGROUND (continued)

After arming, opening and closing of each LLS valve is by a logic containing two reactor pressure switches.

Upon increasing pressure, the high-set switch energizes a relay circuit which seals in and opens the LLS valve. As pressure decreases below the high-set switch reset setpoint, the relay circuit remains energized.

As pressure decreases to the low-set switch setpoint, the seal-in relay circuit is deenergized, thus closing the LLS valve.This logic arrangement prevents single instrument failures from preventing the functioning of at least one LLS SRV. The channels include electrical equipment (e.g., pressure switches) that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel output relay actuates, which then outputs a LLS initiation signal to the initiation logic.APPLICABLE SAFETY ANALYSES The LLS instrumentation and logic function ensures that the containment loads remain within the primary containment design basis (Ref. 1).The LLS instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii)(Ref. 2).LCO The LCO requires OPERABILITY of sufficient LLS instrumentation channels to ensure successfully accomplishing the functioning of at least one LLS SRV assuming any single instrumentation channel failure within the LLS logic. Therefore, the OPERABILITY of the LLS instrumentation is dependent on the OPERABILITY of the instrumentation channel Function specified in Table 3.3.6.3-1.

Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Value. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each LLS actuation Function in Table 3.3.6.3-1.

Nominal trip setpoints are specified in the setpoint calculations.

The setpoint calculations are performed using methodology described in NEDC-31336P-A, "General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Cooper B 3.3-169 11/25/12 1 LLS Instrumentation B 3.3.6.3 BASES LCO (continued)

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor pressure), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., switch) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. For some Functions, the Allowable Values and the trip setpoints are determined from historically accepted practice relative to the intended functions of the channels.

Such is the case for the Low-Low Set Pressure Setpoints.

The Discharge Line Pressure Switch Allowable Value is based on ensuring that a proper arming signal is sent to the LLS logic. That is, the pressure switch is initiated only when an SRV has opened.The Reactor Pressure-High was chosen to be the same as the Reactor Protection System (RPS) Reactor Vessel Pressure Allowable Value (LCO 3.3.1.1) because it would be expected that LLS would be needed for pressurization events. Providing LLS after a scram has been initiated would prevent false initiations of LLS at 100% power. The LLS valve open and close Allowable Values are based on the safety analysis performed in Reference 1.APPLICABILITY The LLS instrumentation is required to be OPERABLE in MODES 1, 2, and 3 since considerable energy is in the nuclear system and the SRVs may be needed to provide pressure relief. If the SRVs are needed, then the LLS function is required to ensure that the primary containment design basis is maintained.

In MODES 4 and 5, the reactor pressure is low enough that the overpressure limit cannot be approached by assumed operational transients or accidents.

Thus, LLS instrumentation and associated pressure relief is not required.Cooper B 3.3-170 11/25/12 1 LLS Instrumentation B 3.3.6.3 BASES ACTIONS A..1 The failure of any required Function 1, 2, or 3 channel for an individual LLS valve does not affect the ability of the other LLS SRV to perform its LLS function.

A LLS valve is OPERABLE if the associated logic, (e.g., Logic A), has one Function 1 channel, two Function 2 channels, and four Function 3 channels OPERABLE.

Therefore, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is provided to restore the inoperable channel(s) to OPERABLE status (Required Action A. 1). If the inoperable channel(s) cannot be restored to OPERABLE status within the allowable out of service time, Condition B must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action could result in an instrumented LLS valve actuation.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is considered appropriate because of the redundancy in the design (two LLS valves are provided and any one LLS valve can perform the LLS function) and the very low probability of multiple LLS instrumentation channel failures, which render the remaining LLS SRV inoperable, occurring together with an event requiring the LLS function during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time is also based on the reliability analysis of Reference 3.B..1 If the Required Action and associated Completion Time of Condition A is not met, or both LLS valves are inoperable due to inoperable channels, the LLS valves may be incapable of performing their intended function.Therefore, the associated LLS valve must be declared inoperable immediately.

A LLS valve is OPERABLE if the associated logic (e.g., Logic A) has one Function 1 channel, two Function 2 channels, and four Function 3 channels OPERABLE.SURVEILLANCE REQUIREMENTS.

As noted at the beginning of the SRs, the SRs for each LLS instrumentation Function are located in the SRs column of Table 3.3.6.3-1.The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> provided the associated Function maintains LLS initiation capability.

LLS initiation capability is maintained provided one LLS valve can be initiated by the LLS instrumentation.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Cooper B 3.3-171 11/25/12 1 LLS Instrumentation B 3.3.6.3 BASES SURVEILLANCE REQUIREMENTS (continued)

Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the LLS valves will initiate when necessary.

SR 3.3.6.3.1.

SR 3.3.6.3.2.

and SR 3.3.6.3.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The 92 day Frequency is based on the reliability analysis of Reference 3.A portion of the SRV discharge line pressure switch instrument channels are located inside the primary containment.

The Note for SR 3.3.6.3.2,"Only required to be performed prior to entering MODE 2 during each scheduled outage > 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> when entry is made into primary containment," is based on the location of these instruments and ALARA considerations.

SR 3.3.6.3.4 CHANNEL CALIBRATION is a complete check of the instrument loop and sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency of once every 24 months for SR 3.3.6.3.4 is based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.Cooper B 3.3-172 11/25/12 LLS Instrumentation B 3.3.6.3 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.6.3.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specified channel.The system functional testing performed in LCO 3.4.3, "Safety/Relief Valves (SRVs) and Safety Valves (SVs)" and LCO 3.6.1.6, "Low-Low Set (LLS) Safety/Relief Valves (SRVs)," for SRVs overlaps this test to provide complete testing of the assumed safety function.The Frequency of once every 24 months for SR 3.3.6.3.5 is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

I REFERENCES

1. USAR, Section IV-4.5.2.2. 10 CFR 50.36(c)(2)(ii).
3. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.Cooper B 3.3-173 11/25/12 CREF System Instrumentation B 3.3.7.1 B 3.3 INSTRUMENTATION B 3.3.7.1 Control Room Emergency Filter (CREF) System Instrumentation BASES BACKGROUND The CREF System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions.

The instrumentation and controls for the CREF System automatically isolate the normal ventilation intake and initiate action to pressurize the main control room and filter incoming air to minimize the infiltration of radioactive material into the control room environment.

In the event of a loss of coolant accident (LOCA) signal (Reactor Vessel Water Level-Low Low, Level 2 or Drywell Pressure-High) or Reactor Building Ventilation Exhaust Plenum Radiation-High signal, the normal control room inlet supply damper closes and the CREF System is automatically started in the emergency bypass mode. The air drawn in from the outside passes through a high efficiency filter and a charcoal filter in sufficient volume to maintain the control room slightly pressurized with respect to the adjacent areas.The CREF System instrumentation has two trip systems. Each trip system includes the sensors, relays, and switches necessary to cause initiation of the CREF System. Each trip system receives input from each of the Functions listed above (each sensor sends a signal to both trip systems).

The Reactor Vessel Water Level-Low Low, Level 2, Drywell Pressure-High, and Reactor Building Ventilation Exhaust Plenum Radiation-High are each arranged in a one-out-of-two taken twice logic for each trip system. The channels include electronic and electrical equipment (e.g., switches and trip relays) that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel output relay actuates, which then outputs a CREF System initiation signal to the initiation logic.APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The ability of the CREF System to maintain the habitability of the control room is explicitly assumed for certain accidents as discussed in the USAR safety analyses (Refs. 1, 2, and 3). CREF System operation ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents that assume CREF System operation, does not exceed the limits set by GDC 19 of 10 CFR 50, Appendix A or 10 CFR 50.67 (Fuel Handling Accident and LOCA only).Cooper B 3.3-174 11/25/12 1 CREF System Instrumentation B 3.3.7.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

CREF System instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).The OPERABILITY of the CREF System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.7.1-1.

Each Function must have the required number of OPERABLE channels, with their setpoints within the specified Allowable Values. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each CREF System Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations.

The setpoint calculations are performed using methodology described in NEDC-31336P-A, "General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytic limit, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift).The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)are accounted for.The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.1. Reactor Vessel Water Level-Low Low (Level 2)Low reactor pressure vessel (RPV) water level indicates that the capability of cooling the fuel may be threatened.

A low reactor vessel water level could indicate a LOCA and will automatically initiate the CREF Cooper B 3.3-175 11/25/12 1 CREF System Instrumentation B 3.3.7.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued)

System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

Reactor Vessel Water Level-Low Low (Level 2) signals are initiated from level switches that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low (Level 2) Function are available and are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude CREF System initiation.

The Reactor Vessel Water Level-Low Low (Level 2) Allowable Value was chosen to be the same as the Secondary Containment Isolation Allowable Value (LCO 3.3.6.2) to enable initiation of the CREF System at the earliest indication of a breach in the nuclear system process barrier, yet far enough below normal operational levels to avoid spurious initiation.

The Reactor Vessel Water Level-Low Low (Level 2) Function is required to be OPERABLE in MODES 1, 2, and 3, and during operations with a potential for draining the reactor vessel (OPDRVs) to ensure that the Control Room personnel are protected during a LOCA. In MODES 4 and 5 at times other than OPDRVs, the probability of a vessel draindown event resulting in the release of radioactive material to the environment is minimal. Therefore, this Function is not required in other MODES and specified conditions.

2. Drywell Pressure-High High drywell pressure can indicate a break in the reactor coolant pressure boundary.

A high drywell pressure signal could indicate a LOCA and will automatically initiate the CREF System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

Drywell Pressure-High signals are initiated from pressure switches that sense drywell pressure.

Four channels of Drywell Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the initiation function.

The Drywell Pressure-High Allowable Value was chosen to be the same as the ECCS Drywell Pressure-High Function Allowable Value (LCO 3.3.5.1).The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that control room personnel are protected Cooper B 3.3-176 11/25/12 1 CREF System Instrumentation B 3.3.7.1 BASES APPLICABLE SAFETY ANALYSIS, LCO, and APPLICABILITY (continued) in the event of a LOCA. In MODES 4 and 5, the Drywell Pressure-High Function is not required since there is insufficient energy in the reactor to pressurize the drywell to the Drywell Pressure-High setpoint.3. Reactor Buildinq Ventilation Exhaust Plenum Radiation-High High radiation in the refueling floor area could be the result of a fuel handling accident.

A refueling floor high radiation signal will automatically initiate the CREF System, since this radiation release could result in radiation exposure to control room personnel.

The Reactor Building Exhaust Plenum Radiation-High signals are initiated from radiation detectors that are located such that they can monitor the radioactivity of gas flowing through the reactor building exhaust plenum.The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel in each trip system. Four channels of Reactor Building Ventilation Exhaust Plenum Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the CREF System initiation.

The Allowable Value was chosen to promptly detect gross failure of the fuel cladding.The Reactor Building Ventilation Exhaust Plenum Radiation-High Function is required to be OPERABLE in MODES 1, 2, and 3 and during movement of lately irradiated fuel assemblies in the secondary containment and operations with a potential for draining the reactor vessel (OPDRVs), to ensure control room personnel are protected during a pipe break resulting in significant releases of radioactive steam and gas, fuel handling event, or vessel draindown event. During MODES 4 and 5, when these specified conditions are not in progress (e.g., OPDRVs), the probability of a pipe break resulting in significant releases of radioactive steam and gas or fuel damage is low; thus, the Function is not required.

Due to radioactive decay, this Function is only required to initiate the CREF System during fuel handling accidents involving handling lately irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 7 days). During the movement of lately irradiated fuel, Reactor Building ventilation exhaust flow (provided by either a Reactor Building ventilation exhaust fan or SGT fan) is a required support function.ACTIONS A Note has been provided to modify the ACTIONS related to CREF System instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, Cooper B 3.3-177 11/25/12 1 CREF System Instrumentation B 3.3.7.1 BASES ACTIONS (continued) subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable CREF System instrumentation channels provide appropriate compensatory measures for separate inoperable channels.

As such, a Note has been provided that allows separate Condition entry for each inoperable CREF System instrumentation channel.A.1 Because of the diversity of sensors available to provide isolation signals and the common interface with the Secondary Containment isolation Instrumentation, allowable out of service time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for Functions 1 and 2, and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for Function 3, has been shown to be acceptable (Refs. 5, 6, and 7) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function is still maintaining CREF System initiation capability.

If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure in the trip system, and allow operation to continue.

Alternately, if it is not desired to place the channel in trip, Condition C must be entered and its Required Actions taken.B._1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of CREF System initiation capability.

A Function is considered to be maintaining CREF System initiation capability when sufficient channels are OPERABLE or in trip, such that at least one trip system will generate a trip signal from the given Function on a valid signal.The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.Cooper B 3.3-178 11/25/12 1 CREF System Instrumentation B 3.3.7.1 BASES ACTIONS (continued)

If the CREF System initiation capability cannot be restored within the Completion Time, Condition C must be entered and its Required Actions taken.C._1 With any Required Action and associated Completion Time of Condition A or B not met, the CREF System must be placed in operation per Required Action C. A to ensure that control room personnel will be protected in the event of a Design Basis Accident which assumes a CREF System initiation.

The method used to place the CREF System in operation must provide for automatically re-initiating the system upon restoration of power following a loss of power to the CREF System.Alternatively, if it is not desired to start the CREF System, the CREF System must be declared inoperable within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is intended to allow the operator time to place the CREF System in operation.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> completion time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels, for placing the CREF System in operation, or for entering the applicable Conditions and Required Actions for the inoperable CREF System.SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each CREF System instrumentation Function are located in the SRs column of Table 3.3.7.1-1.The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, provided the associated Function maintains CREF System initiation capability.

Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5, 6, and 7) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> testing allowance does not significantly reduce the probability that the CREF System will initiate when necessary.

Cooper B 3.3-179 11/25/12 I CREF System Instrumentation B 3.3.7.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.7.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels.

It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability.

If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.The Frequency is based upon operating experience that demonstrates channel failure is rare. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.SR 3.3.7.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 92 days is based on the reliability analyses of References 5, 6, and 7.Cooper B 3.3-180 11/25/12 1 CREF System Instrumentation B 3.3.7.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.7.1.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.7.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.4, "Control Room Emergency Filter (CREF) System," overlaps this Surveillance to provide complete testing of the assumed safety function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. USAR, Section X-10.4.2. USAR, Section XIV-6.3.3. USAR, Section XIV-6.4.4. 10 CFR 50.36(c)(2)(ii).
5. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.Cooper B 3.3-181 11/25/12 CREF System Instrumentation B 3.3.7.1 BASES REFERENCES (continued)
6. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.7. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.Cooper B 3.3-182 11/25/12 1 LOP Instrumentation B 3.3.8.1 B 3.3 INSTRUMENTATION B 3.3.8.1 Loss of Power (LOP) Instrumentation BASES BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power sources for energizing the various components such as pump motors, motor operated valves, and the associated control components.

The LOP instrumentation monitors the 4.16 kV emergency buses and the power to the buses. Offsite power is the preferred source of power for the 4.16 kV emergency buses. If the monitors determine that insufficient power is available, the buses are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources.Each 4.16 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for each bus is monitored at two levels, which can be considered as two different types of undervoltage protection:

Loss of Voltage and Degraded Voltage (Ref. 1).There are three Loss of Voltage relays associated with each 4.16 kV Emergency Bus or power supply to that bus constituting three separate Functions:

4.16 kV Emergency Bus Undervoltage (Loss of Voltage) -Function 1, 4.16 kV Emergency Bus Normal Supply Undervoltage (Loss of Voltage) -Function 2, and 4.16 kV Emergency Bus ESST (Emergency Station Service Transformer)

Supply Undervoltage (Loss of Voltage) -Function 3. These three Functions constitute the first level of undervoltage protection.

Voltage on 4.16 kV Emergency Bus 1F (1 G) is monitored by relay 27/1 F1 (27/1 G1) -Function 1; voltage on the normal supply bus tie to 4.16 kV Emergency Bus 1F (IG) is monitored by relay 27/1 FA1 (27/1GB1)

-Function 2; and voltage on the ESST supply bus tie to 4.16 kV Emergency Bus 1F (1G) is monitored by relay 27/ET1 (27/ET2) -Function 3. Upon sensing a loss of voltage to Emergency Bus 1 F (1 G), the Function 1 relay 27/1 F1 (27/1 G1) will initiate the following:

1. A start signal to DG1 (DG2).2. Load shedding of all motors on 4.16 kV Emergency Bus 1F (1G).3. Load shedding of the non-essential Motor Control Centers (MCC)and non-essential motors fed from Emergency 480 V Bus 1 F (1 G).The Function 2 undervoltage relay 27/1 FA1 (27/1GB1) will then trip breaker 1 FA (1GB) if the Emergency Bus 1 F (1 G) is being supplied from its normal source (either the normal station service transformer (NSST) or the startup station service transformer (SSST)); or the Function 3 Cooper B 3.3-183 11/25/12 I LOP Instrumentation B 3.3.8.1 BASES BACKGROUND (continued) undervoltage relay 27/ET1 (27/ET2) will trip breaker 1 FS (1GS) if the 4.16 kV Emergency Bus 1F (IG) is being supplied from its alternate source, the ESST. Opening breakers IFA (1GB) and IFS (1GS) will then allow the diesel generator, DG1 (DG2) to connect to 4.16 kV Emergency Bus 1F (1G).The second level of undervoltage protection is a Degraded Voltage scheme. Voltage on 4.16 kV Emergency Bus 1 F (1 G) is monitored by relay 27/1 F2 (27/1 G2) and voltage on the normal supply bus tie to emergency bus 1F (1G) is monitored by relay 27/1FA2 (27/1GB2).

When 4.16 kV Emergency Bus IF (1G) is energized from its normal source, a degraded voltage condition will be sensed by two relays 27/1 F2 (27/1 G2)and 27/1 FA2 (27/1GB2)

-Function 4. When 4.16 kV Emergency Bus 1F (1G) is energized from the ESST, a degraded voltage condition on 4.16 kV Emergency Bus 1 F (1 G) will be sensed by only one relay, 27/1 F2 (27/1G2) -Function 5. When 4.16 kV Emergency Bus IF (1G) is powered from the normal supply, a degraded voltage condition on 4.16 kV Emergency Bus 1F (1G) for approximately 12.5 seconds (Function 4.c) will trip the tie breaker 1 FA (1GB) unless an RHR initiation seal-in is present, in which case breaker 1 FA (1GB) will trip on a degraded voltage on bus 1 F (1 G) after approximately

7.5 seconds

(Function 4.b). When 4.16 kV Emergency Bus 1F (1G) is powered from the ESST, a degraded voltage condition on 4.16 kV Emergency Bus 1F (1G) for approximately 15 seconds (Function 5.b) will trip breaker 1 FS (1 GS). The three Loss of Voltage relays are each arranged in a one-out-of-one logic configuration (Functions 1, 2, and 3), while the Degraded Voltage relays are arranged in a two-out-of-two logic configuration if the emergency bus is powered from its normal source (Function 4), or in a one-out-of-one logic configuration if the emergency bus is powered from the ESST (Function 5). The channels include electronic equipment (e.g., internal relay contacts, coils, solid state logic, etc.) that compares measured input signals with pre-established setpoints.

When the setpoint is exceeded, the channel output relay actuates, which then outputs a LOP trip signal to the trip logic.APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY The LOP instrumentation is required for Engineered Safety Features to function in any accident with a loss of offsite power. The required channels of LOP instrumentation ensure that the ECCS and other assumed systems powered from the DGs, provide plant protection in the event of any of the Reference 2 analyzed accidents in which a loss of offsite power is assumed. The initiation of the DGs on loss of offsite Cooper B 3.3-184 11/25/12 1 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident.

The diesel starting and loading times have been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.The LOP instrumentation satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii)(Ref. 3).The OPERABILITY of the LOP instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.8.1-1.

Each Function must have a required number of OPERABLE channels per 4.16 kV emergency bus, with their setpoints within the specified Allowable Values. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

The Allowable Values are specified for each Function in the Table.Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., degraded voltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., internal relay contact)changes state. The Allowable Values are derived from the limiting values of the process parameters obtained from the safety analysis.

For all LOP Instrumentation Functions, the Allowable Values and the trip setpoints are determined from historically accepted practice relative to the intended functions of the channels.The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.1.a, 1 .b 4.16 kV Emergency Bus Undervoltage (Loss of Voltaqe)Loss of voltage on a 4.16 kV emergency bus indicates that offsite power may be completely lost to the respective emergency bus and is unable to Cooper B 3.3-185 11/25/12 1 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued) supply sufficient power for proper operation of the applicable equipment.

Therefore, the power supply to the bus is transferred from offsite power to DG power when the voltage on the bus drops below the Loss of Voltage Function Allowable Values (loss of voltage with a short time delay). This ensures that adequate power will be available to the required equipment.

Upon loss of voltage, relay 27/1 F1 (27/1G1) will initiate a start signal to DG 1 (DG2), load shedding of all motors on 4.16 kV Emergency Bus 1 F (1G), and load shedding of the non-essential Motor Control Centers (MCCs) and non-essential motors fed from critical 480 V Bus 1F (1G)The 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Allowable Value is low enough to prevent inadvertent power supply transfer, but high enough to ensure that power is available to the required equipment.

The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that power is available to the required equipment.

One channel of 4.16 kV Emergency Bus Undervoltage (Loss of Voltage)Function and Time Delay Function per associated 4.16 kV emergency bus is available and is only required to be OPERABLE when the associated DG is required to be OPERABLE.

Refer to LCO 3.8.1, "AC Sources-Operating," and 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs.2.a, 2.b 4.16 kV Emergency Bus Normal Supply Undervoltage (Loss of Voltage)Loss of voltage on the SWGR 1A to 1F (1 B to 1 G) bus tie indicates that offsite power is not available from the normal source (NSST or SSST).Therefore, in order to allow the emergency bus to be powered from the alternate offsite power source (ESST) or the DG, relay 27/1 FA-1 (27/1GB-1) will cause the normal supply breaker to the 4.16 kV emergency bus, 1FA (1GB) to trip following the actuation of the Function 1 channels following a short time delay.The 4.16 kV Emergency Bus Normal Supply Undervoltage (Loss of Voltage) Allowable Value is low enough to prevent inadvertent power supply transfer, but high enough to ensure that power is available to the required equipment.

The Time Delay Allowable Values are chosen to assure timely operation for a loss of voltage condition, but not allow spurious operation during momentary voltage dips created by motor starts.Cooper B 3.3-186 11/25/12 1 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

One channel of 4.16 kV Emergency Bus Normal Supply Undervoltage (Loss of Voltage) Function and Time Delay Function per associated 4.16 kV emergency bus is available and is only required to be OPERABLE when the associated DG is required to be OPERABLE.

Refer to LCO 3.8.1, "AC Sources-Operating," and 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs.3.a, 3.b 4.16 kV Emer-gency Bus ESST Supply Undervoltaqge (Loss of Voltage)Loss of voltage on the ESST-1 F (1 G) bus tie indicates that offsite power is not available from the alternate offsite source (ESST). Therefore, in order to allow the 4.16 kV emergency bus to be powered from the DG following loss of the alternate offsite source, relay 27/ET-1 (27/ET-2) will cause the ESST-1 F (1 G) breaker 1 FS (1 GS) to trip following a short time delay, which in turn will allow the DG output breaker to close.The 4.16 kV Emergency Bus ESST Supply Undervoltage (Loss of Voltage) Allowable Value is low enough to prevent inadvertent power supply transfer, but high enough to ensure that power is available to the required equipment.

The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that power is available to the required equipment.

One channel of 4.16 kV Emergency Bus ESST Supply Undervoltage (Loss of Voltage) Function and Time Delay Function per associated 4.16 kV emergency bus is available and is only required to be OPERABLE when the associated DG is required to be OPERABLE.

Refer to LCO 3.8.1, "AC Sources-Operating," and 3.8.2, "AC Sources-Shutdown," for Applicability Bases for the DGs.4.a, 4.b. 4.c 4.16 kV Emergency Bus Undervoltage (Degraded Voltage)A reduced voltage condition on a 4.16 kV emergency bus indicates that, while offsite power may not be completely lost to the respective emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function.

Therefore, power supply to the bus is transferred from normal offsite power to alternate offsite power or to onsite DG power when the voltage on the bus drops below the Degraded Voltage Function Allowable Value (degraded voltage with a time delay).Cooper B 3.3-187 11/25/12 1 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

This ensures that adequate power will be available to the required equipment.

A degraded voltage condition on 4.16 kV Emergency Bus 1F (1G) is monitored by relays 27/1F2 (27/1G2) and 27/1FA2 (27/1GB2).

Any momentary voltage dips caused by starting of large motors will not operate undervoltage relays. When 4.16 kV Emergency Bus 1F (1G) is powered from either the SSST or NSST, a degraded voltage on 4.16 kV Emergency Bus 1 F (1 G) below a nominal value of 3,880 V for approximately 12.5 seconds sensed by both relays 27/1 F2 (27/1 G2) and 27/1 FA2 (27/1 GB2) will trip the tie breaker 1 FA (1GB) unless a LOCA seal-in signal is present, in which case time delay relay 27X7/1 F (27X7/1G) will be bypassed and breaker 1FA (1GB) will trip if voltage on 4.16 kV Emergency Bus 1F (1G) is below a nominal value of 3,880 V for 7.5 seconds.The Bus Undervoltage Allowable Value is low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the required equipment.

The Time Delay Allowable Value is long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment.

Two channels of 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) Function and Time Delay Function per associated bus are available and are required to be OPERABLE when the associated DG is required to be OPERABLE.

Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs.5.a, 5.b 4.16 kV Emerqency Bus ESST Supply Undervoltace (Degqraded Voltagqe)A reduced voltage condition on a 4.16 kV emergency bus indicates that, while offsite power may not be completely lost to the respective emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function.

Therefore, power supply to the bus is transferred from the alternate offsite power source to onsite DG power when the voltage on the bus drops below the Degraded Voltage Function Allowable Value (degraded voltage with a time delay). This ensures that adequate power will be available to the required equipment.

When 4.16 kV Emergency Bus 1F (1G) is energized from the ESST, degraded voltages will be sensed by only one relay 27/1 F2 (27/1 G2).Cooper B 3.3-188 11/25/12 1 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

Any momentary voltage dips caused by starting of large motors will not operate undervoltage relays. When 4.16 kV Emergency Bus 1F (1G) is powered from the ESST, a degraded voltage on 4.16 kV Emergency Bus IF (1G) for approximately 15 seconds will trip breaker IFS (1GS). The nominal 15 second time delay consists of the nominal 7.5 second time delay from relay 27/1 F2 (27/1G2) plus a nominal 7.5 second time delay from time delay relay 27X1 5/1F (27X15/1G).

After the ESST breaker 1FS (1GS) trips, the Loss of Voltage protection system will start the associated DG and will trip all 4,000 volt motor breakers and non-essential MCC breakers.

The 4.16 kV Emergency Bus Undervoltage (Degraded Voltage)Allowable Value is low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the required equipment.

The Time Delay Allowable Value is long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment.

One channel of 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) Function and Time Delay Function per associated bus is available and is only required to be OPERABLE when the associated DG is required to be OPERABLE.

Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs.ACTIONS A Note has been provided to modify the ACTIONS related to LOP instrumentation channels.

Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition.

Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels.

As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.A.1 With one or more channels of a Function inoperable, the Function is not capable of performing the intended function.

Therefore, only 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to restore the inoperable channel to OPERABLE status. If the channel is not restored to OPERABLE status in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, Condition B must be entered and its Required Action taken.Cooper B 3.3-189 11/25/12 1 LOP Instrumentation B 3.3.8.1 BASES ACTIONS (continued)

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.B. 1 If any Required Action and associated Completion Time are not met, the associated Function is not capable of performing the intended function.Therefore, the associated DG(s) is declared inoperable immediately.

This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable DG(s).SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs (Note 1), the SRs for each LOP instrumentation Function are located in the SRs column of Table 3.3.8.1-1.The Surveillances are further modified by a Note (Note 2) to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> provided the associated Function maintains initiation capability.

Initiation capability is maintained provided that the following can be initiated by the Function for one DG or emergency bus as applicable (if part of that Function):

DG start, disconnect from offsite power source, DG output breaker closure, and load shed. Upon completion of the Surveillance, or expiration of the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.SR 3.3.8.1.1 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function.

A successful test of the required contact(s) of a channel relay may be performed by the verification of the change of state of a single contact of the relay. This clarifies what is an acceptable CHANNEL FUNCTIONAL TEST of a relay. This is acceptable because all of the other required contacts of the relay are verified by other Technical Specifications and non-Technical Specifications tests at least once per refueling interval with Cooper B 3.3-190 11/25/12 1 LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) applicable extensions.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency of 31 days is based on operating experience with regard to channel OPERABILITY and drift, which demonstrates that failure of more than one channel of a given Function in any 31 day interval is a rare event.SR 3.3.8.1.2 A CHANNEL CALIBRATION is a complete check of the relay circuitry and associated time delay relays. This test verifies the channel responds to the measured parameter within the necessary range and accuracy.There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Frequency is based upon the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.8.1.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions.

The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

Cooper B 3.3-191 11/25/12 LOP Instrumentation B 3.3.8.1 BASES REFERENCES

1. USAR, Section VIII-4.6.2. USAR, Chapter XIV.3. 10 CFR 50.36(c)(2)(ii)

Cooper B 3.3-192 11/25/12 1 RPS Electric Power Monitoring B 3.3.8.2 B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring BASES BACKGROUND RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency.

This system protects the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path of the essential safety circuits.

Some of the essential equipment powered from the RPS buses includes the RPS logic and scram solenoids.

RPS electric power monitoring assembly will detect any abnormal high or low voltage or low frequency condition 4n the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize.In the event of failure of an RPS Electric Power Monitoring System (e.g., both inseries electric power monitoring assemblies), the RPS loads may experience significant effects from the unregulated power supply.Deviation from the nominal conditions can potentially cause damage to the scram solenoids and other Class 1 E devices.In the event of a low voltage condition for an extended period of time, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action.In the event of an overvoltage condition, the RPS logic relays and scram solenoids may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function.Two redundant Class 1 E circuit breakers are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply. Each of these circuit breakers has an associated independent set of Class 1 E overvoltage, undervoltage, and underfrequency sensing logic. Together, a circuit breaker and its sensing logic constitute an electric power monitoring assembly.

If the output of the MG set or the alternate power supply exceeds predetermined limits of overvoltage, undervoltage, or underfrequency, a trip coil driven by this logic circuitry opens the circuit breaker, which removes the associated power supply from service.Cooper B 3.3-193 11/25/12 1 RPS Electric Power Monitoring B 3.3.8.2 BASES APPLICABLE SAFETY ANALYSES The RPS electric power monitoring is necessary to meet the assumptions of the safety analyses by ensuring that the equipment powered from the RPS buses can perform its intended function.

RPS electric power monitoring provides protection to the RPS components that receive power from the RPS buses, by acting to disconnect the RPS from the power supply under specified conditions that could damage the RPS bus powered equipment.

RPS electric power monitoring satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).LCO The OPERABILITY of each RPS electric power monitoring assembly is dependent on the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the associated circuit breaker. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply. This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS components.

Each of the inservice electric power monitoring assembly trip logic setpoints is required to be within the specified Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.1).

Nominal trip setpoints are specified in the setpoint calculations.

The setpoint calculations are performed using methodology described in NEDC-31336P-A, "General Electric Instrument Setpoint Methodology," dated September 1996. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift).Cooper B 3.3-194 11/25/12 1 RPS Electric Power Monitoring B 3.3.8.2 BASES LCO (continued)

The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49)are accounted for.The Allowable Values for the instrument settings are based on the RPS providing

> 57 Hz, 120 V +/- 10% (to all equipment), and 115 V +/- 10 V (to scram solenoids).

The most limiting voltage requirement and associated line losses determine the settings of the electric power monitoring instrument channels.

The settings are calculated based on the loads on the buses and RPS MG set or alternate power supply being 120 VAC and 60 Hz.APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS components from the MG set or alternate power supply during abnormal voltage or frequency conditions.

Since the degradation of a nonclass I E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABILITY of the RPS electric power monitoring assemblies is required when the RPS components are required to be OPERABLE.

This results in the RPS Electric Power Monitoring System OPERABILITY being required in MODES 1 and 2; and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies.

ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS components under degraded voltage or frequency conditions.

However, the reliability and redundancy of the RPS Electric Power Monitoring System is reduced, and only a limited time (72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />) is allowed to restore the inoperable assembly to OPERABLE status. If the inoperable assembly cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service (Required Action A. 1). This places the RPS bus in a safe condition.

An alternate power supply with OPERABLE power monitoring assemblies may then be used to power the RPS bus.The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS electric power monitoring protection occurring Cooper B 3.3-195 11/25/12 I RPS Electric Power Monitoring B 3.3.8.2 BASES ACTIONS (continued) during this period. It allows time for plant operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems.Alternately, if it is not desired to remove the power supply from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.B. 1 If both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies.

Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.C.1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 1 or 2, a plant shutdown must be performed.

This places the plant in a condition where minimal equipment, powered through the inoperable RPS electric power monitoring assembly(s), is required and ensures that the safety function of the RPS (e.g., scram of control rods) is not required.

The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Time is reasonable, based on operating experience, to reach the required plant conditions from full power condition in an orderly manner and without challenging plant systems.Cooper B 3.3-196 11/25/12 1 RPS Electric Power Monitoring B 3.3.8.2 BASES ACTIONS (continued)

D.. 1 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 5, with any control rod withdrawn from a core cell containing one or more fuel assemblies, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies.

Required Action D.1 results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required.Action must continue until the Required Action is completed.

SURVEILLANCE REQUIREMENTS SR 3.3.8.2.1 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

There is a plant specific program which verifies that the instrument channel functions as required by verifying the as-left and as-found settings are consistent with those established by the setpoint methodology.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Frequency is based on the assumption of a 24 month calibration interval in the determination of the magnitude of equipment drift in the setpoint analysis.SR 3.3.8.2.2 Performance of a system functional test demonstrates that, with a required system actuation (simulated or actual) signal, the logic of the system will automatically trip open the associated power monitoring assembly.

The system functional test shall include actuation of the protective relays, tripping logic, and output circuit breakers.

Only one signal per power monitoring assembly is required to be tested. This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function.

The system functional test of the Class 1 E circuit breakers is included as part of this test to provide complete testing of the safety function.

If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable.

Cooper B 3.3-197 11/25/12 RPS Electric Power Monitoring B 3.3.8.2 BASES SURVEILLANCE REQUIREMENTS (continued)

The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

REFERENCES

1. USAR, Section VII-2.3.2. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.3-198 11/25/12 Recirculation Loops Operating B 3.4.1 BASES APPLICABLE SAFETY ANALYSES (continued) protected from regional mode oscillations through avoidance of the Stability Exclusion Region and administrative controls on reactor conditions which are primary factors affecting reactor stability.

Recirculation loops operating satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).LCO Two recirculation loops are required to be in operation with their flows matched within the limits specified in SR 3.4.1.1 to ensure that during a LOCA caused by a break of the piping of one recirculation loop the assumptions of the LOCA analysis are satisfied.

Alternatively, with only one recirculation loop in operation, modifications to the required APLHGR limits (LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), MCPR limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), and APRM Neutron Flux-High (Flow Biased)setpoint (LCO 3.3.1.1) must be applied to allow continued operation consistent with the assumptions of Reference

3. During single recirculation loop operation, the recirculation system controls are placed in the manual flow control mode. In addition, during two loop or single loop operation, core flow as a function of core THERMAL POWER must not be in the Stability Exclusion Region of the power/flow map specified in the COLR.APPLICABILITY In MODES 1 and 2, requirements for operation of the Reactor Coolant Recirculation System are necessary since there is considerable energy in the reactor core and the limiting design basis transients and accidents are assumed to occur.In MODES 3, 4, and 5, the consequences of an accident are reduced and the coastdown characteristics of the recirculation loops are not important.

Cooper B 3.4-4 01/06/12 SRVs and SVs B 3.4.3 BASES APPLICABLE SAFETY ANALYSES (continued analysis was performed assuming a setpoint tolerance of + 3% for the SRVs and SVs (Ref. 3 and Ref. 7). For the purpose of the current setpoint tolerance analysis, 7 of 8 SRVs and 3 SVs are assumed to operate in the safety mode. The analysis results demonstrate that the design SRV and SV capacity, with a setpoint tolerance of + 3%, is capable of maintaining reactor pressure below the ASME Code limit of 110% of vessel design pressure (110% x 1250 psig = 1375 psig). This LCO helps to ensure that the acceptance limit of 1375 psig is met during the most severe design basis pressure transient.

From an overpressure standpoint, the design basis events are bounded by the MSIV closure with flux scram event described above. Reference 4 discusses additional events that are expected to actuate the SRVs and SVs.SRVs and SVs satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).LCO The safety function of 7 of 8 SRVs and 3 SVs is required to be OPERABLE to satisfy the assumptions of the safety analysis (Ref. 3 and Ref. 7). The requirements of this LCO, as they apply to the SRVs, are applicable only to the capability of the SRVs to mechanically open to relieve excess pressure when the lift setpoint is exceeded (safety function).

The SRV and SV setpoints are established to ensure that the ASME Code limit on peak reactor pressure is satisfied.

The ASME Code specifications require the lowest safety valve setpoint to be at or below vessel design pressure (1250 psig) and the highest safety valve to be set so that the total accumulated pressure does not exceed 110% of the design pressure for overpressurization conditions.

The transient evaluations in Reference 3 are based on these setpoints, but also include the additional uncertainties of +/- 3% of the nominal setpoint to provide an added degree of conservatism.

Operation with fewer valves OPERABLE than specified, or with setpoints outside the ASME limits, could result in a more severe reactor response to a transient than predicted, possibly resulting in the ASME Code limit on reactor pressure being exceeded.Cooper B 3.4-15 03/05/12 SRVs and SVs B 3.4.3 BASES APPLICABILITY In MODES 1, 2, and 3, 7 of 8 SRVs and 3 SVs must be OPERABLE, since considerable energy may be in the reactor core and the limiting design basis transients are assumed to occur in these MODES. The SRVs and SVs may be required to provide pressure relief to limit peak reactor pressure.In MODE 4, decay heat is low enough for the RHR System to provide adequate cooling, and reactor pressure is low enough that the overpressure limit is unlikely to be approached by assumed operational transients or accidents.

In MODE 5, the reactor vessel head is unbolted or removed and the reactor is at atmospheric pressure.

The SRV and SV function is not needed during these conditions.

ACTIONS A.1 and A.2 With the safety function of one or more of the required SRVs or SVs inoperable, a transient may result in the violation of the ASME Code limit on reactor pressure.

If the safety function of one or more of the required SRVs or SVs is inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach required plant conditions from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS SR 3.4.3.1 This Surveillance requires that the SRVs and SVs will open at the pressures assumed in the safety analysis of Reference

3. The demonstration of the SRV and SV safety function lift settings must be performed during shutdown, since this is a bench test, to be done in accordance with the Inservice Testing Program. The lift setting pressure shall correspond to ambient conditions of the valves at nominal operating temperatures and pressures.

The SRV setpoint is +/- 3% for OPERABILITY; however, the valves are reset to +/- 1% during the Surveillance to allow for drift.Cooper B 3.4-16 03/05/12 SRVs and SVs B 3.4.3 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.4.3.2 A manual actuation of each SRV (until the main turbine bypass valves have closed to compensate for SRV opening) is performed to verify that, mechanically, the valve is functioning properly and no blockage exists in the valve discharge line. This can also be demonstrated by the response of the turbine control valves or bypass valves, by a change in the measured steam flow, or by any other method suitable to verify steam flow. Adequate reactor steam dome pressure must be available to perform this test to avoid damaging the valve. Also, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure and steam flow when the SRVs divert steam flow upon opening. Sufficient time is therefore allowed after the required pressure and flow are achieved to perform this test.Adequate pressure at which this test is to be performed is 2 500 psig, consistent with the recommendations of the vendor. Adequate steam flow is represented by turbine bypass valves at least 30% open, or total steam flow > 106 lb/hr. Plant startup is allowed prior to performing this test because valve OPERABILITY and the setpoints for overpressure protection are verified, per ASME Code requirements, prior to valve installation.

Therefore, this SR is modified by a Note that states the Surveillance is not required to be performed until 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reactor steam pressure and flow are adequate to perform the test. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for manual actuation after the required pressure and steam flow are reached is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. If a valve fails to actuate due only to the failure of the solenoid but is capable of opening on overpressure, the safety function of the SRV is not considered inoperable.

The 24 month Frequency was developed based on the SRV tests required by the ASME Code for Operation and Maintenance of Nuclear Power Plants (Ref. 6). Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Cooper B 3.4-17 11/25/12 SRVs and SVs B 3.4.3 BASES REFERENCES

1. ASME Boiler and Pressure Vessel Code,Section III.2. USAR, Section IV-4.9.3. NEDC-31628P, SRV Setpoint Tolerance Analysis for Cooper Nuclear Station, October 1988.4. USAR,Section XIV.5. 10 CFR 50.36(c)(2)(ii).
6. ASME Code for Operation and Maintenance of Nuclear Power Plants.7. NEDC 10-032 Revision 1, Acceptance of GE SRV Out-of-Service Reports, October 29, 2010.Cooper B 3.4-18 03/05112 ECCS -Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued) should overcome the RPV pressure and associated discharge line losses.Adequate reactor pressure must be available to perform these tests.Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the HPCI System diverts steam flow. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these tests. Adequate reactor steam pressure must be > 920 psig to perform SR 3.5.1.7 and > 145 psig to perform SR 3.5.1.8. Adequate steam flow is represented by turbine bypass valves at least 30% open, or total steam flow > 106 lb/hr. Reactor startup is allowed prior to performing the low pressure Surveillance test because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance test is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that HPCI is inoperable.

Therefore, SR 3.5.1.7 and SR 3.5.1.8 are modified by Notes that state the Surveillances are not required to be performed until 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the reactor steam pressure and flow are adequate to perform the test. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for the flow tests after required pressure and flow are reached are sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SRs. For SR 3.5.1.8, while adequate pressure can be reached prior to the required Applicability for HPCI, the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowance of the Note would not apply until entering the Applicability

(>150 psig) with adequate steam flow.The Frequency for SR 3.5.1.6 and SR 3.5.1.7 is in accordance with the Inservice Testing Program requirements.

The 24 month Frequency for SR 3.5.1.8 is based on the need to perform the Surveillance under the conditions that apply just prior to or during a startup from a plant outage.Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Cooper B 3.5-13 11/25/12 ECCS -Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.1.9 The ECCS subsystems are required to actuate automatically to perform their design functions.

This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCI, CS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions.

This SR also ensures that the HPCI System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8)trip and that the suction is automatically transferred from the ECSTs to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to provide complete testing of the assumed safety function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by Note 1 that says for HPCI only the Surveillance is not required to be performed until 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after the reactor steam pressure and flow are adequate to perform the test. The time allowed for this test after required pressure and flow are reached is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. Adequate reactor pressure must be available to perform this test. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the HPCI System diverts steam flow. Thus, sufficient time is allowed after adequate pressure and flow are achieved to perform this test. Adequate reactor steam pressure is > 145 psig.Adequate steam flow is represented by turbine bypass valves at least Cooper B 3.5-14 11/25/12 ECCS -Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued) 30% open, or a total steam flow of 106 lb/hr. Reactor startup is allowed prior to performing this test because the reactor pressure is low and the time allowed to satisfactorily perform the test is short. For SR 3.5.1.9, while adequate pressure can be reached prior to the required Applicability for HPCI, the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowance of the Note would not apply until entering the Applicability

(>150 psig) with adequate steam flow.This SR is modified by Note 2 that excludes vessel injection/spray during the Surveillance.

Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

SR 3.5.1.10 The ADS designated SRVs are required to actuate automatically upon receipt of specific initiation signals. A system functional test is performed to demonstrate that the mechanical portions of the ADS function (i.e., solenoids) operate as designed when initiated either by an actual or simulated initiation signal, causing proper actuation of all the required components.

SR 3.5.1.11 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note that excludes valve actuation since the valves are individually tested in accordance with SR 3.5.1.11.

This also prevents an RPV pressure blowdown.Cooper B 3.5-15 11/25/12 ECCS -Operating B 3.5.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.1.11 A manual actuation of each ADS valve is performed to verify that the valve and solenoid are functioning properly and that no blockage exists in the SRV discharge lines. This is demonstrated by the response of the turbine control or bypass valve or by a change in the measured flow or by any other method suitable to verify steam flow. Adequate reactor steam dome pressure must be available to perform this test to avoid damaging the valve. Also, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the ADS valves divert steam flow upon opening. Sufficient time is therefore allowed after the required pressure and flow are achieved to perform this SR. Adequate pressure at which this SR is to be performed is -500 psig (consistent with the recommendations of the vendor).Adequate steam flow is represented by turbine bypass valves at least 30% open, or total steam flow > 106 lb/hr. Reactor startup is allowed prior to performing this SR because valve OPERABILITY and the setpoints for overpressure protection are verified, per ASME requirements, prior to valve installation.

Therefore, this SR is modified by a Note that states the Surveillance is not required to be performed until 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> after reactor steam pressure and flow are adequate to perform the test. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for manual actuation after the required pressure is reached is sufficient to achieve stable conditions and provides adequate time to complete the Surveillance.

SR 3.5.1.10 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function.The Frequency is based on the need to perform the Surveillance under the conditions that apply just prior to or during a startup from a plant outage. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES

1. USAR, Section VI-4.3.2. USAR, Section VI-4.4.Cooper B 3.5-16 11/25/12 RCIC System B 3.5.3 BASES SURVEILLANCE REQUIREMENTS (continued) adequate to perform the test. The 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowed for the flow tests after the required pressure and flow are reached are sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SRs. For SR 3.5.3.4, while adequate pressure can be reached prior to the required Applicability for RCIC, the 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> allowance of the Note would not apply until entering the Applicability

(>150 psig) with adequate steam flow.A 92 day Frequency for SR 3.5.3.3 is consistent with the Inservice Testing Program requirements.

The 24 month Frequency for SR 3.5.3.4 is based on the need to perform the Surveillance under conditions that apply just prior to or during a startup from a plant outage. Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.5.3.5 The RCIC System is required to actuate automatically in order to verify its design function satisfactorily.

This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of the RCIC System will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence; that is, automatic pump startup and actuation of all automatic valves to their required positions.

This test also ensures the RCIC System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8)trip and that the suction is automatically transferred from the ECST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.2 overlaps this Surveillance to provide complete testing of the assumed design function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Cooper B 3.5-29 11/25/12 Primary Containment B 3.6.1.1 BASES SURVEILLANCE REQUIREMENTS (continued) does not change by more than the calculated amount per minute over a 10 minute period. The leakage test is performed every 24 months. The 24 month Frequency was developed considering it is prudent that this Surveillance be performed during a unit outage and also in view of the fact that component failures that might have affected this test are identified by other primary containment SRs. Two consecutive test failures, however, would indicate unexpected primary containment degradation; in this event, as the Note indicates, increasing the Frequency to once every 9 months is required until the situation is remedied as evidenced by passing two consecutive tests.REFERENCES

1. USAR, Section V-2.4.2. USAR, Section XIV-6.3.3. 10 CFR 50, Appendix J, Option B.4. 10 CFR 50.36(c)(2)(ii).
5. Safety Evaluation Report by U.S. Atomic Energy Commission dated February 14, 1973 (Section 6.2.1)Cooper B 3.6-5 11/25/12 PCIVs B 3.6.1.3 BASES SURVEILLANCE REQUIREMENTS (continued) calculated radiological consequences of these events remain within 10 CFR 100 limits. The Frequency of this SR is in accordance with the requirements of the Inservice Testing Program.SR 3.6.1.3.7 Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a DBA. This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.1, "Primary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function.

The 24 month Frequency was developed considering it is prudent that this Surveillance be performed only during a unit outage since isolation of penetrations would disrupt the normal operation of many critical components.

Operating experience has shown that these components usually pass this Surveillance when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.6.1.3.8 This SR requires a demonstration that a representative sample of reactor instrumentation line excess flow check valves (EFCVs) are OPERABLE by verifying that each valve actuates to the isolation position on an actual or simulated instrument line break. The representative sample consists of an approximately equal number of EFCVs, such that each EFCV is tested at least once every 10 years (nominal).

This SR provides assurance that the instrumentation line EFCVs will perform so that predicted radiological consequences will not be exceeded during the postulated instrument line break event. The 24 month Frequency is based on the need to perform the Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power.The nominal 10 year interval is based on other performance-based testing programs, such as Inservice Testing (snubbers) and Option B to 10 CFR 50, Appendix J. Furthermore, any EFCV failures will be evaluated to determine if additional testing in that test interval is warranted to ensure overall reliability is maintained.

Operating experience has demonstrated that these components are highly reliable and that failures to isolate are very infrequent.

Therefore, testing of a representative sample was concluded to be acceptable from a reliability standpoint.

Cooper B 3.6-27 11/25/12 PCIVs B 3.6.1.3 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.1.3.9 The TIP shear isolation valves are actuated by explosive charges. An in place functional test is not possible with this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required.

The replacement charge for the explosive squib shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired. The Frequency of 24 months on a STAGGERED TEST BASIS is considered adequate given the administrative controls on replacement charges and the frequent checks of circuit continuity (SR 3.6.1.3.4).

SR 3.6.1.3.10 The analyses in References 8 and 9 are based on leakage that is less than the specified leakage rate. A leakage rate of 150 scfh per Main Steam line at > Pa (58 psig) was assumed in the LOCA analyses.

The equivalent leakage rate at > Pt (29 psig) is 106 scfh. An "MSIV line" is each one of the four Main Steam lines with an inboard and an outboard Main Steam Isolation Valve (MSIV). The leakage rate to be measured is the Main Steam line "minimum path" leakage (the lesser actual pathway leakage of the two MSIVs in the Main Steam Line). The leakage limit is based on the analyses of References 11 and 12. The Frequency is in accordance with the Primary Containment Leakage Rate Testing Program.SR 3.6.1.3.11 Verifying each inboard 24 inch primary containment purge and vent valve (PC-230 MV, PC-231 MV, PC-232 MV, and PC-233 MV) is blocked to restrict the maximum opening angle to 600 is required to ensure that the valves can close under DBA conditions within the times assumed in the analysis of References 7 and 8. If a LOCA occurs, the purge and vent valves must close to maintain containment leakage within the values assumed in the accident analysis.

At other times, pressurization concerns are not present, thus the purge valves can be fully open. The 24 month Frequency is appropriate because the blocking devices may be removed during a refueling outage.SR 3.6.1.3.12 The Main Steam Pathway is the analyzed leakage path from the four Main Steam lines and the inboard Main Steam drain line to and including the condenser.

The leakage limit imposed on the Main Steam Pathway with this surveillance requirement applies to the total (aggregate) leakage for the Main Steam Pathway. The Main Steam Pathway leakage includes the total leakage of all four Main Steam line penetrations plus Cooper B 3.6-28 11/25/12 LLS Valves B 3.6.1.6 BASES ACTIONS (continued)

Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.SURVEILLANCE REQUIREMENTS SR 3.6.1.6.1 A manual actuation of each LLS valve is performed to verify that the valve and solenoids are functioning properly and no blockage exists in the valve discharge line. This can be demonstrated by the response of the turbine control or bypass valve, by a change in the measured steam flow, or by any other method that is suitable to verify steam flow.Adequate reactor steam dome pressure must be available to perform this test to avoid damaging the valve. Adequate pressure at which this test is to be performed is > 500 psig (consistent with the recommendations of the vendor). Also, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the LLS valves divert steam flow upon opening. Adequate steam flow is represented by turbine bypass valves at least 30% open, or total steam flow > 106 lb/hr. The 24 month Frequency was based on the SRV tests required by the ASME Code for Operation and Maintenance of Nuclear Power Plants (Ref. 3). Operating experience has shown that these components usually pass the Surveillance when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

Since steam pressure is required to perform the Surveillance, however, and steam may not be available during a unit outage, the Surveillance may be performed during the startup following a unit outage. Unit startup is allowed prior to performing the test because valve OPERABILITY and the setpoints for overpressure protection are verified by Reference 3 prior to valve installation.

After adequate reactor steam dome pressure and flow are reached, 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is allowed to prepare for and perform the test.Cooper B 3.6-37 11/25/12 LLS Valves B 3.6.1.6 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.1.6.2 The LLS designated SRVs are required to actuate automatically upon receipt of specific initiation signals. A system functional test is performed to verify that the mechanical portions (i.e., solenoids) of the LLS function operate as designed when initiated either by an actual or simulated automatic initiation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.3, "Low-Low Set (LLS) Instrumentation," overlaps this SR to provide complete testing of the safety function.The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power.Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note that excludes valve actuation.

This prevents a reactor pressure vessel pressure blowdown.REFERENCES

1. 10 CFR 50.36(c)(2)(ii).
2. NEDE-22197, Safety Relief Valve Low Low Set System and Lower MSIV Water Level Trip for Cooper Nuclear Station, Unit 1, December 1982.3. ASME Code for Operation and Maintenance of Nuclear Power Plants.Cooper B 3.6-38 11/25/12 Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.1.7.2 Each vacuum breaker must be cycled to ensure that it opens properly to perform its design function and returns to its fully closed position.

This ensures that the safety analysis assumptions are valid. The 92 day Frequency of this SR was developed based upon Inservice Testing Program requirements to perform valve testing at least once every 92 days.SR 3.6.1.7.3 Demonstration of vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of < 0.5 psid is valid. The 24 month Frequency is based on the need to perform some of the surveillance procedures which satisfy this SR under the conditions that apply during a plant outage and the potential for an unplanned transient if those particular procedures were performed with the reactor at power. For this unit, the 24 month Frequency has been shown to be acceptable, based on operating experience, and is further justified because of other Surveillances performed at shorter Frequencies that convey the proper functioning status of each vacuum breaker.REFERENCES

1. Bodega Bay Preliminary Hazards Summary Report, Appendix I, Docket 50-205, December 28, 1962.2. USAR, Section V-2.3.6.3. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.6-44 11/25/12 Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 BASES SURVEILLANCE REQUIREMENTS (continued) requirements to perform valve testing at least once every 92 days. A 31 day Frequency was chosen to provide additional assurance that the vacuum breakers are OPERABLE, since they are located in a harsh environment (the suppression chamber airspace).

SR 3.6.1.8.3 Verification of the vacuum breaker setpoint for opening is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. The 24 month Frequency has been shown to be acceptable, based on operating experience, and is further justified because of other surveillances performed at shorter Frequencies that convey the proper functioning status of each vacuum breaker.REFERENCES

1. Bodega Bay Preliminary Hazards Summary Report, Appendix I, Docket 50-205, December 28, 1962.2. USAR, Section XIV-6.3.3. Deleted 4. USAR, Section V-2.3.6.5. 10 CFR 50.36(c)(2)(ii).
6. FSAR Question No. 5.17.Cooper B 3.6-50 11/25/12 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.4.1.4 The SGT System exhausts the secondary containment atmosphere to the environment through appropriate treatment equipment.

SR 3.6.4.1.4 demonstrates that one SGT subsystem can maintain > 0.25 inches of vacuum water gauge for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> at a flow rate < 1780 cfm. The 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> test period allows secondary containment to be in thermal equilibrium at steady state conditions.

Therefore, this test is used to ensure secondary containment boundary integrity.

Since this SR is a secondary containment test, it need not be performed with each SGT subsystem.

The SGT subsystems are tested on a STAGGERED TEST BASIS, however, to ensure that in addition to the requirements of LCO 3.6.4.3, either SGT subsystem will perform this test. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES

1. USAR, Section XIV-6.3.2. USAR, Section XIV-6.4.3. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.6-71 11/25/12 SCIVs B 3.6.4.2 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.4.2.3 Verifying that each automatic SCIV closes on a secondary containment isolation signal is required to minimize leakage of radioactive material from secondary containment following a DBA or other accidents.

This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2, "Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function.

The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown these components usually pass the Surveillance when performed at the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

REFERENCES

1. USAR, Section V-3.0.2. USAR, Section XIV-6.0.3. USAR, Section XIV-6.3.4. USAR, Section XIV-6.4 5. 10 CFR 50.36(c)(2)(ii).
6. Technical Requirements Manual.Cooper B 3.6-78 11/25/12 SGT System B 3.6.4.3 BASES SURVEILLANCE REQUIREMENTS (continued) fan motors and controls and the redundancy available in the system.SR 3.6.4.3.2 This SR verifies that the required SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test frequencies and additional information are discussed in detail in the VFTP.SR 3.6.4.3.3 This SR verifies that each SGT subsystem starts on receipt of an actual or simulated initiation signal. While this Surveillance can be performed with the reactor at power, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency.

The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.6.2,"Secondary Containment Isolation Instrumentation," overlaps this SR to provide complete testing of the safety function.

Therefore, the Frequency was found to be acceptable from a reliability standpoint.

SR 3.6.4.3.4 This SR verifies that the SGT units cross tie damper is in the correct position, and that each SGT room air supply check valve and each air operated SGT dilution air shutoff valve open when required.

This ensures that the decay heat removal function of SGT System operation is available.

While this Surveillance can be performed with the reactor at power, operating experience has shown that these components will pass the Surveillance when performed at the 24 month Frequency, which is based on the refueling cycle. Therefore, the Frequency was found to be acceptable from a reliability standpoint.

REFERENCES

1. (Deleted)2. USAR, Section V-3.3.4.3. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.6-84 11/25/12 RHRSWB System B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Residual Heat Removal Service Water Booster (RHRSWB) System BASES BACKGROUND The RHRSWB System is designed to provide cooling water for the Residual Heat Removal (RHR) System heat exchangers, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient.

The RHRSWB System is operated whenever the RHR heat exchangers are required to operate in the shutdown cooling or suppression pool cooling mode.The RHRSWB System consists of two independent and redundant subsystems.

Each subsystem is made up of a header, two 4000 gpm pumps, a suction source, valves, piping, heat exchanger, and associated instrumentation.

Either of the two subsystems is capable of providing the required cooling capacity with one pump operating to maintain safe shutdown conditions.

The two subsystems are separated from each other by normally closed manually operated cross tie valves, so that failure of one subsystem will not affect the OPERABILITY of the other subsystem.

The RHRSWB System is designed with sufficient redundancy so that no single active component failure can prevent it from achieving its design function.

The RHRSWB System is described in the USAR, Section X-8.2, Reference 1.Normal cooling water is pumped by the RHRSWB pumps from the Service Water System through the tube side of the RHR heat exchangers, and discharges to the circulating water discharge canal.Minimum flow through the RHRSWB pumps is ensured by an interlock with their respective RHR heat exchanger discharge valves. When the pump control switch is taken to "Start", the associated discharge valve opens enough to pass approximately 2500 gpm, ensuring minimum flow through the pump. The pump will then start.The system is initiated manually from the control room. If operating during a loss of coolant accident (LOCA), the system is automatically tripped to allow the diesel generators to automatically power only that equipment necessary to reflood the core. The system is assumed in the analysis to be manually started 10 minutes after the LOCA (Ref. 2).APPLICABLE SAFETY ANALYSES The RHRSWB System removes heat from the suppression pool via the RHR System to limit the suppression pool temperature and primary containment pressure following a LOCA. This ensures that the primary containment can perform its function of limiting the release of radioactive Cooper B 3.7-1 11/25/12 I RHRSWB System B 3.7.1 BASES APPLICABLE SAFETY ANALYSIS (continued) materials to the environment following a LOCA. The ability of the RHRSWB System to support long term cooling of the reactor or primary containment is discussed in the USAR, Section X-8.2 and Chapter XIV (Refs. I and 3, respectively).

These analyses explicitly assume that the RHRSWB System will provide adequate cooling support to the equipment required for safe shutdown.

These analyses include the evaluation of the long term primary containment response after a design basis LOCA.The safety analyses for long term cooling were performed for various combinations of RHR System failures.

The worst case single failure that would affect the performance of the RHRSWB System is any failure that would disable one subsystem of the RHRSWB System. As discussed in the USAR, Chapter XIV (Ref. 3) for these analyses, manual initiation of the OPERABLE RHRSWB subsystem and the associated RHR System is assumed to occur 10 minutes after a DBA. The RHRSWB System flow assumed in the analyses is 4000 gpm per pump with one pump operating in one loop. In this case, the maximum suppression chamber water temperature and pressure are 196°F and 12.4 psig, respectively, well below the design temperature of 281 OF and maximum allowable pressure of 56 psig. However, to provide additional margin, two RHRSWB pumps per subsystem are required to be OPERABLE to satisfy the requirements of the LCO.The RHRSWB System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref.4).LCO Two RHRSWB subsystems are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.An RHRSWB subsystem is considered OPERABLE when: a. Two pumps are OPERABLE; and b. An OPERABLE flow path is capable of taking suction from the Service Water System and transferring the water to the required RHR heat exchangers at the assumed flow rate; and c. The associated manual valve on the RHRSWB System cross tie piping (which allows the two RHRSWB subsystems to be connected) is closed.Cooper B 3.7-2 11/25/12 I RHRSWB System B 3.7.1 BASES LCO (continued)

An adequate suction source is not addressed in this LCO since the minimum net positive suction head (45 ft) is bounded by the service water pump requirements (LCO 3.7.2, "Service Water (SW) System and Ultimate Heat Sink (UHS)").APPLICABILITY In MODES 1, 2, and 3, the RHRSWB System is required to be OPERABLE to support the OPERABILITY of the RHR System for primary containment cooling (LCO 3.6.2.3, "Residual Heat Removal (RHR)Suppression Pool Cooling")

and decay heat removal (LCO 3.4.7,"Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown").

The Applicability is therefore consistent with the requirements of these systems.In MODES 4 and 5, the OPERABILITY requirements of the RHRSWB System are determined by the systems it supports and therefore, the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, the LCOs of the RHR Shutdown Cooling System (LCO 3.4.8,"RHR Shutdown Cooling System-Cold Shutdown," LCO 3.9.7, "RHR-High Water Level," and LCO 3.9.8, "RHR-Low Water Level"), which require portions of the RHRSWB System to be OPERABLE, will govern RHRSWB System operation in MODES 4 and 5.ACTIONS A..1 With one RHRSW pump inoperable, the inoperable pump must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE RHRSW pumps are adequate to perform the RHRSW heat removal function.

However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced RHRSW capability.

The 30 day Completion Time is based on the remaining RHRSW heat removal capability, including enhanced reliability afforded by manual cross connect capability, and the low probability of a DBA with concurrent worst case single failure.B.1 With one RHRSWB subsystem inoperable for reasons other than Condition A, the inoperable RHRSWB subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE RHRSWB subsystem is adequate to perform the RHRSWB heat removal function.

However, the overall reliability is Cooper B 3.7-3 11/25/12 I RHRSWB System B 3.7.1 BASES ACTIONS (continued) reduced because a single failure in the OPERABLE RHRSWB subsystem could result in loss of RHRSWB function.

The Completion Time is based on the redundant RHRSWB capabilities afforded by the OPERABLE subsystem and the low probability of an event occurring requiring RHRSWB during this period.The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7, be entered and Required Actions taken if an inoperable RHRSWB subsystem results in an inoperable RHR shutdown cooling subsystem.

This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

C..1 If the RHRSWB subsystems cannot be restored to OPERABLE status within the associated Completion Times or if both RHRSWB subsystems are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE REQUIREMENTS SR 3.7.1.1 Verifying the correct alignment for each manual and power operated valve in each RHRSWB subsystem flow path provides assurance that the proper flow paths will exist for RHRSWB operation.

This SR applies only to valves affecting the direct flow path. This SR excludes valves that, if mispositioned, would not affect system or subsystem OPERABILITY.

Also, this SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing.

A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be realigned to its accident position.

This is acceptable because the RHRSWB System is a manually initiated system.This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are Cooper B 3.7-4 11/25/12 1 RHRSWB System B 3.7.1 BASES SURVEILLANCE REQUIREMENTS (continued) in the correct position.

This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

REFERENCES

1. USAR, Section X-8.2.2. USAR, Table VIII-5-1.3. USAR, Chapter XIV.4. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.7-5 11/25/12 1 SW System and UHS B 3.7.2 B 3.7 PLANT SYSTEMS B 3.7.2 Service Water SW System and Ultimate Heat Sink (UHS)BASES BACKGROUND The SW System is designed to provide cooling water for the removal of heat from equipment, such as the diesel generators (DGs) and Reactor Equipment Cooling (REC) System heat exchangers, and to provide a supply of water for the Residual Heat Removal Service Water Heat Exchangers through the Residual Heat Removal Service Water Booster (RHRSWB) System pumps, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient.

The SW System also provides cooling to unit components, as required, during normal operation.

The SW System also provides cooling water to turbine building non-essential loads. If SW header pressure falls below 20 psig, the system automatically isolates the non-essential header by closing the discharge cross-tie valves. The SW system can be manually aligned as a backup to the REC System through remotely controlled motor operated valves. This configuration would be used in the event that the REC System becomes incapable of performing its essential cooling function and in this configuration the SW System provides cooling water to the room coolers for the Emergency Core Cooling System (Core Spray, RHR, HPCI) pump rooms and the RHR pump seal water coolers.The SW System consists of the Ultimate Heat Sink (UHS) and two independent and redundant subsystems.

Each of the two SW subsystems is made up of a header, two 8000 gpm pumps, a suction source, valves, piping and associated instrumentation.

Either of the two subsystems is capable of providing the required cooling capacity to support the required systems with one pump operating.

The two subsystems are separated from each other so failure of one subsystem will not affect the OPERABILITY of the other system.Cooling water is pumped from the Missouri River by the SW pumps to the essential components through the two main headers. After removing heat from the components, the water is collected into two discharge headers and routed to the discharge canal where the water is returned to the river. Service Water discharge from the turbine equipment cooling (TEC) heat exchangers is routed to the 1 A circulating water (CW)discharge tunnel.Cooper B 3.7-6 11/25/12 I SW System and UHS B 3.7.2 BASES APPLICABLE SAFETY ANALYSES Sufficient water level is available for all SW System post LOCA cooling requirements when the river level is at least 865 ft mean sea level with no additional makeup water source available (Ref. 1). A river level of 865 ft mean sea level equates to a level of at least 863.67 ft mean sea level in the SW pump bay under postulated worst case conditions.

This level exceeds the 863.60 ft mean sea level submergence requirements for necessary long term SW cooling under the postulated worst case conditions.

The ability of the SW System to support long term cooling of the reactor containment is assumed in evaluations of the equipment required for safe reactor shutdown presented in the USAR, Chapters V and XIV (Refs. 2 and 3, respectively).

These analyses include the evaluation of the long term primary containment response after a design basis LOCA.The ability of the SW System to provide adequate cooling to the identified safety equipment is an implicit assumption for the safety analyses evaluated in References 2 and 3. The ability to provide onsite emergency AC power is dependent on the ability of the SW System to cool the DGs.The long term cooling capability of the RHR, core spray, and RHRSWB pumps is also dependent on the cooling provided by the SW System. SW backup to REC is capable of performing the essential heat removal function as evaluated in Reference 5.The SW System, together with the UHS, satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).LCO The SW subsystems are independent of each other to the degree that each has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a DBA, one subsystem of SW is required to provide the minimum heat removal capability assumed in the safety analysis for the system to which it supplies cooling water. To ensure this requirement is met, two subsystems of SW must be OPERABLE.

At least one subsystem will operate, if the worst single active failure occurs coincident with the loss of offsite power.A subsystem is considered OPERABLE when it has an OPERABLE UHS, two OPERABLE pumps, and an OPERABLE flow path capable of taking suction from the intake structure and transferring the water to the appropriate equipment.

The OPERABILITY of the UHS is based on having a minimum river water level of 865 ft mean sea level and a maximum water temperature of 95°F.Cooper B 3.7-7 12/21/12 SW System and UHS B 3.7.2 BASES LCO (continued)

The isolation of the SW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the SW System.APPLICABILITY In MODES 1, 2, and 3, the SW System and UHS are required to be OPERABLE to support OPERABILITY of the equipment serviced by the SW System. Therefore, the SW System and UHS are required to be OPERABLE in these MODES.Under other plant conditions, the OPERABILITY requirements of the SW System and UHS are determined by the systems they support and therefore, the requirements are not the same for all facets of operation.

Thus, the LCOs of the RHR Shutdown Cooling System (LCO 3.4.8, "RHR Shutdown Cooling System-Cold Shutdown," LCO 3.5.2, "ECCS-Shutdown," LCO 3.8.2, "AC Sources-Shutdown," LCO 3.9.7, "RHR-High Water Level," and LCO 3.9.8, "RHR-Low Water Level"), which require portions of the SW System to be OPERABLE, will govern SW System operation in MODES 4 and 5.ACTIONS A.1 With one SW subsystem inoperable, the SW subsystem must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE SW subsystem is adequate to perform the heat removal function.

However, the overall reliability is reduced because a single failure in the OPERABLE SW subsystem could result in loss of SW function.The 30 day Completion Time is based on the redundant SW System capabilities afforded by the OPERABLE subsystem and the low probability of an accident occurring during this time period.Required Action A.1 is modified by two Notes indicating that the applicable Conditions of LCO 3.8.1, "AC Sources-Operating," LCO 3.4.7,"Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown," be entered and Required Actions taken if the inoperable SW subsystem results in an inoperable DG or RHR shutdown cooling subsystem, respectively.

This is in accordance with LCO 3.0.6 and ensures the proper actions are taken for these components.

Cooper B 3.7-8 11/25/12 I SW System and UHS B 3.7.2 BASES ACTIONS (continued)

B.1 and B.2 If the SW subsystem cannot be restored to OPERABLE status within the associated Completion Time, or both SW subsystems are inoperable, or the UHS is determined inoperable the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE REQUIREMENTS SR 3.7.2.1 This SR verifies the river water level to be sufficient for the proper operation of the SW pumps (net positive suction head and pump vortexing are considered in determining this limit). The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.SR 3.7.2.2 Verification of the UHS temperature ensures that the heat removal capability of the SW System is within the assumptions of the DBA analysis.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.SR 3.7.2.3 Verifying the correct alignment for each manual, power operated, and automatic valve in each SW subsystem flow path provides assurance that the proper flow paths will exist for SW operation.

This SR applies only to valves affecting the direct flow path. This SR excludes valves that, if mispositioned, would not affect system or subsystem OPERABILITY.

Also, this SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing.

A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident Cooper B 3.7-9 11/25/12 I SW System and UHS B 3.7.2 BASES SURVEILLANCE REQUIREMENTS (continued) position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position.

This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.This SR is modified by a Note indicating that isolation of the SW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the SW System. As such, when all SW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the SW System is still OPERABLE.The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.2.4 This SR verifies that the automatic isolation valves of the SW System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event. This is demonstrated by the use of an actual or simulated initiation signal. The initiation signal is caused by low SW header pressure (approximately 20 psig). This SR also verifies the automatic start capability of one of the two SW pumps in each subsystem.

Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency.

Therefore, this Frequency is concluded to be acceptable from a reliability standpoint.

REFERENCES

1. NEDC 94-255, "Hydraulic Evaluation of Opening in Intake Structure Guide Wall," June 14, 1995.2. USAR, Chapter V.3. USAR, Chapter XIV.4. 10 CFR 50.36(c)(2)(ii).
5. NEDC 00-095E, "CNS Reactor Building Post-LOCA Heating Analysis," May 28, 2010.Cooper B 3.7-10 11/25/12 REC System B 3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 Reactor Equipment Cooling (REC) System BASES BACKGROUND The REC System is designed to provide cooling water for the removal of heat from equipment, such as the room coolers for the core spray pump rooms, RHR pump rooms, and HPCI pump room, required for a safe reactor shutdown following a Design Basis Accident (DBA) or transient and the RHR pump seal water coolers (essential loads). The REC System also provides cooling to unit components, as required, during normal operation (non-essential loads). In the event of a loss of REC System pressure, automatic valving is provided to shut off all supply to nonessential loads, thus assuring supply to the essential loads.The REC System consists of two subsystems, each consisting of two 1350 gpm pumps, a heat exchanger, valves, piping and associated instrumentation.

A 550 gallon capacity surge tank, located at the highest point of the system, accommodates system volume changes, maintains static pressure in the loops to ensure adequate net positive suction head (NPSH), detects gross leaks in the REC System by providing a point to monitor inventory, and provides a means for adding water. Either of the two subsystems with one REC pump operating or the Service Water supply, is capable of providing the required cooling capacity to support the required essential systems. The two subsystems have sufficient redundancy and independence from each other such that no active component failure in one subsystem will affect the OPERABILITY of the other. Additionally, each subsystem is provided with Service Water supply and return valves to provide required component cooling in the event of REC leakage in excess of limits or a passive failure, such as a Class 1 E pipe break.The Service Water (SW) System provides two subsystems for backup to the REC critical loops. The Service Water supply is a fully qualified essential supply to the REC critical loops. This configuration would be used in the event that the REC system becomes incapable of performing its essential cooling function.

Because of the cross-tie capability in the critical REC loops either SW backup subsystem can supply the required cooling to the REC System.Cooling water is pumped by the REC pumps, delivered to the REC heat exchangers, which are cooled by the Service Water System, and then to the components through the two main headers. After removing heat from the components, the water is then recirculated back to the REC pump suction.Cooper B 3.7-11 11/25/12 I REC System B 3.7.3 BASES APPLICABLE SAFETY ANALYSIS Either REC loop has sufficient capacity with one pump operating to transfer the essential services design cooling heat load during postulated transient or accident conditions (Ref. 1). However, to provide additional margin, two REC pumps per loop are required to be OPERABLE to satisfy the requirements of the LCO.Through the intertie with the REC System, the SW System provides essential cooling equivalent to the critical loops of the REC System. The ability of the REC System, or the associated service water supply, to provide adequate cooling to the identified safety equipment is an implicit assumption for the safety analyses evaluated in Reference 1.The REC System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).LCO The REC subsystems are independent of each other to the degree that each has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a DBA, one subsystem of REC is required to provide the minimum heat removal capability assumed in the safety analysis for the system to which it supplies cooling water. To ensure this requirement is met, two subsystems of REC must be OPERABLE.

At least one subsystem will operate, if the worst single active failure occurs coincident with the loss of offsite power.A subsystem is considered OPERABLE when it has two OPERABLE pumps, one OPERABLE heat exchanger, and an OPERABLE flow path capable of transferring the water to the appropriate equipment.

The OPERABILITY of the REC System is based on verifying a maximum supply water temperature of 100°F.An REC subsystem is considered inoperable if both of the following conditions exits: (1) leakage in excess of allowable limits, and (2) the subsystem of SW backup for the respective REC subsystem is inoperable.

The limits are based on having a 30-day supply of inventory in the REC surge tank without crediting makeup. Leakage in excess of limits by itself does not result in either the REC subsystems or the REC system being inoperable.

If it is determined that leakage exceeds these limits, then REC is considered degraded and SW backup is required to be OPERABLE to maintain the REC subsystem(s)

OPERABLE.

An OPERABLE SW backup subsystem requires an OPERABLE flow path from the SW System to the REC critical loops, an OPERABLE SW pump in the respective SW Subsystem, and the ability to align the SW backup valves in the REC System.Cooper B 3.7-12 11/25/12 I REC System B 3.7.3 BASES LCO (continued)

The isolation of the REC System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the REC System.APPLICABILITY In MODES 1, 2, and 3, the REC System is required to be OPERABLE to support OPERABILITY of the equipment serviced by the REC System.Therefore, the REC System is required to be OPERABLE in these MODES.In MODES 4 and 5, the OPERABILITY requirements of the REC System are determined by the systems it supports.ACTIONS A..1 Both REC subsystems are considered degraded if REC leakage exceeds limits. If REC leakage exceeds limits, in combination with one of the SW backup subsystems being inoperable, the REC System is considered OPERABLE but degraded and the remaining SW backup subsystem must be verified to be OPERABLE within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The limit on REC leakage is based on maintaining 30 days of inventory in the surge tank without makeup to the surge tank. Administrative means may be used to verify the remaining SW backup subsystem is OPERABLE.A.2.1 and A.2.2 These actions require returning the inoperable SW backup system to OPERABLE status or restoring REC leakage to within limits within 14 days. The overall reliability is reduced in this condition since a single failure in the OPERABLE SW backup subsystem could result in a loss of the REC heat removal function.The 14-day Completion Time is based on the plant risk being lower during this period of continued plant operation than the risk of shutting down and on the REC System remaining OPERABLE but degraded with REC leakage exceeding limits and one OPERABLE SW backup system during this period.B. 1 With one REC subsystem inoperable for reasons other than Condition A, the REC subsystem must be restored to OPERABLE status within 30 Cooper B 3.7-13 11/25/12 I REC System B 3.7.3 BASES ACTIONS (continued) days. With the unit in this condition, the remaining OPERABLE REC subsystem is adequate to perform the heat removal function.

However, the overall reliability is reduced because a single failure in the OPERABLE REC subsystem could result in loss of REC function.The 30 day Completion Time is based on the redundant REC System capabilities afforded by the OPERABLE subsystem and the low probability of an accident occurring during this time period.C.1 and C.2 If the REC subsystem cannot be restored to OPERABLE status within the associated Completion Time, leakage exceeds limits with both SW backup subsystems inoperable, or both REC subsystems are inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.SURVEILLANCE REQUIREMENTS SR 3.7.3.1 This SR verifies the water level in the REC surge tank to be sufficient for the proper operation of the REC System (system volume changes, static pressure in the loops, and potential leakage in the system are considered in determining this limit). If REC leakage exceeds limits, the REC subsystems are considered OPERABLE but degraded.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.This SR is modified by two Notes. Note 1 states that SR 3.0.1 is not applicable when both SW backup subsystems are OPERABLE.

Note 2 states that REC leakage beyond limits by itself is only a degraded condition and does not render the REC System inoperable.

These notes reflect that the REC System remains OPERABLE based on the ability to align the SW System to the REC System and supply the required cooling water to the critical loops of the REC System.Cooper B 3.7-14 11/25/12 I REC System B 3.7.3 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.3.2 Verification of the REC System temperature ensures that the heat removal capability of the REC System is within the assumptions of the DBA analysis.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Frequency is based on operating experience related to trending of the parameter variations during the applicable MODES.SR 3.7.3.3 Verifying the correct alignment for each manual, power operated, and automatic valve in each REC subsystem flow path provides assurance that the proper flow paths will exist for REC operation.

This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing.

A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position.

This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.This SR is modified by a Note indicating that isolation of the REC System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the REC System.As such, when all REC pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the REC System is still OPERABLE.The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

SR 3.7.3.4 This SR verifies that the automatic isolation valves of the REC System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event. This is demonstrated by the use of an actual or simulated initiation signal. The initiation signal is caused by low REC heat exchanger outlet pressure (which has an analytically determined limit of 55 psig decreasing).

Also, a Group VI isolation signal will open the REC Cooper B 3.7-15 11/25/12 I REC System B 3.7.3 BASES SURVEILLANCE REQUIREMENTS (continued) heat exchanger service water outlet valves and the REC critical loop supply valves to provide cooling water to essential components.

Operating experience has shown that these components usually pass the SR when performed at the 24 month Frequency.

Therefore, this Frequency is concluded to be acceptable from a reliability standpoint.

I REFERENCES

1. USAR, Section X-6.2. 10 CFR 50.36(c)(2)(ii).
3. DC 93-057 4. NEDC 92-050X and NEDC 97-087 Cooper B 3.7-16 11/25/12 CREF System B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Control Room Emergency Filter System BASES BACKGROUND The CREF System provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke.The safety related function of the CREF System includes a single high efficiency air filtration system for emergency treatment of outside supply air and a CRE boundary that limits the inleakage of unfiltered air. The system consists of a prefilter, a high efficiency particulate air (HEPA)filter, an activated charcoal adsorber section, a supply fan, an emergency booster fan, an exhaust booster fan, and the associated ductwork, valves or dampers, doors, barriers, and instrumentation.

Prefilters and HEPA filters remove particulate matter, which may be radioactive.

The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay.The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions.

This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident.

The CRE is protected during normal operation, natural events, and accident conditions.

The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations, and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the leakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) (loss-of-coolant and fuel handling accidents only) consequences to CRE occupants.

The CRE and its boundary are defined in the Control Room Envelope Habitability Program.The CREF System is a standby system. Upon receipt of the initiation signal(s) (indicative of conditions that could result in radiation exposure to CRE occupants), the CREF System automatically switches to the emergency bypass mode of operation to minimize infiltration of contaminated air into the CRE. A system of dampers isolates the normal outside air intake path, and the outside air is routed through the filter system. Outside air is taken in at the normal ventilation intake.The CREF System is designed to maintain a habitable environment in the CRE for a 30-day continuous occupancy after a DBA without exceeding 5 rem whole body dose or its equivalent to any part of the body following a Cooper B 3.7-17 11/25/12 1 CREF System B 3.7.4 BASES BACKGROUND (continued) loss-of-coolant accident (LOCA) (Ref. 8) or 5 rem total effective dose equivalent (TEDE) following a fuel handling accident (FHA). The CREF System will pressurize the CRE relative to external areas adjacent to the CRE boundary to minimize infiltration of air from all surrounding areas adjacent to the CRE boundary.

CREF System operation in maintaining CRE habitability is discussed in the USAR, Chapters X and XIV, (Refs. 1 and 2, respectively).

APPLICABLE SAFETY ANALYSES The ability of the CREF System to maintain the habitability of the CRE is an explicit assumption for the safety analyses presented in the USAR, Chapters X and XIV (Refs. 1 and 2, respectively).

The CREF System is assumed to operate following a loss of coolant accident and a fuel handling accident involving handling lately irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 7 days).The CRE boundary provides protection from smoke and hazardous chemicals to the CRE occupants by manual isolation after detecting the presence of smoke and chemicals, thereby minimizing the quantity of inleakage.

The analysis of hazardous chemical releases demonstrates that the toxicity limits are not exceeded in the CRE following a hazardous chemical release. The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels (Ref. 5).The CREF System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 4).LCO The CREF System is required to be OPERABLE, since total system failure, such as from an inoperable CRE boundary, could result in exceeding a dose of 5 rem whole body dose or its equivalent to any part of the body following a LOCA or 5 rem TEDE following a FHA to the CRE occupants.

The CREF System is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE.The system is considered OPERABLE when its associated:

a. Fans are OPERABLE (one supply fan, the emergency booster fan and the exhaust booster fan);Cooper B 3.7-18 11/25/12 I CREF System B 3.7.4 BASES LCO (continued)
b. HEPA filter and charcoal adsorber are not excessively restricting flow and are capable of performing their filtration functions; and c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

In order for the CREF System to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke. The CRE boundary protects CRE occupants from sources of hazardous chemicals and smoke external to the CRE by minimizing inleakage when isolated.Because the CRE boundary provides no protection from internal sources, the CRE occupants are protected from internal sources by donning SCBAs.The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls.

This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels.Application of the Note allows the LCO to be considered as met because the boundary can be restored to its design condition by quickly closing the door, hatch, floor plug, or access panel. For entry and exit through doors, the administrative control of the opening is performed by the person(s) entering or exiting the area. For openings such as blocked-open doors, hatches, plugs, or access panels, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

For any other openings, such as holes and removed doors, the same controls should be implemented; however, the LCO is considered as not met, and the Conditions and Required Actions are to be entered.APPLICABILITY In MODES 1, 2, and 3, the CREF System must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA, since the DBA could lead to a fission product release.In MODES 4 and 5, the probability and consequences of a DBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the CREF System OPERABLE is not Cooper B 3.7-19 11/25/12 1 CREF System B 3.7.4 BASES APPLICABILITY (continued) required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:

a. During operations with a potential for draining the reactor vessel (OPDRVs);

and b. During movement of lately irradiated fuel assemblies in the secondary containment.

Due to radioactive decay, the CREF System is only required to be OPERABLE during fuel handling involving handling lately irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 7 days).ACTIONS A. 1 When inoperable for reasons other than an inoperable CRE boundary, the inoperable CREF System must be restored to OPERABLE status within 7 days. With the unit in this condition, there is no other system to perform the CRE occupant protection function.

The 7 day Completion Time is based on the low probability of a DBA occurring during this time period.B.1, B.2. and B3 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body following a LOCA or 5 rem TEDE following a FHA), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable.

Protection of CRE occupants from hazardous chemicals or smoke is inadequate if they are unable to remain in the CRE and perform their duties. The CRE boundary must be restored to OPERABLE status within 90 days.During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that CRE occupants are protected from hazardous chemicals and smoke, i.e., the CRE occupants are able to remain in the CRE and perform their duties.Cooper B 3.7-20 11/25/12 I CREF System B 3.7.4 BASES ACTIONS (continued)

These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional.

The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan, and possibly repair, and test most problems with the CRE boundary.C.1 and C.2 In MODE 1, 2, or 3, if the inoperable CREF System or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk.To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.D.1, and D.2 The Required Actions of Condition D are modified by a Note indicating that LCO 3.0.3 does not apply. If moving lately irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of lately irradiated fuel assemblies is not sufficient reason to require a reactor shutdown.During movement of lately irradiated fuel assemblies in the secondary containment or during OPDRVs, if the inoperable CREF System cannot be restored to OPERABLE status within the required Completion Time, or with the CREF System inoperable due to an inoperable CRE boundary, activities that present a potential for releasing radioactivity that might require isolation of the CRE must be immediately suspended.

This places the unit in a condition that minimizes the accident risk.If applicable, movement of lately irradiated fuel assemblies in the secondary containment must be suspended immediately.

Suspension of Cooper B 3.7-21 11/25/12 1 CREF System B 3.7.4 BASES ACTIONS (continued) these activities shall not preclude completion of movement of a component to a safe position.

Also, if applicable, actions must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release.Actions must continue until the OPDRVs are suspended.

SURVEILLANCE REQUIREMENTS SR 3.7.4.1 This SR verifies that the CREF System in a standby mode starts on demand and continues to operate. The system should be checked periodically to ensure that it starts and functions properly.

As the environmental and normal operating conditions of this system are not severe, testing the system once every month provides an adequate check on this system. Since the CREF System does not contain heaters, the system need only be operated for -15 minutes to demonstrate the function of the system. The 31 day Frequency is based on the known reliability of the equipment.

SR 3.7.4.2 This SR verifies that the required CREF testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test Frequencies and additional information are discussed in detail in the VFTP.SR 3.7.4.3 This SR verifies that on an actual or simulated initiation signal, the CREF System starts and operates.

The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.7.1, "Control Room Emergency Filter (CREF) System Instrumentation," overlaps this SR to provide complete testing of the safety function.

The Frequency of 24 months is based on industry operating experience and is consistent with the typical refueling cycle.Cooper B 3.7-22 11/25/12 CREF System B 3.7.4 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.7.4.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of this testing are specified in the Control Room Envelope Habitability Program.The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBA consequences is no more than 5 rem whole body or its equivalent to any part of the body following a LOCA or 5 rem TEDE following a FHA and the CRE occupants are protected from hazardous chemicals and smoke.This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences.

When Unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered. Required Action B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident.Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3, (Ref. 4) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 6). These compensatory measures may also be used as mitigating actions as required by Required Action B.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 7). Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.REFERENCES

1. USAR, Chapter X.2. USAR, Chapter XIV.3. 10 CFR 50.36(c)(2)(ii).
4. Regulatory Guide 1.196.5. USAR, Section X-10.4.6.5.
6. NEI 99-03, "Control Room Habitability Assessment Guidance," June 2001.Cooper B 3.7-23 11/25/12 I CREF System B 3.7.4 BASES REFERENCES (continued)
7. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No.ML040160868).
8. Standard Review Plan (NUREG-0800, Rev. 2), Table 6.4-1, from Section 6.4.Cooper B 3.7-24 11/25/12 1 Air Ejector Offgas B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Air Ejector Offgas BASES BACKGROUND During unit operation, steam from the low pressure turbine is exhausted directly into the main condenser.

Air and noncondensible gases are collected in the main condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Air Ejector Offgas System, where they undergo a hold-up period of 30 minutes, and are then exhausted to the Augmented Offgas Treatment System. The offgas from the main condenser normally includes radioactive gases.The Augmented Offgas Treatment System has been incorporated into the unit design to reduce the gaseous radwaste emission.

This system uses a catalytic recombiner to recombine radiolytically dissociated hydrogen and oxygen. The gaseous mixture is cooled and dried to reduce the moisture content, passed through charcoal beds for delay and decay of noble gas activity, and exhausted through the Elevated Release Point (ERP) with proper dilution.

The radioactivity of the gaseous mixture exiting through the ERP is monitored by the ERP Exhaust Monitor Air Sampling System.APPLICABLE SAFETY ANALYSES A gross gamma activity rate limit of 0.39 Ci/sec noble gas release rate at the air ejectors (after 30 minute decay) is used as the source term for the accident analysis of the Augmented Offgas Treatment System. Using this source term, the maximum offsite total body dose would be < 0.5 rem (Ref. 1). However, a more restrictive limit of 1.0 Ci/sec (prior to 30 minute decay) has been established to provide an improved capability to detect fuel pin cladding failures to allow prevention of serious degradation of fuel pin cladding integrity which might result from plant operation with a misoriented or misloaded fuel assembly.

Therefore, the gross gamma activity rate ensures that serious degradation of fuel pin cladding integrity can be detected, while maintaining the calculated offsite doses well within the limits of 10 CFR 100 (Ref. 2).The air ejector offgas limits satisfy Criterion 2 of 10 CFR 50.36(c)(2)(ii)(Ref. 3).Cooper B 3.7-25 11/25/12 I Air Ejector Offgas B 3.7.5 BASES LCO To ensure compliance with the accident analysis for the Augmented Offgas Treatment System and to provide improved capability to detect fuel pin cladding failures, gross gamma activity rate of noble gases shall be < 1.0 Ci/sec (prior to 30 minute decay).APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensibles are being processed via the Air Ejector Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation.

In MODES 4 and 5, main steam is not being exhausted to the main condenser and the requirements are not applicable.

ACTIONS A..1 If the offgas radioactivity rate limit is exceeded, 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is allowed to restore the gross gamma activity rate to within the limit. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is reasonable, based on engineering judgment, the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of an Air Ejector Offgas System rupture.B.1, B.2, B.3.1. and B.3.2 If the gross gamma activity rate is not restored to within the limits in the associated Completion Time, all main steam lines or the SJAE must be isolated.

This isolates the Air Ejector Offgas System from significant sources of radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain primary containment isolation valve is closed. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging unit systems.An alternative to Required Actions B.1 and B.2 is to place the unit in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and in MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.Cooper B 3.7-26 11/25/12 I Air Ejector Offgas B 3.7.5 BASES SURVEILLANCE REQUIREMENTS SR 3.7.5.1 This SR, on a 31 day Frequency, requires an isotopic analysis of a representative offgas sample to ensure that the required limits are satisfied.

The noble gases to be sampled are Xe-1 33, Xe-1 35, Xe-1 38, Kr-85m, Kr-87, and Kr-88. If the measured rate of radioactivity, as indicated by the Condenser Air Ejector Noble Gas Activity Monitor, increases significantly (by -- 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate.The 31 day Frequency is adequate in view of other instrumentation that continuously monitor the offgas, and is acceptable, based on operating experience.

This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation.

Only in this condition can radioactive fission gases be in the Air Ejector Offgas System at significant rates.REFERENCES

1. Letter from J. M. Pilant (NPPD) to G. E. Lear (NRC) "Failed Fuel Pin Detection Capability," dated March 2, 1978.2. 10 CFR 100.3. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.7-27 11/25/12 I Spent Fuel Storage Pool Water Level B 3.7.6 B 3.7 PLANT SYSTEMS B 3.7.6 Spent Fuel Storage Pool Water Level BASES BACKGROUND The minimum water level in the spent fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident.A general description of the spent fuel storage pool design is found in the USAR, Section X-3.0 (Ref. 1). The assumptions of the fuel handling accident are found in the USAR, Section XIV-6.4 (Ref. 2).APPLICABLE SAFETY ANALYSES The water level above the irradiated fuel assemblies is an implicit assumption of the fuel handling accident.

A fuel handling accident is evaluated to ensure that the radiological consequences (calculated total effective dose equivalent at the exclusion area and low population zone boundaries) are within 10 CFR 50.67 limits (Ref. 4). A fuel handling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in the Regulatory Guide 1.183 (Ref. 5).The fuel handling accident is evaluated for the dropping of an irradiated fuel assembly onto the reactor core. The consequences of a fuel handling accident over the spent fuel storage pool are no more severe than those of the fuel handling accident over the reactor core, as discussed in the USAR, Section XIV-6.1 (Ref. 6). The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere.

This absorption and transport delay reduces the potential radioactivity of the release during a fuel handling accident.The spent fuel storage pool water level satisfies Criterion 2 of 10 CFR 50.36(c)(2)(ii) (Ref. 7).LCO The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool.Cooper B 3.7-28 11/25/12 I Spent Fuel Storage Pool Water Level B 3.7.6 BASES APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the spent fuel storage pool since the potential for a release of fission products exists.ACTIONS A. 1 LCO 3.0.3 is not applicable while in MODE 4 or 5. However, because irradiated fuel assembly movement can occur in MODE 1, 2, or 3, Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown.When the initial conditions for an accident cannot be met, action must be taken to preclude the accident from occurring.

If the spent fuel storage pool level is less than required, the movement of irradiated fuel assemblies in the spent fuel storage pool is suspended immediately.

Suspension of this activity shall not preclude completion of movement of an irradiated fuel assembly to a safe position.

This effectively precludes a spent fuel handling accident from occurring.

SURVEILLANCE REQUIREMENTS SR 3.7.6.1 This SR verifies that sufficient water is available in the event of a fuel handling accident.

The water level in the spent fuel storage pool must be checked periodically.

The 7 day Frequency is acceptable, based on operating experience, considering that the water volume in the pool is normally stable, and all water level changes are controlled by unit procedures.

REFERENCES

1. USAR, Section X-3.0.2. USAR, Section XIV-6.4.3. Not used.4. 10 CFR 50.67.5. Regulatory Guide 1.183, July 2000.Cooper B 3.7-29 11/25/12 I Spent Fuel Storage Pool Water Level B 3.7.6 BASES REFERENCES (continued) 6.7.USAR, Section XIV-6.1.10 CFR 50.36(c)(2)(ii).

Cooper B 3.7-30 11/25/12 1 Main Turbine Bypass System B 3.7.7 B 3.7 PLANT SYSTEMS B 3.7.7 Main Turbine Bypass System BASES BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during unit startup, sudden load reduction, and cooldown.

It allows excess steam flow from the reactor to the condenser without going through the turbine.The bypass capacity of the system is 25% of the Nuclear Steam Supply System rated steam flow. Sudden load reductions within the capacity of the steam bypass can be accommodated without safety relief valves opening or a reactor scram. The Main Turbine Bypass System consists of three valves connected to the main steam lines between the main steam isolation valves and the turbine stop valves. Each of these three valves is operated by hydraulic cylinders.

The bypass valves are controlled by the pressure regulation function of the Turbine Digital Electro Hydraulic (DEH) Control System, as discussed in the USAR, Section VII-1 1.3 (Ref. 1). The bypass valves are normally closed, and the DEH Control System controls the turbine control valves that direct all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the DEH Control System controls the system pressure by opening the bypass valves. When the bypass valves open, the steam flows from the bypass chest, through connecting piping, to the pressure breakdown assemblies used to further reduce the steam pressure before the steam enters the condenser.

APPLICABLE SAFETY ANALYSES The Main Turbine Bypass System is assumed to function during the high energy line break analysis, as discussed in References 2 and 3, and the feedwater controller failure maximum demand transient, as discussed in Reference

4. However, the feedwater controller failure maximum demand transient defines the MCPR operating limits if one Main Turbine Bypass Valve is inoperable.

The Main Turbine Bypass System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).LCO The Main Turbine Bypass System is required to be OPERABLE to limit peak pressure in the main steam lines and maintain reactor pressure within acceptable limits during events that cause rapid pressurization, so that the Safety Limit MCPR is not exceeded.

With one Main Turbine Bypass Valve inoperable, modifications to the MCPR operating limits (LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") may be Cooper B 3.7-31 11/25/12 I Main Turbine Bypass System B 3.7.7 BASES LCO (continued) applied to allow this LCO to be met. The MCPR operating limits for one inoperable Main Turbine Bypass Valve are specified in the COLR. An OPERABLE Main Turbine Bypass System requires all three bypass valves to open in response to increasing main steam line pressure.

This response is within the assumptions of the applicable analyses (Ref. 4).APPLICABILITY The Main Turbine Bypass System is required to be OPERABLE at > 25%RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the Applicable Safety Analyses transients.

As discussed in the Bases for TLCO 3.2.1,"LINEAR HEAT GENERATION RATE (LHGR)," and LCO 3.2.2, sufficient margin to these limits exists at < 25% RTP. Therefore, these requirements are only necessary when operating at or above this power level.ACTIONS A._1 If one Main Turbine Bypass Valve is inoperable, and the MCPR operating limits for one inoperable Main Turbine Bypass Valve, as specified in the COLR, are not applied, the assumptions of the design basis transient analyses may not be met. Under such circumstances, prompt action should be taken to restore the inoperable Main Turbine Bypass Valve to OPERABLE status or adjust the MCPR operating limits accordingly.

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time is reasonable, based on the time to complete the Required Action and the low probability of an event occurring during this period requiring the Main Turbine Bypass System.B.1 If the inoperable Main Turbine Bypass Valve cannot be restored to OPERABLE status and the MCPR operating limits for one inoperable Main Turbine Bypass Valve are not applied within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, or two or more Main Turbine Bypass Valves are inoperable, THERMAL POWER must be reduced to < 25% RTP. As discussed in the Applicability section, operation at < 25% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the Applicable Safety Analyses transients.

The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.Cooper B 3.7-32 11/25/12 I Main Turbine Bypass System B 3.7.7 BASES SURVEILLANCE REQUIREMENTS SR 3.7.7.1 Cycling each main turbine bypass valve through at least half of one cycle of full travel (50% open) demonstrates that the valves are mechanically OPERABLE and will function when required.

The 31 day Frequency is based on engineering judgment, is consistent with the procedural controls governing valve operation, and ensures correct valve positions.

Operating experience has shown that these components usually pass the SR when performed at the 31 day Frequency.

Therefore, the Frequency is acceptable from a reliability standpoint.

SR 3.7.7.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function.

This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position.The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint.

Cycling open a bypass valve at slightly above 29.5 RTP may affect the RPS Turbine Stop and Control Valve functions.

SR 3.7.7.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analyses.

The response time limits are specified in the COLR. The 24 month Frequency is based on the need to perform this Surveillance under the conditions that apply during a unit outage and because of the potential for an unplanned transient if the Surveillance were performed with the reactor at power. Operating experience has shown the 24 month Frequency, which is based on the refueling cycle, is acceptable from a reliability standpoint.

Cooper B 3.7-33 11/25/12 Main Turbine Bypass System B 3.7.7 BASES REFERENCES 1.2.3.4.5.USAR, Section VII-1 1.3.Amendment 25 to the FSAR.NEDC 96-006, "Estimate of Steam Tunnel's HELB," March 3, 1996.USAR, Section XIV-5.8.1.

10 CFR 50.36(c)(2)(ii).

Cooper B 3.7-34 11/25/12 1 AC Sources -Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources -Operating BASES BACKGROUND The unit AC Sources for the Class 1 E AC Electrical Power Distribution System consist of the offsite power sources (preferred power sources, normal and alternates), and the onsite standby power sources (diesel generators (DGs)). As summarized in the USAR, (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.The Class 1 E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed.

Each load group has connections to two qualified offsite power supplies and a single DG.The offsite power sources are a startup station service transformer (SSST) which connects to the 161 kV switchyard and a separate emergency station service transformer (ESST) energized by a 69 kV line.The 161 kV switchyard is connected to one 161 kV line which terminates in a switchyard near Auburn, Nebraska, two 345/161 kV, 300 MVA auto-transformers (T2 and T5) which connect to the 345 kV switchyard, and one 161/69 kV 56MVA auto-transformer (T6) which can connect to the 69 kV system and serve as a source for the ESST. Either T2 or T5 is sufficient to power the 161/69 kV system. The 345 kV switchyard has five lines which terminate in switchyards near Tarkio, Missouri; Hallam, Nebraska; St. Joseph, Missouri; Fairport, Missouri; and Nebraska City, Nebraska.

The ESST is fed by either a 69 kV line which is part of a subtransmission grid of the Omaha Public Power District, or by the 161/69 kV auto-transformer (T6). If the normal station service transformer (NSST) (powered by the main generator) is lost, the SSST, which is normally energized, will automatically energize 4160 volt buses 1 A and 1 B, as well as their connected loads, including critical buses 1 F &1G. If the SSST fails to energize the critical buses, the ESST, which is normally energized, will automatically energize both critical buses. If the ESST were also to fail, the emergency diesel generators would automatically energize their respective buses. A detailed description of the offsite power network and circuits to the onsite Class 1 E critical buses is found in the USAR, Sections VIII-2.0 and VIII-3.O (Ref. 2).Cooper B 3.8-1 02/07/13 AC Sources -Operating B 3.8.1 BASES BACKGROUND (continued)

A qualified offsite circuit consists of all breakers, transformers, switches, interrupting devices (4.16 kV breakers), cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1 E critical buses. Specifically, the two qualified offsite circuits are defined as: a. The SSST, With incoming disconnect 1611-D closed, energizing the transformer from the offsite network (with all lines upstream of the disconnect considered part of the offsite network and not part of the Technical Specification required offsite circuit).

The offsite circuit also includes the circuit path to: i. 4.16 kV SWGR Bus 1 F via breakers 1AS, 4.16 kV SWGR Bus 1A, and breakers 1AF and 1FA; and ii. 4.16 kV SWGR Bus 1G via breakers 1BS, 4.16 kV SWGR Bus 1 B, and breakers 1BG and 1GB.b. The ESST, with incoming disconnect 5298 closed, energizing the transformer from the offsite network (with all lines upstream of the disconnect considered part of the offsite network and not part of the Technical Specification required offsite circuit).

The offsite circuit also includes the circuit path to: i. 4.16 kV SWGR Bus 1F via breaker 1FS; and ii. 4.16 kV SWGR Bus 1G via breakers 1GS.During plant operation, the critical buses 1 F and 1 G are energized from the NSST when the main generator is online via bus 1A or 1B. If the normal transformer fails or the main generator trips off the line, an automatic fast transfer of the loads to the SSST occurs. The SSST rating is sufficient such that the emergency service loads can be connected under accident conditions while the buses are supplying normal plant loads.In the event both the normal and startup power source are lost, the ESST will supply the critical buses 1 F and 1 G after a one second time delay to provide load shedding.

The ESST rating is sufficient such that, following load shedding, the emergency service loads can be sequentially connected under accident conditions.

The onsite standby power source for 4.16 WV critical buses 1F and 1G consists of two DGs. DG-1 and DG-2 are dedicated to critical buses 1 F and 1 G, respectively.

A DG starts automatically on a loss of coolant accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) or on a critical bus degraded voltage or undervoltage Cooper B 3.8-2 02/07/13 AC Sources -Operating B 3.8.1 BASES BACKGROUND (continued) signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of critical bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the critical bus on a LOCA signal alone. Following the trip of offsite power, all loads are shed from the critical bus. When the DG is tied to the critical bus, loads are then sequentially connected to its respective critical bus. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG.In the event of a loss of both offsite power sources, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA.Certain required plant loads are returned to service in a predetermined sequence in order to prevent overloading of the DGs in the process.Within 44 seconds after the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service. The failure of any one DG does not impair safe shutdown because each DG serves an independent, redundant 4.16 kV critical bus. The remaining DG and critical bus have sufficient capacity to mitigate the consequences of a DBA, support the shutdown of the unit, and maintain the unit in a safe condition.

Ratings for the DGs satisfy the requirements of Safety Guide 9 (Ref. 3).DG-1 and DG-2 have the following ratings: a. 4000 kW -continuous, b. 4400 kW -2 hours per day, c. 5000 kW -320 hours/total.

APPLICABLE SAFETY ANALYSES The initial conditions of DBA and transient analyses in the USAR, Chapter VI (Ref. 4) and Chapter XIV (Ref. 5), assume ESF systems are OPERABLE.

The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems Cooper B 3.8-3 02/07/13 I AC Sources -Operating B 3.8.1 BASES APPLICABLE SAFETY ANALYSIS (continued)(ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems.The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of: a. An assumed loss of all offsite power or all onsite AC power; and b. A worst case single failure.AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 6).LCO Two qualified circuits between the offsite transmission network and the onsite Class 1 E Distribution System and two separate and independent DGs (DG-1 and DG-2) ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA.Qualified offsite circuits are those that are described in the USAR, and are part of the licensing basis for the unit.Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the critical buses. Each offsite circuit consists of incoming disconnect to respective SSST or ESST, respective SSST and ESST transformers, and the respective circuit path including feeder breakers to the two 4.16 kV critical buses. For the SSST, the circuit also includes the intermediate non-critical bus.Each DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective 4.16 kV critical bus on detection of bus undervoltage.

This sequence must be accomplished within 14 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in standby with the engine at ambient condition.

Proper sequencing of loads, including load shedding, is a required function for DG OPERABILITY.

Cooper B 3.8-4 02/07/13 I AC Sources -Operating B 3.8.1 BASES LCO (continued)

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete.

For the offsite AC sources, the separation and independence are to the extent practical.

A circuit may be connected to more than one 4.16 kV critical bus, with fast transfer capability, as applicable, to the other circuit OPERABLE, and not violate separation criteria.

A circuit that is not connected to a critical bus is required to have OPERABLE automatic or fast transfer interlock mechanisms, as applicable, to both critical buses to support OPERABILITY of that circuit.That is, power can be supplied to both critical buses via the SSST provided that the automatic transfer capability to the ESST exists for both of the critical buses. However, if power is supplied to both critical buses via the ESST, then one offsite circuit is inoperable, since no automatic transfer capability from the ESST to the SSST exists.Additionally, power to the critical buses is allowed to be supplied from the NSST. In this case, the SSST offsite circuit is considered OPERABLE provided the automatic transfer capability from the NSST to the SSST is OPERABLE for both of the critical buses. For the ESST to be considered OPERABLE, the automatic transfer capability from the NSST to the ESST must be OPERABLE for both critical buses (the automatic transfer capability from the NSST to the ESST is allowed to go through an intermediate step of transferring to the first offsite source, i.e., SSST).A verification of OPERABILITY is an administrative check, by examination of appropriate plant records (logs, surveillance test records), to determine that a system, subsystem, train, component or device is not inoperable.

Such verification does not preclude the demonstration (testing) of a given system, subsystem, train, component or device to determine OPERABILITY.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that: a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources -Shutdown." Cooper B 3.8-5 02/07/13 1 AC Sources -Operating B 3.8.1 BASES ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.There is an increased risk associated with entering a MODE or other specified' condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining offsite circuit on a more frequent basis. Since the Required Action only specifies"perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if the second circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.A.2 Required Action A.2, which only applies if the division cannot be powered from an offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included).

Redundant required features failures consist of inoperable features associated with a division redundant to the division that has no offsite power.The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities.

This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both: a. The division has no offsite power supplying its loads; and b. A redundant required feature on the other division is inoperable.

If, at any time during the existence of this Condition (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.Discovering no offsite power to one 4.16 kV critical bus of the onsite Class 1 E Power Distribution System coincident with one or more Cooper B 3.8-6 02/07/13 1 AC Sources -Operating B 3.8.1 BASES ACTIONS (continued) inoperable required support or supported features, or both, that are associated with any other Class 1 E bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.The remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1 E Distribution System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.A.3 The 4.16 kV critical bus design and loading is sufficient to allow operation to continue in Condition A for a period that should not exceed 7 days.With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1 E Distribution System.The 7 day Completion Time takes into account the redundancy, capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total of 14 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 7 days (for a total of 21 days) allowed prior to complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are Cooper B 3.8-7 02/07/13 1 AC Sources -Operating B 3.8.1 BASES ACTIONS (continued) entered concurrently.

The "AND" connector between the 7 day and 14 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.Similar to Required Action A.2, the second Completion Time of Required Action A.3 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the"time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.B. 1 To ensure a highly reliable power source remains with one DG inoperable, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies"perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable.

Upon offsite circuit inoperability, additional Conditions must then be entered.B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed to be powered from redundant safety related divisions.

Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG.The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both: a. An inoperable DG exists; and b. A redundant required feature on the other division is inoperable.

If, at any time during the existence of this Condition (one DG inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.Cooper B 3.8-8 02/07/13 I AC Sources -Operating B 3.8.1 BASES ACTIONS (continued)

The Control Room Emergency Filter System (CREFS) is a single train system that has required redundant features consisting of a supply fan, and a manual transfer switch for aligning the emergency booster fan and the exhaust booster fan to one energized critical bus capable of being powered from an OPERABLE diesel generator.

Compliance with B.2 requires ensuring the redundant supply fan is in service, and manual transfer switch alignment of the other fans to the redundant critical bus within the 4-hour Completion Time.Discovering one DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DG results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the station to transients associated with shutdown.The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1 E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature.Additionally, the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed.

If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition E of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied.

If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG, performance of SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of the remaining DG.Cooper B 3.8-9 02/07/13 I AC Sources -Operating B 3.8.1 BASES ACTIONS (continued)

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility.

This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> constraint imposed while in Condition B.According to Generic Letter 84-15 (Ref. 7), 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is a reasonable time to confirm that the OPERABLE DG is not affected by the same problem as the inoperable DG.B.4 In Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class 1 E Distribution System. The 7 day Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period.The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 7 days.This situation could lead to a total of 14 days, since initial failure of the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 21 days) allowed prior to complete restoration of the LCO. The 14 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently.

The "AND" connector between the 7 day and 14 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.Similar to Required Action B.2, the second Completion Time of Required Action B.4 allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the"time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.Cooper B 3.8-10 02/07/13 I AC Sources -Operating B 3.8.1 BASES ACTIONS (continued)

C.1 and C.2 Required Action C.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two offsite circuits.

Required Action C.1 reduces the vulnerability to a loss of function.

The Completion Time for taking these actions is reduced to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from that allowed with one division without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is that Regulatory Guide 1.93 (Ref. 8) allows a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE.

When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate.

These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits.The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both: a. Both offsite circuits are inoperable; and b. A redundant required feature is inoperable.

If, at any time during the existence of this Condition (both offsite circuits inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.According to the recommendations in Regulatory Guide 1.93 (Ref. 8), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This level of degradation means that the offsite electrical power system may not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded.

This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.Cooper B 3.8-11 02/07/13 1 AC Sources -Operating B 3.8.1 BASES ACTIONS (continued)

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.

However, two factors tend to decrease the severity of this degradation level: a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.With both of the offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient.

In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis.

Thus, the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time in Required Action C.2 provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.According to the recommendations in Regulatory Guide 1.93 (Ref. 8), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. If both offsite sources are restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unrestricted operation may continue.

If only one offsite source is restored within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, power operation continues in accordance with Condition A.D.1 and D.2 Pursuant to LCO 3.0.6, the Distribution Systems -Operating ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization.

Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any 4.16 kV critical bus, ACTIONS for LCO 3.8.7,"Distribution Systems -Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of the offsite circuit and one DG without regard to whether a division is de-energized.

LCO 3.8.7 provides the appropriate restrictions for a de-energized 4.16 kV critical bus.Cooper B 3.8-12 02/07/13 1 AC Sources -Operating B 3.8.1 BASES ACTIONS (continued)

In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both offsite circuits).

This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period.E._1 With two DGs inoperable, there is no remaining standby AC source.Thus, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions.

Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted.

The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to the recommendations in Regulatory Guide 1.93 (Ref. 8), with both DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.F.1 and F.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.Cooper B 3.8-13 02/07/13 1 AC Sources -Operating B 3.8.1 BASES ACTIONS (continued)

G.1 Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function.

Therefore, no additional time is justified for continued operation.

The station is required by LCO 3.0.3 to commence a controlled shutdown.SURVEILLANCE REQUIREMENTS The AC sources are designed to permit inspection and testing of all important areas and features, especially those that have a standby function.

Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions).

The SRs for demonstrating the OPERABILITY of the DGs are in general conformance with the recommendations of Regulatory Guide 1.9 (Ref. 9), Regulatory Guide 1.108 (Ref. 10), and Regulatory Guide 1.137 (Ref. 11).The minimum steady state output voltage of 3950 V is approximately 95%of the nominal 4160 V output voltage. This value, which is consistent with ANSI C84.1 (Ref. 12), allows for voltage drop to the terminals of 4000 V motors whose minimum operating voltage is specified as 90% or 3600 V.It also allows for voltage drops to motors and other equipment down through the 120 V level where minimum operating voltage is also usually specified as 90% of name plate rating. The specified maximum steady state output voltage of 4400 V is equal to the maximum operating voltage specified for 4000 V motors. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages.

The specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively.

These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Safety Guide 9 (Ref. 3).SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source and that appropriate Cooper B 3.8-14 02/07/13 1 AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) independence of offsite circuits is maintained.

This can be accomplished by verifying that a critical bus is energized and that the status of offsite supply breakers displayed in the control room is correct. The 7 day Frequency is adequate since breaker position is not likely to change without the operator being aware of it and because its status is displayed in the control room.SR 3.8.1.2 and SR 3.8.1.7 These SRs help to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition.

To minimize the wear on moving parts that do not get lubricated when the engine is not running, these SRs have been modified by a Note (Note 2 for SR 3.8.1.2 and Note 1 for SR 3.8.1.7) to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period and (only for SR 3.8.1.2) followed by a warmup prior to loading.For the purposes of this testing, the DGs are manually started from standby conditions.

Standby conditions for a DG mean that the diesel engine coolant and oil are being periodically circulated and temperature is being maintained consistent with manufacturer recommendations.

In order to reduce stress and wear on diesel engines, the manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 3 to SR 3.8.1.2, which is only applicable when such modified start procedures are recommended by the manufacturer.

SR 3.8.1.7 requires that, at a 184 day Frequency, the DG starts from standby conditions and achieves required voltage and frequency within 14 seconds. The minimum voltage and frequency stated in the SR are those necessary to ensure the DG can accept DBA loading while maintaining acceptable voltage and frequency levels. Stable operation at the nominal voltage and frequency values is also essential to establishing DG OPERABILITY, but a time constraint is not imposed. This is because a typical DG will experience a period of voltage and frequency oscillations prior to reaching steady state operation if these oscillations are not dampened by load application.

This period may be extended beyond the 14 second acceptance criterion and could be cause for failing the SR. In lieu of a time constraint in the SR, monitoring and trending of the actual Cooper B 3.8-15 02/07/13 I AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) time to reach steady state operation will be performed as a means of ensuring there is no voltage regulator or governor degradation which could cause a DG to become inoperable.

The 14 second start requirement supports the assumptions in the design basis LOCA analysis of USAR, Section VIII-5.2 (Ref. 13). The 14 second start requirement is not applicable to SR 3.8.1.2 (see Note 3 of SR 3.8.1.2), when a modified start procedure as described above is used. If a modified start is not used, the 14 second start requirement of SR 3.8.1.7 applies.Since SR 3.8.1.7 does require a 14 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This procedure is the intent of Note 1 of SR 3.8.1.2.The 31 day Frequency for SR 3.8.1.2 is consistent with Regulatory Guide 1.9 (Ref. 9). The 184 day Frequency for SR 3.8.1.7 is a reduction in cold testing consistent with Generic Letter 84-15 (Ref. 7). These Frequencies provide adequate assurance of DG OPERABILITY, while minimizing degradation resulting from testing.SR 3.8.1.3 This Surveillance provides assurance that the DGs are capable of synchronizing and accepting greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0 while synchronized to the grid. Since the generator is rated at a particular KVA at 0.8 power factor, the 0.8 value is the design rating of the machine.The 1.0 value is an operational condition where the reactive power component is zero, which minimizes the reactive heating of the generator.

Operating the generator at a power factor between 0.8 lagging and 1.0 avoids adverse conditions associated with underexciting the generator and more closely represents the generator operating requirements when performing its safety function (running isolated on its associated critical bus). Because each DG is rated at 4000 kW at 0.8 power factor (pf), the required load band is > 3600 kW at > 0.8 pf (> 90% of rated load, in accordance with Regulatory Guide 1.9, Ref. 9) and less than or equal to rated load. This load band brackets the maximum expected accident loads. The load band is provided to avoid routine overloading of the DG.Cooper B 3.8-16 02/07/13 I AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The 31 day Frequency for this Surveillance is consistent with Regulatory Guide 1.9 (Ref. 9).Note 1 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized.

Note 2 modifies this Surveillance by stating that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test.Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.

Note 4 stipulates a prerequisite requirement for performance of this SR.A successful DG start must precede this test to credit satisfactory performance.

SR 3.8.1.4 This SR provides verification that the level of fuel oil in the day tank is at or above the level at which fuel oil is automatically added. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for approximately

3.9 hour1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br />s

of DG operation at full load.The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and facility operators would be aware of any large uses of fuel oil during this period.SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation.

There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks once every 31 days eliminates the necessary environment for bacterial survival.

This is the most effective means of Cooper B 3.8-17 02/07/13 1 AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation.

Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria.

Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is consistent with Regulatory Guide 1.137 (Ref. 11). This SR is for preventive maintenance.

The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of this Surveillance.

SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and automatically transfers fuel oil from the storage tanks to the associated day tank. It is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.The Frequency for this SR corresponds to the testing requirements for pumps as contained in the ASME Code for Operation and Maintenance of Nuclear Power Plants (Ref. 14).SR 3.8.1.8 Transfer of each 4.16 kV critical bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads.The 24 month Frequency of the Surveillance is based on engineering judgment taking into consideration the plant conditions required to perform the Surveillance, and is intended to be consistent with expected fuel cycle lengths. Operating experience has shown that these components usually pass the SR when performed on the 24 month Frequency.

Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems.Cooper B 3.8-18 02/07/13 I AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

Credit may be taken for unplanned events that satisfy this SR.SR 3.8.1.9 Consistent with IEEE 387-1995 (Ref. 15), Section 7.5.9 and Table 3, this SR requires demonstration once per 24 months that the DGs can start and run continuously at full load capability for an interval of not less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> -6 hours of which is at a load equivalent to 90-100% of the continuous rating of the DG, and 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of which is at a load equivalent to 105% to 110% of the continuous duty rating of the DG. The DG starts for this Surveillance can be performed either from standby or hot conditions.

The provisions for prelube and warmup, discussed in SR 3.8.1.2, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.A load band of 90-100% accident load is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

Generator loadings less than 90%occurring during the first 10 seconds of accident loading are bounded by the test conditions of 90 to 100% load and are well within the generator capability curves.The 24 month Frequency is consistent with IEEE 387-1995 (Ref. 15), Section 7.5.9 and Table 3, which require this SR to be performed during refueling outages once per 24 months. The 24 month Frequency takes into consideration plant conditions required to perform the Surveillance; and is intended to be consistent with expected fuel cycle lengths.This Surveillance has been modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that would challenge continued steady state operation and, as a result, plant safety systems.Note 3 ensures that the DG is tested under load conditions that are as close to worst case design basis conditions as possible.

When synchronized with offsite power, testing should be performed at a power factor of < 0.89. This power factor is representative of the actual inductive loading a DG would see under design basis accident conditions.

Under certain conditions, however, Note 3 allows the surveillance to be conducted at a power factor other than < 0.89. These conditions occur when grid voltage is high, and the additional field Cooper B 3.8-19 02/07/13 1 AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued) excitation needed to obtain a power factor of < 0.89 results in voltages on the emergency busses that are too high. Under these conditions, the power factor should be maintained as close as practicable to 0.89 while still maintaining acceptable voltage limits on the emergency busses. In other circumstances, the grid voltage may be such that the DG excitation levels needed to obtain a power factor of 0.89 may not cause unacceptable voltages on the emergency busses, but the excitation levels are in excess of those recommended for the DG. In such cases, the power factor shall be maintained as close as practicable to 0.89 without exceeding the DG excitation limits. Credit may be taken for unplanned events that satisfy this SR.SR 3.8.1.10 Under LOCA conditions and loss of offsite power, loads are sequentially connected to the bus by a timed logic sequence.

The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents.

The 10%load sequence time interval tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated.

Reference 2 provides a summary of the automatic loading of ESF buses.The Frequency of 24 months is consistent with the intent of the recommendations of Regulatory Guide 1.108 (Ref. 10), paragraph 2.a.(2);takes into consideration plant conditions required to perform the Surveillance; and is intended to be consistent with expected fuel cycle lengths.This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems.Credit may be taken for unplanned events that satisfy this SR.SR 3.8.1.11 In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.This Surveillance demonstrates DG operation during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal.Cooper B 3.8-20 02/07/13 I AC Sources -Operating B 3.8.1 BASES SURVEILLANCE REQUIREMENTS (continued)

This test verifies all actions encountered from the loss of offsite power and loss of coolant accident, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically maintain the required voltage and frequency.

The DG auto-start time of 14 seconds is. derived from requirements of the accident analysis for responding to a design basis large break LOCA.The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain-circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation.

For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or systems are not capable of being operated at full flow. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable.

This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.The Frequency of 24 months takes into consideration plant conditions required to perform the Surveillance and is intended to be consistent with an expected fuel cycle length of 24 months.This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being periodically circulated and temperature maintained consistent with manufacturer recommendations.

The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR.REFERENCES

1. USAR, Section VIII-1.0.2. USAR, Section VIII-2.0 and VIII-3.0.3. Safety Guide 9, Revision 0, March 1971.Cooper B 3.8-21 02/07/13 I AC Sources -Operating B 3.8.1 BASES REFERENCES (conti nued)4. USAR, Chapter VI.5. USAR, Chapter XIV.6. 10 CFR 50.36(c)(2)(ii).
7. Generic Letter 84-15.8. Regulatory Guide 1.93.9. Regulatory Guide 1.9, Revision 3, July 1993.10. Regulatory Guide 1.108.11. Regulatory Guide 1.137.12. ANSI C84.1, 1970.13. USAR, Section VIII-5.2.14. ASME Code for Operation and Maintenance of Nuclear Power Plants.15. IEEE Standard 387, 1995.Cooper B 3.8-22 02/07/13 1 AC Sources -Shutdown B 3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources -Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1,"AC Sources -Operating." APPLICABLE SAFETY ANALYSES The OPERABILITY of the minimum AC sources during MODES 4 and 5, and during movement of irradiated fuel assemblies in the secondary containment ensures that: a. The facility can be maintained in the shutdown or refueling condition for extended periods;b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.In general, when the unit is shutdown the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents.

However, assuming a single failure and concurrent loss of all offsite or loss of all onsite power is not required.

The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Postulated worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and corresponding stresses result in the probabilities of occurrences significantly reduced or eliminated, and minimal consequences.

These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS.This allowance is in recognition that certain testing and maintenance activities must be conducted, provided an acceptable level of risk is not exceeded.

During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required.

In MODES 4 and 5, the activities are generally planned and administratively Cooper B 3.8-23 02/07/13 1 AC Sources -Shutdown B 3.8.2 BASES APPLICABLE SAFETY ANALYSIS (continued) controlled.

Relaxations from typical MODES 1, 2, and 3 LCO requirements are acceptable during shutdown MODES, based on: a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.

b. Requiring appropriate compensatory measures for certain conditions.

These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both.c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (diesel generator (DG)) power.The AC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 1).LCO One offsite circuit supplying the onsite Class 1 E power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems -Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with a 4.16 kV critical bus required OPERABLE by LCO 3.8.8, ensures that a diverse power source is available for providing electrical power support assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and DG ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and reactor vessel draindown).

Automatic initiation of the required DG during shutdown conditions is specified in LCO 3.3.5.1, ECCS Instrumentation, and LCO 3.3.8.1, LOP Instrumentation.

The qualified offsite circuit must be capable of maintaining rated frequency and voltage while connected to its respective critical bus, and of accepting required loads during an accident.

Qualified offsite circuits are those that are described in the USAR and are part of the licensing basis for the unit. The offsite circuit consists of incoming breaker and Cooper B 3.8-24 02/07/13 1 AC Sources -Shutdown B 3.8.2 BASES LCO (continued) disconnect to the startup or emergency station service transformer, associated startup or emergency station service transformer, and the respective circuit path including feeder breakers to all 4.16 kV critical buses required by LCO 3.8.8.The required DG must be capable of starting, accelerating to rated speed and voltage, connecting to its respective critical bus on detection of bus undervoltage, and accepting required loads. This sequence must be accomplished within 14 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the critical buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with engine hot and DG in standby with engine at ambient conditions.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

The necessary portions of the Service Water System and Ultimate Heat Sink are also required to provide appropriate cooling to the required DGs.It is acceptable during shutdown conditions, for a single offsite power circuit to supply both 4.16 kV critical buses. No fast transfer capability is required for offsite circuits to be considered OPERABLE.APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that: a. Systems providing adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1.Cooper B 3.8-25 02/07/13 I AC Sources -Shutdown B 3.8.2 BASES ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2 or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable.

If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, in either case, inability to suspend movement or irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown.A. 1 An offsite circuit is considered inoperable if it is not available to one required 4.16 kV critical bus. If two or more 4.16 kV critical buses are required per LCO 3.8.8, the remaining bus with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By the allowance of the option to declare required features inoperable with no offsite power, appropriate restrictions can be implemented in accordance with the required feature(s)

LCOs' ACTIONS. Required features remaining powered from a qualified offsite power circuit, even if that circuit is considered inoperable because it is not powering other required features, are not declared inoperable by this Required Action.A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 With the required offsite circuit not available to all required 4.16 kV critical buses, the option still exists to declare all required features inoperable per Required Action A.1. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With the required DG inoperable, the minimum required diversity of AC power sources is not available.

It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and activities that could result in inadvertent draining of the reactor vessel.Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems.Cooper B 3.8-26 02/07/13 I AC Sources -Shutdown B 3.8.2 BASES ACTION (continued)

The Completion Time of immediatelyis consistent with the required times for actions requiring prompt attention.

The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization.

Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power to any required 4.16 kV critical bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit whether or not a division is de-energized.

LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized division.SURVEILLANCE REQUIREMENTS SR 3.8.2.1 SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, and 3. SR 3.8.1.8 is not required to be met since only one offsite circuit is required to be OPERABLE.

Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during the performance of SRs, and to preclude deenergizing a required 4.16 kV critical bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG. It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit is required to be OPERABLE.Note 2 states SR 3.8.1.11 is considered to be met without the ECCS initiation signals OPERABLE when associated ECCS initiation signals are not required to be OPERABLE per Table 3.3.5.1-1.

This SR demonstrates the DG response to an ECCS signal in conjunction with a loss of power signal. When ECCS system(s) are not required to be OPERABLE per LCO 3.5.2, "ECCS -Shutdown," the DG is not required to start in response to ECCS initiation signals. This is consistent with the Cooper B 3.8-27 02/07/13 1 AC Sources -Shutdown B 3.8.2 BASES SURVEILLANCE REQUIREMENTS (continued)

ECCS instrumentation requirements.

However, the DG is still required to meet the other attributes of SIR 3.8.1.11 when associated ECCS initiation signals are not required to be OPERABLE per Table 3.3.5.1-1.

REFERENCES

1. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.8-28 02/07/13 1 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air BASES BACKGROUND The two diesel generators (DGs) are provided with two storage tanks having a fuel oil capacity sufficient to operate a single DG for a period of 7 days while that DG is supplying maximum post loss of coolant accident (LOCA) load demand discussed in USAR, Section Vi11-5.2 (Ref. 1). The maximum load demand is calculated using the assumption that only one DG is available.

This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources.Fuel oil is transferred from storage tanks to the day tanks by either of two transfer pumps associated with each storage tank. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe or valve to result in the loss of more than one DG. The outside tanks, pumps, and piping are located underground.

For proper operation of the standby DGs, it is necessary to ensure the proper quality of the fuel oil. Regulatory Guide 1.137 (Ref. 2) addresses the recommended fuel oil practices as supplemented by ANSI N195 (Ref.3). The fuel oil properties governed by these SRs are the water and sediment content, the kinematic viscosity, specific gravity (or API gravity or absolute specific gravity), and impurity level.The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions.

The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation.

The useable volume in each engine oil sump and onsite lube oil storage contain an inventory capable of supporting a minimum of 7 days of operation.

The onsite storage in addition to the useable volume in the engine oil sump is sufficient to ensure 7 days' continuous operation.

This supply is sufficient to allow the operator to replenish lube oil from outside sources.Each DG has an air start subsystem that includes two starting air receivers, each with adequate capacity for multiple start attempts on the DG without recharging the air start receiver(s).

Cooper B 3.8-29 02/07/13 I Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in USAR, Chapter VI (Ref. 4), and Chapter XIV (Ref. 5), assume Engineered Safety Feature (ESF) systems are OPERABLE.

The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC)System; and Section 3.6, Containment Systems.Since diesel fuel oil, lube oil, and starting air subsystems support the operation of the standby AC power sources, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 6).LCO Stored diesel fuel oil is required in sufficient supply for 7 days of operation at maximum post-LOCA load demand. It is also required to meet specific standards for quality. Additionally, sufficient lube oil supply must be available to ensure the capability to operate for 7 days at maximum post-LOCA load demand. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an abnormal operational transient or a postulated DBA with loss of offsite power. DG day tank fuel oil requirements, as well as transfer capability from the storage tank to the day tank, are addressed in LCO 3.8.1, "AC Sources -Operating," and LCO 3.8.2, "AC Sources -Shutdown." The starting air system is required to have a minimum capacity for multiple DG start attempts in accordance with Reference 7, without recharging the air start receivers.

Only one air receiver (and associated airstart header) per DG is required, since each air receiver has the required capacity.APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an abnormal operational transient or a postulated DBA. Because stored diesel fuel oil, lube oil, and starting air subsystems support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil, lube oil, and starting air are required to be within limits when the associated DG is required to be OPERABLE.Cooper B 3.8-30 02/07/13 I Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG except for Conditions A, C, and D.This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem.

Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) governed by separate Condition entry and application of associated Required Actions. The Note does not apply to Conditions A, C and D since the CNS design has two fuel oil storage tanks that supply fuel oil to both DGs.A.1 With the combined fuel level < 49,500 gallons in the storage tanks, the 7 day fuel oil supply for both DGs is not available.

The 49,500 gallon limit is a conservative estimate of the required fuel oil based on worst case fuel consumption.

However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply (42,800 gallons).

These circumstances may be caused by events such as: a. Full load operation required for an inadvertent start while at minimum required level; or b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.

This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the required level prior to declaring the DGs inoperable.

This period is acceptable based on the remaining capacity (> 6 days), the fact that action will be initiated to obtain replenishment, and the low probability of an event during this brief period.B.1 With lube oil inventory

< 504 gal, sufficient lube oil to support 7 days of continuous DG operation at full load conditions may not be available.

However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable.

This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that action Cooper B 3.8-31 02/07/13 1 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS (continued) will be initiated to obtain replenishment, and the low probability of an event during this brief period.C.1 This Condition is entered as a result of a failure to meet the acceptance criterion for particulates.

Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability.

Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the DGs inoperable.

The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil.D.1 With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties.

This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or to restore the stored fuel oil properties.

This restoration may involve feed and bleed procedures, filtering, or combination of these procedures.

Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is high likelihood that the DG would still be capable of performing its intended function.

If the new fuel has not yet been added to the fuel oil storage tanks, entry into this Condition is not necessary.

E. 1 With pressure at least 200 psig in at least one starting air receiver, sufficient capacity for multiple DG start attempts in accordance with References 7 and 9 exists. As long as the pressure is at least 125 psig in at least one starting air receiver, there is capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration to the required pressure Cooper B 3.8-32 02/07/13 I Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS (continued) prior to declaring the DG inoperable.

This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period.F. 1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, or the stored diesel fuel oil, lube oil, or starting air subsystem not within limits for reasons other than addressed by Conditions A, B, C, D, or E, the associated DG(s) may be incapable of performing its intended function and must be immediately declared inoperable.

SURVEILLANCE REQUIREMENTS SR 3.8.3.1 This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support a single DG's operation for 7 days at maximum post-LOCA load demand. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.SR 3.8.3.2 This Surveillance ensures that sufficient lubricating oil inventory (combined inventory in the DG lube oil sump and in the warehouse) is available to support at least 7 days of operation for one DG at maximum post-LOCA load demand. The 504 gal requirement is based on a 3 gallon per hour consumption value for the run time of the DG. Implicit in this SR is the requirement to verify that adequate DG lube oil is stored onsite to ensure that sump level does not drop below the manufacturer's recommended minimum level.Cooper B 3.8-33 02/07/13 I Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued)

A 31 day Frequency is adequate to ensure that a sufficient lube oil supply is onsite, since DG starts and run time are closely monitored by the plant staff.S R 3.8.3.3 The tests of new fuel oil prior to addition to the storage tanks are a means of determining whether new fuel oil is of the appropriate grade and has not been contaminated with substances that would have an immediate detrimental impact on diesel engine combustion.

If results from these tests are within acceptable limits, the fuel oil may be added to the storage tanks without concern for contaminating the entire volume of fuel oil in the storage tanks. These tests are to be conducted prior to adding the new fuel to the storage tank(s), but in no case is the time between the sample (and corresponding test results) including receipt of new fuel and addition of new fuel oil to the storage tanks to exceed 31 days. The tests, limits, and applicable ASTM Standards are as follows: a. Sample the new fuel oil in accordance with ASTM D4057-1988 (Ref. 8);b. Verify in accordance with the tests specified in ASTM D975-1989a (Ref. 8) that: (1) the sample has an API gravity of within 0.30 at 60°F or a specific gravity of within 0.0016 at 60/601F, when compared to the supplier's certificate, or the sample has an absolute specific gravity at 60/601F of > 0.83 and < 0.89 or an API gravity at 601F of > 260 and < 380; (2) a kinematic viscosity at 40 0 C of ? 1.9 centistokes and 4.1 centistokes, or a Saybolt viscosity at 100°F of > 32.6 and < 40.1 if gravity was not determined by comparison with the supplier's certification; and (3)a flash point of > 125°F; and c. Verify that the new fuel oil has a clear and bright appearance with proper color when tested in accordance with ASTM D4176-1991 (Ref. 8) or a water and sediment content of < 0.05% volume when tested in accordance with ASTM D1 796-1983 (Ref. 8).Failure to meet any of the above limits is cause for rejecting the new fuel oil, but does not represent a failure to meet the LCO concern since the fuel oil is not added to the storage tanks.Cooper B 3.8-34 02/07/13 I Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued)

Following the initial new fuel oil sample, the new fuel oil is analyzed to establish that the other properties specified in Table 1 of ASTM D975-1989a (Ref. 8) are met for new fuel oil when tested in accordance with ASTM D975-1989a (Ref. 8), except that the analysis for sulfur may be performed in accordance with ASTM D1 552-1990 (Ref. 8) or ASTM D2622-1992 (Ref. 8). These additional analyses are required, by Specification 5.5.9, "Diesel Fuel Oil Testing Program," to be performed within 31 days following addition of new fuel oil. This 31 day requirement is intended to assure that: a. The new fuel oil sample is taken no more than 31 days old at the time of adding the new fuel oil to the DG storage tank; and b. The results of the new fuel oil sample are obtained within 31 days after addition of the new fuel oil to the DG storage tank.The 31 day period is acceptable because the fuel oil properties of interest, even if they were not within stated limits, would not have an immediate effect on DG operation.

This Surveillance ensures the availability of high quality fuel oil for the DGs.Fuel oil degradation during long term storage shows up as an increase in particulate, mostly due to oxidation.

The presence of particulate does not mean that the fuel oil will not burn properly in a diesel engine. The particulate can cause fouling of filters and fuel oil injection equipment, however, which can cause engine failure.Particulate concentrations should be determined in accordance with ASTM D2276-1989 (Ref. 8), Method A. This method involves a gravimetric determination of total particulate concentration in the fuel oil and has a limit of 10 mg/I. It is acceptable to obtain a field sample for subsequent laboratory testing in lieu of field testing. For the Cooper Nuclear Station design in which the total volume of stored fuel oil is contained in two interconnected tanks, each tank must be considered and tested separately.

The Frequency of this test takes into consideration fuel oil degradation trends that indicate that particulate concentration is unlikely to change significantly between Frequency intervals.

SIR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each DG is available.

The system design Cooper B 3.8-35 02/07/13 I Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES SURVEILLANCE REQUIREMENTS (continued) requirements provide for multiple engine start cycles without recharging.

The pressure specified in this SR is intended to reflect the lowest value at which the requirements of Reference 7 can be satisfied.

The 31 day Frequency takes into account the capacity, capability, redundancy, and diversity of the AC sources and other indications available in the control room, including alarms, to alert the operator to below normal air start pressure.SR 3.8.3.5 Microbiological fouling is a major cause of fuel oil degradation.

There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel storage tanks once every 31 days eliminates the necessary environment for bacterial survival.

This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation.

Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria.

Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequencies are consistent with Regulatory Guide 1.137 (Ref. 2), as supplemented by ANSI N195 (Ref.3). This SR is for preventive maintenance.

The presence of water does not necessarily represent failure of this SR, provided the accumulated water is removed to the extent possible during performance of the Surveillance.

REFERENCES

1. USAR, Section VIII-5.2.2. Regulatory Guide 1.137, Revision 1, October 1979.3. ANSI N195, Appendix B, 1976.4. USAR, Chapter VI.5. USAR, Chapter XIV.6. 10 CFR 50.36(c)(2)(ii).
7. USAR, Section Vill-5.3.3.

Cooper B 3.8-36 02/07/13 1 Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES REFERENCES (continued)

8. ASTM Standards:

D4057-1988E1; D975-1989a; D4176-1991; D1796-1983; D1552-1990; D2622-1992; and D2276-1989.

9. NEDC 11-072, DGSA Accumulator Sizing Basis Cooper B 3.8-37 02/07/13 I DC Sources -Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources -Operating BASES BACKGROUND The DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment.

The DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure (Ref.1). The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref.3).The 125 V and 250 V DC power sources provide both motive and control power to selected safety related and nonsafety related equipment.

The Division 1 and Division 2 125 V DC subsystems each consist of a 125 V DC battery, a 125 V battery charger and associated 125 V DC distribution system. The Division 1 and Division 2 250 V DC subsystems each consist of a 250 V DC battery, a 250 V battery charger and associated 250 V DC distribution system. There is an additional 125 V battery charger and an additional 250 V battery charger which can be used as backups to supply either division if the normal battery charger is lost. The backup chargers can be supplied from either division to maintain proper divisional separation.

During normal operation, the DC loads are powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC loads are automatically powered from the batteries.

The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System -Operating," and LCO 3.8.8, "Distribution System -Shutdown." Each battery has adequate storage capacity to carry the required load continuously for approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.Each 125 V DC battery subsystem is separately housed along with the same division 250 V DC battery subsystem in a ventilated room apart from its charger and distribution centers. Each subsystem is located in an area separated physically and electrically from the other subsystems to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem.

There is no sharing between redundant Class 1 E subsystems such as batteries, battery chargers, or distribution panels.Cooper B 3.8-38 02/07/13 1 DC Sources -Operating B 3.8.4 BASES BACKGROUND (continued)

The batteries for DC electrical power subsystems are sized to produce required capacity at 90% of nameplate rating. The life of the batteries will be adjusted based on engineering evaluations of each battery's capacity trend data as the batteries age. The minimum design voltage limits are 105 V and 210 V for the 125 V DC and the 250 V DC subsystems, respectively.

Each DC electrical power subsystem battery charger has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each station service battery charger has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> while supplying normal steady state loads (Ref. 3).APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the USAR, Chapter XIV (Ref. 4) assume that Engineered Safety Feature (ESF) systems are OPERABLE.

The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining DC sources OPERABLE during accident conditions in the event of: a. An assumed loss of all offsite AC power or all onsite AC power;and b. A worst case single failure.The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 5).LCO The 125 V and 250 V DC electrical power subsystems, with each subsystem consisting of one battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus, are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. Loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed.

Cooper B 3.8-39 02/07/13 I DC Sources -Operating B 3.8.4 BASES APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe unit operation and to ensure that: a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.The DC electrical power requirements for MODES 4 and 5, and other conditions in which the DC electrical power sources are required are addressed in LCO 3.8.5, "DC Sources -Shutdown." ACTIONS A. 1 Condition A represents one 125 V DC division with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation.

It is therefore imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of 125 V DC power to the affected division.

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> limit is consistent with the allowed time for an inoperable DC Distribution System division.If one of the 125 V DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and associated inoperable battery), the remaining 125 V DC electrical power subsystem has the capacity to support a safe shutdown and to mitigate an accident condition.

Since a subsequent worst case single failure could, however, result in the loss of minimum necessary 125 V DC electrical subsystems to mitigate a worst case accident, continued power operation should not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time is based on Regulatory Guide 1.93 (Ref. 6) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.B.1 and B.2 If the 125 V DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are Cooper B 3.8-40 02/07/13 I DC Sources -Operating B 3.8.4 BASES ACTIONS (continued) reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time to bring the unit to MODE 4 is consistent with the time required in Regulatory Guide 1.93 (Ref. 6).C.1 With the Division 1 250 V DC electrical power subsystem inoperable, one LPCI subsystem is rendered inoperable.

Loss of the Division 2 250 V DC electrical power subsystem renders HPCI and the other LPCI subsystem inoperable.

Required Action C.1 therefore requires with one 250 V DC electrical power subsystem inoperable that the associated supported features be declared inoperable immediately.

This declaration also requires entry into applicable Conditions and Required Actions for the associated supported features.SURVEILLANCE REQUIREMENTS SR 3.8.4.1 Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function.

Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations.

Terminal voltage while on float charge is determined by multiplying the number of cells in the battery by minimum float voltage for the battery's nominal SG. At CNS, battery cells are designed for a nominal SG of 1.215 +/- 0.005. Minimum cell float voltage for SG of 1.215 is 2.17 volts per cell (Vpc). The 125 VDC systems have 58 cells connected in series and the 250 VDC systems have 120 cells connected in series. Multiplying 2.17 Vpc by 58 cells yields minimum voltage for 125 V batteries of 125.9. Multiplying 2.17 Vpc by 120 cells yields minimum voltage for 250 V batteries of 260.4. The 7 day Frequency is conservative when compared with the manufacturer's recommendations and IEEE-450 (Ref. 7).Cooper B 3.8-41 02/07/13 1 DC Sources -Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.4.2 Visual inspection to detect corrosion of the battery cells and connections, or measurement of the resistance of each inter-cell, inter-rack, inter-tier, and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The limits for battery connection resistance are specified in Table 3.8.4-1.For inter-cell, inter-tier, and terminal connections, the limits are 150 micro-ohm. For inter-rack connections, the limit is 280 micro-ohm.

The total resistance of the batteries is also monitored.

This total resistance is the sum of the inter-cell connectors, the inter-tier cables and connectors, the inter-rack cables and connectors, and the terminal connections.

The limits for total resistance in the load and voltage studies are 3355 micro-ohm for the 125 volt batteries (Ref. 11 and 12), 6595 micro-ohm for Division I of the 250 volt battery (Ref. 13), and 6775 micro-ohm for Division 2 of the 250 volt battery (Ref. 14). The total resistance limits in Table 3.8.4-1 are conservative two significant digit expressions of the calculated limits.The Frequency for these inspections, which can detect conditions that can cause power losses due to resistance heating, is 92 days. This Frequency is considered acceptable based on operating experience related to detecting corrosion trends.SR 3.8.4.3 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the Operability of the battery (its ability to perform its design function).

The 18 month Frequency for the Surveillance is based on engineering judgement.

Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency.

Therefore, the Frequency has been concluded to be acceptable from a reliability standpoint.

Cooper B 3.8-42 02/07/13 I DC Sources -Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.8.4.4 and SR 3.8.4.5 Visual inspection and resistance measurements of inter-cell, inter-rack, inter-tier, and terminal connections provides an indication of physical damage or abnormal deterioration that could indicate degraded battery condition.

The anti-corrosion material is used to help ensure good electrical connections and to reduce terminal deterioration.

The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection.

The removal of visible corrosion is a preventive maintenance SR. The presence of visible corrosion does not necessarily represent a failure of this SR, provided visible corrosion is removed during performance of this Surveillance.

The limits for battery connection resistance are specified in Table 3.8.4-1.For inter-cell, inter-tier, and terminal connections, the limits are 150 micro-ohm. For inter-rack connections, the limit is 280 micro-ohm.

The total resistance of the batteries is also monitored.

This total resistance is the sum of the inter-cell connectors, the inter-tier cables and connectors, the inter-rack cables and connectors, and the terminal connections.

The limits for total resistance in the load and voltage studies are 3355 micro-ohm for the 125 volt batteries (Ref. 11 and 12), 6595 micro-ohm for Division 1 of the 250 volt battery (Ref. 13), and 6775 micro-ohm for Division 2 of the 250 volt battery (Ref. 14). The total resistance limits in Table 3.8.4-1 are conservative two significant digit expressions of the calculated limits.The 18 month Frequency for the Surveillances is based on engineering judgment.

Operating experience has shown that these components usually pass the SR when performed at the 18 month Frequency.

Therefore, the Frequency has been concluded to be acceptable from a reliability standpoint.

SR 3.8.4.6 Battery charger capability requirements are based on the design capacity of the chargers (Ref. 3). According to Regulatory Guide 1.32 (Ref. 8), the battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand Cooper B 3.8-43 02/07/13 I DC Sources -Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued) occurrences.

The minimum required amperes and duration ensures that these requirements can be satisfied.

The Frequency is acceptable, given the unit conditions required to perform the test and the other administrative controls existing to ensure adequate charger performance during these 24 month intervals.

In addition, this Frequency is intended to be consistent with expected fuel cycle lengths.SR 3.8.4.7 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length corresponds to the design duty cycle requirements as specified in design calculations.

The Frequency of 24 months is consistent with the intent of the recommendations of Regulatory Guide 1.32 (Ref. 8) and Regulatory Guide 1.129 (Ref. 9), which state that the battery service test should be performed during refueling operations or at some other outage.This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test once per 60 months. The substitution is acceptable because a modified performance discharge test represents a more severe test of battery capacity than SR 3.8.4.7.The reason for Note 2 is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance.

SR 3.8.4.8 A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall battery degradation due to age and usage.A battery modified performance discharge test is a simulated duty cycle consisting of just two rates; the one minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance discharge test, both of which envelope the Cooper B 3.8-44 02/07/13 I DC Sources -Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued) duty cycle of the service test. Since the ampere-hours removed by a rated one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity.

Initial conditions for the modified performance discharge test should be identical to those specified for a service test. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8; however, only the modified performance discharge test may be used to satisfy SR 3.8.4.8 while satisfying the requirements of SR 3.8.4.7 at the same time.The acceptance criteria of > 90% capacity for this Surveillance is conservative with respect to IEEE-450 (Ref. 7) and IEEE-485 (Ref. 10).These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

The Frequency for this test is normally 60 months. If the battery shows degradation, or if the battery has reached 15 years (85% of its expected life) and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 18 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity> 100% of the manufacturer's rating. Degradation is indicated, according to IEEE-450 (Ref. 7), when the battery capacity drops by more than 10%relative to its capacity on the previous performance tests or when it is below 90% of the manufacturer's rating. However, at Cooper Nuclear Station degradation is defined when the battery capacity drops by more than 5% relative to the capacity on the previous performance test or when the battery capacity 5 95% of the manufacturer's rating. This more restrictive definition of degradation is necessary to ensure that the decision can be made for battery replacement before the > 90% capacity technical specification is violated.

The 60 month frequency is consistent with the recommendations in IEEE-450 (Ref. 7). The 18 month and 24 month Frequencies are derived from the recommendations in IEEE-450 (Ref. 7)Cooper B 3.8-45 02/07/13 I DC Sources -Operating B 3.8.4 BASES SURVEILLANCE REQUIREMENTS (continued)

This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance.

REFERENCES 1.2.3.4.5.6.7.8.9.10.11.12.13.14.USAR, Section VIII-6.2.Regulatory Guide 1.6.IEEE Standard 308, 1970.USAR, Chapter XIV.10 CFR 50.36(c)(2)(ii).

Regulatory Guide 1.93.IEEE Standard 450, 1995.Regulatory Guide 1.32, February 1977.Regulatory Guide 1.129, December 1974.IEEE Standard 485, 1983.NEDC 87-131C, 125 VDC Division I Load and Voltage Study.NEDC 87-131 D, 125 VDC Division II Load and Voltage Study.NEDC 87-131A, 250 VDC Division I Load and Voltage Study.NEDC 87-131 B, 250 VDC Division II Load and Voltage Study.Cooper B 3.8-46 02/07/13 1 DC Sources -Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources -Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4,"DC Sources -Operating." APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the USAR, Chapter XIV (Ref. 1) assume that Engineered Safety Feature systems are OPERABLE.

The DC electrical power system provides normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation and during movement of irradiated fuel assemblies in the secondary containment.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that: a. The facility can be maintained in the shutdown or refueling condition for extended periods;b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.The DC sources satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).LCO The 125 V and 250 V DC electrical power subsystems, with each subsystem consisting of one battery, one battery charger, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus are required to be OPERABLE to support required DC distribution subsystems required OPERABLE by LCO 3.8.8,"Distribution Systems -Shutdown." This requirement ensures the Cooper B 3.8-47 02/07/13 1 DC Sources -Shutdown B 3.8.5 BASES LCO (continued) availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown).

APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that: a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel;b. Required features needed to mitigate a fuel handling accident are available;

c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4.ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable.

If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown.A.1, A.2.1, A.2.2, A.2.3, and A.2.4 If more than one DC distribution subsystem is required according to LCO 3.8.8, the DC electrical power subsystems remaining OPERABLE, with one or more DC electrical power subsystems inoperable, may be capable of supporting sufficient required features to allow continuation of CORE Cooper B 3.8-48 02/07/13 I DC Sources -Shutdown B 3.8.5 BASES ACTIONS (continued)

ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowance of the option to declare required features inoperable with associated DC electrical power subsystems inoperable, appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS. However, in many instances, this option may involve undesired administrative efforts.Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention.

The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.SURVEILLANCE REQUIREMENTS SR 3.8.5.1 SR 3.8.5.1 specifies applicability of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.8. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.REFERENCES

1. USAR, Chapter XIV.2. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.8-49 02/07/13 1 Battery Cell Parameters B 3.8.6 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC electrical power subsystems batteries.

A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources -Operating," and LCO 3.8.5, "DC Sources -Shutdown." APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in USAR, Chapter XIV (Ref. 1) assume Engineered Safety Feature systems are OPERABLE.

The DC electrical power subsystems provide normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit as discussed in the Bases for LCO 3.8.4 and LCO 3.8.5.Since battery cell parameters support the operation of the DC electrical power subsystems, they satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref.2).LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA. Electrolyte limits are conservatively established, allowing continued DC electrical system function even with Category A and B limits not met.APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystem.

Therefore, these cell parameters are only required when the associated DC electrical power subsystem is required to be OPERABLE.

Refer to the Applicability discussions in Bases for LCO 3.8.4 and LCO 3.8.5.Cooper B 3.8-50 02/07/13 I Battery Cell Parameters B 3.8.6 BASES ACTIONS A.1, A.2, and A.3 With parameters of one or more cells in one or more batteries not within limits (i.e., Category A limits not met or Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1, the battery is degraded but there is still sufficient capacity to perform the intended function.

Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met, and continued operation is permitted for a limited period.The pilot cell(s) electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (Required Action A.1).This check provides a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cell(s). One hour is considered a reasonable amount of time to perform the required verification.

Verification that the Category C limits are met (Required Action A.2)provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function.

A period of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable.

The verification is repeated at 7 day intervals until the parameters are restored to Category A and B limits. This periodic verification is consistent with the normal Frequency of pilot cell Surveillances.

Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable for operation prior to declaring the DC batteries inoperable.

B. 1 When any battery parameter is outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not ensured and the corresponding DC electrical power subsystem must be declared inoperable.

Additionally, other potentially extreme conditions, such as any Required Action of Condition A and associated Completion Time not met, or average electrolyte temperature Cooper B 3.8-51 02/07/13 I Battery Cell Parameters B 3.8.6 BASES ACTIONS (continued) of representative cells < 70 0 F, also are cause for immediately declaring the associated DC electrical power subsystem inoperable.

SURVEILLANCE REQUIREMENTS SR 3.8.6.1 This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 3), which recommends regular battery inspections (at least one per month) including voltage, specific gravity, and electrolyte temperature of pilot cells.SR 3.8.6.2 The quarterly inspection of specific gravity and voltage is consistent with IEEE-450 (Ref. 3). In addition, within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of a battery discharge< 105 V for a 125 V battery and < 210 V for a 250 V battery, or a battery overcharge

> 140 V for a 125 V battery or > 280 V for a 250 V battery, the affected battery must be demonstrated to meet Category B limits.Transients, such as motor starting transients, which may momentarily cause battery voltage to drop to < 105 v, or < 210 V, as applicable, do not constitute a battery discharge provided the battery terminal voltage and float current return to pre-transient values. This inspection is also consistent with IEEE-450 (Ref. 3), which recommends special inspections following a severe discharge or overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such discharge or overcharge.

SR 3.8.6.3 This Surveillance verification that the average temperature of representative cells is within limits is consistent with a recommendation of IEEE-450 (Ref. 3) that states that the temperature of electrolytes in representative cells should be determined on a quarterly basis.Lower than normal temperatures act to inhibit or reduce battery capacity.This SR ensures that the operating temperatures remain within an acceptable operating range. This limit is based on manufacturer's recommendations and the battery sizing calculations.

Cooper B 3.8-52 02/07/13 1 Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued)

Table 3.8.6-1 This Table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories.

The meaning of each category is discussed below.Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery.The Category A limits specified for electrolyte level are based on manufacturer's recommendations, and are consistent with the guidance in IEEE-450 (Ref. 3), with the extra 1/4 inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, footnote (a) to Table 3.8.6-1 permits the electrolyte level to be temporarily above the specified maximum level during and following an equalizing charge (i.e., for up to several days following the completion of an equalize charge), provided it is not overflowing.

These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions.

IEEE-450 (Ref. 3) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.The Category A limit specified for float voltage is > 2.13 V per cell. This value is based on manufacturer's recommendations, and on the recommendation of IEEE-450 (Ref. 3), which states that prolonged operation of cells below 2.13 V can reduce the life expectancy of cells.The Category A limit specified for specific gravity for each pilot cell is_> 1.205. This value is characteristic of a charged cell with adequate capacity.

According to IEEE-450 (Ref. 3), the specific gravity readings are based on a temperature of 771F (251C).The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3 0 F (1.67 0 C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3 0 F below 77 0 F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation.

Level correction will be in accordance with manufacturer's recommendations.

Category B defines the normal parameter limits for each connected cell.The term "connected cell" excludes any battery cell that may be jumpered out.Cooper B 3.8-53 02/07/13 I Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued)

The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is > 1.200 with the average of all connected cells > 1.205.These values are based on manufacturer's recommendations.

The minimum specific gravity value required for each cell ensures that a cell with a marginal or unacceptable specific gravity is not masked by averaging with cells having higher specific gravities.

Category C defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limits, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable.

The Category C limit specified for electrolyte level (above the top of the plates and not overflowing) ensures that the plates suffer no physical damage and maintain adequate electron transfer capability.

The Category C limit for voltage of 2.10 V is conservative, and is based on IEEE-450, Appendix C (Ref. 3), which states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement.

The Category C limit on average specific gravity > 1.205, is based on manufacturer's recommendations.

In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that a cell with a marginal or unacceptable specific gravity is not masked by averaging with cells having higher specific gravities.

The footnotes to Table 3.8.6-1 that apply to specific gravity are applicable to Category A, B, and C specific gravity. Footnote (b) of Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current, while on float charge, is < 2 amps. This current provides, in general, an indication of acceptable overall battery condition.

Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize.

A stabilized charging current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 3). Footnote (c) to Table 3.8.6-1 allows the Cooper B 3.8-54 02/07/13 1 Battery Cell Parameters B 3.8.6 BASES SURVEILLANCE REQUIREMENTS (continued) float charge current to be used as an alternate to specific gravity for up to 7 days following a battery recharge.

Within 7 days, each connected cell's specific gravity must be measured to confirm the state of charge.Following a minor battery recharge (such as equalizing charge that does not follow a deep discharge) specific gravity gradients are not significant, and confirming measurements may be made in less than 7 days.REFERENCES

1. USAR, Chapter XIV.2. 10 CFR 50.36(c)(2)(ii).
3. IEEE Standard 450, 1987.Cooper B 3.8-55 02/07/13 1 Distribution Systems -Operating B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems -Operating BASES BACKGROUND The onsite Class 1 E AC and DC electrical power distribution system is divided into redundant and independent AC and DC electrical power distribution subsystems.

The primary AC distribution system consists of two 4.16 kV critical buses each having two offsite sources of power as well as a dedicated onsite diesel generator (DG) source. Each 4.16 kV critical bus is normally connected to a normal source through either the normal station service transformer or the startup station service transformer (which is one of the qualified offsite circuits).

During a loss of the normal offsite power source to the 4.16 kV critical buses, the critical buses may be supplied from the 69 kV line through the emergency station service transformer (which is the other qualified offsite circuit) after a one second delay. If all offsite sources are unavailable, the onsite emergency DGs supply power to the 4.16 kV critical buses.The secondary AC distribution system includes 480 VAC critical buses 1 F and 1 G and associated load centers, and transformers.

There are two independent 125 V DC and two independent 250 VDC station service electrical power distribution subsystems that support the necessary power for Engineered Safety Features (ESF) functions.

The list of required distribution buses is presented in Table 3.8.7-1.APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident (DBA) and transient analyses in the USAR, Chapter XIV (Ref. 1), assume ESF systems are OPERABLE.The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC)System; and Section 3.6 Containment Systems.Cooper B 3.8-56 02/07/13 1 Distribution Systems -Operating B 3.8.7 BASES APPLICABLE SAFETY ANALYSES (continued)

The OPERABILITY of the AC and DC electrical power distribution subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining distribution systems OPERABLE during accident conditions in the event of: a. An assumed loss of all offsite power or all onsite AC electrical power; and b. A postulated worst case single failure.The AC and DC electrical power distribution system satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).LCO The required electrical power distribution subsystems listed in Table 3.8.7-1 ensure the availability of AC and DC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an abnormal operational transient or a postulated DBA.The AC and DC electrical power distribution subsystems are required to be OPERABLE.Maintaining the Division 1 and 2 AC and DC electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated.

Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.The AC electrical power distribution subsystems require the associated buses and electrical circuits to be energized to their proper voltages.OPERABLE DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger.Based on the number of safety significant electrical loads associated with each bus listed in Table 3.8.7-1, if one or more of the buses becomes inoperable, entry into the appropriate ACTIONS of LCO 3.8.7 is required.Other buses, such as motor control centers (MCC) and distribution panels, which help comprise the AC and DC distribution systems are not listed in Table 3.8.7-1. The loss of electrical loads associated with these buses may not result in a complete loss of redundant safety function necessary to shut down the reactor and maintain it in a safe condition.

Therefore, should one or more of these buses become inoperable due to a failure not affecting the Operability of a bus listed in Table 3.8.7-1 (e.g., a breaker supplying a single MCC fails open), the individual loads on the Cooper B 3.8-57 02/07/13 I Distribution Systems -Operating B 3.8.7 BASES LCO (continued) bus would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. However, if one or more of these buses is inoperable due to a failure which also affects the Operability of a bus listed in Table 3.8.7-1 (e.g., loss of a 4.16 kV critical bus, which results in de-energization of all buses powered from the 4.16 kV critical bus), then although the individual loads are still considered inoperable, the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to the inoperability of a support system governed by a Technical Specification; the 4.16 kV critical bus).In addition, tie breakers between redundant safety related AC and DC power distribution subsystems, must be open. This prevents any electrical malfunction in any power distribution subsystem from propagating to the redundant subsystem, which could cause the failure of a redundant subsystem and a loss of essential safety function(s).

If any tie breakers are closed, the electrical power distribution subsystems that are not being powered from their normal source (i.e., they are being powered from their redundant electrical power distribution subsystem) are considered inoperable.

This applies to the onsite, safety related, redundant electrical power distribution subsystems.

It does not, however, preclude redundant Class IE 4.16 kV critical buses from being powered from the same offsite circuit.APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, and 3 to ensure that: a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of abnormal operational transients; and b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA.Electrical power distribution subsystem requirements for MODES 4 and 5 and other conditions in which AC and DC electrical power distribution subsystems are required are covered in the Bases for LCO 3.8.8,"Distribution Systems -Shutdown." Cooper B 3.8-58 02/07/13 I Distribution Systems -Operating B 3.8.7 BASES ACTIONS A._1 With one AC electrical power distribution subsystem inoperable, the remaining AC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystem could result in the minimum required ESF functions not being supported.

Therefore, the required AC electrical power distribution subsystem must be restored to OPERABLE status within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.The Condition A worst scenario is one division without AC power (i.e., no offsite power to the division and the associated DG inoperable).

In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operators' attention be focused on minimizing the potential for loss of power to the remaining division by stabilizing the unit, and on restoring power to the affected division.

The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> time limit before requiring a unit shutdown in this Condition is acceptable because of: a. The potential for decreased safety if the unit operators' attention is diverted from the evaluations and actions necessary to restore power to the affected division to the actions associated with taking the unit to shutdown within this time limit.b. The potential for an event in conjunction with a single failure of a redundant component in the division with AC power. (The redundant component is verified OPERABLE in accordance with Specification 5.5.11, "Safety Function Determination Program (SFDP).")The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DC bus is inoperable and subsequently returned OPERABLE, this LCO may already have been not met for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. This situation could lead to a total duration of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, since initial failure of this LCO, to restore the AC electrical power distribution system. At this time a DC bus could again become inoperable, and the AC electrical power distribution system could be restored OPERABLE.

This could continue indefinitely.

Cooper B 3.8-59 02/07/13 I Distribution Systems -Operating B 3.8.7 BASES ACTIONS (continued)

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This results in establishing the "time zero" at the time this LCO was initially not met, instead of at the time Condition A was entered. The 16 hour1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

B.1 With one 125 V DC electrical power subsystem inoperable, the remaining 125 V DC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystem would result in the minimum required ESF functions not being supported.

Therefore, the required 125 V DC electrical power subsystem must be restored to OPERABLE status within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> by powering the bus from the associated battery or charger.Condition B represents one division without adequate 125 V DC power, potentially with both the battery significantly degraded and the associated charger nonfunctioning.

In this situation the plant is significantly more vulnerable to a complete loss of all DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for loss of power to the remaining division, and restoring power to the affected division.This 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> limit is more conservative than Completion Times allowed for the majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, is acceptable because of: a. The potential for decreased safety when requiring a change.in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue;b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Required Actions for components without DC power, while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division;Cooper B 3.8-60 02/07/13 I Distribution Systems -Operating B 3.8.7 BASES ACTIONS (continued)

c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Completion Time for 125 V DC electrical power distribution subsystems is consistent with Regulatory Guide 1.93 (Ref. 3).The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet this LCO. If Condition B is entered while, for instance, an AC bus is inoperable and subsequently restored OPERABLE, this LCO may already have been not met for up to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. This situation could lead to a total duration of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, since initial failure of this LCO, to restore the DC electrical power distribution system. At this time, an AC bus could again become inoperable, and DC electrical power distribution could be restored OPERABLE.

This could continue indefinitely.

This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This allowance results in establishing the "time zero" at the time this LCO was initially not met, instead of at the time Condition B was entered. The 16 hour1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> Completion Time is an acceptable limitation on this potential of failing to meet the LCO indefinitely.

C.1 and C.2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and to MODE 4 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.D.1 With the Division 1 250 V DC electrical power subsystem inoperable, one LPCI subsystem is rendered inoperable.

Loss of the Division 2 250 V DC electrical power subsystem renders HPCI and the other LPCI subsystem inoperable.

Required Action D.1 therefore requires with one 250 V DC electrical power subsystem inoperable that the associated supported features be declared inoperable immediately.

This declaration also Cooper B 3.8-61 02/07/13 I Distribution Systems -Operating B 3.8.7 BASES ACTIONS (continued) requires entry into applicable Conditions and Required Actions for the associated supported features.E. 1 Condition E corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost.When more than one AC or DC electrical power distribution subsystem is lost, and this results in the loss of a required function, the plant is in a condition outside the accident analysis.

Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.SURVEILLANCE REQUIREMENTS SR 3.8.7.1 This Surveillance verifies that the AC and DC electrical power distribution systems are functioning properly, with the correct circuit breaker alignment.

The correct breaker alignment ensures the appropriate separation and independence of the electrical buses are maintained, and the appropriate voltage is available to each required bus. The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the AC and DC electrical power distribution subsystems, and other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES

1. USAR, Chapter XIV.2. 10 CFR 50.36(c)(2)(ii).
3. Regulatory Guide 1.93, December 1974.Cooper B 3.8-62 02/07/13 I Distribution Systems -Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems -Shutdown BASES BACKGROUND A description of the AC and DC electrical power distribution system is provided in the Bases for LCO 3.8.7, "Distribution Systems -Operating." APPLICABLE SAFETY ANALYSES The initial conditions of Design Basis Accident and transient analyses in the USAR, Chapter XIV (Ref. 1) assume Engineered Safety Feature (ESF) systems are OPERABLE.

The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.The OPERABILITY of the AC and DC electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC and DC electrical power sources and associated power distribution subsystems during MODES 4 and 5, and during movement of irradiated fuel assemblies in the secondary containment ensures that: a. The facility can be maintained in the shutdown or refueling condition for extended periods;b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and c. Adequate power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.The AC and DC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36(c)(2)(ii) (Ref. 2).LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition.

Implicit in those requirements is the required OPERABILITY of necessary support features.

This LCO explicitly requires energization of Cooper B 3.8-63 02/07/13 I Distribution Systems -Shutdown B 3.8.8 BASES LCO (continued) the portions of the electrical distribution system necessary to support OPERABILITY of Technical Specifications required systems, equipment, and components

-both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY.

In addition, it is acceptable for required buses to be cross-tied during shutdown conditions, permitting a single source to supply multiple redundant buses, provided the source is capable of maintaining proper frequency (if required) and voltage.Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown).

APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that: a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel;b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The AC and DC electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7.ACTIONS LCO 3.0.3 is not applicable while in MODE 4 or 5. However, since irradiated fuel assembly movement can occur in MODE 1, 2, or 3, the ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable.

If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be sufficient reason to require a reactor shutdown.Cooper B 3.8-64 02/07/13 1 Distribution Systems -Shutdown B 3.8.8 BASES ACTIONS (continued)

A. 1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant divisions of electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem division may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made, (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel).Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems.Notwithstanding performance of the above conservative Required Actions, a required residual heat removal-shutdown cooling (RHR-SDC)subsystem may be inoperable.

In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring RHR-SDC inoperable, which results in taking the appropriate RHR-SDC ACTIONS.The Completion Time of immediately is consistent with the required times for actions requiring prompt attention.

The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power.Cooper B 3.8-65 02/07/13 I Distribution Systems -Shutdown B 3.8.8 BASES SURVEILLANCE REQUIRMENTS SR 3.8.8.1 This Surveillance verifies that the AC and DC electrical power distribution subsystems are functioning properly, with the correct breaker alignment.

The correct breaker alignment ensures power is available to each required bus. The verification of proper voltage availability on the bus ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The 7 day Frequency takes into account the redundant capability of the electrical power distribution subsystems, as well as other indications available in the control room that alert the operator to subsystem malfunctions.

REFERENCES

1. USAR, Chapter XIV.2. 10 CFR 50.36(c)(2)(ii).

Cooper B 3.8-66 02/07/13 1

Retrieved from "https://kanterella.com/w/index.php?title=NLS2013050,_Submittal_of_Technical_Specification_Base_Changes&oldid=1542760"