{{Adams | number = ML16244A411 | issue date = 08/25/2016 | title = Edwin I. Hatch, Units 1 and 2, Updated Final Safety Analysis Report, Technical Specifications Bases Changes. Part 5 of 22 | author name = | author affiliation = Southern Nuclear Operating Co, Inc | addressee name = | addressee affiliation = NRC/NRR | docket = 05000321, 05000366 | license number = | contact person = | case reference number = NL-16-1245 | package number = ML16244A386 | document type = Technical Specification, Bases Change, Updated Final Safety Analysis Report (UFSAR) | page count = 1322 }}

Text

{{#Wiki_filter:(continued) HATCH UNIT 1 i REVISION 67 TABLE OF CONTENTS B 2.0 SAFETY LIMITS (SLs).......................................................................... B 2.0-1 B 2.1.1 Reactor Core SLs .................................................................................. B 2.0-1 B 2.1.2 Reactor Coolant System (RCS) Pressure SL ........................................ B 2.0-5 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY ... B 3.0-1 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY .................. B 3.0-9 B 3.1 REACTIVITY CONTROL SYSTEMS .................................................... B 3.1-1 B 3.1.1 SHUTDOWN MARGIN (SDM) ............................................................... B 3.1-1 B 3.1.2 Reactivity Anomalies ............................................................................. B 3.1-7 B 3.1.3 Control Rod OPERABILITY ................................................................... B 3.1-11 B 3.1.4 Control Rod Scram Times ..................................................................... B 3.1-19 B 3.1.5 Control Rod Scram Accumulators ......................................................... B 3.1-25 B 3.1.6 Rod Pattern Control ............................................................................... B 3.1-30 B 3.1.7 Standby Liquid Control (SLC) System ................................................... B 3.1-35 B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves ...................... B 3.1-42 B 3.2 POWER DISTRIBUTION LIMITS .......................................................... B 3.2-1 B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) ................................................................................... B 3.2-1 B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR) .................................... B 3.2-5 B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR) ...................................... B 3.2-9

(continued) HATCH UNIT 1 ii Revision 1 TABLE OF CONTENTS B 3.3 INSTRUMENTATION ............................................................................ B 3.3-1 B 3.3.1.1 Reactor Protection System (RPS) Instrumentation ............................... B 3.3-1 B 3.3.1.2 Source Range Monitor (SRM) Instrumentation ..................................... B 3.3-33 B 3.3.2.1 Control Rod Block Instrumentation ........................................................ B 3.3-42 B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ............................................................................ B 3.3-53 B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation .................................. B 3.3-59 B 3.3.3.2 Remote Shutdown System .................................................................... B 3.3-70 B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation ............................................................................ B 3.3-75 B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ...................................................... B 3.3-84 B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation .................. B 3.3-92 B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ........... B 3.3-125 B 3.3.6.1 Primary Containment Isolation Instrumentation..................................... B 3.3-135 B 3.3.6.2 Secondary Containment Isolation Instrumentation ................................ B 3.3-161 B 3.3.6.3 Low-Low Set (LLS) Instrumentation ...................................................... B 3.3-171 B 3.3.7.1 Main Control Room Environmental Control (MCREC) System Instrumentation ............................................................................ B 3.3-179 B 3.3.8.1 Loss of Power (LOP) Instrumentation ................................................... B 3.3-185 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ............... B 3.3-193 (continued) HATCH UNIT 1 iii Revision 69 TABLE OF CONTENTS B 3.4 REACTOR COOLANT SYSTEM (RCS) ............................................... B 3.4-1 B 3.4.1 Recirculation Loops Operating .............................................................. B 3.4-1 B 3.4.2 Jet Pumps ............................................................................................. B 3.4-6 B 3.4.3 Safety/Relief Valves (S/RVs) ................................................................. B 3.4-10 B 3.4.4 RCS Operational LEAKAGE.................................................................. B 3.4-13 B 3.4.5 RCS Leakage Detection Instrumentation .............................................. B 3.4-18 B 3.4.6 RCS Specific Activity ............................................................................. B 3.4-24 B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .............................................................................. B 3.4-28 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown ............................................................................ B 3.4-34 B 3.4.9 RCS Pressure and Temperature (P/T) Limits ........................................ B 3.4-39 B 3.4.10 Reactor Steam Dome Pressure............................................................. B 3.4-49

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ............... B 3.5-1 B 3.5.1 ECCS - Operating ................................................................................. B 3.5-1 B 3.5.2 ECCS - Shutdown ................................................................................. B 3.5-14 B 3.5.3 RCIC System ......................................................................................... B 3.5-21 (continued) HATCH UNIT 1 iv REVISION 70 TABLE OF CONTENTS B 3.6 CONTAINMENT SYSTEMS .................................................................. B 3.6-1 B 3.6.1.1 Primary Containment ............................................................................. B 3.6-1 B 3.6.1.2 Primary Containment Air Lock ............................................................... B 3.6-6 B 3.6.1.3 Primary Containment Isolation Valves (PCIVs) ..................................... B 3.6-13 B 3.6.1.4 Drywell Pressure ................................................................................... B 3.6-27 B 3.6.1.5 Drywell Air Temperature ........................................................................ B 3.6-29 B 3.6.1.6 Low-Low Set (LLS) Valves .................................................................... B 3.6-32 B 3.6.1.7 Reactor Building-to-Suppression Chamber Vacuum Breakers ............. B 3.6-35 B 3.6.1.8 Suppression Chamber-to-Drywell Vacuum Breakers ............................ B 3.6-41 B 3.6.2.1 Suppression Pool Average Temperature .............................................. B 3.6-47 B 3.6.2.2 Suppression Pool Water Level .............................................................. B 3.6-52 B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling ................... B 3.6-55 B 3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray ...................... B 3.6-59 B 3.6.2.5 Residual Heat Removal (RHR) Drywell Spray ...................................... B 3.6-63 B 3.6.3.1 Containment Atmosphere Dilution (CAD) System ................................. B 3.6-67 B 3.6.3.2 Primary Containment Oxygen Concentration ........................................ B 3.6-72 B 3.6.4.1 Secondary Containment ........................................................................ B 3.6-75 B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs) ................................ B 3.6-81 B 3.6.4.3 Standby Gas Treatment (SGT) System ................................................. B 3.6-88 (continued) HATCH UNIT 1 v REVISION 70 TABLE OF CONTENTS B 3.7 PLANT SYSTEMS ................................................................................ B 3.7-1 B 3.7.1 Residual Heat Removal Service Water (RHRSW) System ................... B 3.7-1 B 3.7.2 Plant Service Water (PSW) System and Ultimate Heat Sink (UHS) ........................................................................................... B 3.7-7 B 3.7.3 Diesel Generator (DG) 1B Standby Service Water (SSW) System ......................................................................................... B 3.7-14 B 3.7.4 Main Control Room Environmental Control (MCREC) System ............. B 3.7-17 B 3.7.5 Control Room Air Conditioning (AC) System ......................................... B 3.7-25 B 3.7.6 Main Condenser Offgas ........................................................................ B 3.7-31 B 3.7.7 Main Turbine Bypass System ................................................................ B 3.7-34 B 3.7.8 Spent Fuel Storage Pool Water Level ................................................... B 3.7-38 B 3.7.9 Turbine Building Ventilation (TB HVAC) Exhaust System Fans ............ B 3.7-41 B 3.8 ELECTRICAL POWER SYSTEMS ....................................................... B 3.8-1 B 3.8.1 AC Sources - Operating ........................................................................ B 3.8-1 B 3.8.2 AC Sources - Shutdown ........................................................................ B 3.8-38 B 3.8.3 Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air ....................... B 3.8-44 B 3.8.4 DC Sources - Operating ........................................................................ B 3.8-52 B 3.8.5 DC Sources - Shutdown ........................................................................ B 3.8-63 B 3.8.6 Battery Cell Parameters ........................................................................ B 3.8-67 B 3.8.7 Distribution Systems - Operating ........................................................... B 3.8-73 B 3.8.8 Distribution Systems - Shutdown........................................................... B 3.8-82 HATCH UNIT 1 vi Revision 69 TABLE OF CONTENTS (continued)

B 3.9 REFUELING OPERATIONS ................................................................. B 3.9-1 B 3.9.1 Refueling Equipment Interlocks ............................................................. B 3.9-1 B 3.9.2 Refuel Position One-Rod-Out Interlock ................................................. B 3.9-5 B 3.9.3 Control Rod Position ............................................................................. B 3.9-8 B 3.9.4 Control Rod Position Indication ............................................................. B 3.9-10 B 3.9.5 Control Rod OPERABILITY - Refueling ................................................ B 3.9-13 B 3.9.6 Reactor Pressure Vessel (RPV) Water Level ........................................ B 3.9-16 B 3.9.7 Residual Heat Removal (RHR) - High Water Level ............................... B 3.9-19 B 3.9.8 Residual Heat Removal (RHR) - Low Water Level ................................ B 3.9-24 B 3.10 SPECIAL OPERATIONS ...................................................................... B 3.10-1 B 3.10.1 Inservice Leak and Hydrostatic Testing Operation ................................ B 3.10-1 B 3.10.2 Reactor Mode Switch Interlock Testing ................................................. B 3.10-6 B 3.10.3 Single Control Rod Withdrawal - Hot Shutdown .................................... B 3.10-10 B 3.10.4 Single Control Rod Withdrawal - Cold Shutdown .................................. B 3.10-14 B 3.10.5 Single Control Rod Drive (CRD) Removal - Refueling .......................... B 3.10-19 B 3.10.6 Multiple Control Rod Withdrawal - Refueling ......................................... B 3.10-23 B 3.10.7 Control Rod Testing - Operating............................................................ B 3.10-26 B 3.10.8 SHUTDOWN MARGIN (SDM) Test - Refueling .................................... B 3.10-30

LIST OF FIGURES B 3.5.2-1 Top of Irradiated Fuel Assembly .......................................................... B 3.5-20 Reactor Core SLs B 2.1.1 (continued) HATCH UNIT 1 B 2.0-1 REVISION 0 B 2.0 SAFETY LIMITS (SLs) B 2.1.1 Reactor Core SLs

BASES BACKGROUND GDC 10 (Ref. 1) requires, and SLs ensure, that specified acceptable fuel design limits are not exceeded during steady state operation, normal operational transients, and anticipated operational occurrences (AOOs). The fuel cladding integrity SL is set such that no fuel damage is calculated to occur if the limit is not violated. Because fuel damage is not directly observable, a stepback approach is used to establish an SL, such that the MCPR is not less than the limit specified in Specification 2.1.1.2 for General Electric (GE) Company fuel. MCPR greater than the specified limit represents a conservative margin relative to the conditions required to maintain fuel cladding integrity. The fuel cladding is one of the physical barriers that separate the radioactive materials from the environs. The integrity of this cladding barrier is related to its relative freedom from perforations or cracking. Although some corrosion or use related cracking may occur during the life of the cladding, fission product migration from this source is incrementally cumulative and continuously measurable. Fuel cladding perforations, however, can result from thermal stresses, which occur from reactor operation significantly above design conditions. While fission product migration from cladding perforation is just as measurable as that from use related cracking, the thermally caused cladding perforations signal a threshold beyond which still greater thermal stresses may cause gross, rather than incremental, cladding deterioration. Therefore, the fuel cladding SL is defined with a margin to the conditions that would produce onset of transition boiling (i.e., MCPR = 1.00). These conditions represent a significant departure from the condition intended by design for planned operation. The MCPR fuel cladding integrity SL ensures that during normal operation and during AOOs, at least 99.9% of the fuel rods in the core do not experience transition boiling. Operation above the boundary of the nucleate boiling regime could result in excessive cladding temperature because of the onset of transition boiling and the resultant sharp reduction in heat transfer coefficient. Inside the steam film, high cladding temperatures are reached, and a cladding water (zirconium water) reaction may take place. This chemical reaction results in oxidation of the fuel cladding

Reactor Core SLs B 2.1.1 (continued) HATCH UNIT 1 B 2.0-2 REVISION 75 BASES BACKGROUND to a structurally weaker form. This weaker form may lose its integrity, (continued) resulting in an uncontrolled release of activity to the reactor coolant.

The reactor vessel water level SL ensures that adequate core cooling capability is maintained during all MODES of reactor operation. Establishment of Emergency Core Cooling System initiation setpoints higher than this safety limit provides margin such that the safety limit will not be reached or exceeded.

APPLICABLE The fuel cladding must not sustain damage as a result of normal SAFETY ANALYSES operation and AOOs. The reactor core SLs are established to preclude violation of the fuel design criterion that a MCPR limit is to be established, such that at least 99.9% of the fuel rods in the core would not be expected to experience the onset of transition boiling. The Reactor Protection System setpoints [LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"], in combination with the other LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System water level, pressure, and THERMAL POWER level that would result in reaching the MCPR SL.

2.1.1.1 Fuel Cladding Integrity GE critical power correlations are applicable for all critical power calculations at pressures 685 psig and core flows 10% of rated flow. For operation at low pressures or low flows, another basis is used, as follows: Since the pressure drop in the bypass region is essentially all elevation head, the core pressure drop at low power and flows will always be > 4.5 psi. Analyses (Ref. 2) show that with a bundle flow of 28 x 103 lb/hr, bundle pressure drop is nearly independent of bundle power and has a value of 3.5 psi. Thus, the bundle flow with a 4.5 psi driving head will be > 28 x 103 lb/hr. Full scale ATLAS test data taken at pressures from 14.7 psia to 800 psia indicate that the fuel assembly critical power at this flow is approximately 3.35 MWt. With the design peaking factors, this corresponds to a THERMAL POWER > 50% RTP. Thus, a THERMAL POWER limit of 24% RTP for reactor pressure < 685 psig is conservative. Reactor Core SLs B 2.1.1 (continued) HATCH UNIT 1 B 2.0-3 REVISION 22 BASES APPLICABLE 2.1.1.2 MCPR SAFETY ANALYSES (continued) The fuel cladding integrity SL is set such that no fuel damage is calculated to occur if the limit is not violated. Since the parameters that result in fuel damage are not directly observable during reactor operation, the thermal and hydraulic conditions that result in the onset of transition boiling have been used to mark the beginning of the region in which fuel damage could occur. Although it is recognized that the onset of transition boiling would not result in damage to BWR fuel rods, the critical power at which boiling transition is calculated to occur has been adopted as a convenient limit. However, the uncertainties in monitoring the core operating state and in the procedures used to calculate the critical power result in an uncertainty in the value of the critical power. Therefore, the fuel cladding integrity SL is defined as the critical power ratio in the limiting fuel assembly for which more than 99.9% of the fuel rods in the core are expected to avoid boiling transition, considering the power distribution within the core and all uncertainties. The MCPR SL is determined using a statistical model that combines all the uncertainties in operating parameters and the procedures used to calculate critical power. The probability of the occurrence of boiling transition is determined using the approved General Electric Critical Power correlations. Details of the fuel cladding integrity SL calculation are given in Reference 2. Reference 2 also includes a tabulation of the uncertainties used in the determination of the MCPR SL and of the nominal values of the parameters used in the MCPR SL statistical analysis. 2.1.1.3 Reactor Vessel Water Level During MODES 1 and 2, the reactor vessel water level is required to be above the top of the active fuel to provide core cooling capability. With fuel in the reactor vessel during periods when the reactor is shut down, consideration must be given to water level requirements due to the effect of decay heat. If the water level should drop below the top of the active irradiated fuel during this period, the ability to remove decay heat is reduced. This reduction in cooling capability could lead to elevated cladding temperatures and clad perforation in the event that the water level becomes < 2/3 of the core height. The reactor vessel water level SL has been established at the top of the active irradiated fuel to provide a reference point and to also provide adequate margin for effective action. The top of active fuel is 158.44 inches below instrument zero for fuel assemblies with a fuel length of 150 inches (e.g., GE9 through GE12 fuel types). The top of Reactor Core SLs B 2.1.1 HATCH UNIT 1 B 2.0-4 REVISION 70 BASES APPLICABLE 2.1.1.3 Reactor Vessel Water Level (continued) SAFETY ANALYSES active fuel must be adjusted for assemblies with a fuel length not 150 inches. For example, the top of the active fuel for GE13 fuel is 162.44 inches below instrument zero since the fuel length for this fuel type is 146 inches. The Core Operating Limits Report identifies fuel types and fuel lengths used in the current operating cycle. SAFETY LIMITS The reactor core SLs are established to protect the integrity of the fuel clad barrier to the release of radioactive materials to the environs. SL 2.1.1.1 and SL 2.1.1.2 ensure that the core operates within the fuel design criteria. SL 2.1.1.3 ensures that the reactor vessel water level is greater than the top of the active irradiated fuel in order to prevent elevated clad temperatures and resultant clad perforations. APPLICABILITY SLs 2.1.1.1, 2.1.1.2, and 2.1.1.3 are applicable in all MODES. SAFETY LIMIT Exceeding an SL may cause fuel damage and create a potential for VIOLATIONS radioactive doses in excess of 10 CFR 50.67 limits (Ref. 3). Therefore, it is required to insert all insertable control rods and restore compliance with the SLs within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action and also ensures that the probability of an accident occurring during this period is minimal. REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuels" (revision specified in the COLR).

3. 10 CFR 50.67.

RCS Pressure SL B 2.1.2 (continued) HATCH UNIT 1 B 2.0-5 REVISION 70 B 2.0 SAFETY LIMITS (SLs) B 2.1.2 Reactor Coolant System (RCS) Pressure SL

BASES BACKGROUND The SL on reactor steam dome pressure protects the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. Establishing an upper limit on reactor steam dome pressure ensures continued RCS integrity. Per 10 CFR 50, Appendix A, GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref. 1), the reactor coolant pressure boundary (RCPB) shall be designed with sufficient margin to ensure that the design conditions are not exceeded during normal operation and anticipated operational occurrences (AOOs). During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, in accordance with ASME Code requirements, prior to initial operation when there is no fuel in the core. Any further hydrostatic testing with fuel in the core may be done under LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation." Following inception of unit operation, RCS components shall be pressure tested in accordance with the requirements of ASME Code, Section XI (Ref. 3). Overpressurization of the RCS could result in a breach of the RCPB, reducing the number of protective barriers designed to prevent radioactive doses from exceeding the limits specified in 10 CFR 50.67 (Ref. 4). If this occurred in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere. APPLICABLE The RCS safety/relief valves and the Reactor Protection System SAFETY ANALYSES Reactor Vessel Steam Dome Pressure - High Function have settings established to ensure that the RCS pressure SL will not be exceeded. The RCS pressure SL has been selected such that it is at a pressure below which it can be shown that the integrity of the system is not endangered. The reactor pressure vessel is designed to Section III of the ASME Boiler and Pressure Vessel Code, 1965 Edition, including RCS Pressure SL B 2.1.2 HATCH UNIT 1 B 2.0-6 REVISION 70 BASES APPLICABLE Addenda through the Winter of 1966 (Ref. 5), which permits a SAFETY ANALYSES maximum pressure transient of 110%, 1375 psig, of design pressure (continued) 1250 psig. The SL of 1325 psig, as measured in the reactor steam dome, is equivalent to 1375 psig at the lowest elevation of the RCS. The RCS is designed to the USAS Nuclear Power Piping Code, Section B31.1, 1967 Edition, including Addenda A, C, and D (Ref. 6), for the reactor recirculation piping, which permits a maximum pressure transient of 120% of design pressures of 1150 psig for suction piping and 1325 psig for discharge piping. The RCS pressure SL is selected to be the lowest transient overpressure allowed by the applicable codes. SAFETY LIMITS The maximum transient pressure allowable in the RCS pressure vessel under the ASME Code, Section III, is 110% of design pressure. The maximum transient pressure allowable in the RCS piping, valves, and fittings is 120% of design pressures of 1150 psig for suction piping and 1325 psig for discharge piping. The most limiting of these two allowances is the 110% of the reactor vessel design pressure; therefore, the SL on maximum allowable RCS pressure is established at 1325 psig as measured at the reactor steam dome. APPLICABILITY SL 2.1.2 applies in all MODES.

SAFETY LIMIT Exceeding the RCS pressure SL may cause immediate RCS failure VIOLATIONS and create a potential for radioactive doses in excess of 10 CFR 50.67 limits (Ref. 4). Therefore, it is required to insert all insertable control rods and restore compliance with the SL within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action. (continued)

RCS Pressure SL B 2.1.2 HATCH UNIT 1 B 2.0-7 REVISION 70 BASES (continued) REFERENCES 1. 10 CFR 50, Appendix A, GDC 14 and GDC 15.

2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000.

3. ASME, Boiler and Pressure Vessel Code, Section XI, Article IW-5000.

4. 10 CFR 50.67. 5. ASME, Boiler and Pressure Vessel Code, Section III, 1965 Edition, Addenda Winter of 1966. 6. ASME, USAS, Nuclear Power Piping Code, Section B31.1, 1967 Edition, Addenda A, C, and D.

LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-2 REVISION 0 BASES LCO 3.0.2 case, compliance with the Required Actions provides an acceptable (continued) level of safety for continued operation.

Completing the Required Actions is not required when an LCO is met or is no longer applicable, unless otherwise stated in the individual Specifications. The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Condition no longer exists. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.9, "RCS Pressure and Temperature (P/T) Limits." The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. The reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems. Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Alternatives that would not result in redundant equipment being inoperable should be used instead. Doing so limits the time both subsystems/divisions of a safety function are inoperable and limits the time other conditions exist which result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed. When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable and the ACTIONS Condition(s) are entered.

LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-3 REVISION 0 BASES (continued) LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and: a. An associated Required Action and Completion Time is not met and no other Condition applies; or

b. The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly corresponds to the actual condition of the unit. Sometimes, possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS. It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable. Upon entering LCO 3.0.3, 1 hour is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. The time limits specified to reach lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, "Completion Times." A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs: a. The LCO is now met.

LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-4 REVISION 0 BASES LCO 3.0.3 b. A Condition exists for which the Required Actions have now (continued) been performed.

c. ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

The time limits of Specification 3.0.3 allow 37 hours for the unit to be in MODE 4 when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for reaching the next lower MODE applies. If a lower MODE is reached in less time than allowed, however, the total allowable time to reach MODE 4, or other applicable MODE, is not reduced. For example, if MODE 2 is reached in 2 hours, then the time allowed for reaching MODE 3 is the next 11 hours, because the total time for reaching MODE 3 is not reduced from the allowable limit of 13 hours. Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to reach a lower MODE of operation in less than the total time allowed. In MODES 1, 2, and 3, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 4 and 5 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, or 3) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken. Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.8, "Spent Fuel Storage Pool Water Level." LCO 3.7.8 has an Applicability of "During movement of irradiated fuel assemblies in the spent fuel storage pool." Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.8 are not met while in MODE 1, 2, or 3, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.8 of "Suspend movement of irradiated fuel assemblies in the spent fuel storage pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications. LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-5 REVISION 49 BASES (continued) LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c. LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time. Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions in the Required Actions. LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate. The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-6 REVISION 49 BASES LCO 3.0.4 condition, actions to minimize the magnitude of risk increases (continued) (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability. LCO 3.0.4.b may be used with single or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components. The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented. The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular mode bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk, and use of the LCO 3.0.4.b is prohibited. The LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable. LCO 3.0.4.c allows entry into a MODE or other specified condition of the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., Drywell Air Temperature, Drywell Pressure, MCPR) and may be applied to other Specifications based on NRC plant-specific approval. LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-7 REVISION 49 BASES LCO 3.0.4 The provisions of this Specification should not be interpreted as (continued) endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability. The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 to MODE 4. Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification. Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits) as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO. LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 [e.g., to not comply with the applicable Required Action(s)] to allow the performance of SRs to demonstrate: a. The OPERABILITY of the equipment being returned to service; or b. The OPERABILITY of other equipment. The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the allowed SRs. This Specification does not provide time to perform any other preventive or corrective maintenance. LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-8 REVISION 49 BASES LCO 3.0.5 An example of demonstrating the OPERABILITY of the equipment (continued) being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the SRs. An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of an SR on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of an SR on another channel in the same trip system. LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the plant is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions. When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the plant is maintained in a safe condition in the support system's Required Actions. However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-9 REVISION 49 BASES LCO 3.0.6 entry into Conditions and Required Actions for a supported system, (continued) the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2. Specification 5.5.10, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon failure to meet two or more LCOs concurrently, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6. Cross division checks to identify a loss of safety function for those support systems that support safety systems are required. The cross division check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered. LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Special Operations LCOs in Section 3.10 allow specified TS requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect. The Applicability of a Special Operations LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with Special Operations LCOs is optional. A special operation may be performed either under the provisions of the appropriate Special Operations LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Special Operations LCO, the requirements of the LCO Applicability B 3.0 (continued) HATCH UNIT 1 B 3.0-10 REVISION 68 BASES LCO 3.0.7 Special Operations LCO shall be followed. When a Special (continued) Operations LCO requires another LCO to be met, only the requirements of the LCO statement are required to be met regardless of that LCO's Applicability (i.e., should the requirements of this other LCO not be met, the ACTIONS of the Special Operations LCO apply, not the ACTIONS of the other LCO). However, there are instances where the Special Operations LCO's ACTIONS may direct the other LCO's ACTIONS be met. The Surveillances of the other LCO are not required to be met, unless specified in the Special Operations LCO. If conditions exist such that the Applicability of any other LCO is met, all the other LCO's requirements (ACTIONS and SRs) are required to be met concurrent with the requirements of the Special Operations LCO.

LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensed control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee. Every time the provisions of LCO 3.0.8 are used, it must be confirmed that at least one train (or subsystem) of systems supported by the inoperable snubbers would remain capable of performing their required safety or support functions for postulated design loads other than seismic loads. LCO 3.0.8 does not apply to snubbers with only non-seismic loads. If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported system's LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.

LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system. LCO 3.0.8.a allows 72 hours to restore the snubber(s) before declaring the supported system inoperable. The 72 hour Completion Time is reasonable

SDM B 3.1.1 (continued) HATCH UNIT 1 B 3.1-1 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM) BASES BACKGROUND SDM requirements are specified to ensure:

a. The reactor can be made subcritical from all operating conditions and transients and Design Basis Events; b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and

c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition. These requirements are satisfied by the control rods, as described in GDC 26 (Ref. 1), which can compensate for the reactivity effects of the fuel and water temperature changes experienced during all operating conditions.

APPLICABLE SHUTDOWN MARGIN is an explicit assumption in several of the SAFETY ANALYSES evaluations contained in FSAR Chapter 14. The control rod drop accident (CRDA) analysis (Refs. 2 and 3) assumes the core is subcritical with the highest worth control rod withdrawn. Typically, the first control rod withdrawn has a very high reactivity worth and, should the core be critical during the withdrawal of the first control rod, the consequences of a CRDA could exceed the fuel damage limits for a CRDA (see Bases for LCO 3.1.6, "Rod Pattern Control"). Also, SDM is assumed as an initial condition for the control rod removal error during refueling (Ref. 4) and fuel assembly insertion error during refueling (Ref. 5) accidents. The analysis of these reactivity insertion events assumes the refueling interlocks are OPERABLE when the reactor is in the refueling mode of operation. These interlocks prevent the withdrawal of more than one control rod from the core during refueling. (Special consideration and requirements for multiple control rod withdrawal during refueling are covered in Special Operations LCO 3.10.6, "Multiple Control Rod Withdrawal - Refueling.") The analysis assumes this condition is acceptable since the core will be shut down with the highest worth control rod withdrawn, if adequate SDM has been demonstrated.

SDM B 3.1.1 (continued) HATCH UNIT 1 B 3.1-2 REVISION 0 BASES APPLICABLE Prevention or mitigation of reactivity insertion events is necessary to SAFETY ANALYSES limit energy deposition in the fuel to prevent significant fuel damage, (continued) which could result in undue release of radioactivity. Adequate SDM ensures inadvertent criticalities and potential CRDAs involving high worth control rods (namely the first control rod withdrawn) will not cause significant fuel damage. SDM satisfies Criterion 2 of the NRC Policy Statement (Ref. 9). LCO The specified SDM limit accounts for the uncertainty in the demonstration of SDM by testing. Separate SDM limits are provided for testing where the highest worth control rod is determined analytically or by measurement. This is due to the reduced uncertainty in the SDM test when the highest worth control rod is determined by measurement. When SDM is evaluated by calculations not associated with a test (e.g., to confirm SDM during the fuel loading sequence), additional margin is included to account for uncertainties in the calculation. To ensure adequate SDM during the design process, a design margin is included to account for uncertainties in the design calculations (Ref. 6).

APPLICABILITY In MODES 1 and 2, SDM must be provided because subcriticality with the highest worth control rod withdrawn is assumed in the CRDA analysis (Ref. 2). In MODES 3 and 4, SDM is required to ensure the reactor will be held subcritical with margin for a single withdrawn control rod. SDM is required in MODE 5 to prevent an open vessel, inadvertent criticality during the withdrawal of a single control rod from a core cell containing one or more fuel assemblies (Ref. 4) or fuel assembly insertion error (Ref. 5).

ACTIONS A.1 With SDM not within the limits of the LCO in MODE 1 or 2, SDM must be restored within 6 hours. Failure to meet the specified SDM may be caused by a control rod that cannot be inserted. The allowed Completion Time of 6 hours is acceptable, considering that the reactor can still be shut down, assuming no failures of additional control rods to insert, and the low probability of an event occurring during this interval. SDMB 3.1.1(continued)HATCH UNIT 1B 3.1-3REVISION 1BASESACTIONSB.1(continued)If the SDM cannot be restored, the plant must be brought to MODE 3in 12 hours, to prevent the potential for further reductions in availableSDM (e.g., additional stuck control rods). The allowed Completion Time of 12 hours is reasonable, based on operating experience, toreach MODE 3 from full power conditions in an orderly manner andwithout challenging plant systems.C.1With SDM not within limits in MODE 3, the operator must immediatelyinitiate action to fully insert all insertable control rods. Action mustcontinue until all insertable control rods are fully inserted. This actionresults in the least reactive condition for the core.D.1, D.2, D.3, and D.4With SDM not within limits in MODE 4, the operator must immediatelyinitiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This actionresults in the least reactive condition for the core. Action must also beinitiated within 1 hour to provide means for control of potentialradioactive releases. This includes ensuring: 1) secondarycontainment (at least including the Unit 1 reactor building zone) is OPERABLE; 2) sufficient Standby Gas Treatment (SGT) subsystem(s)are OPERABLE to maintain the secondary containment at a negativepressure with respect to the environment (dependent on secondarycontainment configuration, refer to Reference 8; single failureprotection is not required while in this ACTION); and 3) secondary containment isolation capability is available in each associatedsecondary containment penetration flow path not isolated that isassumed to be isolated to mitigate radioactive releases (i.e., at leastone secondary containment isolation valve and associatedinstrumentation are OPERABLE, or other acceptable administrativecontrols to assure isolation capability. The administrative controls canconsist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolationdevice. In this way, the penetration can be rapidly isolated when aneed for secondary containment isolation is indicated.). This may beperformed as an administrative check, by examining logs or otherinformation, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform theSurveillances needed to demonstrate the OPERABILITY of the SDM B 3.1.1 (continued) HATCH UNIT 1 B 3.1-4 REVISION 1 BASES ACTIONS D.1, D.2, D.3, and D.4 (continued) components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.

E.1, E.2, E.3, E.4, and E.5 With SDM not within limits in MODE 5, the operator must immediately suspend CORE ALTERATIONS that could reduce SDM, (e.g., insertion of fuel in the core or the withdrawal of control rods). Suspension of these activities shall not preclude completion of movement of a component to a safe condition. Inserting control rods will reduce the total reactivity and therefore, is excluded from the suspended actions. Removing fuel, while allowable under these Required Actions, should be evaluated for axial reactivity effects before removal. Action must also be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies have been fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and therefore do not have to be inserted. Action must also be initiated within 1 hour to provide means for control of potential radioactive releases. This includes ensuring:

1) secondary containment (at least including the common refueling floor zone) is OPERABLE; 2) sufficient SGT subsystem(s) are OPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondary containment configuration, refer to Reference 8; single failure protection is not required while in this ACTION); and 3) secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactivity releases (i.e., at least one secondary containment isolation valve and associated instrumentation are OPERABLE, or other acceptable administrative controls to assure isolation capability. The administrative controls can consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.). This may be performed as an administrative check, by examining logs or other SDM B 3.1.1 (continued) HATCH UNIT 1 B 3.1-5 REVISION 1 BASES ACTIONS E.1, E.2, E.3, E.4, and E.5 (continued) information, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status.

Action must continue until all required components are OPERABLE. SURVEILLANCE SR 3.1.1.1 REQUIREMENTS Adequate SDM must be verified to ensure that the reactor can be made subcritical from any initial operating condition. This can be accomplished via a test, an evaluation, or a combination of the two. Adequate SDM is demonstrated by testing before or during the first startup after fuel movement or shuffling within the reactor pressure vessel, or control rod replacement. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Since core reactivity will vary during the cycle as a function of fuel depletion and poison burnup, the beginning of cycle (BOC) test must also account for changes in core reactivity during the cycle. Therefore, to obtain the SDM, the initial value must be changed by the value, "R", which is the difference between the calculated value of minimum SDM during the operating cycle and the calculated BOC SDM. If the value of R is positive (that is, BOC is the point in the cycle with the minimum SDM), no correction to the BOC measured value is required (Ref. 7). For the SDM demonstrations where the highest worth rod is determined solely on calculation, additional margin (0.10% k/k) must be added to the SDM limit of 0.28% k/k to account for uncertainties in the calculation of the highest worth control rod. The SDM may be demonstrated during an in-sequence control rod withdrawal, in which the highest worth control rod is analytically determined, or during local criticals, where the highest worth control rod is determined by testing. Local critical tests require the withdrawal of out of sequence control rods. This testing would therefore require bypassing of the Rod Worth Minimizer to allow the out of sequence withdrawal, and therefore additional requirements must be met (see LCO 3.10.7, "Control Rod Testing - Operating").

Reactivity Anomalies B 3.1.2 (continued)HATCH UNIT 1 B 3.1-7 REVISION 66 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Reactivity Anomalies

BASES BACKGROUND In accordance with GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable such that subcriticality is maintained under cold conditions and specified acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity anomaly is used as a measure of the predicted versus measured (i.e., monitored) core reactivity during power operation. The continual confirmation of core reactivity is necessary to ensure that the Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity anomaly could be the result of unanticipated changes in fuel reactivity or control rod worth or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations (LCO 3.1.1, "SHUTDOWN MARGIN (SDM)") in assuring the reactor can be brought safely to cold, subcritical conditions. When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable poison, producing zero net reactivity. In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and the fuel loaded in the previous cycles provide excess positive reactivity beyond that required to sustain steady state operation at the beginning of cycle (BOC). When the reactor is critical at RTP and operating moderator temperature, the excess positive reactivity is compensated by burnable poisons (e.g., gadolinia), control rods, and whatever neutron poisons (mainly xenon and samarium) are present in the fuel. The predicted core reactivity, as represented by core keffective (keff), is calculated by a 3D core simulator code as a function of cycle exposure. This calculation is performed for projected operating states and conditions throughout the cycle. The monitored core keff is calculated by the core monitoring system for actual plant conditions and is then compared to the predicted value for the cycle exposure. Reactivity Anomalies B 3.1.2 (continued) HATCH UNIT 1 B 3.1-8 REVISION 66 BASES (continued) APPLICABLE Accurate prediction of core reactivity is either an explicit or implicit SAFETY ANALYSES assumption in the accident analysis evaluations (Ref. 2). In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod drop accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity anomaly provides additional assurance that the nuclear methods provide an accurate representation of the core reactivity. The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted core keff(s) for identical core conditions at BOC do not reasonably agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict core keff may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured value. Thereafter, any significant deviations in the measured core keff from the predicted core keff that develop during fuel depletion may be an indication that the assumptions of the DBA and transient analyses are no longer valid, or that an unexpected change in core conditions has occurred. Reactivity anomalies satisfy Criterion 2 of the NRC Policy Statement (Ref. 3). LCO The reactivity anomaly limit is established to ensure plant operation is maintained within the assumptions of the safety analyses. Large differences between monitored and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the "Nuclear Design Methodology" are larger than expected. A limit on the difference between the monitored core keff and the predicted core keff of +/- 1% k/k has been established based on engineering judgment. A > 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated. APPLICABILITY In MODE 1, most of the control rods are withdrawn and steady state operation is typically achieved. Under these conditions, the comparison between predicted and monitored core reactivity provides an effective measure of the reactivity anomaly. In MODE 2, control rods are typically being withdrawn during a startup. In MODES 3 and 4, all control rods are fully inserted and therefore the reactor is in the least reactive state, where monitoring core reactivity is not Reactivity Anomalies B 3.1.2 (continued) HATCH UNIT 1 B 3.1-9 REVISION 66 BASES APPLICABILITY necessary. In MODE 5, fuel loading results in a continually changing (continued) core reactivity. SDM requirements (LCO 3.1.1) ensure that fuel movements are performed within the bounds of the safety analysis, and an SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, shuffling). The SDM test, required by LCO 3.1.1, provides a direct comparison of the predicted and monitored core reactivity at cold conditions; therefore, reactivity anomaly is not required during these conditions. ACTIONS A.1 Should an anomaly develop between measured and predicted core reactivity, the core reactivity difference must be restored to within the limit to ensure continued operation is within the core design assumptions. Restoration to within the limit could be performed by an evaluation of the core design and safety analysis to determine the reason for the anomaly. This evaluation normally reviews the core conditions to determine their consistency with input to design calculations. Measured core and process parameters are also normally evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models may be reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 72 hours is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis. B.1 If the core reactivity cannot be restored to within the 1% k/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Verifying the reactivity difference between the monitored and predicted core keff(s) is within the limits of the LCO provides added assurance that plant operation is maintained within the assumptions Reactivity Anomalies B 3.1.2 HATCH UNIT 1 B 3.1-10 REVISION 66 BASES SURVEILLANCE SR 3.1.2.1 (continued) REQUIREMENTS of the DBA and transient analyses. The core monitoring system calculates the core keff for the reactor conditions obtained from plant instrumentation. A comparison of the monitored core keff to the predicted core keff at the same cycle exposure is used to calculate the reactivity difference. The comparison is required when the core reactivity has potentially changed by a significant amount. This may occur following a refueling in which new fuel assemblies are loaded, fuel assemblies are shuffled within the core, or control rods are replaced or shuffled. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Also, core reactivity changes during the cycle. The 24 hour interval after reaching equilibrium conditions following a startup is based on the need for equilibrium xenon concentrations in the core, such that an accurate comparison between the monitored and predicted core keff(s) can be made. For the purposes of this SR, the reactor is assumed to be at equilibrium conditions when steady state operations (no control rod movement or core flow changes) at 75% RTP have been obtained. The 1000 MWD/T (short ton) Frequency was developed, considering the relatively slow change in core reactivity with exposure and operating experience related to variations in core reactivity. This comparison requires the core to be operating at power levels which minimize the uncertainties and measurement errors, in order to obtain meaningful results. Therefore, the comparison is only done when in MODE 1. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29. 2. FSAR, Chapter 14.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 1 B 3.1-11 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Control Rod OPERABILITY

BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, which is the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes to ensure under conditions of normal operation, including anticipated operational occurrences, that specified acceptable fuel design limits are not exceeded. In addition, the control rods provide the capability to hold the reactor core subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. The CRD System is designed to satisfy the requirements of GDC 26, GDC 27, GDC 28, and GDC 29 (Ref. 1). The CRD System consists of 137 locking piston control rod drive mechanisms (CRDMs) and a hydraulic control unit for each drive mechanism. The locking piston type CRDM is a double acting hydraulic piston, which uses condensate water as the operating fluid. Accumulators provide additional energy for scram. An index tube and piston, coupled to the control rod, are locked at fixed increments by a collet mechanism. The collet fingers engage notches in the index tube to prevent unintentional withdrawal of the control rod, but without restricting insertion. This Specification, along with LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators," ensure that the performance of the control rods in the event of a Design Basis Accident (DBA) or transient meets the assumptions used in the safety analyses of References 2, 3, and 4. APPLICABLE The analytical methods and assumptions used in the evaluations SAFETY ANALYSES involving control rods are presented in References 2, 3, and 4. The control rods provide the primary means for rapid reactivity control (reactor scram), for maintaining the reactor subcritical and for limiting the potential effects of reactivity insertion events caused by malfunctions in the CRD System. The capability to insert the control rods provides assurance that the assumptions for scram reactivity in the DBA and transient analyses are not violated. Since the SDM ensures the reactor will be subcritical with the highest worth control rod withdrawn (assumed single failure), Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 1 B 3.1-12 REVISION 0 BASES APPLICABLE the additional failure of a second control rod to insert, if required, SAFETY ANALYSES could invalidate the demonstrated SDM and potentially limit the ability (continued) of the CRD System to hold the reactor subcritical. If the control rod is stuck at an inserted position and becomes decoupled from the CRD, a control rod drop accident (CRDA) can possibly occur. Therefore, the requirement that all control rods be OPERABLE ensures the CRD System can perform its intended function. The control rods also protect the fuel from damage which could result in release of radioactivity. The limits protected are the MCPR Safety Limit (SL) [see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"], the 1% cladding plastic strain fuel design limit [see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"], and the fuel damage limit (see Bases for LCO 3.1.6, "Rod Pattern Control") during reactivity insertion events. The negative reactivity insertion (scram) provided by the CRD System provides the analytical basis for determination of plant thermal limits and provides protection against fuel damage limits during a CRDA. The Bases for LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 discuss in more detail how the SLs are protected by the CRD System. Control rod OPERABILITY satisfies Criterion 3 of the NRC Policy Statement (Ref. 6). LCO The OPERABILITY of an individual control rod is based on a combination of factors, primarily, the scram insertion times, the control rod coupling integrity, and the ability to determine the control rod position. Accumulator OPERABILITY is addressed by LCO 3.1.5. The associated scram accumulator status for a control rod only affects the scram insertion times; therefore, an inoperable accumulator does not immediately require declaring a control rod inoperable. Although not all control rods are required to be OPERABLE to satisfy the intended reactivity control requirements, strict control over the number and distribution of inoperable control rods is required to satisfy the assumptions of the DBA and transient analyses. APPLICABILITY In MODES 1 and 2, the control rods are assumed to function during a DBA or transient and are therefore required to be OPERABLE in these MODES. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 1 B 3.1-13 REVISION 0 BASES APPLICABILITY provides adequate requirements for control rod OPERABILITY during (continued) these conditions. Control rod requirements in MODE 5 are located in LCO 3.9.5, "Control Rod OPERABILITY - Refueling."

ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable control rod. Complying with the Required Actions may allow for continued operation, and subsequent inoperable control rods are governed by subsequent Condition entry and application of associated Required Actions. A.1, A.2, and A.3 A control rod is considered stuck if it will not insert by either CRD drive water or scram pressure. With a fully inserted control rod stuck, no actions are required as long as the control rod remains fully inserted. The Required Actions are modified by a Note, which allows the rod worth minimizer (RWM) to be bypassed if required to allow continued operation. LCO 3.3.2.1, "Control Rod Block Instrumentation," provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. With one withdrawn control rod stuck, the associated control rod drive must be disarmed in 2 hours. The allowed Completion Time of 2 hours is acceptable, considering the reactor can still be shut down, assuming no additional control rods fail to insert, and provides a reasonable time to perform the Required Action in an orderly manner. The control rod must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod from scram and normal insert and withdraw pressure prevents damage to the CRDM. The control rod should be isolated from scram and normal insert and withdraw pressure, while maintaining cooling water to the CRD. Monitoring of the insertion capability of each withdrawn control rod must also be performed within 24 hours. SR 3.1.3.2 and SR 3.1.3.3 perform periodic tests of the control rod insertion capability of withdrawn control rods. Testing each withdrawn control rod ensures that a generic problem does not exist. The allowed Completion Time of 24 hours provides a reasonable time to test the control rods, considering the potential for a need to reduce power to perform the tests. Required Action A.2 is modified by a Note, which states that the requirement is not applicable when THERMAL POWER is less than or equal to the actual low power setpoint (LPSP) of the RWM Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 1 B 3.1-14 REVISION 0 BASES ACTIONS A.1, A.2, and A.3 (continued) since the notch insertions may not be compatible with the requirements of rod pattern control (LCO 3.1.6) and the RWM (LCO 3.3.2.1). To allow continued operation with a withdrawn control rod stuck, an evaluation of adequate SDM is also required within 72 hours. Should a DBA or transient require a shutdown, to preserve the single failure criterion, an additional control rod would have to be assumed to fail to insert when required. Therefore, the original SDM demonstration may not be valid. The SDM must therefore be evaluated (by measurement or analysis) with the stuck control rod at its stuck position and the highest worth OPERABLE control rod assumed to be fully withdrawn. The allowed Completion Time of 72 hours to verify SDM is adequate, considering that with a single control rod stuck in a withdrawn position, the remaining OPERABLE control rods are capable of providing the required scram and shutdown reactivity. Failure to reach MODE 4 is only likely if an additional control rod adjacent to the stuck control rod also fails to insert during a required scram. Even with the postulated additional single failure of an adjacent control rod to insert, sufficient reactivity control remains to reach and maintain MODE 3 conditions (Ref. 5). B.1 and B.2 With two or more withdrawn control rods stuck, the stuck control rods must be isolated from scram pressure within 2 hours and the plant brought to MODE 3 within 12 hours. The control rods must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod from scram and normal insert and withdraw pressure prevents damage to the CRDM. The control rod should be isolated from scram and normal insert and withdraw pressure, while maintaining cooling water to the CRD. The allowed Completion Time is acceptable, considering the low probability of a CRDA occurring during this interval. The occurrence of more than one control rod stuck at a withdrawn position increases the probability that the reactor cannot be shut down if required. Insertion of all insertable control rods eliminates the possibility of an additional failure of a control rod to insert. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 1 B 3.1-15 REVISION 0 BASES ACTIONS C.1 and C.2 (continued) With one or more control rods inoperable for reasons other than being stuck in the withdrawn position, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Required Action C.1 is modified by a Note, which allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1 provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.

D.1 and D.2 Out of sequence control rods may increase the potential reactivity worth of a dropped control rod during a CRDA. At 10% RTP, the generic licensing basis banked position withdrawal sequence (BPWS) analysis (Ref. 5) assumes inserted control rods not in compliance with BPWS to be separated by at least two OPERABLE control rods in all directions, including the diagonal. Plant specific BPWS analysis may justify relaxed requirements on inoperable control rod separability. Therefore, if two or more inoperable control rods are not in compliance with BPWS (and not separated by at least two OPERABLE control rods, unless the plant specific analysis relaxes this requirement), action must be taken to restore compliance with BPWS or restore the control rod(s) to OPERABLE status. Condition D is modified by a Note indicating that the Condition is not applicable when > 10% RTP, since the BPWS is not required to be followed under these conditions, as described in the Bases for LCO 3.1.6. The allowed Completion Time of 4 hours is acceptable, considering the low probability of a CRDA occurring. Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 1 B 3.1-16 REVISION 69 BASES ACTIONS E.1 (continued) If any Required Action and associated Completion Time of Condition A, C, or D are not met, or there are nine or more inoperable control rods, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. This ensures all insertable control rods are inserted and places the reactor in a condition that does not require the active function (i.e., scram) of the control rods. The number of control rods permitted to be inoperable when operating above 10% RTP (e.g., no CRDA considerations) could be more than the value specified, but the occurrence of a large number of inoperable control rods could be indicative of a generic problem, and investigation and resolution of the potential problem should be undertaken. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.3.1 REQUIREMENTS The position of each control rod must be determined to ensure adequate information on control rod position is available to the operator for determining control rod OPERABILITY and controlling rod patterns. Control rod position may be determined by the use of OPERABLE position indicators, by moving control rods to a position with an OPERABLE indicator, or by the use of other appropriate methods. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.3.2 and SR 3.1.3.3 Control rod insertion capability is demonstrated by inserting each partially or fully withdrawn control rod at least one notch and observing that the control rod moves. The control rod may then be returned to its original position. This ensures the control rod is not stuck and is free to insert on a scram signal. These Surveillances are not required when THERMAL POWER is less than or equal to the actual LPSP of the RWM, since the notch insertions may not be compatible with the requirements of the Banked Position Withdrawal Sequence (BPWS) (LCO 3.1.6) and the RWM (LCO 3.3.2.1). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 1 B 3.1-17 REVISION 69 BASES SURVEILLANCE SR 3.1.3.2 and SR 3.1.3.3 (continued) REQUIREMENTS At any time, if a control rod is immovable, a determination of that control rod's tripability (capable of insertion by scram, i.e., OPERABILITY) must be made and appropriate action taken. These SRs are each modified by a Note that allows 7 days and 31 days, respectively, after withdrawal of the control rod and THERMAL POWER is greater than the LPSP to perform the Surveillance. This acknowledges that the control rod must first be withdrawn and THERMAL POWER must be greater than the LPSP before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4. SR 3.1.3.4 Verifying that the scram time for each control rod to notch position 06 is 7 seconds provides reasonable assurance that the control rod will insert when required during a DBA or transient, thereby completing its shutdown function. This SR is performed in conjunction with the control rod scram time testing of SR 3.1.4.1, SR 3.1.4.2, SR 3.1.4.3, and SR 3.1.4.4. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and the functional testing of SDV vent and drain valves in LCO 3.1.8, "Scram Discharge Volume (SDV) Vent and Drain Valves," overlap this Surveillance to provide complete testing of the assumed safety function. The associated Frequencies are acceptable, considering the more frequent testing performed to demonstrate other aspects of control rod OPERABILITY and operating experience, which shows scram times do not significantly change over an operating cycle.

SR 3.1.3.5 Coupling verification is performed to ensure the control rod is connected to the CRDM and will perform its intended function when necessary. The Surveillance requires verifying a control rod does not go to the withdrawn overtravel position. The overtravel position feature provides a positive check on the coupling integrity since only an uncoupled CRD can reach the overtravel position. Control Rod OPERABILITY B 3.1.3 HATCH UNIT 1 B 3.1-18 REVISION 69 BASES SURVEILLANCE SR 3.1.3.5 (continued) REQUIREMENTS The verification is required to be performed any time a control rod is withdrawn to the full-out position (notch position 48) or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This includes control rods inserted one notch and then returned to the full-out position during the performance of SR 3.1.3.2. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved and operating experience related to uncoupling events. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 27, GDC 28, and GDC 29. 2. FSAR, Section 3.4.

3. FSAR, Appendix M. 4. FSAR, Sections 14.3 and 14.4. 5. NEDO-21231, "Banked Position Withdrawal Sequence," Section 7.2, January 1977. 6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 1 B 3.1-19 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Control Rod Scram Times

BASES BACKGROUND The scram function of the Control Rod Drive (CRD) System controls reactivity changes during abnormal operational transients to ensure that specified acceptable fuel design limits are not exceeded (Ref. 1). The control rods are scrammed by positive means using hydraulic pressure exerted on the CRD piston. When a scram signal is initiated, control air is vented from the scram valves, allowing them to open by spring action. Opening the exhaust valve reduces the pressure above the main drive piston to atmospheric pressure, and opening the inlet valve applies the accumulator or reactor pressure to the bottom of the piston. Since the notches in the index tube are tapered on the lower edge, the collet fingers are forced open by cam action, allowing the index tube to move upward without restriction because of the high differential pressure across the piston. As the drive moves upward and the accumulator pressure reduces below the reactor pressure, a ball check valve opens, letting the reactor pressure complete the scram action. If the reactor pressure is low, such as during startup, the accumulator will fully insert the control rod in the required time without assistance from reactor pressure. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES control rod scram function are presented in References 2, 3, and 4. The Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. The resulting negative scram reactivity forms the basis for the determination of plant thermal limits (e.g., the MCPR). Other distributions of scram times (e.g., several control rods scramming slower than the average time with several control rods scramming faster than the average time) can also provide sufficient scram reactivity. Surveillance of each individual control rod's scram time ensures the scram reactivity assumed in the DBA and transient analyses can be met. The scram function of the CRD System protects the MCPR Safety Limit (SL) [see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"] and the 1% cladding plastic strain fuel design limit [see Bases for LCO 3.2.1, Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 1 B 3.1-20 REVISION 0 BASES APPLICABLE "AVERAGE PLANAR LINEAR HEAT GENERATION RATE SAFETY ANALYSES (APLHGR)"], which ensure that no fuel damage will occur if these (continued) limits are not exceeded. Above 800 psig, the scram function is designed to insert negative reactivity at a rate fast enough to prevent the actual MCPR from becoming less than the MCPR SL, during the analyzed limiting power transient. Below 800 psig, the scram function is assumed to perform during the control rod drop accident (Ref. 5) and, therefore, also provides protection against violating fuel damage limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). For the reactor vessel overpressure protection analysis, the scram function, along with the safety/relief valves, ensures that the peak vessel pressure is maintained within the applicable ASME Code limits. Control rod scram times satisfy Criterion 3 of the NRC Policy Statement (Ref. 8). LCO The scram times specified in Table 3.1.4-1 (in the accompanying LCO) are required to ensure that the scram reactivity assumed in the DBA and transient analysis is met (Ref. 6). To account for single failures and "slow" scramming control rods, the scram times specified in Table 3.1.4-1 are faster than those assumed in the design basis analysis. The scram times have a margin that allows up to approximately 7% of the control rods (e.g., 137 x 7% 10) to have scram times exceeding the specified limits (i.e., "slow" control rods) assuming a single stuck control rod (as allowed by LCO 3.1.3, "Control Rod OPERABILITY") and an additional control rod failing to scram per the single failure criterion. The scram times are specified as a function of reactor steam dome pressure to account for the pressure dependence of the scram times. The scram times are specified relative to measurements based on reed switch positions, which provide the control rod position indication. The reed switch closes ("pickup") when the index tube passes a specific location and then opens ("dropout") as the index tube travels upward. Verification of the specified scram times in Table 3.1.4-1 is accomplished through measurement of the "dropout" times. To ensure that local scram reactivity rates are maintained within acceptable limits, no more than two of the allowed "slow" control rods may occupy adjacent locations. Table 3.1.4-1 is modified by two Notes, which state that control rods with scram times not within the limits of the Table are considered "slow" and that control rods with scram times > 7 seconds are considered inoperable as required by SR 3.1.3.4.

Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 1 B 3.1-21 REVISION 0 BASES LCO This LCO applies only to OPERABLE control rods since inoperable (continued) control rods will be inserted and disarmed (LCO 3.1.3). Slow scramming control rods may be conservatively declared inoperable and not accounted for as "slow" control rods. APPLICABILITY In MODES 1 and 2, a scram is assumed to function during transients and accidents analyzed for these plant conditions. These events are assumed to occur during startup and power operation; therefore, the scram function of the control rods is required during these MODES. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This provides adequate requirements for control rod scram capability during these conditions. Scram requirements in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY - Refueling." ACTIONS A.1 When the requirements of this LCO are not met, the rate of negative reactivity insertion during a scram may not be within the assumptions of the safety analysis. Therefore, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The four SRs of this LCO are modified by a Note stating that during REQUIREMENTS a single control rod scram time Surveillance, the CRD pumps shall be isolated from the associated scram accumulator. With the CRD pump isolated, (i.e., charging valve closed) the influence of the CRD pump head does not affect the single control rod scram times. During a full core scram, the CRD pump head would be seen by all control rods and would have a negligible effect on the scram insertion times.

SR 3.1.4.1 The scram reactivity used in DBA and transient analyses is based on an assumed control rod scram time. Measurement of the scram times with reactor steam dome pressure 800 psig demonstrates Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 1 B 3.1-22 REVISION 69 BASES SURVEILLANCE SR 3.1.4.1 (continued) REQUIREMENTS acceptable scram times for the transients analyzed in References 3 and 4. Maximum scram insertion times occur at a reactor steam dome pressure of approximately 800 psig because of the competing effects of reactor steam dome pressure and stored accumulator energy. Therefore, demonstration of adequate scram times at reactor steam dome pressure 800 psig ensures that the measured scram times will be within the specified limits at higher pressures. Limits are specified as a function of reactor pressure to account for the sensitivity of the scram insertion times with pressure and to allow a range of pressures over which scram time testing can be performed. To ensure that scram time testing is performed within a reasonable time following fuel movement within the reactor pressure vessel or after a shutdown 120 days or longer, control rods are required to be tested before exceeding 40% RTP. In the event fuel movement is limited to selected core cells, it is the intent of this SR that only those CRDs associated with the core cells affected by the fuel movements are required to be scram time tested. This Frequency is acceptable considering the additional surveillances performed for control rod OPERABILITY, the frequent verification of adequate accumulator pressure, and the required testing of control rods affected by work on control rods or the CRD System.

SR 3.1.4.2 Additional testing of a sample of control rods is required to verify the continued performance of the scram function during the cycle. A representative sample contains at least 10% of the control rods. The sample remains representative if no more than 7.5% of the control rods in the sample tested are determined to be "slow". With more than 7.5% of the sample declared to be "slow" per the criteria in Table 3.1.4-1, additional control rods are tested until this 7.5% criterion (i.e., 7.5% of the entire sample size) is satisfied, or until the total number of "slow" control rods (throughout the core, from all Surveillances) exceeds the LCO limit. For planned testing, the control rods selected for the sample should be different for each test. Data from inadvertent scrams should be used whenever possible to avoid unnecessary testing at power, even if the control rods with data may have been previously tested in a sample. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 1 B 3.1-23 REVISION 69 BASES SURVEILLANCE SR 3.1.4.3 REQUIREMENTS (continued) When work that could affect the scram insertion time is performed on a control rod or the CRD System, testing must be done to demonstrate that each affected control rod retains adequate scram performance over the range of applicable reactor pressures from zero to the maximum permissible pressure. The scram testing must be performed once before declaring the control rod OPERABLE. The required scram time testing must demonstrate the affected control rod is still within acceptable limits. The limits for reactor pressures < 800 psig, required by footnote (b), are included in the Technical Requirements Manual (Ref. 7) and are established based on a high probability of meeting the acceptance criteria at reactor pressures 800 psig. The limits for reactor pressures 800 psig are found in Table 3.1.4-1. If testing demonstrates the affected control rod does not meet these limits, but is within the 7 second limit of Table 3.1.4-1, Note 2, the control rod can be declared OPERABLE and "slow." Specific examples of work that could affect the scram times are (but are not limited to) the following: removal of any CRD for maintenance or modification; replacement of a control rod; and maintenance or modification of a scram solenoid pilot valve, scram valve, accumulator, isolation valve or check valve in the piping required for scram. The Frequency of once prior to declaring the affected control rod OPERABLE is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY.

SR 3.1.4.4 When work that could affect the scram insertion time is performed on a control rod or CRD System, testing must be done to demonstrate each affected control rod is still within the limits of Table 3.1.4-1 with the reactor steam dome pressure 800 psig. Where work has been performed at high reactor pressure, the requirements of SR 3.1.4.3 and SR 3.1.4.4 can be satisfied with one test. However, for a control rod affected by work performed while shutdown, a zero pressure test and a high pressure test may be required. This testing ensures that, prior to withdrawing the control rod for continued operation, the control rod scram performance is acceptable for operating reactor pressure conditions. Alternatively, a control rod scram test during hydrostatic pressure testing could also satisfy both criteria.

Control Rod Scram Times B 3.1.4 HATCH UNIT 1 B 3.1-24 REVISION 69 BASES SURVEILLANCE SR 3.1.4.4 (continued) REQUIREMENTS The Frequency of once prior to exceeding 40% RTP is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY. This test is also used to demonstrate control rod OPERABILITY when 40% RTP after work that could affect the scram insertion time is performed on the CRD system. REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. FSAR, Section 3.4. 3. FSAR, Appendix M.

4. FSAR, Sections 14.3 and 14.4. 5. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," (revision specified in the COLR). 6. Letter from R. F. Janecek (BWROG) to R. W. Starostecki (NRC), "BWR Owners' Group Revised Reactivity Control Systems Technical Specifications", BWROG-8754, September 17, 1987.

7. Technical Requirements Manual, Table T5.0-1.

8. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 1 B 3.1-25 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Control Rod Scram Accumulators

BASES BACKGROUND The control rod scram accumulators are part of the Control Rod Drive (CRD) System and are provided to ensure that the control rods scram under varying reactor conditions. The control rod scram accumulators store sufficient energy to fully insert a control rod at any reactor vessel pressure. The accumulator is a hydraulic cylinder with a free floating piston. The piston separates the water used to scram the control rods from the nitrogen, which provides the required energy. The scram accumulators are necessary to scram the control rods within the required insertion times of LCO 3.1.4, "Control Rod Scram Times." APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES control rod scram function are presented in References 1, 2, and 3. The Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. OPERABILITY of each individual control rod scram accumulator, along with LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.4, ensures that the scram reactivity assumed in the DBA and transient analyses can be met. The existence of an inoperable accumulator may invalidate prior scram time measurements for the associated control rod. The scram function of the CRD System, and therefore the OPERABILITY of the accumulators, protects the MCPR Safety Limit [see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"] and 1% cladding plastic strain fuel design limit [see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"], which ensure that no fuel damage will occur if these limits are not exceeded (see Bases for LCO 3.1.4). In addition, the scram function at low reactor vessel pressure (i.e., startup conditions) provides protection against violating fuel damage limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). Control rod scram accumulators satisfy Criterion 3 of the NRC Policy Statement (Ref. 4).

Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 1 B 3.1-26 REVISION 0 BASES (continued) LCO The OPERABILITY of the control rod scram accumulators is required to ensure that adequate scram insertion capability exists when needed over the entire range of reactor pressures. The OPERABILITY of the scram accumulators is based on maintaining adequate accumulator pressure. APPLICABILITY In MODES 1 and 2, the scram function is required for mitigation of DBAs and transients, and therefore the scram accumulators must be OPERABLE to support the scram function. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This provides adequate requirements for control rod scram accumulator OPERABILITY during these conditions. Requirements for scram accumulators in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY - Refueling." ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod scram accumulator. This is acceptable since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable accumulator. Complying with the Required Actions may allow for continued operation and subsequent inoperable accumulators governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2 With one control rod scram accumulator inoperable and the reactor steam dome pressure 900 psig, the control rod may be declared "slow," since the control rod will still scram at the reactor operating pressure but may not satisfy the required scram times in Table 3.1.4-1. Required Action A.1 is modified by a Note indicating that declaring the control rod "slow" only applies if the associated control scram time was within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action A.2) and LCO 3.1.3 is entered. This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function, in accordance with ACTIONS of LCO 3.1.3. Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 1 B 3.1-27 REVISION 0 BASES ACTIONS A.1 and A.2 (continued) The allowed Completion Time of 8 hours is reasonable, based on the large number of control rods available to provide the scram function and the ability of the affected control rod to scram only with reactor pressure at high reactor pressures.

B.1, B.2.1, and B.2.2 With two or more control rod scram accumulators inoperable and reactor steam dome pressure 900 psig, adequate pressure must be supplied to the charging water header. With inadequate charging water pressure, all of the accumulators could become inoperable, resulting in a potentially severe degradation of the scram performance. Therefore, within 20 minutes from discovery of charging water header pressure < 940 psig concurrent with Condition B, adequate charging water header pressure must be restored. The allowed Completion Time of 20 minutes is reasonable to place a CRD pump into service to restore the charging water header pressure, if required. This Completion Time is based on the ability of the reactor pressure alone to fully insert all control rods. The control rod may be declared "slow," since the control rod will still scram using only reactor pressure, but may not satisfy the times in Table 3.1.4-1. Required Action B.2.1 is modified by a Note indicating that declaring the control rod "slow" only applies if the associated control scram time is within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action B.2.2) and LCO 3.1.3 entered. This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function in accordance with ACTIONS of LCO 3.1.3. The allowed Completion Time of 1 hour is reasonable, based on the ability of only the reactor pressure to scram the control rods and the low probability of a DBA or transient occurring while the affected accumulators are inoperable.

Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 1 B 3.1-28 REVISION 69 BASES ACTIONS C.1 and C.2 (continued) With one or more control rod scram accumulators inoperable and the reactor steam dome pressure < 900 psig, the pressure supplied to the charging water header must be adequate to ensure that accumulators remain charged. With the reactor steam dome pressure < 900 psig, the function of the accumulators in providing the scram force becomes much more important since the scram function could become severely degraded during a depressurization event or at low reactor pressures. Therefore, immediately upon discovery of charging water header pressure < 940 psig concurrent with Condition C, all control rods associated with inoperable accumulators must be verified to be fully inserted. Withdrawn control rods with inoperable accumulators may fail to scram under these low pressure conditions. The associated control rods must also be declared inoperable within 1 hour. The allowed Completion Time of 1 hour is reasonable for Required Action C.2, considering the low probability of a DBA or transient occurring during the time that the accumulator is inoperable. D.1 The reactor mode switch must be immediately placed in the shutdown position if either Required Action and associated Completion Time associated with the loss of the CRD charging pump (Required Actions B.1 and C.1) cannot be met. This ensures that all insertable control rods are inserted and that the reactor is in a condition that does not require the active function (i.e., scram) of the control rods. This Required Action is modified by a Note stating that the action is not applicable if all control rods associated with the inoperable scram accumulators are fully inserted, since the function of the control rods has been performed. SURVEILLANCE SR 3.1.5.1 REQUIREMENTS SR 3.1.5.1 requires that the accumulator pressure be checked periodically to ensure adequate accumulator pressure exists to provide sufficient scram force. The primary indicator of accumulator OPERABILITY is the accumulator pressure. A minimum accumulator pressure is specified, below which the capability of the accumulator to perform its intended function becomes degraded and the accumulator is considered inoperable. The minimum accumulator pressure of 940 psig is well below the expected pressure of 1100 psig (Ref. 1). Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 1 B 3.1-29 REVISION 69 BASES SURVEILLANCE SR 3.1.5.1 (continued) REQUIREMENTS Declaring the accumulator inoperable when the minimum pressure is not maintained ensures that significant degradation in scram times does not occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 3.4. 2. FSAR, Appendix M.

3. FSAR, Sections 14.3 and 14.4. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 1 B 3.1-30 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Rod Pattern Control

BASES BACKGROUND Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), so that only specified control rod sequences and relative positions are allowed over the operating range of all control rods inserted to 10% RTP. The sequences limit the potential amount of reactivity addition that could occur in the event of a Control Rod Drop Accident (CRDA). This Specification assures that the control rod patterns are consistent with the assumptions of the CRDA analyses of References 1 and 2. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES CRDA are summarized in References 1 and 2. CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analysis. The RWM (LCO 3.3.2.1) provides backup to operator control of the withdrawal sequences to ensure that the initial conditions of the CRDA analysis are not violated. Prevention or mitigation of positive reactivity insertion events is necessary to limit the energy deposition in the fuel, thereby preventing significant fuel damage which could result in the undue release of radioactivity. Since the failure consequences for UO2 have been shown to be insignificant below fuel energy depositions of 300 cal/gm (Ref. 3), the fuel damage limit of 280 cal/gm provides a margin of safety from significant core damage which would result in release of radioactivity (Refs. 4 and 5). Generic evaluations (Refs. 1 and 6) of a design basis CRDA (i.e., a CRDA resulting in a peak fuel energy deposition of 280 cal/gm) have shown that if the peak fuel enthalpy remains below 280 cal/gm, then the maximum reactor pressure will be less than the required ASME Code limits (Ref. 7) and the calculated offsite doses will be well within the required limits (Ref. 5). Control rod patterns analyzed in Reference 1 follow the banked position withdrawal sequence (BPWS). The BPWS is applicable from the condition of all control rods fully inserted to 10% RTP (Ref. 2). For the BPWS, the control rods are required to be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions (e.g., between notches 08 and 12). The Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 1 B 3.1-31 REVISION 61 BASES APPLICABLE banked positions are established to minimize the maximum SAFETY ANALYSES incremental control rod worth without being overly restrictive during (continued) normal plant operation. Generic analysis of the BPWS (Ref. 1) has demonstrated that the 280 cal/gm fuel damage limit will not be violated during a CRDA while following the BPWS mode of operation. The evaluation provided by the generic BPWS analysis (Ref. 8) allows a limited number (i.e., eight) and corresponding distribution of fully inserted, inoperable control rods that are not in compliance with the sequence. This analysis may be modified by plant specific evaluations. When performing a shutdown of the plant, an optional BPWS control rod sequence (Ref. 10) may be used provided that all withdrawn control rods have been confirmed to be coupled. The rods may be inserted without the need to stop at intermediate positions since the possibility of a CRDA is eliminated by the confirmation that withdrawn control rods are coupled. When using the Reference 10 control rod sequence for shutdown, the rod worth minimizer may be reprogrammed to enforce the requirements of the improved BPWS control rod insertion process, or bypassed in accordance with the allowance provided in the Applicability Note for the Rod Worth Minimizer in Table 3.3.2.1-1. In order to use the Reference 10 BPWS shutdown process, an extra check is required in order to consider a control rod to be "confirmed" to be coupled. This extra check ensures that no Single Operator Error can result in an incorrect coupling check. For purposes of this shutdown process, the method for confirming that control rods are coupled varies depending on the position of the control rod in the core. Details on this coupling confirmation requirement are provided in Reference 10. If the requirements for use of the BPWS control rod insertion process contained in Reference 10 are followed, the plant is considered to be in compliance with BPWS requirements, as required by LCO 3.1.6. Rod pattern control satisfies Criterion 3 of the NRC Policy Statement (Ref. 9). LCO Compliance with the prescribed control rod sequences minimizes the potential consequences of a CRDA by limiting the initial conditions to those consistent with the BPWS. This LCO only applies to OPERABLE control rods. For inoperable control rods required to be inserted, separate requirements are specified in LCO 3.1.3, "Control Rod OPERABILITY," consistent with the allowances for inoperable control rods in the BPWS. Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 1 B 3.1-32 REVISION 61 BASES (continued) APPLICABILITY In MODES 1 and 2, when THERMAL POWER is 10% RTP, the CRDA is a Design Basis Accident and, therefore, compliance with the assumptions of the safety analysis is required. When THERMAL POWER is > 10% RTP, there is no credible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Ref. 2). In MODES 3, 4, and 5, since the reactor is shutdown and only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will remain subcritical with a single control rod withdrawn. ACTIONS A.1 and A.2 With one or more OPERABLE control rods not in compliance with the prescribed control rod sequence, actions may be taken to either correct the control rod pattern or declare the associated control rods inoperable within 8 hours. Noncompliance with the prescribed sequence may be the result of "double notching," drifting from a control rod drive cooling water transient, leaking scram valves, or a power reduction to 10% RTP before establishing the correct control rod pattern. The number of OPERABLE control rods not in compliance with the prescribed sequence is limited to eight, to prevent the operator from attempting to correct a control rod pattern that significantly deviates from the prescribed sequence. When the control rod pattern is not in compliance with the prescribed sequence, all control rod movement must be stopped except for moves needed to correct the rod pattern, or scram if warranted. Required Action A.1 is modified by a Note which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator or other qualified member of the technical staff. This ensures that the control rods will be moved to the correct position. A control rod not in compliance with the prescribed sequence is not considered inoperable except as required by Required Action A.2. The allowed Completion Time of 8 hours is reasonable, considering the restrictions on the number of allowed out of sequence control rods and the low probability of a CRDA occurring during the time the control rods are out of sequence. B.1 and B.2 If nine or more OPERABLE control rods are out of sequence, the control rod pattern significantly deviates from the prescribed sequence. Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 1 B 3.1-33 REVISION 69 BASES ACTIONS B.1 and B.2 (continued) Control rod withdrawal should be suspended immediately to prevent the potential for further deviation from the prescribed sequence. Control rod insertion to correct control rods withdrawn beyond their allowed position is allowed since, in general, insertion of control rods has less impact on control rod worth than withdrawals have. Required Action B.1 is modified by a Note which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator or other qualified member of the technical staff. When nine or more OPERABLE control rods are not in compliance with BPWS, the reactor mode switch must be placed in the shutdown position within 1 hour. With the mode switch in shutdown, the reactor is shut down, and as such, does not meet the applicability requirements of this LCO. The allowed Completion Time of 1 hour is reasonable to allow insertion of control rods to restore compliance, and is appropriate relative to the low probability of a CRDA occurring with the control rods out of sequence. SURVEILLANCE SR 3.1.6.1 REQUIREMENTS The control rod pattern is periodically verified to be in compliance with the BPWS to ensure the assumptions of the CRDA analyses are met. The RWM provides control rod blocks to enforce the required sequence and is required to be OPERABLE when operating at 10% RTP. REFERENCES 1. NEDE-24011-P-A-US, "General Electric Standard Application for Reactor Fuel, Supplement for United States," (revision specified in the COLR). 2. Letter from T. A. Pickens (BWROG) to G. C. Lainas (NRC), "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," BWROG-8644, August 15, 1988.

3. NUREG-0979, Section 4.2.1.3.2, April 1983.

4. NUREG-0800, Section 15.4.9, Revision 2, July 1981.

Rod Pattern Control B 3.1.6 HATCH UNIT 1 B 3.1-34 REVISION 70 BASES REFERENCES 5. 10 CFR 50.67. (continued)

6. NEDO-21778-A, "Transient Pressure Rises Affected Fracture Toughness Requirements for Boiling Water Reactors,"

December 1978.

7. ASME, Boiler and Pressure Vessel Code. 8. NEDO-21231, "Banked Position Withdrawal Sequence," January 1977. 9. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 10. NEDO-33091-A, Revision 2, "Improved BPWS Control Rod Insertion Process," July 2004.

SLC System B 3.1.7 (continued) HATCH UNIT 1 B 3.1-35 REVISION 70 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.7 Standby Liquid Control (SLC) System

BASES BACKGROUND The SLC System provides the capability of bringing the reactor, at any time in a fuel cycle, from full power and minimum control rod inventory (which is at the peak of the xenon transient) to a subcritical condition with the reactor in the most reactive, xenon free state without taking credit for control rod movement. Additionally, the SLC system provides sufficient buffering agent to maintain the suppression pool pH at or above 7.0 following a Design Basis Accident (DBA) LOCA involving fuel damage. Maintaining the suppression pool pH at or above 7.0 will preclude the re-evolution of iodine from the suppression pool water following a DBA LOCA. The SLC System satisfies the requirements of 10 CFR 50.62 (Ref. 1) on anticipated transient without scram. The SLC System consists of a sodium pentaborate solution storage tank, two positive displacement pumps, two explosive valves that are provided in parallel for redundancy, and associated piping and valves used to transfer borated water from the storage tank to the reactor pressure vessel (RPV). The borated solution is discharged near the bottom of the core shroud, where it then mixes with the cooling water rising through the core. A smaller tank containing demineralized water is provided for testing purposes. APPLICABLE The SLC System is manually initiated from the main control room, SAFETY ANALYSES as directed by the emergency operating procedures, if the operator believes the reactor cannot be shut down, or kept shut down, with the control rods. The SLC System is used in the event that enough control rods cannot be inserted to accomplish shutdown and cooldown in the normal manner. The SLC System injects borated water into the reactor core to add negative reactivity to compensate for all of the various reactivity effects that could occur during plant operations. To meet this objective, it is necessary to inject a quantity of boron, which produces a concentration of 800 ppm of natural boron equivalent, in the reactor coolant at 70°F. To allow for potential leakage and imperfect mixing in the reactor system, an amount of boron equal to 25% of the amount cited above is added (Ref. 2). The Region A volume versus concentration limits in Figure 3.1.7-1 and the Region A temperature versus concentration limits in Figure 3.1.7-2 are calculated such that the required concentration is achieved accounting for dilution in the RPV with high water level and including the water volume in the residual heat removal shutdown cooling piping and in the SLC System B 3.1.7 (continued) HATCH UNIT 1 B 3.1-36 REVISION 70 BASES APPLICABLE recirculation loop piping. This quantity of borated solution is the SAFETY ANALYSES amount that is above the pump suction shutoff level in the boron (continued) solution storage tank. No credit is taken for the portion of the tank volume that cannot be injected. The SLC system is also used to control suppression pool pH in the event of a DBA LOCA by injecting sodium pentaborate into the reactor vessel. The sodium pentaborate is then transported to the suppression pool and mixed by ECCS flow recirculation through the reactor, out of the break, and into the suppression chamber. The amount of sodium pentaborate solution that must be available for injection following a DBA LOCA is determined as part of the DBA LOCA radiological analysis. This quantity is maintained in the storage tank as specified in the Technical Specifications. The SLC System satisfies Criterion 4 of the NRC Policy Statement (Ref. 3). LCO The OPERABILITY of the SLC System provides backup capability for reactivity control independent of normal reactivity control provisions provided by the control rods and provides sufficient buffering agent to maintain the suppression pool pH at or above 7.0 following a DBA LOCA involving fuel damage. The OPERABILITY of the SLC System is based on the conditions of the borated solution in the storage tank and the availability of a flow path to the RPV, including the OPERABILITY of the pumps and valves. Two SLC subsystems are required to be OPERABLE; each contains an OPERABLE pump, an explosive valve, and associated piping, valves, and instruments and controls to ensure an OPERABLE flow path.

APPLICABILITY In MODES 1 and 2, shutdown capability is required. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This provides adequate controls to ensure that the reactor remains subcritical. In MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Demonstration of adequate SDM [LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"] ensures that the reactor will not become critical. Therefore, the SLC System is not required to be OPERABLE when only a single control rod can be withdrawn. SLC System B 3.1.7 (continued) HATCH UNIT 1 B 3.1-37 REVISION 70 BASES (continued) ACTIONS A.1 If the sodium pentaborate solution concentration is not within the 10 CFR 50.62 limits (not within Region A of Figure 3.1.7-1 or 3.1.7-2), but greater than original licensing basis limits (within Region B of Figure 3.1.7-1 or 3.1.7-2), the solution must be restored to within Region A limits in 72 hours. It should be noted that the lowest acceptable concentration in Region B is 5%. It is not necessary under these conditions to enter Condition C for both SLC subsystems inoperable, since the SLC subsystems are capable of performing their original design basis functions. Because of the low probability of an event and the fact that the SLC System capability still exists for vessel injection under these conditions, the allowed Completion Time of 72 hours is acceptable and provides adequate time to restore concentration to within limits. The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of concentration out of limits or inoperable SLC subsystems during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, an SLC subsystem is inoperable and that subsystem is subsequently returned to OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total duration of 10 days (7 days in Condition B, followed by 3 days in Condition A), since initial failure of the LCO, to restore the SLC System. Then an SLC subsystem could be found inoperable again, and concentration could be restored to within limits. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock," resulting in establishing the "time zero" at the time the LCO was initially not met instead of at the time Condition A was entered. The 10 day Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

B.1 If one SLC subsystem is inoperable for reasons other than Condition A, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystem is adequate to perform the shutdown function and provide adequate buffering agent to the suppression pool. However, the overall reliability is reduced because a single failure in the remaining OPERABLE subsystem could result in reduced SLC System capability. The 7 day Completion Time is based on the availability of an OPERABLE subsystem capable of performing the SLC System B 3.1.7 (continued) HATCH UNIT 1 B 3.1-38 REVISION 70 BASES ACTIONS B.1 (continued) intended SLC System functions and the low probability of a DBA or severe transient occurring requiring SLC injection. The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of concentration out of limits or inoperable SLC subsystems during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, concentration is out of limits, and is subsequently returned to within limits, the LCO may already have been not met for up to 3 days. This situation could lead to a total duration of 10 days (3 days in Condition A, followed by 7 days in Condition B), since initial failure of the LCO, to restore the SLC System. Then concentration could be found out of limits again, and the SLC subsystem could be restored to OPERABLE. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock," resulting in establishing the "time zero" at the time the LCO was initially not met instead of at the time Condition B was entered. The 10 day Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely.

C.1 If both SLC subsystems are inoperable for reasons other than Condition A, at least one subsystem must be restored to OPERABLE status within 8 hours. The allowed Completion Time of 8 hours is considered acceptable given the low probability of a DBA or transient occurring requiring SLC injection.

D.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SLC System B 3.1.7 (continued) HATCH UNIT 1 B 3.1-39 REVISION 70 BASES (continued) SURVEILLANCE SR 3.1.7.1, SR 3.1.7.2, and SR 3.1.7.3 REQUIREMENTS SR 3.1.7.1 through SR 3.1.7.3 verify certain characteristics of the SLC System (e.g., the volume and temperature of the borated solution in the storage tank), thereby ensuring SLC System OPERABILITY without disturbing normal plant operation. These Surveillances ensure that the proper borated solution volume and temperature, including the temperature of the pump suction piping, are maintained (within Region A limits of Figures 3.1.7-1 and 3.7.1-2). Maintaining a minimum specified borated solution temperature is important in ensuring that the boron remains in solution and does not precipitate out in the storage tank or in the pump suction piping. The temperature versus concentration curve of Figure 3.1.7-2 ensures that a 10°F margin will be maintained above the saturation temperature. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.4 and SR 3.1.7.6 SR 3.1.7.4 verifies the continuity of the explosive charges in the injection valves to ensure that proper operation will occur if required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.7.6 verifies that each valve in the system is in its correct position, but does not apply to the squib (i.e., explosive) valves. Verifying the correct alignment for manual and power operated valves in the SLC System flow path provides assurance that the proper flow paths will exist for system operation. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position from the control room, or locally by a dedicated operator at the valve control. This is acceptable since the SLC System is a manually initiated system. This Surveillance also does not apply to valves that are locked, sealed, or otherwise secured in position since they are verified to be in the correct position prior to locking, sealing, or securing. This verification of valve alignment does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SLC System B 3.1.7 (continued) HATCH UNIT 1 B 3.1-40 REVISION 70 BASES SURVEILLANCE SR 3.1.7.5 REQUIREMENTS (continued) This Surveillance requires an examination of the sodium pentaborate solution by using chemical analysis to ensure that the proper concentration of boron exists in the storage tank (within Region A limits of Figures 3.1.7-1 and 3.1.7-2). SR 3.1.7.5 must be performed any time sodium pentaborate or water is added to the storage tank solution to determine that the boron solution concentration is within the specified limits. SR 3.1.7.5 must also be performed any time the temperature is restored to within the Region A limits of Figure 3.1.7-2, to ensure that no significant boron precipitation occurred. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.7.7 Demonstrating that each SLC System pump develops a flow rate 41.2 gpm at a discharge pressure 1232 psig ensures that pump performance has not degraded during the fuel cycle. This minimum pump flow rate requirement ensures that, when combined with the sodium pentaborate solution concentration requirements, the rate of negative reactivity insertion from the SLC System will adequately compensate for the positive reactivity effects encountered during power reduction, cooldown of the moderator, and xenon decay. Additionally, the minimum pump flow rate requirement ensures that adequate buffering agent will reach the suppression pool to maintain pH at or above 7.0 post-LOCA. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this Surveillance is in accordance with the Inservice Testing Program.

SR 3.1.7.8 and SR 3.1.7.9 These Surveillances ensure that there is a functioning flow path from the sodium pentaborate solution storage tank to the RPV, including the firing of an explosive valve. The replacement charge for the explosive valve shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of that batch successfully fired. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance may be performed in separate steps to prevent injecting boron into the RPV. An acceptable method for verifying flow from the pump to the RPV is to pump demineralized water from a test tank SLC System B 3.1.7 HATCH UNIT 1 B 3.1-41 REVISION 70 BASES SURVEILLANCE SR 3.1.7.8 and SR 3.1.7.9 (continued) REQUIREMENTS through one SLC subsystem and into the RPV. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Demonstrating that all heat traced piping between the sodium pentaborate solution storage tank and the suction inlet to the injection pumps is unblocked ensures that there is a functioning flow path for injecting the sodium pentaborate solution. An acceptable method for verifying that the suction piping is unblocked is to pump from the storage tank to the test tank. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This is especially true in light of the temperature verification of this piping required by SR 3.1.7.3. However, if, in performing SR 3.1.7.3, it is determined that the temperature of this piping has fallen below the specified minimum, SR 3.1.7.9 must be performed once within 24 hours after the piping temperature is restored to within the Region A limits of Figure 3.1.7-2.

SR 3.1.7.10 Enriched sodium pentaborate solution is made by mixing granular, enriched sodium pentaborate with water. Isotopic tests on the granular sodium pentaborate to verify the actual B-10 enrichment must be performed prior to addition to the SLC tank in order to ensure that the proper B-10 atom percentage is being used. REFERENCES 1. 10 CFR 50.62.

2. FSAR, Section 3.8.4. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 1 B 3.1-42 REVISION 70 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves

BASES BACKGROUND The SDV vent and drain valves are normally open and discharge any accumulated water in the SDV to ensure that sufficient volume is available at all times to allow a complete scram. During a scram, the SDV vent and drain valves close to contain reactor water. The SDV is a volume of header piping that connects to each hydraulic control unit (HCU) and drains into an instrument volume. There are two SDVs (headers) and two instrument volumes, each receiving approximately one half of the control rod drive (CRD) discharges. The two instrument volumes are connected to a common drain line with two valves in series. Each header is connected to a common vent line with two valves in series for a total of four vent valves. The header piping is sized to receive and contain all the water discharged by the CRDs during a scram. The design and functions of the SDV are described in Reference 1.

APPLICABLE The Design Basis Accident and transient analyses assume all of the SAFETY ANALYSES control rods are capable of scramming. The acceptance criteria for the SDV vent and drain valves are that they operate automatically to: a. Close during scram to limit the amount of reactor coolant discharged so that adequate core cooling is maintained and offsite doses remain within the limits of 10 CFR 50.67 (Ref. 2); and

b. Open on scram reset to maintain the SDV vent and drain path open so that there is sufficient volume to accept the reactor coolant discharged during a scram.

Isolation of the SDV can also be accomplished by manual closure of the SDV valves. Additionally, the discharge of reactor coolant to the SDV can be terminated by scram reset or closure of the HCU manual isolation valves. For a bounding leakage case, the offsite doses are well within the limits of 10 CFR 50.67 (Ref. 2), and adequate core cooling is maintained (Ref. 3). The SDV vent and drain valves allow continuous drainage of the SDV during normal plant operation to ensure that the SDV has sufficient capacity to contain the reactor coolant discharge during a full core scram. To automatically ensure this capacity, a reactor scram [LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"] is initiated if the SDV water level in SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 1 B 3.1-43 REVISION 61 BASES APPLICABLE the instrument volume exceeds a specified setpoint. The setpoint is SAFETY ANALYSES chosen so that all control rods are inserted before the SDV has (continued) insufficient volume to accept a full scram. SDV vent and drain valves satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The OPERABILITY of all SDV vent and drain valves ensures that the SDV vent and drain valves will close during a scram to contain reactor water discharged to the SDV piping. Since the vent and drain lines are provided with two valves in series, the single failure of one valve in the open position will not impair the isolation function of the system. Additionally, the valves are required to open on scram reset to ensure that a path is available for the SDV piping to drain freely at other times. APPLICABILITY In MODES 1 and 2, scram may be required; therefore, the SDV vent and drain valves must be OPERABLE. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This provides adequate controls to ensure that only a single control rod can be withdrawn. Also, during MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Therefore, the SDV vent and drain valves are not required to be OPERABLE in these MODES since the reactor is subcritical and only one rod may be withdrawn and subject to scram. ACTIONS The ACTIONS Table is modified by Note 1 indicating that a separate Condition entry is allowed for each SDV vent and drain line. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SDV line. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SDV lines are governed by subsequent Condition entry and application of associated Required Actions. When a line is isolated, the potential for an inadvertent scram due to high SDV level is increased. During these periods, the line may be unisolated under administrative control. This allows any accumulated water in the line to be drained, to preclude a reactor scram on SDV high level. This is acceptable since the administrative controls ensure the valve can be closed quickly, by a dedicated operator, if a scram occurs with the valve open. SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 1 B 3.1-44 REVISION 61 BASES ACTIONS A.1 (continued) When one SDV vent or drain valve is inoperable in one or more lines, the associated line must be isolated to contain the reactor coolant during a scram. The 7 day Completion Time is reasonable, given the level of redundancy in the lines and the low probability of a scram occurring during the time the valve(s) are inoperable and the line is not isolated. The SDV is still isolable since the redundant valve in the affected line is OPERABLE. During these periods, the single failure criterion may not be preserved, and a higher risk exists to allow reactor water out of the primary system during a scram.

B.1 If both valves in a line are inoperable, the line must be isolated to contain the reactor coolant during a scram. The 8 hour Completion Time to isolate the line is based on the low probability of a scram occurring while the line is not isolated and unlikelihood of significant CRD seal leakage. C.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.8.1 REQUIREMENTS During normal operation, the SDV vent and drain valves should be in the open position (except when performing SR 3.1.8.2) to allow for drainage of the SDV piping. Verifying that each valve is in the open position ensures that the SDV vent and drain valves will perform their SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 1 B 3.1-45 REVISION 69 BASES SURVEILLANCE SR 3.1.8.1 (continued) REQUIREMENTS intended functions during normal operation. This SR does not require any testing or valve manipulation; rather, it involves verification that the valves are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.8.2 During a scram, the SDV vent and drain valves should close to contain the reactor water discharged to the SDV piping. Cycling each valve through its complete range of motion (closed and open) ensures that the valve will function properly during a scram. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.8.3 SR 3.1.8.3 is an integrated test of the SDV vent and drain valves to verify total system performance. After receipt of a simulated or actual scram signal, the closure of the SDV vent and drain valves is verified. The closure time of 45 seconds after receipt of a scram signal is based on the bounding leakage case evaluated in the accident analysis (Ref. 1). Similarly, after receipt of a simulated or actual scram reset signal, the opening of the SDV vent and drain valves is verified. Although not explicitly stated in the SR, the valves are required to open prior to receipt of a control rod block on high SDV level. This criterion ensures the valves can open in time to preclude a scram on SDV high level and maintain sufficient volume in the SDV to receive and contain the water discharged by the control rod drives during a scram per the requirements of the applicable safety analysis (Ref.1). The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1 and the scram time testing of control rods in LCO 3.1.3 overlap this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SDV Vent and Drain Valves B 3.1.8 HATCH UNIT 1 B 3.1-46 REVISION 70 BASES (continued) REFERENCES 1. FSAR, Section 3.4.

2. 10 CFR 50.67. 3. NUREG-0803, "Generic Safety Evaluation Report Regarding Integrity of BWR Scram System Piping," August 1981. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

APLHGR B 3.2.1 (continued) HATCH UNIT 1 B 3.2-1 REVISION 37 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)

BASES BACKGROUND The APLHGR is a measure of the average LHGR of all the fuel rods in a fuel assembly at any axial location. Limits on the APLHGR are specified to ensure that the peak cladding temperature (PCT) during the postulated design basis loss of coolant accident (LOCA) does not exceed the limits specified in 10 CFR 50.46. APPLICABLE The analytical methods and assumptions used in evaluating LOCA SAFETY ANALYSES and normal operation that determine the APLHGR limits are presented in References 1, 3, 4, 6, 9, and 10. APLHGR limits are developed as a function of exposure and operating states to ensure adherence to 10 CFR 50.46 during the limiting LOCA (Refs. 6, 7, 9, and 10). LOCA analyses are performed to ensure that the above determined APLHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. The analysis is performed using calculational models that are consistent with the requirements of 10 CFR 50, Appendix K. A complete discussion of the analysis code is provided in Reference 10. The PCT following a postulated LOCA is a function of the average heat generation rate of all the rods of a fuel assembly at any axial location and is not strongly influenced by the rod to rod power distribution within an assembly. The APLHGR limits specified are equivalent to the LHGR of the highest powered fuel rod assumed in the LOCA analysis divided by an assumed conservatively small local peaking factor. Some off-rated operating states require the reduction or set down of the rated APLHGR limit through multiplier factors (MAPFACs). A flow dependent multiplier, MAPFACf , is necessary at core flows below 61% to provide protection for LOCA events (Ref. 12). For single recirculation loop operation, the MAPFACf multiplier is limited to a maximum value specified in the Core Operating Limits Report (COLR). This maximum limit is due to the conservative analysis assumption of an earlier departure from nucleate boiling with one recirculation loop available, resulting in a more severe cladding heatup during a LOCA.

APLHGR B 3.2.1 (continued) HATCH UNIT 1 B 3.2-2 REVISION 37 BASES APPLICABLE The APLHGR satisfies Criterion 2 of the NRC Policy Statement SAFETY ANALYSES (Ref. 11).

(continued)

LCO The APLHGR limits specified in the COLR are the result of the LOCA analyses. The limit is determined by multiplying the MAPFACf factor times the exposure dependent APLHGR limits. For single recirculation loop operation, the MAPFACf multiplier is limited to a maximum value specified in the Core Operating Limits Report (COLR). APPLICABILITY The APLHGR limits are primarily derived from fuel design evaluations and LOCA analyses that are assumed to occur at high power levels. Design calculations (Ref. 7) and operating experience have shown that as power is reduced, the margin to the required APLHGR limits increases. This trend continues down to the power range of 5% to 15% RTP when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor scram function provides prompt scram initiation during any significant transient, thereby effectively removing any APLHGR limit compliance concern in MODE 2. Therefore, at THERMAL POWER levels 24% RTP, the reactor is operating with substantial margin to the APLHGR limits; thus, this LCO is not required. ACTIONS A.1 If any APLHGR exceeds the required limits, an assumption regarding an initial condition of the LOCA may not be met. Therefore, prompt action should be taken to restore the APLHGR(s) to within the required limits such that the plant operates within analyzed conditions and within design limits of the fuel rods. The 2 hour Completion Time is sufficient to restore the APLHGR(s) to within its limits and is acceptable based on the low probability of a LOCA occurring simultaneously with the APLHGR out of specification. APLHGR B 3.2.1 (continued) HATCH UNIT 1 B 3.2-3 REVISION 69 BASES ACTIONS B.1 (continued) If the APLHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 24% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 24% RTP in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.2.1.1 REQUIREMENTS APLHGRs are required to be initially calculated within 12 hours after THERMAL POWER is 24% RTP and periodically thereafter. They are compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The 12 hour allowance after THERMAL POWER 24% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels. REFERENCES 1. NEDE-24011-P-A "General Electric Standard Application for Reactor Fuel," (revision specified in the COLR). 2. (Not used) 3. FSAR, Chapter 6. 4. FSAR, Chapter 15, Unit 2. 5. (Not used) 6. NEDC-32749P, "Extended Power Uprate Safety Analysis Report for Edwin I. Hatch Units 1 and 2," July 1997. 7. NEDC-30474-P "Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvements (ARTS) Program for E.I. Hatch Nuclear Plant, Units 1 and 2," December 1983. 8. (Not used) APLHGR B 3.2.1 HATCH UNIT 1 B 3.2-4 REVISION 37 BASES REFERENCES 9. NEDC-32720P, "Hatch Units 1 and 2 SAFER/GESTR-LOCA (continued) Loss of Coolant Accident Analysis," March 1997.

10. GE-NE-0000-0000-9200-02P, "Hatch Units 1 and 2 ECCS-LOCA Evaluation for GE14," March 2002. 11. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 12. Letter from Global Nuclear Fuel, M. E. Harding to E. B. Gibson, January 22, 2004, "Plant Hatch Technical Specification Modification to include LHGR."

MCPR B 3.2.2 HATCH UNIT 1 B 3.2-5 REVISION 0 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR)

BASES BACKGROUND MCPR is a ratio of the fuel assembly power that would result in the onset of boiling transition to the actual fuel assembly power. The MCPR Safety Limit (SL) is set such that 99.9% of the fuel rods are expected to avoid boiling transition if the limit is not violated (refer to the Bases for SL 2.1.1.2). The operating limit MCPR is established to ensure that no fuel damage results during anticipated operational occurrences (AOOs). Although fuel damage does not necessarily occur if a fuel rod actually experienced boiling transition (Ref. 1), the critical power at which boiling transition is calculated to occur has been adopted as a fuel design criterion. The onset of transition boiling is a phenomenon that is readily detected during the testing of various fuel bundle designs. Based on these experimental data, correlations have been developed to predict critical bundle power (i.e., the bundle power level at the onset of transition boiling) for a given set of plant parameters (e.g., reactor vessel pressure, flow, and subcooling). Because plant operating conditions and bundle power levels are monitored and determined relatively easily, monitoring the MCPR is a convenient way of ensuring that fuel failures due to inadequate cooling do not occur. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES AOOs to establish the operating limit MCPR are presented in References 2, 3, 4, 5, 6, 7, and 8. To ensure that the MCPR SL is not exceeded during any transient event that occurs with moderate frequency, limiting transients have been analyzed to determine the largest reduction in critical power ratio (CPR). The types of transients evaluated are loss of flow, increase in pressure and power, positive reactivity insertion, and coolant temperature decrease. The limiting transient yields the largest change in CPR (CPR). When the largest CPR is added to the MCPR SL, the required operating limit MCPR is obtained. The MCPR operating limits derived from the transient analysis are dependent on the operating core flow and power state (MCPRf and MCPRp, respectively) to ensure adherence to fuel design limits during the worst transient that occurs with moderate frequency (Refs. 6, 7, and 8). Flow dependent MCPR limits are determined by steady state thermal hydraulic methods with key physics response inputs MCPR B 3.2.2 HATCH UNIT 1 B 3.2-6 REVISION 36 BASES APPLICABLE benchmarked using the three dimensional BWR simulator code SAFETY ANALYSES (Ref. 9) to analyze slow flow runout transients. The operating limit is (continued) dependent on the maximum core flow limiter setting in the Recirculation Flow Control System. Power dependent MCPR limits (MCPRp) are determined mainly by the one dimensional transient code (Ref. 10). Due to the sensitivity of the transient response to initial core flow levels at power levels below those at which the turbine stop valve closure and turbine control valve fast closure scrams are bypassed, high and low flow MCPRp operating limits are provided for operating between 24% RTP and the previously mentioned bypass power level. The MCPR satisfies Criterion 2 of the NRC Policy Statement (Ref. 11). LCO The MCPR operating limits specified in the COLR are the result of the Design Basis Accident (DBA) and transient analysis. The operating limit MCPR is determined by the larger of the MCPRf and MCPRp limits. APPLICABILITY The MCPR operating limits are primarily derived from transient analyses that are assumed to occur at high power levels. Below 24% RTP, the reactor is operating at a minimum recirculation pump speed and the moderator void ratio is small. Surveillance of thermal limits below 24% RTP is unnecessary due to the large inherent margin that ensures that the MCPR SL is not exceeded even if a limiting transient occurs. Statistical analyses indicate that the nominal value of the initial MCPR expected at 24% RTP is > 3.5. Studies of the variation of limiting transient behavior have been performed over the range of power and flow conditions. These studies encompass the range of key actual plant parameter values important to typically limiting transients. The results of these studies demonstrate that a margin is expected between performance and the MCPR requirements, and that margins increase as power is reduced to 24% RTP. This trend is expected to continue to the 5% to 15% power range when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor provides rapid scram initiation for any significant power increase transient, which effectively eliminates any MCPR compliance concern. Therefore, at THERMAL POWER levels < 24% RTP, the reactor is operating with substantial margin to the MCPR limits and this LCO is not required MCPR B 3.2.2 HATCH UNIT 1 B 3.2-7 REVISION 69 BASES (continued) ACTIONS A.1 If any MCPR is outside the required limits, an assumption regarding an initial condition of the design basis transient analyses may not be met. Therefore, prompt action should be taken to restore the MCPR(s) to within the required limits such that the plant remains operating within analyzed conditions. The 2 hour Completion Time is normally sufficient to restore the MCPR(s) to within its limits and is acceptable based on the low probability of a transient or DBA occurring simultaneously with the MCPR out of specification. B.1 If the MCPR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 24% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 24% RTP in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.2.2.1 REQUIREMENTS The MCPR is required to be initially calculated within 12 hours after THERMAL POWER is 24% RTP and periodically thereafter. It is compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The 12 hour allowance after THERMAL POWER 24% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels.

SR 3.2.2.2 Because the transient analysis takes credit for conservatism in the scram speed performance, it must be demonstrated that the specific scram speed distribution is consistent with that used in the transient analysis. SR 3.2.2.2 determines the value of , which is a measure of the actual scram speed distribution compared with the assumed distribution. The MCPR operating limit is then determined based on an interpolation between the applicable limits for Option A (scram MCPR B 3.2.2 HATCH UNIT 1 B 3.2-8 REVISION 0 BASES SURVEILLANCE SR 3.2.2.2 (continued) REQUIREMENTS times of LCO 3.1.4, "Control Rod Scram Times") and Option B (realistic scram times) analyses. The parameter must be determined once within 72 hours after each set of scram time tests required by SR 3.1.4.1 and SR 3.1.4.2 because the effective scram speed distribution may change during the cycle. The 72 hour Completion Time is acceptable due to the relatively minor changes in expected during the fuel cycle. REFERENCES 1. NUREG-0562, June 1979. 2. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," (revision specified in the COLR).

3. FSAR, Chapter 3.

4. FSAR, Chapter 6.

5. FSAR, Chapter 14.

6. NEDO-24205, "E. I. Hatch Nuclear Plant Units 1 and 2 Single-Loop Operation," August 1989.

7. NEDO-24395, "Load Line Limit Analysis," October 1980.

8. NEDC-30474-P, "Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvements (ARTS)

Program for E. I. Hatch Nuclear Plant, Units 1 and 2," December 1983. 9. NEDO-30130-A, "Steady State Nuclear Methods," May 1985.

10. NEDO-24154, "Qualification of the One-Dimensional Core Transient Model for Boiling Water Reactors," October 1978.

11. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

LHGR B 3.2.3 (continued) HATCH UNIT 1 B 3.2-9 REVISION 70 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR)

BASES BACKGROUND The LHGR is a measure of the heat generation rate of a fuel rod in a fuel assembly at any axial location. Limits on LHGR are specified to ensure that fuel thermal-mechanical design limits are not exceeded anywhere in the core during normal operation, including anticipated operational occurrences (AOOs), and to ensure that the peak clad temperature (PCT) during postulated design basis loss of coolant accident (LOCA) does not exceed the limits specified in 10 CFR 50.46. Exceeding the LHGR limit could potentially result in fuel damage and subsequent release of radioactive materials into the reactor coolant. Fuel design limits are specified to ensure that fuel system damage, fuel rod failure, or inability to cool the fuel does not occur during the anticipated operating conditions identified in Reference 2. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES fuel system design limits are presented in References 1 and 2. The analytical methods and assumptions used in evaluating AOOs and normal operation that determine the LHGR limits are presented in Reference 2. The fuel assembly is designed to ensure (in conjunction with the core nuclear and thermal hydraulic design, plant equipment, instrumentation, and protection systems) that fuel damage will not result in the release of radioactive materials in excess of the guidelines of 10 CFR, Parts 20 and 50. The mechanisms that could cause fuel damage during operational transients and that are considered in fuel evaluations include: a. Rupture of the fuel rod cladding caused by strain from the relative expansion of the UO2 pellet and cladding. b. Severe overheating of the fuel rod cladding caused by inadequate cooling. A value of 1% plastic strain of the fuel cladding has been defined as the limit below which fuel damage caused by overstraining of the fuel cladding is not expected to occur (Ref. 3). Fuel design evaluations have been performed and demonstrate that the 1% fuel cladding plastic strain design limit and certain other fuel design limits described in reference 1 are not exceeded during LHGR B 3.2.3 (continued) HATCH UNIT 1 B 3.2-10 REVISION 37 BASES APPLICABLE continuous operation with LHGRs up to the operating limit specified in SAFETY ANALYSES the Core Operating Limits Report (COLR). The analysis also includes (continued) allowances for short-term transient operation above the operating limit to account for AOOs, plus an allowance for densification power spiking. LHGR limits are developed as a function of exposure and the various operating core flow and power states to ensure adherence to fuel design limits during the limiting AOOs (Refs. 4 and 5). Off-rated operating states require the reduction or set down of the rated LHGR limit through multiplier factors (LHGRFACs) (Ref. 9). Flow dependent multipliers, LHGRFACf, are determined (Ref. 5) using the three dimensional BWR simulator code (Ref. 6) to analyze slow flow runout transients. The flow dependent multiplier is dependent on the maximum core flow runout capability. The maximum runout flow is dependent on the existing setting of the core flow limiter in the Recirculation Flow Control System. Based on analyses of limiting plant transients (other than core flow increases) over a range of power and flow conditions, power dependent multipliers, LHGRFACp, also are generated. Due to the sensitivity of the transient response to initial core flow levels at power levels below those at which turbine stop valve closure and turbine control valve fast closure scram trips are bypassed, both high and low core flow LHGRFACp limits are provided for operation at power levels between 24% RTP and the previously mentioned bypass power level. The exposure dependent LHGR limits are reduced by LHGRFACp and LHGRFACf at various operating conditions to ensure that all fuel design criteria are met for normal operation and AOOs. A complete discussion of the analysis code is provided in Reference 7. LOCA analyses are performed to ensure that the above determined LHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. See Section B 3.2.1 for more details. For single recirculation loop operation, the LHGR operating limit is as specified in the COLR, and the LHGRFAC multiplier is limited to a maximum as specified in the COLR. The maximum limit is due to the conservative analysis assumption of an earlier departure from nucleate boiling with one recirculation loop available, resulting in a more severe cladding heatup during a LOCA. The LHGR satisfies Criterion 2 of the NRC Policy Statement (Ref. 8). LHGR B 3.2.3 (continued) HATCH UNIT 1 B 3.2-11 REVISION 37 BASES (continued) LCO The LHGR is a basic assumption in the fuel design analysis. The fuel has been designed to operate at rated core power with sufficient design margin to the LHGR limit calculated to cause a 1% fuel cladding plastic strain as well as the other design limits described in Ref. 1. For two recirculation loops operating, the limit is determined by multiplying the smaller of the LHGRFACf and LHGRFACp factors times the exposure dependent LHGR limits. These values are specified in the COLR. With only one recirculation loop in operation, in conformance with the requirements of LCO 3.4.1, "Recirculation Loops Operating," the limit is determined by multiplying the exposure dependent LHGR limit by the smaller of either LHGRFACf, LHGRFACp, and a maximum value allowed during single loop operation as specified in the COLR.

APPLICABILITY The LHGR limits are derived from fuel design analysis that is limiting at high power level conditions. At core thermal power levels < 24% RTP, the reactor is operating with a substantial margin to the LHGR limits and, therefore, the specification is only required when the reactor is operating at 24% RTP. ACTIONS A.1 If any LHGR exceeds its required limit, an assumption regarding an initial condition of the fuel design analysis is not met. Therefore, prompt action should be taken to restore the LHGR(s) to within its required limits such that the plant is operating within analyzed conditions and within the design limits of the fuel rods. The 2 hour Completion Time is normally sufficient to restore the LHGR(s) to within its limits and is acceptable based on the low probability of a transient or LOCA occurring simultaneously with the LHGR out of specification. B.1 If the LHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER is reduced to < 24% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 24% RTP in an orderly manner and without challenging plant systems. LHGR B 3.2.3 HATCH UNIT 1 B 3.2-12 REVISION 69 BASES (continued) SURVEILLANCE SR 3.2.3.1 REQUIREMENTS The LHGR is required to be initially calculated within 12 hours after THERMAL POWER is 24% RTP and periodically thereafter. It is compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The 12 hour allowance after THERMAL POWER 24% RTP is achieved is acceptable given the large inherent margin to operating limits at lower power levels. REFERENCES 1. NEDE-24011-P-A "General Electric Standard Application for Reactor Fuel."

2. FSAR, Chapter 15 (Unit 2).

3. NUREG-0800, Section II.A.2(g), Revision 2, July 1981. 4. NEDC-32749P, "Extended Power Uprate Safety Analysis Report for Edwin I. Hatch Units 1 and 2," July 1997. 5. NEDC-30474-P, "Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvements (ARTS)

Program for E. I. Hatch Nuclear Plant, Units 1 and 2," December 1983. 6. NRC approval of "Amendment 26 to GE Licensing Topical Report NEDE-24011-P-A, "GESTAR II"-Implementing Improved GE Steady-State Methods (TAC No. MA6481)," November 10, 1999. 7. NEDO-24154-A, "Qualification of the One-Dimensional Core Transient Model (ODYN) for Boiling Water Reactors," August 1986, and NEDE-24154-P-A, Supplement 1, Volume 4, Revision 1, February 2000. 8. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 9. Letter from Global Nuclear Fuel, M. E. Harding to E. B. Gibson, January 22, 2004, "Plant Hatch Technical Specification Modification to include LHGR." RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-1 REVISION 0 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation

BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limits, to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually. The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS are defined in this Specification as the Allowable Values, which, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits, including Safety Limits (SLs) during Design Basis Accidents (DBAs). The RPS, as shown in the FSAR, Section 7.2 (Ref. 1), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters. The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level; reactor vessel pressure; neutron flux; main steam line isolation valve position; turbine control valve (TCV) fast closure, trip oil pressure; turbine stop valve (TSV) position; drywell pressure; and scram discharge volume (SDV) water level; as well as reactor mode switch in shutdown position and manual scram signals. There are at least four redundant sensor input signals from each of these parameters (with the exception of the reactor mode switch in shutdown and manual scram push button scram signals). Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an RPS trip signal to the trip logic. The RPS is comprised of two independent trip systems (A and B) with two logic channels in each trip system (logic channels A1 and A2, B1 and B2) as shown in Reference 1. The outputs of the logic channels in a trip system are combined in a one-out-of-two logic so that either channel can trip the associated trip system. The tripping of both trip systems will produce a reactor scram. This logic arrangement is RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-2 REVISION 0 BASES BACKGROUND referred to as a one-out-of-two taken twice logic. Each trip system (continued) can be reset by use of a reset switch. If a full scram occurs (both trip systems trip), a relay prevents reset of the trip systems for 10 seconds after the full scram signal is received. This 10 second delay on reset ensures that the scram function will be completed. Two scram pilot valves are located in the hydraulic control unit for each control rod drive (CRD). Each scram pilot valve is solenoid operated, with the solenoids normally energized. The scram pilot valves control the air supply to the scram inlet and outlet valves for the associated CRD. When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both scram pilot valve solenoids must be de-energized to cause a control rod to scram. The scram valves control the supply and discharge paths for the CRD water during a scram. One of the scram pilot valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B. Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram. The backup scram valves, which energize on a full scram signal to depressurize the scram air header, are also controlled by the RPS. Additionally, the RPS System controls the SDV vent and drain valves such that when both trip systems trip, the SDV vent and drain valves close to isolate the SDV. APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY ANALYSES, References 2, 3, and 4. The RPS initiates a reactor scram when LCO, and monitored parameter values exceed the Allowable Values, specified APPLICABILITY by the setpoint methodology and listed in Table 3.3.1.1-1 to preserve the integrity of the fuel cladding, the reactor coolant pressure boundary (RCPB), and the containment by minimizing the energy that must be absorbed following a LOCA. RPS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 11). Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1. Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints within RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-3 REVISION 36 BASES APPLICABLE the specified Allowable Value, where appropriate. The setpoint is SAFETY ANALYSES calibrated consistent with applicable setpoint methodology LCO, and assumptions (nominal trip setpoint). Each channel must also respond APPLICABILITY within its assumed response time, where appropriate. (continued) Allowable Values are specified for each RPS Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the actual setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The OPERABILITY of scram pilot valves and associated solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO. The individual Functions are required to be OPERABLE in the MODES or other specified conditions specified in the Table, which may require an RPS trip to mitigate the consequences of a design basis accident or transient. To ensure a reliable scram function, a combination of Functions are required in each MODE to provide primary and diverse initiation signals. The only MODES specified in Table 3.3.1.1-1 are MODES 1 (which encompasses 27.6% RTP) and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. No RPS Function is required in MODES 3 and 4 since all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-4 REVISION 30 BASES APPLICABLE (LCO 3.3.2.1) does not allow any control rod to be withdrawn. In SAFETY ANALYSES MODE 5, control rods withdrawn from a core cell containing no fuel LCO, and assemblies do not affect the reactivity of the core and, therefore, are APPLICABILITY not required to have the capability to scram. Provided all other control (continued) rods remain inserted, no RPS Function is required. In this condition, the required SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur. The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Intermediate Range Monitor (IRM) 1.a. Intermediate Range Monitor Neutron Flux - High The IRMs monitor neutron flux levels from the upper range of the source range monitor (SRM) to the lower range of the average power range monitors (APRMs). The IRMs are capable of generating trip signals that can be used to prevent fuel damage resulting from abnormal operating transients in the intermediate power range. In this power range, the most significant source of reactivity change is due to control rod withdrawal. The IRM mitigates control rod withdrawal error events and is diverse from the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result in an unacceptable neutron flux excursion (Ref. 5). The IRM provides mitigation of the neutron flux excursion. To demonstrate the capability of the IRM System to mitigate control rod withdrawal events, generic analyses have been performed (Ref. 6) to evaluate the consequences of control rod withdrawal events during startup that are mitigated only by the IRM. This analysis, which assumes that one IRM channel in each trip system is bypassed, demonstrates that the IRMs provide protection against local control rod withdrawal errors and results in peak fuel energy depositions below the 170 cal/gm fuel failure threshold criterion. Reference 19 provides a more recent analysis which shows that even with reduced IRM OPERABILITY requirements, the 170 cal/gm criterion is still satisfied.

The IRMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed. The IRM System is divided into two groups of IRM channels, with four IRM channels inputting to each trip system. The analysis of RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-5 REVISION 35 BASES APPLICABLE 1.a. Intermediate Range Monitor Neutron Flux - High (continued) SAFETY ANALYSES, LCO, and Reference 6 assumes that one channel in each trip system is APPLICABILITY bypassed. However, as previously described, Reference 19 provides more recent analysis which shows that, even with two IRMs operable per trip system, adequate protection is provided for activity events in the intermediate range. This trip is active in each of the 10 ranges of the IRM, which must be selected by the operator to maintain the neutron flux within the monitored level of an IRM range. The analysis of Reference 6 has adequate conservatism to permit an IRM Allowable Value of 120 divisions of a 125 division scale. The Intermediate Range Monitor Neutron Flux - High Function must be OPERABLE during MODE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the IRMs provide monitoring for and protection against unexpected reactivity excursions. In MODE 1, the APRM System and the RWM provide protection against control rod withdrawal error events and the IRMs are not required.

1.b. Intermediate Range Monitor - Inop This trip signal provides assurance that a minimum number of IRMs are OPERABLE. Any time an IRM mode switch is moved to any position other than "Operate," the detector voltage drops below a preset level, or when a module is not plugged in, an inoperative trip signal will be received by the RPS unless the IRM is bypassed. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. Four channels of Intermediate Range Monitor - Inop with two channels in each trip system are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function. This Function is required to be OPERABLE when the Intermediate Range Monitor Neutron Flux - High Function is required. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-6 REVISION 16 BASES APPLICABLE 2. Average Power Range Monitor (APRM) SAFETY ANALYSES, LCO, and The APRM channels provide the primary indication of neutron flux APPLICABILITY within the core and respond almost instantaneously to neutron flux (continued) increases. The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than RTP. Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale Function which monitors small groups of LPRM signals to detect thermal-hydraulic instabilities. The APRM System is divided into 4 APRM channels and 4 two-out-of-four voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each, with each group of two providing inputs to one RPS trip system. The APRM System is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result in a "half-trip" in all four voter channels, but no trip inputs to either RPS trip system. APRM trip Functions 2.a, 2.b, 2.c, or 2.d are voted independently of OPRM Upscale Function 2.f. Therefore, any Function 2.a, 2.b, 2.c, or 2.d trip from any two unbypassed APRM channels will result in a full-trip in each of the four voter channels, which in turn results in two trip inputs into each RPS trip logic channel (A1, A2, B1, and B2). Similarly, a Function 2.f trip from any two unbypassed APRM channels will result in a full-trip from each of the four voter channels. Three of the four APRM channels and all four of the voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal In addition, to provide adequate coverage of the entire core, consistent with the design bases for APRM Functions 2.a, 2.b, and 2.c, at least 17 LPRM inputs, with at least three LPRM inputs from each of the four axial levels at which the LPRMs are located, are required for each APRM channel. For APRM Function 2.F, OPRM Upscale, LPRMs are assigned to "cells" of three detectors with a minimum of one detector per cell. The minimum number of LPRM inputs for APRM Functions 2.a, 2.b, and 2.c must be met for OPRM Upscale Function 2.f to be OPERABLE. 2.a. Average Power Range Monitor Neutron Flux - High (Setdown) For operation at low power (i.e., MODE 2), the Average Power Range Monitor Neutron Flux - High (Setdown) Function is capable of generating a trip signal that prevents fuel damage resulting from RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-7 REVISION 36 BASES APPLICABLE 2.a. Average Power Range Monitor Neutron Flux - High (Setdown) SAFETY ANALYSES (continued) LCO, and APPLICABILITY abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux - High (Setdown) Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux - High Function because of the relative setpoints. With the IRMs at Range 9 or 10, it is possible that the Average Power Range Monitor Neutron Flux - High (Setdown) Function will provide the primary trip signal for a corewide increase in power. No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux - High (Setdown) Function. However, this Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 24% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow. Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER < 24% RTP. The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 24% RTP. The Average Power Range Monitor Neutron Flux - High (Setdown) Function must be OPERABLE during MODE 2 when control rods may be withdrawn since the potential for criticality exists. In MODE 1, the Average Power Range Monitor Neutron Flux - High Function provides protection against reactivity transients and the RWM and rod block monitor protect against control rod withdrawal error events.

2.b. Average Power Range Monitor Simulated Thermal Power - High The Average Power Range Monitor Simulated Thermal Power - High Function monitors neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant. The APRM neutron flux is electronically filtered with a time constant representative of the fuel heat transfer dynamics to generate a signal proportional to the THERMAL POWER in the reactor. The trip level is varied as a function of recirculation drive flow (i.e., at lower core flows, the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod pattern) but is clamped at an upper limit that is always lower than the Average Power Range Monitor Neutron Flux - High Function Allowable Value. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-8 REVISION 16 BASES APPLICABLE 2.b. Average Power Range Monitor Simulated Thermal Power - High SAFETY ANALYSES (continued) LCO, and APPLICABILITY The Average Power Range Monitor Simulated Thermal Power - High Function provides protection against transients where THERMAL POWER increases slowly (such as the loss of feedwater heating event) and protects the fuel cladding integrity by ensuring that the MINIMUM CRITICAL POWER RATIO (MCPR) Safety Limit (SL) is not exceeded. During these events, the THERMAL POWER increase does not significantly lag the neutron flux response and, because of a lower trip setpoint, will initiate a scram before the high neutron flux scram. For rapid neutron flux increase events, the THERMAL POWER lags the neutron flux and the Average Power Range Monitor Neutron Flux - High Function will provide a scram signal before the Average Power Range Monitor Simulated Thermal Power - High Function setpoint and associated time delay are exceeded. Each APRM channel uses one total drive flow signal representative of total core flow. The total drive flow signal is generated by the flow processing logic, which is part of the APRM channel. The flow is calculated by summing two flow transmitter signals, one from each of the two recirculation loop flows. The flow processing logic OPERABILITY is part of the APRM channel OPERABILITY requirements for this Function. The clamped Allowable Value is based on analyses that take credit for the Average Power Range Monitor Simulated Thermal Power - High Function for the mitigation of the loss of feedwater heating event. The time constant is based on the fuel heat transfer dynamics and provides a signal proportional to the THERMAL POWER. The Average Power Range Monitor Simulated Thermal Power - High Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding integrity. 2.c. Average Power Range Monitor Neutron Flux - High The Average Power Range Monitor Neutron Flux - High Function is capable of generating a trip signal to prevent fuel damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Neutron RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-9 REVISION 16 BASES APPLICABLE 2.c. Average Power Range Monitor Neutron Flux - High (continued) SAFETY ANALYSES, LCO, and Flux - High Function is assumed to terminate the main steam isolation APPLICABILITY valve (MSIV) closure event and, along with the safety/relief valves (S/RVs), limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 7) takes credit for the Average Power Range Monitor Neutron Flux - High Function to terminate the CRDA. The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses. The Average Power Range Monitor Neutron Flux - High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded. Although the Average Power Range Monitor Neutron Flux - High Function is assumed in the CRDA analysis, which is applicable in MODE 2, the Average Power Range Monitor Neutron Flux - High (Setdown) Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection. Therefore, the Average Power Range Monitor Neutron Flux - High Function is not required in MODE 2. 2.d. Average Power Range Monitor - Inop This Function (Inop) provides assurance that the minimum number of APRM channels is OPERABLE. For any APRM channel, any time: 1) its mode switch is in any position other than "Operate," 2) an APRM module is unplugged, or

3) the automatic self-test system detects a critical fault with the APRM channel, an Inop trip signal is sent to all four voter channels. Inop trips from two or more unbypassed APRM channels result in a trip output from all four voter channels to their associated trip system.

This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. There is no Allowable Value for this Function. This Function is required to be OPERABLE in the MODES where the APRM Functions are required. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-10 REVISION 16 BASES APPLICABLE 2.e. Two-out-of-Four Voter SAFETY ANALYSES LCO, and The Two-out-of-Four Voter Function provides the interface between APPLICABILITY the APRM Functions, including the OPRM Upscale Function, and the (continued) final RPS trip system logic. As such, it is required to be OPERABLE in the MODES where the APRM Functions are required and is necessary to support the safety analysis applicable to each of those Functions. Therefore, the Two-out-of-Four Voter Function is required to be OPERABLE in MODES 1 and 2. All four voter channels are required to be OPERABLE. Each voter channel also incudes self-diagnostic functions. If any voter channel detects a critical fault in its own processing, an Inop trip is issued from that voter channel to the associated trip system. The Two-out-of-Four Voter Function votes APRM Functions 2.a, 2.b, 2.c, and 2.d independently of Function 2.f. The voter also includes separate outputs to the RPS for the two independently voted sets of Functions, each of which is redundant (flour total inputs). Voter Function 2.e must be declared inoperable if any of its funtionality is inoperable. However, due to the independent voting of APRM trips and the redundancy of outputs, there may be conditions where Voter Function 2.e is inoperable, but trip capability for one or more of the other APRM Functions through that voter is still maintained. This may be considered when determining the condition of other APRM Functions resulting from partial inoperability of Voter Function 2.e. There is no Allowable Value for this Function. 2.f. Oscillation Power Range Monitor (OPRM) Upscale The OPRM Upscale Function provides compliance with GDC 10 and GDC 12, thereby providing protection from exceeding the fuel MCPR SL due to anticipated thermal-hydraulic power oscillations. References 13, 14, and 15 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm, the amplitude based algorithm, and the growth rate algorithm. All three are implemented in the OPRM Upscale Function, but the safety analysis takes credit only for the period based detection algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations. OPRM Upscale Function OPERABILITY for Technical Specifications purposes is based only on the period based detection algorithm. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-11 REVISION 16 BASES APPLICABLE 2.f Oscillation Power Range Monitor (OPRM) Upscale (continued) SAFETY ANALYSES LCO, and The OPRM Upscale Function receives input signals from the LPRMs APPLICABILITY within the reactor core, which are combined into "cells" for evaluation by the OPRM algorithms. The OPRM Upscale Function is required to be OPERABLE when the plant is in MODE 1. Within the region of power-flow operation where anticipated events could lead to thermal-hydraulic instability and related neutron flux oscillations, the automatic trip is enabled when THERMAL POWER, as indicated by APRM Simulated Thermal Power, is 25% RTP and reactor core flow, as indicated by recirculation drive flow, is < 60% of rated flow. An OPRM Upscale trip is issued from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals of the LPRM detectors in a cell, with period confirmations and relative cell amplitude exceeding specified setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM Upscale trip is also issued from the channel if either the growth rate or amplitude based algorithm detects growing oscillatory changes in the neutron flux for one or more cells in that channel. Three of the four channels are required to be OPERABLE. Each channel is capable of detecting thermal-hydraulic instabilities by detecting the related neutron flux oscillations and issuing a trip signal before the MCPR SL is exceeded. There is no Allowable Value for this Function.

3. Reactor Vessel Steam Dome Pressure - High An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the fuel cladding and the RCPB. No specific safety analysis takes direct credit for this Function. However, the Reactor Vessel Steam Dome Pressure - High Function initiates a scram for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power. For the overpressurization protection analysis of Reference 4, reactor scram (the analyses conservatively assume scram on the Average Power Range Monitor Neutron Flux - High signal, not the Reactor Vessel Steam Dome Pressure - High signal),

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-12 REVISION 16 BASES APPLICABLE 3. Reactor Vessel Steam Dome Pressure - High (continued) SAFETY ANALYSES, LCO, and along with the S/RVs, limits the peak RPV pressure to less than the APPLICABILITY ASME Section III Code limits. High reactor pressure signals are initiated from four pressure transmitters that sense reactor pressure. The Reactor Vessel Steam Dome Pressure - High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event. Four channels of Reactor Vessel Steam Dome Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.

4. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat generated in the fuel from fission. The Reactor Vessel Water Level - Low, Level 3 Function is assumed in the analysis of the recirculation line break (Ref. 3). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS),

ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low, Level 3 Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Reactor Vessel Water Level - Low, Level 3 Allowable Value is selected to ensure that: (a) during normal operation the steam dryer skirt is not uncovered (this protects available recirculation pump net RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-13 REVISION 14 BASES APPLICABLE 4. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and positive suction head (NPSH) from significant carryunder) and, APPLICABILITY (b) for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water - Low Low Low, Level 1 will not be required. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor Vessel Water Level - Low Low, Level 2 and Low Low Low, Level 1 provide sufficient protection for level transients in all other MODES.

5. Main Steam Isolation Valve - Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the nuclear steam supply system and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve - Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient. However, for the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Neutron Flux - High Function, along with the S/RVs, limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis. Additionally, MSIV closure is assumed in the transients analyzed in Reference 2 (e.g., low steam line pressure, manual closure of MSIVs, high steam line flow). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. MSIV closure signals are initiated from position switches located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Thus, each RPS trip system receives an input from eight Main Steam Isolation Valve - Closure channels, each consisting of one position switch. The logic for the Main Steam Isolation Valve - Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur. In addition, certain combinations of valves closed in two lines will result in a half-scram.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-14 REVISION 14 BASES APPLICABLE 5. Main Steam Isolation Valve - Closure (continued) SAFETY ANALYSES, LCO, and The Main Steam Isolation Valve - Closure Allowable Value is specified APPLICABILITY to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient. Sixteen channels of the Main Steam Isolation Valve - Closure Function, with eight channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.

6. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. A reactor scram is initiated to minimize the possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell. The Drywell Pressure - High Function is a secondary scram signal to Reactor Vessel Water Level - Low, Level 3 for LOCA events inside the drywell. However, no credit is taken for a scram initiated from this Function for any of the DBAs analyzed in the FSAR. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and indicative of a LOCA inside primary containment. Four channels of Drywell Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resulting in the limiting transients and accidents.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-15 REVISION 14 BASES APPLICABLE 7.a., 7.b. Scram Discharge Volume Water Level - High SAFETY ANALYSES, LCO, and The SDV receives the water displaced by the motion of the CRD APPLICABILITY pistons during a reactor scram. Should this volume fill to a point (continued) where there is insufficient volume to accept the displaced water, control rod insertion would be hindered. Therefore, a reactor scram is initiated while the remaining free volume is still sufficient to accommodate the water from a full core scram. The two types of Scram Discharge Volume Water Level - High Functions are an input to the RPS logic. No credit is taken for a scram initiated from these Functions for any of the design basis accidents or transients analyzed in the FSAR. However, they are retained to ensure the RPS remains OPERABLE. SDV water level is measured by two diverse methods. The level in each of the two SDVs is measured by two float type level switches and two thermal probes for a total of eight level signals. The outputs of these devices are arranged so that there is a signal from a level switch and a thermal probe to each RPS logic channel. The level measurement instrumentation satisfies the recommendations of Reference 8. The Allowable Value is chosen low enough to ensure that there is sufficient volume in the SDV to accommodate the water from a full scram. Four channels of each type of Scram Discharge Volume Water Level - High Function, with two channels of each type in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from these Functions on a valid signal. These Functions are required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed. 8. Turbine Stop Valve - Closure Closure of the TSVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on a TSV - Closure signal before the TSVs are completely closed in anticipation of the transients that would result from the closure of these valves. The Turbine Stop Valve - Closure Function is the primary scram signal for the turbine trip event analyzed in Reference 2. For this event, the RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-16 REVISION 36 BASES APPLICABLE 8. Turbine Stop Valve - Closure (continued) SAFETY ANALYSES, LCO, and reactor scram reduces the amount of energy required to be absorbed APPLICABILITY and, along with the actions of the End of Cycle Recirculation Pump Trip (EOC-RPT) System, ensures that the MCPR SL is not exceeded. Turbine Stop Valve - Closure signals are initiated from position switches located on each of the four TSVs. Two independent position switches are associated with each stop valve. One of the two switches provides input to RPS trip system A; the other, to RPS trip system B. Thus, each RPS trip system receives an input from four Turbine Stop Valve - Closure channels, each consisting of one position switch. The logic for the Turbine Stop Valve - Closure Function is such that three or more TSVs must be closed to produce a scram. In addition, certain combinations of two valves closed will result in a half-scram. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. The Turbine Stop Valve - Closure Allowable Value is selected to be high enough to detect imminent TSV closure, thereby reducing the severity of the subsequent pressure transient. Eight channels of Turbine Stop Valve - Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function if the TSVs should close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is 27.6% RTP. This Function is not required when THERMAL POWER is < 27.6% RTP since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins. 9. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Fast closure of the TCVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on TCV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Function is the primary scram signal for the generator load rejection event analyzed in Reference 2. For this event, the reactor scram reduces the amount of energy required to be RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-17 REVISION 36 BASES APPLICABLE 9. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low SAFETY ANALYSES, (continued) LCO, and APPLICABILITY absorbed and, along with the actions of the EOC-RPT System, ensures that the MCPR SL is not exceeded. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low signals are initiated by the electrohydraulic control (EHC) fluid pressure at each control valve. One pressure switch is associated with each control valve, and the signal from each switch is assigned to a separate RPS logic channel. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. The Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TCV fast closure. Four channels of Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Function with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is 27.6% RTP. This Function is not required when THERMAL POWER is < 27.6% RTP, since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins.

10. Reactor Mode Switch - Shutdown Position The Reactor Mode Switch - Shutdown Position Function provides signals, via the manual scram logic channels, directly to the scram pilot solenoid power circuits. These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. The reactor mode switch is a single switch with two channels, each of which provides input into one of the RPS manual scram logic channels.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-18 REVISION 14 BASES APPLICABLE 10. Reactor Mode Switch - Shutdown Position (continued) SAFETY ANALYSES, LCO, and There is no Allowable Value for this Function, since the channels are APPLICABILITY mechanically actuated based solely on reactor mode switch position.

Two channels of Reactor Mode Switch - Shutdown Position Function, with one channel in each manual scram trip system, are available and required to be OPERABLE. The Reactor Mode Switch - Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. 11. Manual Scram The Manual Scram push button channels provide signals, via the manual scram logic channels, directly to the scram pilot solenoid power circuits. These manual scram logic channels are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. There is one Manual Scram push button channel for each of the two RPS manual scram logic channels. In order to cause a scram it is necessary that each channel in both manual scram trip systems be actuated. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons. Two channels of Manual Scram with one channel in each manual scram trip system are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-19 REVISION 16 BASES ACTIONS discovered to be inoperable or not within limits, will not result in (continued) separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel.

A.1 and A.2 Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours has been shown to be acceptable (Refs. 9, 12, and

16) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B.1, B.2, and C.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternatively, if it is not desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram), Condition D must be entered and its Required Action taken. As noted, Required Action A.2 is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d and 2.f. Inoperability of one required APRM channel affects both trip systems; thus, Required Action A.1 must be satisfied. This is the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. Inoperability of more than one required APRM channel of the same trip function results in loss of trip capability and entry into Condition C, as well as entry into Condition A for each channel. B.1 and B.2 Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition, RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-20 REVISION 36 BASES ACTIONS B.1 and B.2 (continued) provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip system. Required Actions B.1 and B.2 limit the time the RPS scram logic, for any Function, would not accommodate single failure in both trip systems (e.g., one-out-of-one and one-out-of-one arrangement for a typical four channel Function). The reduced reliability of this logic arrangement was not evaluated in References 9, 12, and 16 for the 12 hour Completion Time. Within the 6 hour allowance, the associated Function will have all required channels OPERABLE or in trip (or any combination) in one trip system. Completing one of these Required Actions restores RPS to a reliability level equivalent to that evaluated in References 9, 12, and 16 which justified a 12 hour allowable out of service time as presented in Condition A. The trip system in the more degraded state should be placed in trip or, alternatively, all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in a more degraded state than a trip system with four inoperable channels if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions). The decision of which trip system is in the more degraded state should be based on prudent judgment and take into account current plant conditions (i.e., what MODE the plant is in). If this action would result in a scram or RPT, it is permissible to place the other trip system or its inoperable channels in trip. The 6 hour Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram. Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram or RPT), Condition D must be entered and its Required Action taken. As noted, Condition B is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, and 2.f. Inoperability of an APRM channel affects both trip systems and is not associated with a specific trip system as are the APRM two-out-of-four voter and other non-APRM channels for which Condition B applies. For an inoperable APRM channel, Required RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-21 REVISION 36 BASES ACTIONS B.1 and B.2 (continued) Action A.1 must be satisfied, and is the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. Inoperability of a Function in more than one required APRM channel results in loss of trip capability for that Function and entry into Condition C, as well as entry into Condition A for each channel. Because Conditions A and C provide Required Actions that are appropriate for the inoperability of APRM Functions 2.a, 2.b, 2.c, 2.d, and 2.f, and these Functions are not associated with specific trip systems as are the APRM two-out-of-four voter and other non-APRM channels, Condition B does not apply. C.1 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip system for the same Function result in the Function not maintaining RPS trip capability. A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

D.1 Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-22 REVISION 36 BASES ACTIONS E.1, F.1, G.1, and J.1 (continued) If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Times of Required Actions E.1 and J.1 are consistent with the Completion Time provided in LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)." H.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. I.1 If OPRM Upscale trip capability is not maintained, Condition I exists. Reference 12 justifies use of an alternate method to detect and suppress oscillations for a limited period of time. The alternate method is procedurally established consistent with the guidelines identified in Reference 17 requiring manual operator action to scram the plant if certain predefined events occur. The 12 hour Completion Time is based on engineering judgment to allow orderly transition to the alternate method while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring, the 12 hour Completion Time is judged to be reasonable.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-23 REVISION 69 BASES ACTIONS I.2 (continued) The alternate method to detect and suppress oscillations implemented in accordance with Required Action I.1 was evaluated based on use up to 120 days (Ref. 12). The evaluation, based on engineering judgment, concluded that the likelihood of an instability event that could not be adequately handled by the alternate method during this 120 day period is negligibly small. The 120 day period is intended to be an outside limit to allow for the case where design changes or extensive analysis may be required to understand or correct some unanticipated characteristic of the instability detection algorithm or equipment. This action is not intended to be, and was not evaluated as, a routine alternative to returning failed or inoperable equipment to OPERABLE status. Correction of routine equipment failure or inoperability is expected to normally be accomplished within the Completion Times allowed for Required Actions for Conditions A and B. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each RPS REUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 9) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

SR 3.3.1.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-24 REVISION 69 BASES SURVEILLANCE SR 3.3.1.1.1 (continued) REUIREMENTS between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.1.1.2 To ensure that the APRMs are accurately indicating the true core average power, the APRMs are calibrated to the reactor power calculated from a heat balance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A restriction to satisfying this SR when < 24% RTP is provided that requires the SR to be met only at 24% RTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent with a heat balance when < 24% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large, inherent margin to thermal limits (MCPR and APLHGR). At 24% RTP, the Surveillance is required to have been satisfactorily performed in accordance with SR 3.0.2. A Note is provided which allows an increase in THERMAL POWER above 24% if the Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours after reaching or exceeding 24% RTP. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-25 REVISION 69 BASES SURVEILLANCE SR 3.3.1.1.3 REQUIREMENTS (continued) (Not used.) SR 3.3.1.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. As noted, SR 3.3.1.1.4 is not required to be performed when entering MODE 2 from MODE 1, since testing of the MODE 2 required IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This allows entry into MODE 2 if the Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours after entering MODE 2 from MODE 1. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.5 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.6 and SR 3.3.1.1.7 These Surveillances are established to ensure that no gaps in neutron flux indication exist from subcritical to power operation for monitoring core reactivity status. The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be increased into a neutron flux region without adequate indication. This is required prior to RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-26 REVISION 69 BASES SURVEILLANCE SR 3.3.1.1.6 and SR 3.3.1.1.7 (continued) REQUIREMENTS withdrawing SRMs from the fully inserted position since indication is being transitioned from the SRMs to the IRMs. The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (by initiating a rod block) if adequate overlap is not maintained. Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. Overlap between the SRMs and IRMs similarly exists when, prior to withdrawing an SRM from the fully inserted position, its associated IRMs have cleared their downscale rod block Allowable Values, prior to the SRM having reached its upscale rod block Allowable Value. Plant procedures should be consulted to determine the associated detectors. As noted, SR 3.3.1.1.7 is only required to be met during entry into MODE 2 from MODE 1. That is, after the overlap requirement has been met and indication has transitioned to the IRMs, maintaining overlap is not required (APRMs may be reading downscale once in MODE 2). If overlap for a group of channels is not demonstrated (e.g., IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel(s) declared inoperable. Only those appropriate channels that are required in the current MODE or condition should be declared inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.8 LPRM gain settings are determined from the local flux profiles measured by the Traversing Incore Probe (TIP) System. This establishes the relative local flux profile for appropriate representative input to the APRM System. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-27 REVISION 69 BASES SURVEILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.12 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.10 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. For the APRM Functions, this test supplements the automatic self-test functions that operate continuously in the APRM and voter channels. The APRM CHANNEL FUNCTIONAL TEST covers the APRM channels (including recirculation flow processing - applicable to Function 2.b only), the two-out-of-four voter channels, and the interface connections to the RPS trip systems from the voter channels. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. For Function 2.a, a Note that requires this SR to be performed within 12 hours of entering MODE 2 from MODE 1 is provided. Testing of the MODE 2 APRM Function cannot be performed in MODE 1 without utilizing jumpers or lifted leads. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2.

SR 3.3.1.1.11 This SR ensures that scrams initiated from the Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-28 REVISION 69 BASES SURVEILLANCE SR 3.3.1.1.11 (continued) REQUIREMENTS POWER is 27.6% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from turbine first stage pressure), the main turbine bypass valves must remain closed during the calibration at THERMAL POWER 27.6% RTP to ensure that the calibration is valid. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at 27.6% RTP, either due to open main turbine bypass valve(s) or other reasons), then the affected Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition (Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are enabled), this SR is met and the channel is considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.13 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. For MSIV - Closure, SDV Water Level - High (Float Switch), and TSV - Closure Functions, this SR also includes a physical inspection and actuation of the switches. For the APRM Simulated Thermal Power - High Function, this SR also includes calibrating the associated recirculation loop flow channel. Note 1 states that neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Changes in neutron detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.1.2) and the LPRM calibration against the TIPs (SR 3.3.1.1.8). A second Note is provided that requires the IRM SRs to be performed within 12 hours of RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-29 REVISION 69 BASES SURVEILLANCE SR 3.3.1.1.13 (continued) REQUIREMENTS entering MODE 2 from MODE 1. Testing of the MODE 2 IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.14 (Not used.)

SR 3.3.1.1.15 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8), overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The LOGIC SYSTEM FUNCTIONAL TEST for APRM Function 2.e simulates APRM and OPRM trip conditions at the two-out-of-four voter channel inputs to check all combinations of two tripped inputs to the two-out-of-four logic in the voter channels and APRM related redundant RPS relays. SR 3.3.1.1.16 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-30 REVISION 69 BASES SURVEILLANCE SR 3.3.1.1.16 (continued) REQUIREMENTS analysis. This test may be performed in one measurement or in overlapping segments, with verification that all components are tested. The RPS RESPONSE TIME acceptance criteria are included in Reference 10. RPS RESPONSE TIME for APRM Two-out-of-Four Voter Function 2.e includes the output relays of the voter and the associated RPS relays and contactors. (The digital portions of the APRM and two-out-of-four voter channels are excluded from RPS RESPONSE TIME testing because self-testing and calibration check the time base of the digital electronics.) Confirmation of the time base is adequate to assure required response times are met. Neutron detectors are excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.17 This SR ensures that scrams initiated from OPRM Upscale Function 2.f will not be inadvertently bypassed when THERMAL POWER, as indicated by APRM Simulated Thermal Power, is 25% RTP and core flow, as indicated by recirculation drive flow, is < 60% rated core flow. This normally involves confirming the bypass setpoints. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. The actual Surveillance ensures that the OPRM Upscale Function is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other Surveillances ensure that the APRM Simulated Thermal Power and recirculation flow properly correlate with THERMAL POWER and core flow, respectively. If any bypass setpoint is nonconservative (i.e., the OPRM Upscale Function is bypassed when APRM Simulated Thermal Power is 25% and recirculation drive flow is < 60% rated), the affected channel is considered inoperable for the OPRM Upscale Function. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 1 B 3.3-31 REVISION 78 BASES SURVEILLANCE SR 3.3.1.1.17 (continued) REQUIREMENTS Alternatively, the bypass setpoint may be adjusted to place the channel in a conservative condition (unbypass). If placed in the unbypass condition, this SR is met and the channel is considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.2.

2. Unit 2 FSAR, Chapter 15. 3. Unit 2 FSAR, Section 6.3.3.

4. Unit 2 FSAR, Supplement 5A. 5. Unit 2 FSAR, Section 15.2.6.1. 6. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978. 7. Unit 2 FSAR, Section 15.3.2. 8. P. Check (NRC) letter to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.

9. NEDO-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System," March 1988.

10. Technical Requirements Manual, Table T5.0-1.

11. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

12. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," October 1995.

13. NEDO-31960-A, "BWR Owners' Group Long-Term Stability Solutions Licensing Methodology," November 1995.

RPS Instrumentation B 3.3.1.1 HATCH UNIT 1 B 3.3-32 REVISION 69 BASES REFERENCES 14. NEDO-31960-A, Supplement 1, "BWR Owners' Group (continued) Long-Term Stability Solutions Licensing Methodology," November 1995. 15. NEDO-32465-A, "BWR Owners' Group Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications," March 1996.

16. NEDO-32410P-A, Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function,"

November 1997. 17. Letter, L.A. England (BWROG) to M.J. Virgilio, "BWR Owners' Group Guidelines for Stability Interim Corrective Action," June 6, 1994.

18. Not used.

19. GE Letter NSA 02-250, "Plant Hatch IRM Technical Specifications," April 19, 2002.

SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-33 REVISION 14 B 3.3 INSTRUMENTATION

B 3.3.1.2 Source Range Monitor (SRM) Instrumentation

BASES BACKGROUND The SRMs provide the operator with information relative to the neutron flux level at very low flux levels in the core. As such, the SRM indication is used by the operator to monitor the approach to criticality and determine when criticality is achieved. The SRMs are maintained fully inserted until the count rate is greater than a minimum allowed count rate (a control rod block is set at this condition). After SRM to intermediate range monitor (IRM) overlap is demonstrated (as required by SR 3.3.1.1.6), the SRMs are normally fully withdrawn from the core. The SRM subsystem of the Neutron Monitoring System (NMS) consists of four channels. Each of the SRM channels can be bypassed, but only one at any given time, by the operation of a bypass switch. Each channel includes one detector that can be physically positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various SRM functions. The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate. Each channel also includes indication, alarm, and control rod blocks. However, this LCO specifies OPERABILITY requirements only for the monitoring and indication functions of the SRMs. During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the SRMs or special movable detectors connected to the normal SRM circuits. The SRMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication of subcritical multiplication that could be indicative of an approach to criticality. APPLICABLE Prevention and mitigation of prompt reactivity excursions during SAFETY ANALYSES refueling and low power operation is provided by LCO 3.9.1, "Refueling Equipment Interlocks"; LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"; LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"; IRM Neutron Flux - High and Average Power Range Monitor (APRM) Neutron Flux - High (Setdown) Functions; and LCO 3.3.2.1, "Control Rod Block Instrumentation." SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-34 REVISION 0 BASES APPLICABLE The SRMs have no safety function and are not assumed to function SAFETY ANALYSES during any FSAR design basis accident or transient analysis. (continued) However, the SRMs provide the only on scale monitoring of neutron flux levels during startup and refueling. Therefore, they are being retained in Technical Specifications. LCO During startup in MODE 2, three of the four SRM channels are required to be OPERABLE to monitor the reactor flux level prior to and during control rod withdrawal, subcritical multiplication and reactor criticality, and neutron flux level and reactor period until the flux level is sufficient to maintain the IRMs on Range 3 or above. All but one of the channels are required in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core. In MODES 3 and 4, with the reactor shut down, two SRM channels provide redundant monitoring of flux levels in the core. In MODE 5, during a spiral offload or reload, an SRM outside the fueled region will no longer be required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE SRM in an adjacent quadrant provided the Table 3.3.1.2 1, footnote (b), requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE SRM is met. Spiral reloading and offloading encompass reloading or offloading a cell on the edge of a continuous fueled region (the cell can be reloaded or offloaded in any sequence). In nonspiral routine operations, two SRMs are required to be OPERABLE to provide redundant monitoring of reactivity changes occurring in the reactor core. Because of the local nature of reactivity changes during refueling, adequate coverage is provided by requiring one SRM to be OPERABLE in the quadrant of the reactor core where CORE ALTERATIONS are being performed, and the other SRM to be OPERABLE in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS. Special movable detectors, according to footnote (c) of Table 3.3.1.2-1, may be used in place of the normal SRM nuclear detectors. These special detectors must be connected to the normal SRM circuits in the NMS, such that the applicable neutron flux SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-35 REVISION 0 BASES LCO indication can be generated. These special detectors provide more (continued) flexibility in monitoring reactivity changes during fuel loading, since they can be positioned anywhere within the core during refueling. They must still meet the location requirements of SR 3.3.1.2.2 and all other required SRs for SRMs. For an SRM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication.

APPLICABILITY The SRMs are required to be OPERABLE in MODES 2, 3, 4, and 5 prior to the IRMs being on scale on Range 3 to provide for neutron monitoring. In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the SRMs are not required. In MODE 2, with IRMs on Range 3 or above, the IRMs provide adequate monitoring and the SRMs are not required. ACTIONS A.1 and B.1 In MODE 2, with the IRMs on Range 2 or below, SRMs provide the means of monitoring core reactivity and criticality. With any number of the required SRMs inoperable, the ability to monitor neutron flux is degraded. Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status. Provided at least one SRM remains OPERABLE, Required Action A.1 allows 4 hours to restore the required SRMs to OPERABLE status. This time is reasonable because there is adequate capability remaining to monitor the core, there is limited risk of an event during this time, and there is sufficient time to take corrective actions to restore the required SRMs to OPERABLE status or to establish alternate IRM monitoring capability. During this time, control rod withdrawal and power increase is not precluded by this Required Action. Having the ability to monitor the core with at least one SRM, proceeding to IRM Range 3 or greater (with overlap required by SR 3.3.1.1.6), and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation. With three required SRMs inoperable, Required Action B.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to inability to monitor the changes. Required Action A.1 still applies and allows 4 hours to restore SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-36 REVISION 0 BASES ACTIONS A.1 and B.1 (continued) monitoring capability prior to requiring control rod insertion. This allowance is based on the limited risk of an event during this time, provided that no control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no SRMs OPERABLE. C.1 In MODE 2, if the required number of SRMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. D.1 and D.2 With one or more required SRMs inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is available. Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the SRM occurring during this interval. E.1 and E.2 With one or more required SRMs inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling is degraded. CORE ALTERATIONS must be immediately suspended and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring. Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity given that fuel is present in the SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-37 REVISION 15 BASES ACTIONS E.1 and E.2 (continued) core. Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position. Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted. SURVEILLANCE As Noted at the beginning of the SRs, the SRs for each SRM REQUIREMENTS Applicable MODE or other specified conditions are found in the SRs column of Table 3.3.1.2-1. The Surveillances are modified by a second Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required channel (or channels when 3 channels are required) is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The Note is based upon a NRC Safety Evaluation Report (Ref. 1) which concluded that the 6 hour testing allowance does not significantly reduce the probability of detecting power changes, when necessary.

SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-38 REVISION 69 BASES SURVEILLANCE SR 3.3.1.2.1 and SR 3.3.1.2.3 (continued) REQUIREMENTS indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.1.2.2 To provide adequate coverage of potential reactivity changes in the core when the fueled region encompasses more than one SRM, one SRM is required to be OPERABLE in the quadrant where CORE ALTERATIONS are being performed, and the other OPERABLE SRM must be in an adjacent quadrant containing fuel. Note 1 states that the SR is required to be met only during CORE ALTERATIONS. It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring. This Surveillance consists of a review of plant logs to ensure that SRMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE. In the event that only one SRM is required to be OPERABLE (when the fueled region encompasses only one SRM), per Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required. Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE SRM. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.2.4 This Surveillance consists of a verification of the SRM instrument readout to ensure that the SRM reading is greater than a specified minimum count rate, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core. This surveillance also requires the signal to noise ratio to be verified to be 2:1. A signal to noise ratio that meets this requirement ensures the detectors are inserted to an acceptable operating level. Therefore, to meet this portion of the surveillance, it is necessary only to verify the

SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-39 REVISION 69 BASES SURVEILLANCE SR 3.3.1.2.4 (continued) REQUIREMENTS detectors are inserted to the same operating level as they were when SR 3.3.1.2.5 and SR 3.3.1.2.6 were performed satisfactorily. SR 3.3.1.2.5 and SR 3.3.1.2.6 require the actual ratio (and hence, an acceptable operating level) to be determined periodically while the detectors are required to be OPERABLE. With few fuel assemblies loaded, the SRMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate. To accomplish this, the SR is modified by a Note (Note 1) that states that the count rate is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or fewer fuel assemblies loaded around each SRM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, the configuration will not be critical. In addition, Note 2 states that this requirement does not have to be met during spiral unloading. If the core is being unloaded in this manner, the various core configurations encountered will not be critical. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.2.5 and SR 3.3.1.2.6 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. SR 3.3.1.2.5 is required in MODE 5, and ensures that the channels are OPERABLE while core reactivity changes could be in progress. This Frequency is reasonable, based on operating experience and on other Surveillances (such as a CHANNEL CHECK), that ensure proper functioning between CHANNEL FUNCTIONAL TESTS. SR 3.3.1.2.6 is required in MODE 2 with IRMs on Range 2 or below, and in MODES 3 and 4. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Determination of the signal to noise ratio also ensures that the detectors are inserted to an acceptable operating level. In a fully withdrawn condition, the detectors are sufficiently removed from the fueled region of the core to essentially eliminate neutrons from reaching the detector. Any count rate obtained while the detectors are fully withdrawn is assumed to be "noise" only. SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 1 B 3.3-40 REVISION 69 BASES SURVEILLANCE SR 3.3.1.2.5 and SR 3.3.1.2.6 (continued) REQUIREMENTS The Note to the SR 3.3.1.2.6 allows the Surveillance to be delayed until entry into the specified condition of the Applicability (THERMAL POWER decreased to IRM Range 2 or below). The SR must be performed within 12 hours after IRMs are on Range 2 or below. The allowance to enter the Applicability with the 31 day Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

SR 3.3.1.2.7 Performance of a CHANNEL CALIBRATION verifies the performance of the SRM detectors and associated circuitry. The Frequency considers the plant conditions required to perform the test, the ease of performing the test, and the likelihood of a change in the system or component status. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The neutron detectors are excluded from the CHANNEL CALIBRATION (Note 1) because they cannot readily be adjusted. The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range and with an accuracy specified for a fixed useful life. Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours of entering MODE 2 with IRMs on Range 2 or below. The allowance to enter the Applicability with the Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances. SRM Instrumentation B 3.3.1.2 HATCH UNIT 1 B 3.3-41 REVISION 69 BASES (continued) REFERENCES 1. NRC Safety Evaluation Report for Amendment 185, April 30, 1993.

Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-42 REVISION 14 B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation BASES BACKGROUND Control rods provide the primary means for control of reactivity changes. Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that the fuel cladding integrity safety limit (SL), and specified fuel design limits are not violated during postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch - Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities. The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations. It is assumed to function to block further control rod withdrawal to preclude a violation of the MCPR SL or a specified acceptable fuel design limit (SAFDL). The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn. A signal from one of the four redundant average power range monitor (APRM) channels supplies a reference signal for one of the RBM channels, and a signal from another of the APRM channels supplies the reference signal to the second RBM channel. This reference signal is used to determine which RBM range setpoint (low, intermediate, or high) is enabled. If the APRM is indicating less than the low power range setpoint, the RBM is automatically bypassed. The RBM is also automatically bypassed if a peripheral control rod is selected (Ref. 1). A rod block signal is also generated if an RBM Downscale trip or an Inoperable trip occurs. The Downscale trip will occur if the RBM channel signal decreases below the Downscale trip setpoint after the RBM signal has Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-43 REVISION 28 BASES BACKGROUND been normalized. The Inoperable trip will occur during the nulling (continued) (normalization) sequence, if: the RBM channel fails to null, too few LPRM inputs are available, a module is not plugged in, or the function switch is moved to any position other than "Operate." The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP. The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence. The RWM determines the actual sequence based position indication for each control rod. The RWM also uses APRM power signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 2). The RWM is a single channel system that provides input into both RMCS rod block circuits. With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods.

APPLICABLE 1. Rod Block Monitor SAFETY ANALYSES, LCO, and The RBM is designed to prevent violation of the MCPR SL and the APPLICABILITY cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 3. A statistical analysis of RWE events was performed to determine the RBM response for both channels for each event. From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined. The Allowable Values are chosen as a function of power level. Based on the specified Allowable Values, operating limits are established. The RBM Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10). Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-44 REVISION 61 BASES APPLICABLE 1. Rod Block Monitor (continued) SAFETY ANALYSES, LCO, and Two channels of the RBM are required to be OPERABLE, with their APPLICABILITY setpoints within the appropriate Allowable Values, to ensure that no single instrument failure can preclude a rod block from this Function. The setpoints are calibrated consistent with applicable setpoint methodology (nominal trip setpoint). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Values between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor power), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The RBM is assumed to mitigate the consequences of an RWE event when operating 29% RTP. Below this power level, the consequences of an RWE event will not exceed the MCPR SL or the 1% plastic strain design limit; therefore, the RBM is not required to be OPERABLE (Ref. 3).

2. Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated. The analytical methods and assumptions used in evaluating the CRDA are summarized in References 4, 5, 6, 7, and 14. In addition, the Reference 6 analysis (Generic BPWS analysis) may be modified by plant specific evaluations. The standard BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions.

Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-45 REVISION 61 BASES APPLICABLE 2. Rod Worth Minimizer (continued) SAFETY ANALYSES, LCO, and Requirements that the control rod sequence is in compliance with the APPLICABILITY BPWS are specified in LCO 3.1.6, "Rod Pattern Control."

When performing a shutdown of the plant, an optional BPWS control rod sequence (Ref. 14) may be used if the coupling of each withdrawn control rod has been confirmed. The rods may be inserted without the need to stop at intermediate positions. When using the Reference 14 control rod insertion sequence for shutdown, the rod worth minimizer may be reprogrammed to enforce the requirements of the improved BPWS control rod insertion process, or it can be bypassed if it is not programmed to reflect the optional BPWS shutdown sequence, as permitted by the Applicability Note for the RWM in Table 3.3.2.1-1. The RWM Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10). Since the RWM is a system designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 7). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed. Compliance with the BPWS, and, therefore, OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is < 10% RTP. When THERMAL POWER is > 10% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Refs. 5 and 7). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical.

3. Reactor Mode Switch - Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the core is assumed Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-46 REVISION 61 BASES APPLICABLE 3. Reactor Mode Switch - Shutdown Position (continued) SAFETY ANALYSES, LCO, and to be subcritical; therefore, no positive reactivity insertion events are APPLICABILITY analyzed. The Reactor Mode Switch - Shutdown Position control rod withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis. The Reactor Mode Switch - Shutdown Position Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10). Two channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.

During shutdown conditions (MODE 3, 4, or 5), no positive reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal blockis required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") provides the required control rod withdrawal blocks. ACTIONS A.1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours is based on the low probability of the event occurring coincident with a failure in the remaining OPERABLE channel. B.1 If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour. If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met. Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-47 REVISION 61 BASES ACTIONS B.1 (continued) The 1 hour Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels. C.1, C.2.1.1, C.2.1.2, and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence. However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram. Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM during withdrawal of one or more of the first 12 rods, was not performed in the last calendar year (i.e., in the last 12 months). These requirements minimize the number of reactor startups initiated with RWM inoperable. Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications. Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2. Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff (e.g., a qualified shift technical advisor or reactor engineer). The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken. D.1 With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow the reactor shutdown to continue. Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-48 REVISION 61 BASES ACTIONS E.1 and E.2 (continued) With one Reactor Mode Switch Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function. However, since the Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch Shutdown Position Function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable. In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Control REQUIREMENTS Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1. The Surveillances are modified by a second Note to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 9) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary. SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the entire channel will perform the intended function. It includes the Reactor Manual Control System input. Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-49 REVISION 69 BASES SURVEILLANCE SR 3.3.2.1.1 (continued) REQUIREMENTS Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.2 and SR 3.3.2.1.3 A CHANNEL FUNCTIONAL TEST is performed for the RWM to ensure that the entire system will perform the intended function. The CHANNEL FUNCTIONAL TEST for the RWM is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs. This test is performed as soon as possible after the applicable conditions are entered. As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour after any control rod is withdrawn at < 10% RTP in MODE 2, and SR 3.3.2.1.3 is not required to be performed until 1 hour after THERMAL POWER is < 10% RTP in MODE 1. This allows entry into MODE 2 (and if entered during a shutdown, concurrent power reduction to < 10% RTP) for SR 3.3.2.1.2 and THERMAL POWER reduction to < 10% RTP in MODE 1 for SR 3.3.2.1.3 to perform the required Surveillances if the Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.4 The RBM setpoints are automatically varied as a function of power. Three Allowable Values are specified in Table 3.3.2.1-1, each within a specific power range. The power at which the control rod block Allowable Values automatically change are based on the APRM signal's input to each RBM channel. Below the minimum power setpoint, the RBM is automatically bypassed. These power Allowable Values must be verified periodically to be less than or equal to the specified values. If any power range setpoint is nonconservative, then the affected RBM channel is considered inoperable. Alternatively, the power range channel can be placed in the conservative condition (i.e., enabling the proper RBM setpoint). If placed in this condition, the SR is met and the RBM channel is not considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-50 REVISION 69 BASES SURVEILLANCE SR 3.3.2.1.4 (continued) REQUIREMENTS tested in SR 3.3.1.1.2 and SR 3.3.1.1.8. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.5 The RWM is automatically bypassed when power is above a specified value. The power level is determined from APRM power signals. The automatic bypass setpoint must be verified periodically to be 10% RTP. If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable. Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass). If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.6 A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch Shutdown Position Function to ensure that the entire channel will perform the intended function. The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs. As noted in the SR, the Surveillance is not required to be performed until 1 hour after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links. This allows entry into MODES 3 and 4 if the 18 month Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.7 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 1 B 3.3-51 REVISION 69 BASES SURVEILLANCE SR 3.3.2.1.7 (continued) REQUIREMENTS measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. As noted, neutron detectors are excluded from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.8. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.1.8 The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer. This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible. REFERENCES 1. FSAR, Section 7.5.8.2.3. 2. FSAR, Section 7.2.2.4.

3. NEDC-30474-P, "Average Power Range Monitor, Rod Block Monitor, and Technical Specification Improvements (ARTS) Program for Edwin I. Hatch Nuclear Plants," December 1983.

4. NEDE-24011-P-A-US, "General Electrical Standard Application for Reload Fuel," Supplement for United States, (revision specified in the COLR). 5. Letter from T. A. Pickens (BWROG) to G. C. Lainas (NRC), "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," BWROG-8644, August 15, 1986. 6. NEDO-21231, "Banked Position Withdrawal Sequence," January 1977.

Control Rod Block Instrumentation B 3.3.2.1 HATCH UNIT 1 B 3.3-52 REVISION 69 BASES REFERENCES 7. NRC SER, "Acceptance of Referencing of Licensing Topical (continued) Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 1987.

8. NEDC-30851-P-A, "Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation,"

October 1988.

9. GENE-770-06-1, "Bases For Changes To Surveillance Test Intervals and Allowed Out-Of-Service Times For Selected Instrumentation Technical Specifications," February 1991. 10. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 11. Not used 12. Not used

13. Not used 14. NEDO-33091-A, Revision 2, "Improved BPWS Control Rod Insertion Process," July 2004.

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 1 B 3.3-53 REVISION 36 B 3.3 INSTRUMENTATION

B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation

BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow. With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level setpoint, causing the trip of the two feedwater pump turbines and the main turbine. Reactor Vessel Water Level High signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor Vessel Water Level High instrumentation are provided as input to a two-out-of-three initiation logic that trips the two feedwater pump turbines and the main turbine. The channels include electronic equipment (e.g., trip relays) that compare measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a main feedwater and turbine trip signal to the trip logic. A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine. APPLICABLE The feedwater and main turbine high water level trip instrumentation SAFETY ANALYSES is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1). The high level trip indirectly initiates a reactor scram from the main turbine trip (above 27.6% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR. Feedwater and main turbine high water level trip instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 3). Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 1 B 3.3-54 REVISION 36 BASES (continued) LCO The LCO requires three channels of the Reactor Vessel Water Level High instrumentation to be OPERABLE to ensure that no single instrument failure will prevent the feedwater pump turbines and main turbine trip on a valid Reactor Vessel Water Level High signal. Two of the three channels are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.2. The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions (nominal trip setpoint). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. APPLICABILITY The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at 24% RTP to ensure that the specified acceptable fuel design limits are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.1, "Average Planar Linear Heat Generation Rate (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 24% RTP; therefore, these requirements are only necessary when operating at or above this power level.

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 1 B 3.3-55 REVISION 0 BASES (continued) ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel. A.1 With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only allowed for a limited time with one channel inoperable. If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in a feedwater or main turbine trip), Condition C must be entered and its Required Action taken. The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel. B.1 With two or more channels inoperable, the feedwater and main turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 1 B 3.3-56 REVISION 36 BASES ACTIONS B.1 (continued) not maintained). Therefore, continued operation is only permitted for a 2 hour period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken. The 2 hour Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation. C.1 With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to < 24% RTP within 4 hours. As discussed in the Applicability section of the Bases, operation below 24% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours is based on operating experience to reduce THERMAL POWER to < 24% RTP from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance. That analysis Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 1 B 3.3-57 REVISION 69 BASES SURVEILLANCE demonstrated that the 6 hour testing allowance does not significantly REQUIREMENTS reduce the probability that the feedwater pump turbines and main (continued) turbine will trip when necessary. SR 3.3.2.2.1 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. Due to the high turbine trip and reactor scram potential incurred when valving reactor water level differential pressure transmitters into and out of service, it is acceptable to perform the CHANNEL FUNCTIONAL TEST for this logic from the input of the alarm unit. This is consistent with the CHANNEL FUNCTIONAL TEST definition requiring the signal to be injected "as close to the sensor as practicable." Additionally, due to the physical location of the turbine trip relays and their close proximity to other sensitive equipment, accessibility is extremely limited. Verification of relay actuation and associated relay contact status by accessing the relay introduces a high potential for turbine trip and reactor scram. One contact from each turbine trip relay energizes an amber light indicating relay actuation. Therefore, it is acceptable to terminate the test at the turbine trip relay, utilizing light indication for relay status. These allowances are only acceptable if the CHANNEL CALIBRATION and the LOGIC SYSTEM FUNCTIONAL TEST overlap both the initiation and termination point of this CHANNEL FUNCTIONAL TEST such that the entire trip logic is tested. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 HATCH UNIT 1 B 3.3-58 REVISION 69 BASES SURVEILLANCE SR 3.3.2.2.2 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater and main turbine valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a valve is incapable of operating, the associated instrumentation channels would also be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 14.3.2.1. 2. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-59 REVISION 1 B 3.3 INSTRUMENTATION

B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation

BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events. The instruments that monitor these variables are designated as Type A, Category I, and non-Type A, Category I, in accordance with Regulatory Guide 1.97 (Ref. 1). The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is consistent with the recommendations of Reference 1. APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of SAFETY ANALYSES Regulatory Guide 1.97, Type A variables so that the control room operating staff can:

a. Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs), [e.g., loss of coolant accident (LOCA)], and

b. Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function. The PAM instrumentation LCO also ensures OPERABILITY of Category I, non-Type A, variables so that the control room operating staff can:

a. Determine whether systems important to safety are performing their intended functions;

b. Determine the potential for causing a gross breach of the barriers to radioactivity release; PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-60 REVISION 1 BASES APPLICABLE c. Determine whether a gross breach of a barrier has occurred; SAFETY ANALYSES and (continued)

d. Initiate action necessary to protect the public and for an estimate of the magnitude of any impending threat.

The plant specific Regulatory Guide 1.97 Analysis (Ref. 2) documents the process that identified Type A and Category I, non-Type A, variables. Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of the NRC Policy Statement (Ref. 3). Category I, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents. Therefore, these Category I variables are important for reducing public risk. LCO LCO 3.3.3.1 requires two OPERABLE channels for most of the Functions to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident. Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information. The exceptions to the two channel requirement are the primary containment isolation valve (PCIV) position, Reactor Vessel Water Level (0 to +400 inches), Suppression Pool Water Temperature, Drywell Temperature in Vicinity of Reactor Level Instrument Reference Leg, and Diesel Generator (DG) Parameters. For the PCIV position, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active (e.g., automatic) PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for closed and deactivated valves is not required to be OPERABLE. For the Reactor Vessel Water Level (0 to +400 inches), there is only one installed indicator covering this range. For the Suppression Pool Water Temperature, there are two required instruments per quadrant, since two instruments alone cannot provide adequate indication of PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-61 REVISION 32 BASES LCO bulk average temperature. For the Drywell Temperature, indications (continued) are required near all reactor vessel water level reference legs whose indicators are affected by post accident temperature changes in the drywell. For the DG parameters, there are three DGs, thus, one instrument per DG is required. The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1. 1. Reactor Steam Dome Pressure Reactor steam dome pressure is a Type A variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure. Wide range recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

2. Reactor Vessel Water Level Reactor vessel water level is a Category I variable for all ranges and is also a Type A variable for the -150 inches to +60 inches range.

They are provided to support monitoring of core cooling and to verify operation of the ECCS. Four different range channels provide the PAM Reactor Vessel Water Level Function. The water level channels measure from 400 inches above the steam dryer skirt down to a point just below the bottom of the active fuel. Water level is measured by independent differential pressure transmitters for each required channel. The output from these channels is recorded on independent recorders or read on indicators, which is the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel. The reactor vessel water level instruments are compensated, where appropriate, for variation in reactor water density and are calibrated to be most accurate at operational pressure and temperature. Temperature corrections are made, where appropriate, based on drywell temperature (see Function 10 discussion). PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-62 REVISION 1 BASES LCO 3. Suppression Pool Water Level (continued) Suppression pool water level is a Category I variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function. The wide range and narrow range suppression pool water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS. The wide range water level indicators monitor the suppression pool water level from the center line of the ECCS suction lines to the top of the pool, while the narrow range water level indicators monitor the water level around its normal level. Two wide range and two narrow range suppression pool water level signals are transmitted from separate differential pressure transmitters and are continuously recorded on recorders (for the narrow range signals) and read on indicators (for the wide range signals) in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel. 4. Drywell Pressure Drywell pressure is a Category I variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. Three different range drywell pressure channels receive signals that are transmitted from separate pressure transmitters and are continuously recorded and displayed on six control room recorders. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

5. Drywell Area Radiation (High Range)

Drywell area radiation (high range) is a Category I variable provided to monitor the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Two radiation signals are transmitted from separate monitors and are continuously recorded on two recorders in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM specification deals specifically with this portion of the instrument channel. PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-63 REVISION 45 BASES LCO 6. Primary Containment Isolation Valve (PCIV) Position (continued) PCIV position is provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE. The indication for each PCIV consists of green and red indicator lights that illuminate to indicate whether the PCIV is fully open, fully closed, or in a mid-position. Therefore, the PAM specification deals specifically with this portion of the instrumentation channel.

7., 8. (Deleted)

9. Suppression Pool Water Temperature Suppression pool water temperature is a Type A variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression pool water temperature PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-64 REVISION 8 BASES LCO 9. Suppression Pool Water Temperature (continued) instrumentation allows operators to detect trends in suppression pool water temperature in sufficient time to take action to prevent steam quenching vibrations in the suppression pool. Fifteen active RTD elements are used for RG 1.97 compliance. Eleven of these devices are grouped together to provide an average measure of the upper region of the suppression pool. These input to a single recorder. The other four RTDs are used to measure the lower region of the suppression pool and are spaced almost equilaterally. They input to two recorders. However, to ensure the average temperature of the suppression pool is monitored, only two of these RTDs per quadrant are needed, since other means are available to ensure the average bulk suppression pool temperature is known if a few of the RTDs are inoperable. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channels.

10. Drywell Temperature in the Vicinity of Reactor Vessel Level Instrument Reference Leg Drywell temperature in the vicinity of reactor vessel level instrument reference legs is a Type A variable provided to measure drywell temperature so that proper compensation of reactor water level instruments can be accomplished. The drywell temperature is measured by six RTDs in the vicinity of the associated reference legs with the output being recorded on pen recorders in the control room.

This is the primary indication used by the operator during an accident. Therefore, the PAM specification deals specifically with this portion of the instrumentation channel.

11. Diesel Generator Parameters Diesel generator (DG) parameters are Type A variables provided to allow the operator to ensure proper operation of the DGs and to control the DGs post accident. Each of the four parameters (output voltage, output current, output power, and battery voltage) is monitored for each of the two unit specific DGs and the swing DG and is read on indicators in the control room. These are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channels.

PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-65 REVISION 49 BASES LCO 12. RHR Service Water Flow (continued) RHR service water flow is a Type A variable provided to support the containment cooling function. The RHR Service Water flow signals are transmitted from separate flow transmitters (one per subsystem) and are continuously read on two control room indicators. These indicators are the primary indication used by the operator during an accident. Therefore, the PAM specification deals specifically with this portion of the instrument channel. APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES. ACTIONS A Note has been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function.

PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-66 REVISION 1 BASES ACTIONS A.1 (continued) When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval. B.1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before loss of functional capability, and given the likelihood of plant conditions that would require information provided by this instrumentation.

C.1 When one or more Functions have two or more required channels that are inoperable (i.e., two channels inoperable in the same Function), all but one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur. PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-67 REVISION 1 BASES ACTIONS D.1 (continued) This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met the Required Action of Condition C, and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition. E.1 For the majority of Functions in Table 3.3.3.1-1, if any Required Action and associated Completion Time of Condition C is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 Since alternate means of monitoring drywell area radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels. SURVEILLANCE As noted at the beginning of the SRs, the following SRs apply REQUIREMENTS to each PAM instrumentation Function in Table 3.3.3.1-1.

The Surveillances are modified by a second Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required channel(s) in the associated Function are OPERABLE. Upon completion of the Surveillance, or expiration of the PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 1 B 3.3-68 REVISION 69 BASES SURVEILLANCE 6 hour allowance, the channel must be returned to OPERABLE status REQUIREMENTS or the applicable Condition entered and Required Actions taken. The (continued) Note is based upon a NRC Safety Evaluation Report (Ref. 2) which concluded that the 6 hour testing allowance does not significantly reduce the probability of properly monitoring post accident parameters, when necessary.

SR 3.3.3.1.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.3.1.2 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

PAM Instrumentation B 3.3.3.1 HATCH UNIT 1 B 3.3-69 REVISION 69 BASES (continued) REFERENCES 1. Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 2, December 1980.

2. NRC Safety Evaluation Report, "Edwin I. Hatch Nuclear Plant, Unit Nos. 1 and 2, Conformance to Regulatory Guide 1.97,"

dated July 30, 1985. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 1 B 3.3-70 REVISION 1 B 3.3 INSTRUMENTATION

B 3.3.3.2 Remote Shutdown System BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. A safe shutdown condition is defined as MODE 3. With the plant in MODE 3, the Reactor Core Isolation Cooling (RCIC) System, the safety/relief valves, and the Residual Heat Removal Shutdown Cooling System can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the RCIC and the ability to operate shutdown cooling from outside the control room allow extended operation in MODE 3. In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the plant in MODE 3. Not all controls and necessary transfer switches are located at the remote shutdown panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The plant automatically reaches MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for an extended period of time. The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible. APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in MODE 3. The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1). Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 1 B 3.3-71 REVISION 1 BASES APPLICABLE The Remote Shutdown System is considered an important contributor SAFETY ANALYSES to reducing the risk of accidents; as such, it meets Criterion 4 of the (continued) NRC Policy Statement (Ref. 3).

LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Reference 2. The controls, instrumentation, and transfer switches are those required for: a. Reactor pressure vessel (RPV) pressure control; b. Decay heat removal;

c. RPV inventory control; and d. Safety support systems for the above functions, including Plant Service Water System, Residual Heat Removal Service Water System, and onsite power, including the diesel generators (DGs). The Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE. In some cases, the required information or control capability may be available from several alternate sources. In these cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE. The Remote Shutdown System instruments and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation. APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1 and 2. This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 1 B 3.3-72 REVISION 49 BASES APPLICABILITY This LCO is not applicable in MODES 3, 4, and 5. In these MODES, (continued) the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the TS do not require OPERABILITY in MODES 3, 4, and 5. ACTIONS A Note has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System Function. A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System is inoperable. This includes any Function listed in Reference 2, as well as the control and transfer switches. The Required Action is to restore the Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 1 B 3.3-73 REVISION 69 BASES ACTIONS B.1 (continued) If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that when an REQUIREMENTS instrument channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The Note is based upon a NRC Safety Evaluation Report (Ref. 1) which concluded that the 6 hour testing allowance does not significantly reduce the probability of monitoring required parameters, when necessary.

SR 3.3.3.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized. Remote Shutdown System B 3.3.3.2 HATCH UNIT 1 B 3.3-74 REVISION 69 BASES SURVEILLANCE SR 3.3.3.2.1 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.2.2 SR 3.3.3.2.2 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check, or, in the case of the DG controls, the routine Surveillances of LCO 3.8.1 (since local control is utilized during the performance of some of the Surveillances of LCO 3.8.1). This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the remote shutdown panel and the local control stations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 19.

2. Technical Requirements Manual, Table T6.0-1. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-75 REVISION 65 B 3.3 INSTRUMENTATION B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation

BASES BACKGROUND The EOC-RPT instrumentation initiates a recirculation pump trip (RPT) to reduce the peak reactor pressure and power resulting from turbine trip or generator load rejection transients to provide additional margin to core thermal MCPR Safety Limits (SLs). The need for the additional negative reactivity in excess of that normally inserted on a scram reflects end of cycle reactivity considerations. Depending on the MCPR operating limit, flux shapes at the end of cycle could be such that the control rods would not be able to ensure that thermal limits are maintained by inserting sufficient negative reactivity during the first few feet of rod travel upon a scram caused by Turbine Stop Valve (TSV) - Closure or Turbine Control Valve (TCV) Fast Closure, Trip Oil Pressure - Low. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity. EOC-RPT allows a margin improvement which in turn allows a reduction in the MCPR operating limit. The EOC-RPT instrumentation, as discussed in Reference 1, is composed of sensors that detect initiation of closure of the TSVs or fast closure of the TCVs, combined with relays, logic circuits, and fast acting circuit breakers that interrupt power from the recirculation pump adjustable speed drives (ASDs) to each of the recirculation pump motors. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an EOC-RPT signal to the trip logic. When the RPT breakers trip open, the recirculation pumps coast down under their own inertia. The EOC-RPT has two identical trip systems, either of which can actuate an RPT. Each EOC-RPT trip system is a two-out-of-two logic for each Function; thus, either two TSV - Closure or two TCV Fast Closure, Trip Oil Pressure - Low signals are required for a trip system to actuate. If either trip system actuates, both recirculation pumps will trip. There are two EOC-RPT breakers in series per recirculation pump. One trip system trips one of the two EOC-RPT breakers for each recirculation pump, and the second trip system trips the other EOC-RPT breaker for each recirculation pump.

EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-76 REVISION 36 BASES (continued) APPLICABLE The TSV - Closure and the TCV Fast Closure, Trip Oil SAFETY ANALYSES, Pressure - Low Functions are designed to trip the recirculation LCO, and pumps in the event of a turbine trip or generator load rejection to APPLICABILITY mitigate the increase in neutron flux, heat flux, and reactor pressure, and to increase the margin to the MCPR SL. The analytical methods and assumptions used in evaluating the turbine trip and generator load rejection are summarized in References 2 and 3. To mitigate pressurization transient effects, the EOC-RPT must trip the recirculation pumps after initiation of closure movement of either the TSVs or the TCVs. The combined effects of this trip and a scram reduce fuel bundle power more rapidly than a scram alone, resulting in an increased margin to the MCPR SL. Alternatively, MCPR limits for an inoperable EOC-RPT, as specified in the COLR, are sufficient to prevent violation of the MCPR Safety Limit. The EOC-RPT function is automatically disabled when turbine first stage pressure is < 27.6% RTP. EOC-RPT instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 6). The OPERABILITY of the EOC-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.1.3. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Channel OPERABILITY also includes the associated EOC-RPT breakers. Each channel (including the associated EOC-RPT breakers) must also respond within its assumed response time. Allowable Values are specified for each EOC-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the Function. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., TSV position), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-77 REVISION 36 BASES APPLICABLE relay) changes state. The analytic limits are derived from the limiting SAFETY ANALYSES, values of the process parameters obtained from the safety analysis. LCO, and The Allowable Values are derived from the analytic limits, corrected APPLICABILITY for calibration, process, and some of the instrument errors. The trip (continued) setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The specific Applicable Safety Analysis, LCO, and Applicability discussions are listed below on a Function by Function basis. Alternatively, since this instrumentation protects against a MCPR SL violation, with the instrumentation inoperable, modifications to the MCPR limits (LCO 3.2.2) may be applied to allow this LCO to be met. The MCPR penalty for the EOC-RPT inoperable condition is specified in the COLR. Turbine Stop Valve - Closure Closure of the TSVs and a main turbine trip result in the loss of a heat sink and increases reactor pressure, neutron flux, and heat flux that must be limited. Therefore, an RPT is initiated on a TSV - Closure signal before the TSVs are completely closed in anticipation of the effects that would result from closure of these valves. EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient. Closure of the TSVs is determined by measuring the position of each valve. While there are two separate position switches associated with each stop valve, only the signal from one switch for each TSV is used, with each of the four channels being assigned to a separate trip channel. The logic for the TSV - Closure Function is such that two or more TSVs must be closed to produce an EOC-RPT. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TSV - Closure, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TSV - Closure Allowable Value is selected to detect imminent TSV closure. EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-78 REVISION 36 BASES APPLICABLE Turbine Stop Valve - Closure (continued) SAFETY ANALYSIS, LCO, and This protection is required, consistent with the safety analysis APPLICABILITY assumptions, whenever THERMAL POWER is 27.6% RTP. Below 27.6% RTP, the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor (APRM) Neutron Flux - High Functions of the Reactor Protection System (RPS) are adequate to maintain the necessary margin to the MCPR SL. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Fast closure of the TCVs during a generator load rejection results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TCV Fast Closure, Trip Oil Pressure - Low in anticipation of the transients that would result from the closure of these valves. The EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient. Fast closure of the TCVs is determined by measuring the electrohydraulic control fluid pressure at each control valve. There is one pressure switch associated with each control valve, and the signal from each switch is assigned to a separate trip channel. The logic for the TCV Fast Closure, Trip Oil Pressure - Low Function is such that two or more TCVs must be closed (pressure transmitter trips) to produce an EOC-RPT. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TCV Fast Closure, Trip Oil Pressure - Low, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TCV Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TCV fast closure. This protection is required consistent with the safety analysis whenever THERMAL POWER is 27.6% RTP. Below 27.6% RTP, the Reactor Vessel Steam Dome Pressure - High and the APRM Neutron Flux - High Functions of the RPS are adequate to maintain the necessary margin to the MCPR SL.

EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-79 REVISION 1 BASES (continued) ACTIONS A Note has been provided to modify the ACTIONS related to EOC-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable EOC-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable EOC-RPT instrumentation channel. A.1 and A.2 With one or more channels inoperable, but with EOC-RPT trip capability maintained (refer to Required Actions B.1 and B.2 Bases), the EOC-RPT System is capable of performing the intended function. However, the reliability and redundancy of the EOC-RPT instrumentation is reduced such that a single failure in the remaining trip system could result in the inability of the EOC-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore compliance with the LCO. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of an EOC-RPT, 72 hours is provided to restore the inoperable channels (Required Action A.1) or apply the EOC-RPT inoperable MCPR limit. Alternately, the inoperable channels may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT, or if the inoperable channel is the result of an inoperable breaker), Condition C must be entered and its Required Actions taken.

EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-80 REVISION 36 BASES ACTIONS B.1 and B.2 (continued) Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining EOC-RPT trip capability. A Function is considered to be maintaining EOC-RPT trip capability when sufficient channels are OPERABLE or in trip, such that the EOC-RPT System will generate a trip signal from the given Function on a valid signal and both recirculation pumps can be tripped. Alternately, Required Action B.2 requires the MCPR limit for inoperable EOC-RPT, as specified in the COLR, to be applied. This also restores the margin to MCPR assumed in the safety analysis. The 2 hour Completion Time is sufficient time for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of the EOC-RPT instrumentation during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation. C.1 and C.2 With any Required Action and associated Completion Time not met, THERMAL POWER must be reduced to < 27.6% RTP within 4 hours. Alternately, the associated recirculation pump may be removed from service, since this performs the intended function of the instrumentation. The allowed Completion Time of 4 hours is reasonable, based on operating experience, to reduce THERMAL POWER to < 27.6% RTP from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains EOC-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary. EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-81 REVISION 69 BASES SURVEILLANCE SR 3.3.4.1.1 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.2 This SR ensures that an EOC-RPT initiated from the TSV - Closure and TCV Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL POWER is 27.6% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from first stage pressure) the main turbine bypass valves must remain closed during the calibration at THERMAL POWER 27.6% RTP to ensure that the calibration is valid. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at 27.6% RTP, either due to open main turbine bypass valves or other reasons), the affected TSV - Closure and TCV Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition (Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are enabled), this SR is met with the channel considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.1.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. For the TSV - Closure Function, this SR also includes a physical inspection and actuation of the switches. EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 1 B 3.3-82 REVISION 69 BASES SURVEILLANCE SR 3.3.4.1.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the associated safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would also be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.1.5 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The EOC-RPT SYSTEM RESPONSE TIME acceptance criteria are included in Reference 5. A Note to the Surveillance states that breaker interruption (i.e., trip) time may be assumed from the most recent performance of SR 3.3.4.1.6. This is allowed since the time to open the contacts after energization of the trip coil and the arc suppression time are short and do not appreciably change, due to the design of the breaker opening device and the fact that the breaker is not routinely cycled. Response times cannot be determined at power because operation of final actuated devices is required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.6 This SR ensures that the RPT breaker interruption time is provided to the EOC-RPT SYSTEM RESPONSE TIME test. Breaker interruption (i.e., trip) time is defined as breaker response time plus arc suppression time. Breaker response time is the time from application of voltage to the trip coil until the main contacts separate. Arc EOC-RPT Instrumentation B 3.3.4.1 HATCH UNIT 1 B 3.3-83 REVISION 69 BASES SURVEILLANCE SR 3.3.4.1.6 (continued) REQUIREMENTS suppression time is the time from main contact separation until the complete suppression of the electrical arc across the open contacts. Breaker response shall be verified by testing and added to the manufacturer's design arc suppression time to determine breaker interruption time. The breaker arc suppression time shall be validated by the performance of periodic contact gap measurements in accordance with plant procedures. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.17.

2. FSAR, Subsection 14.3.1.

3. Unit 2 FSAR, Paragraph 5.5.16.1 and Subsection 7.6.10. 4. GENE-770-06-1, "Bases For Changes To Surveillance Test Intervals And Allowed Out-Of-Service Times For Selected Instrumentation Technical Specifications," February 1991. 5. Technical Requirements Manual, Table T5.0-1. 6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 1 B 3.3-84 REVISION 3 B 3.3 INSTRUMENTATION

B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event. Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level - ATWS-RPT Level or Reactor Steam Dome Pressure - High setpoint is reached, the recirculation pump drive motor breakers trip. The ATWS-RPT System (Ref. 1) includes sensors, relays, bypass capability, circuit breakers, and switches that are necessary to cause initiation of an RPT. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic. The ATWS-RPT consists of two independent trip systems, with two channels of Reactor Steam Dome Pressure - High and two channels of Reactor Vessel Water Level - ATWS-RPT Level in each trip system. Each ATWS-RPT trip system is a two-out-of-two logic for each Function. Thus, either two Reactor Water Level - ATWS-RPT Level or two Reactor Pressure - High signals are needed to trip a trip system. The outputs of the channels in a trip system are combined in a logic so that either trip system will trip both recirculation pumps (by tripping the respective drive motor breakers). There is one drive motor breaker provided for each of the two recirculation pumps for a total of two breakers. The output of each trip system is provided to both recirculation pump breakers. APPLICABLE The ATWS-RPT is not assumed in the safety analysis. The SAFETY ANALYSES, ATWS-RPT initiates an RPT to aid in preserving the integrity of the LCO, and fuel cladding following events in which a scram does not, but should, APPLICABILITY occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of the NRC Policy Statement (Ref. 3).

ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 1 B 3.3-85 REVISION 1 BASES APPLICABLE The OPERABILITY of the ATWS-RPT is dependent on the SAFETY ANALYSES, OPERABILITY of the individual instrumentation channel Functions. LCO, and Each Function must have a required number of OPERABLE channels APPLICABILITY in each trip system, with their setpoints within the specified Allowable (continued) Value of SR 3.3.4.2.3. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Channel OPERABILITY also includes the associated recirculation pump drive motor breakers. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Steam Dome Pressure - High and Reactor Vessel Water Level - ATWS-RPT Level Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event. Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 1 B 3.3-86 REVISION 22 BASES APPLICABLE a significant pressure increase or low water level is negligible. In SAFETY ANALYSES, MODE 5, the one rod out interlock ensures that the reactor remains LCO, and subcritical; thus, an ATWS event is not significant. In addition, the APPLICABILITY reactor pressure vessel (RPV) head is not fully tensioned and no (continued) pressure transient threat to the reactor coolant pressure boundary (RCPB) exists. The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.

a. Reactor Vessel Water Level - ATWS-RPT Level Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the ATWS-RPT System is initiated at a low level to aid in maintaining level above the top of the active fuel. The reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs."

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - ATWS-RPT Level, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level - ATWS-RPT Level Allowable Value is chosen so that the system will not be initiated after a Level 3 scram until feedwater, HPCI, and RCIC have failed to stop the level excursion.

b. Reactor Steam Dome Pressure - High Excessively high RPV pressure may rupture the RCPB. An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 1 B 3.3-87 REVISION 22 BASES APPLICABLE b. Reactor Steam Dome Pressure - High (continued) SAFETY ANALYSES, LCO, and which could potentially result in fuel failure and APPLICABILITY overpressurization. The Reactor Steam Dome Pressure - High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves, limits the peak RPV pressure to less than the ASME Section III Code limits.

The Reactor Steam Dome Pressure - High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure. Four channels of Reactor Steam Dome Pressure - High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Steam Dome Pressure - High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code limits. ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel. A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT capability for each Function maintained (refer to Required Actions B.1 and C.1 Bases), the ATWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 1 B 3.3-88 REVISION 1 BASES ACTIONS A.1 and A.2 (continued) trip system could result in the inability of the ATWS-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. The 72 hour Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability. C.1 Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 1 B 3.3-89 REVISION 69 BASES ACTIONS C.1 (continued) The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above. The 1 hour Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.

D.1 and D.2 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary. SR 3.3.4.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 1 B 3.3-90 REVISION 69 BASES SURVEILLANCE SR 3.3.4.2.1 (continued) REQUIREMENTS a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.4.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.2.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. ATWS-RPT Instrumentation B 3.3.4.2 HATCH UNIT 1 B 3.3-91 REVISION 69 BASES SURVEILLANCE SR 3.3.4.2.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.23.

2. GENE-770-06-1, "Bases for Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," February 1991. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-92 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation

BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient. For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored. The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating." Core Spray System The CS System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units for each Function are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate both core spray pumps. Upon receipt of an automatic initiation signal, the CS pumps are started immediately after power is available. The high drywell pressure and low water level initiation signals automatically reset once the conditions clear. The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating. The CS pump discharge flow is monitored by a flow transmitter. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-93 REVISION 1 BASES BACKGROUND Core Spray System (continued) minimum flow setpoint to allow the full system flow assumed in the accident analysis. The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by four redundant transmitters, which, in turn, are connected to four trip units. The outputs of the trip units for each Function are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate all four LPCI pumps. Upon receipt of an automatic initiation signal, all LPCI pumps will start immediately if power is provided by the 1D Startup Auxiliary Transformer (SAT). If power is provided by the 1C SAT or the DGs, the LPCI C pump starts within 1 second when power is available, and the LPCI A, B, and D pumps are started after a 10 second delay. This limits the loading of the 1C SAT and the standby power sources. Once an initiation signal is received, the signal is sealed in and must be manually reset when the signal clears. Each LPCI subsystem's discharge flow is monitored by a flow transmitter. When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses. The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-94 REVISION 1 BASES BACKGROUND Low Pressure Coolant Injection System (continued) isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating. The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Low reactor water level in the shroud is detected by two additional instruments to automatically isolate other modes of RHR (e.g., suppression pool cooling) when LPCI is required. Manual overrides for these isolations are provided.

High Pressure Coolant Injection System The HPCI System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Level 2 or Drywell Pressure - High. Each of these variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function. Once an initiation signal is received, the signal is sealed in and must be manually reset when the signal clears. The HPCI pump discharge flow is monitored by a flow transmitter. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-95 REVISION 1 BASES BACKGROUND High Pressure Coolant Injection System (continued) The HPCI test line isolation valves are closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis. The HPCI System also monitors the water levels in the condensate storage tank (CST) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool (one-out-of-two logic similar to the CST water level logic). To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes. The HPCI System provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level - High, Level 8 trip, at which time the HPCI turbine trips, which causes the turbine's stop valve and the injection valves to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level - Low Low, Level 2 signal is subsequently received. If HPCI restart is desired prior to a level 2 signal being received, the level 8 trip must be manually reset (once the signal clears).

Automatic Depressurization System The ADS may be initiated by automatic means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High or ADS Bypass Low Water Level Actuation Timer; confirmed Reactor Vessel Water Level - Low, Level 3; and CS or LPCI Pump Discharge Pressure - High are all present and the ADS Initiation Timer has timed out. There are two transmitters each for Reactor Vessel Water Level - Low Low Low, Level 1 and Drywell Pressure - High, and one transmitter for confirmed Reactor Vessel Water Level - Low, Level 3 in each of the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-96 REVISION 1 BASES BACKGROUND Automatic Depressurization System (continued) two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic. Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers. The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive transmitters from both CS and from two LPCI pumps (i.e., LPCI pumps A and D input to ADS trip system A, and LPCI pumps B and C input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Any one of the six low pressure pumps is sufficient to permit automatic depressurization. The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High; and Low Water Level Actuation Timer. One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level - Low, Level 3. The Reactor Vessel Water Level - Low Low Low, Level 1 and Drywell Pressure - High or Low Water Level Actuation Timer contacts in both logic strings must close, the Reactor Vessel Water Level - Low, Level 3 contact in the one logic string must close, the ADS initiation timer must time out, and a CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure - High signal, the ADS Low Water Level Actuation Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset. Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-97 REVISION 1 BASES BACKGROUND Diesel Generators (continued) The DGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of the DG LOP initiation signals. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate all three DGs (1A, 1B, and 1C). The DGs receive their initiation signals from the CS System initiation logic. The DGs can also be started manually from the control room and locally from the associated DG room. Upon receipt of an initiation signal, each DG is automatically started, is ready to load in approximately 12 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). Each DG will only energize its respective Engineered Safety Feature bus if a loss of offsite power occurs on its associated bus. (Refer to Bases for LCO 3.3.8.1.) The DG initiation signal is automatically reset once the condition clears.

Plant Service Water (PSW) Turbine Building (T/B) Isolation Valves The PSW T/B isolation may be initiated by either automatic or manual means. Automatic isolation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are connected to a one-out-of-two taken twice logic to close all four PSW T/B isolation valves. The PSW T/B isolation valves receive their isolation signal from the CS System initiation logic. The PSW T/B isolation valves can also be closed manually from the control room. Upon receipt of an initiation signal, each PSW T/B isolation valve is automatically closed. The signal is automatically reset once the condition clears (allowing the valves to be manually reopened). APPLICABLE The actions of the ECCS are explicitly assumed in the safety analyses SAFETY ANALYSES, of References 1, 2, 3, and 4. The ECCS is initiated to preserve the LCO, and integrity of the fuel cladding by limiting the post LOCA peak cladding APPLICABILITY temperature to less than the 10 CFR 50.46 limits. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-98 REVISION 1 BASES APPLICABLE ECCS instrumentation satisfies Criterion 3 of the NRC Policy SAFETY ANALYSES, Statement (Ref. 6). Certain instrumentation Functions are retained for LCO, and other reasons and are described below in the individual Functions APPLICABILITY discussion. (continued) The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Each ECCS subsystem must also respond within its assumed response time. Table 3.3.5.1-1, footnote (b), is added to show that certain ECCS instrumentation Functions are also required to be OPERABLE to perform DG initiation and actuation of the PSW T/B isolation. Allowable Values are specified for each ECCS Function specified in the table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis, where applicable. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-99 REVISION 1 BASES APPLICABLE The specific Applicable Safety Analyses, LCO, and Applicability SAFETY ANALYSES, discussions are listed below on a Function by Function basis. LCO, and APPLICABILITY 1., 2. Core Spray and Low Pressure Coolant Injection Systems (continued) 1.a., 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS, associated DGs, and PSW T/B isolation are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Vessel Water Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure injection/spray subsystems to activate and provide adequate cooling. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are only required to be OPERABLE when the ECCS, DG(s), or PSW System are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS and DG initiation and PSW T/B isolation. Refer to LCO 3.5.1 and LCO 3.5.2, "ECCS - Shutdown," for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources - Operating" and LCO 3.8.2, "AC Sources - Shutdown," for Applicability Bases for the DGs; and LCO 3.7.2, "Plant Service Water (PSW) System," for Applicability Bases for the PSW System.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-100 REVISION 1 BASES APPLICABLE 1.b., 2.b. Drywell Pressure - High SAFETY ANALYSES, LCO, and High pressure in the drywell could indicate a break in the reactor APPLICABILITY coolant pressure boundary (RCPB). The low pressure ECCS, (continued) associated DGs, and PSW T/B isolation are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Water Level - Low Low Low, Level 1 Function, is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment. The Drywell Pressure - High Function is required to be OPERABLE when the ECCS, DG(s), or PSW System are required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation and PSW T/B isolation. In MODES 4 and 5, the Drywell Pressure - High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to the Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1 for Applicability Bases for the DGs; and LCO 3.7.2 for Applicability Bases for the PSW System.

1.c., 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive) Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Refs. 2 and 4). The core cooling function of the ECCS, along ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-101 REVISION 1 BASES APPLICABLE 1.c., 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive) SAFETY ANALYSES, (continued) LCO, and APPLICABILITY with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46. Four channels of Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems. 1.d., 2.g. Core Spray and Low Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI and CS Pump Discharge Flow - Low Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, 3, and 4 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. One flow transmitter per ECCS subsystem is used to detect the associated subsystems' flow rates. The logic is arranged such that each transmitter causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow - Low Allowable Values are high enough to ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-102 REVISION 1 BASES APPLICABLE 1.d., 2.g. Core Spray and Low Pressure Coolant Injection Pump SAFETY ANALYSES, Discharge Flow - Low (Bypass) (continued) LCO, and APPLICABILITY ensure that the pump flow rate is sufficient to protect the pump, yet low enough (based on engineering judgment) to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. Each channel of Pump Discharge Flow - Low Function (two CS channels and two LPCI channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

2.d. Reactor Steam Dome Pressure - Low (Recirculation Discharge Valve Permissive) Low reactor steam dome pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in Reference 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Refs. 2 and 4). The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis. Four channels of the Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure). ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-103 REVISION 1 BASES APPLICABLE 2.e. Reactor Vessel Shroud Level - Level 0 SAFETY ANALYSES, LCO, and The Level 0 Function is provided as a permissive to allow the RHR APPLICABILITY System to be manually aligned from the LPCI mode to the (continued) suppression pool cooling/spray or drywell spray modes. The permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Shroud Level - Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Refs. 2 and 4) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below Level 0. Reactor Vessel Shroud Level - Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level - Level 0 Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer. Two channels of the Reactor Vessel Shroud Level - Level 0 Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves that this Function isolates (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used). 2.f. Low Pressure Coolant Injection Pump Start - Time Delay Relay The purpose of this time delay is to stagger the start of the LPCI pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV emergency buses. This Function is only necessary when power is being supplied from the standby power source (DG). The LPCI Pump Start - Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources. There are seven LPCI Pump Start - Time Delay Relays, two in each of the RHR pump start logic circuits with the exception of the C pump, which has only one. The one time delay for the LPCI C pump is ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-104 REVISION 22 BASES APPLICABLE 2.f. Low Pressure Coolant Injection Pump Start - Time Delay Relay SAFETY ANALYSES, (continued) LCO, and APPLICABILITY associated with trip (pump start) logic B, starting LPCI C pump within 1 second upon an initiation signal. Trip logic A has no associated time delay relay for the LPCI C pump, starting the pump immediately upon an initiation signal. Therefore, to satisfy the required channels per Function for LPCI C pump, either the time delay relay associated with trip logic B must be OPERABLE or trip logic A must be OPERABLE. The intent of SR 3.3.5.1.4 for Function 2.f, LPCI C pump start - trip logic A, is captured by SR 3.3.5.1.5. Therefore, a satisfactory performance of SR 3.3.5.1.5 for LPCI C pump start - trip logic A also satisfies the requirements of SR 3.3.5.1.4 for that Function. While each time delay relay is dedicated to a single pump start logic, a single failure of a LPCI Pump Start - Time Delay Relay could result in the failure of the two low pressure ECCS pumps, powered from the same Engineered Safety Feature (ESF) bus, to perform their intended function within the assumed ECCS RESPONSE TIME (e.g., as in the case where both ECCS pumps on one ESF bus start simultaneously due to an inoperable time delay relay). This still leaves four of the six low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). The Allowable Value for the LPCI Pump Start - Time Delay Relays is chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4.16 kV emergency bus and short enough so that ECCS operation is not degraded. Each LPCI Pump Start - Time Delay Relay Function is required to be OPERABLE only when the associated LPCI subsystem is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

3. HPCI System 3.a. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs." While HPCI is not assumed to be ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-105 REVISION 22 BASES APPLICABLE 3.a. Reactor Vessel Water Level - Low Low, Level 2 (continued) SAFETY ANALYSES, LCO, and OPERABLE in any DBA or transient analysis, the Reactor Vessel APPLICABILITY Water Level - Low Low, Level 2 is one of the Functions capable of initiating HPCI during the transients analyzed in References 1 and 3 and during a LOCA (Refs. 2 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Therefore, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 6). Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is selected at the Reactor Core Isolation Cooling (RCIC) System Level 2 Allowable Value for convenience. Refer to LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System Instrumentation," for the Bases discussion of this Function. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases. 3.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the Drywell Pressure - High Function is capable of initiating HPCI during a LOCA (Refs. 2 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Therefore, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 6). High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-106 REVISION 1 BASES APPLICABLE 3.b. Drywell Pressure - High (continued) SAFETY ANALYSES, LCO, and Four channels of the Drywell Pressure - High Function are required to APPLICABILITY be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System. 3.c. Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk, thus it meets Criterion 4 of the NRC Policy Statement (Ref. 6). Reactor Vessel Water Level - High, Level 8 signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level - High, Level 8 Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs. Two channels of Reactor Vessel Water Level - High, Level 8 Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases. 3.d. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the Function is implicitly assumed if HPCI is to be ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-107 REVISION 28 BASES APPLICABLE 3.d. Condensate Storage Tank Level - Low (continued) SAFETY ANALYSES, LCO, and utilized, since the long term use of HPCI during a DBA requires the APPLICABILITY HPCI suction source to be the suppression pool. As such this Function meets Criterion 4 of the NRC Policy Statement (Ref. 6). Condensate Storage Tank Level - Low signals are initiated from two level switches. The Condensate Storage Tank Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST. Two channels of the Condensate Storage Tank Level - Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Suppression Pool Water Level - High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CST to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, this Function is implicitly assumed if HPCI is to be utilized, since the long term use of HPCI during a DBA requires the HPCI suction source to be the suppression pool. As such, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 6). Suppression Pool Water Level - High signals are initiated from two level transmitters. The Allowable Value for the Suppression Pool Water Level - High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded. Two channels of Suppression Pool Water Level - High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-108 REVISION 1 BASES APPLICABLE 3.f. High Pressure Coolant Injection Pump Discharge Flow - Low SAFETY ANALYSES, (Bypass) LCO, and APPLICABILITY The minimum flow instruments are provided to protect the HPCI pump (continued) from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the High Pressure Coolant Injection Pump Discharge Flow - Low Function is capable of closing the minimum flow valve to ensure that the HPCI flow provided, if HPCI is utilized during the transients and accidents analyzed in References 1, 2, and 3, is adequate. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Therefore, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 6). One flow transmitter is used to detect the HPCI System's flow rate. The logic is arranged such that the transmitter causes the minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The High Pressure Coolant Injection Pump Discharge Flow - Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough (based on engineering judgment) to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

4., 5. Automatic Depressurization System 4.a., 5.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in References 2 and 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-109 REVISION 1 BASES APPLICABLE 4.a., 5.a. Reactor Vessel Water Level - Low Low Low, Level 1 SAFETY ANALYSES, (continued) LCO, and APPLICABILITY Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b., 5.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. Therefore, ADS receives one of the signals necessary for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in References 2 and 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Drywell Pressure - High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment. Four channels of Drywell Pressure - High Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.c., 5.c. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-110 REVISION 1 BASES APPLICABLE 4.c., 5.c. Automatic Depressurization System Initiation Timer SAFETY ANALYSES, (continued) LCO, and APPLICABILITY HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of References 2 and 4 that require ECCS initiation and assume failure of the HPCI System. There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling. Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d., 5.d. Reactor Vessel Water Level - Low, Level 3 The Reactor Vessel Water Level - Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level - Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences. Reactor Vessel Water Level - Low, Level 3 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level - Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-111 REVISION 15 BASES APPLICABILITY 4.d., 5.d. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and Two channels of Reactor Vessel Water Level - Low, Level 3 Function APPLICABILITY are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.e., 4.f., 5.e., 5.f. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High The Pump Discharge Pressure - High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in References 2 and 4 with an assumed HPCI failure. For these events, the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Pump discharge pressure signals are initiated from twelve pressure transmitters, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only 1 pump (1 channel for each LPCI pump, 2 channels for each CS pump, or 1 channel from one CS pump and the opposite channel for the other CS pump) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a minimum flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accident analysis. Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and D are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-112 REVISION 1 BASES APPLICABLE 4.e., 4.f., 5.e., 5.f. Core Spray and Low Pressure Coolant Injection SAFETY ANALYSES, Pump Discharge Pressure - High (continued) LCO, and APPLICABILITY associated with LPCI pumps B and C are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.g., 5.g. Automatic Depressurization System Low Water Level Actuation Timer One of the signals required for ADS initiation is Drywell Pressure - High. However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Low Water Level Actuation Timer is used to bypass the Drywell Pressure - High Function after a certain time period has elapsed. Operation of the Automatic Depressurization System Low Water Level Actuation Timer Function is not assumed in any accident analysis. The instrumentation is retained in the TS because ADS is part of the primary success path for mitigation of a DBA. There are four Automatic Depressurization System Low Water Level Actuation Timer relays, two in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling. Four channels of the Automatic Depressurization System Low Water Level Actuation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases. ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-113 REVISION 8 BASES ACTIONS instrumentation channels provide appropriate compensatory (continued) measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel. A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition. B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic initiation capability being lost for the same feature(s) in both divisions. Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS). The Required Action B.2 system would be HPCI. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated low pressure ECCS, DGs, and PSW System to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS, DGs, and PSW System being concurrently declared inoperable. In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. However, as stated on page 95 of the Safety Evaluation by the Office of Nuclear Reactor Regulation for Unit 1 Amendment 195 and Unit 2 Amendment 135, Georgia Power Company committed to not use the 24 hour allowance of Required Action B.3 for Function 1.a (for CS ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-114 REVISION 8 BASES ACTIONS B.1, B.2, and B.3 (continued) Level 1 initiation) and Function 2.a (for LPCI Level 1 initiation) when in MODE 4 or 5. Instead, the ACTIONS of TS 3.5.2, ECCS - Shutdown, will be entered immediately for the inoperable ECCS subsystems. This commitment does not apply to the Function 1.a and Function 2.a initiation of the associated DG and the isolation of the associated PSW turbine building isolation valves. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary. Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed. Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Function 2.e, since this Function provides backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed. Thus, a total loss of Function 2.e capability for 24 hours is allowed, since the LPCI subsystems remain capable of performing their intended function. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that features in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to inoperable, untripped channels for the associated Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-115 REVISION 1 BASES ACTIONS B.1, B.2, and B.3 (continued) the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken. C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in automatic initiation capability being lost for the same feature(s) in both divisions. Required Action C.1 features would be those that are initiated by Functions 1.c, 2.c, 2.d, and 2.f (i.e., low pressure ECCS). In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.c, 2.c, and 2.d, the affected portions are the associated low pressure ECCS pumps. Two failure modes exist for Function 2.f. If the time delay fails such that the pump start is delayed in excess of the specified time, the inoperable supported features are the associated pump and the associated DG. However, if the time delay fails such that the pump start is quicker than the specified time, the inoperable supported feature is the associated DG. The associated DG can be restored to OPERABLE status by preventing the affected pump from starting on an initiation signal.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-116 REVISION 1 BASES ACTIONS C.1 and C.2 (continued) As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours (as allowed by Required Action C.2) is allowed during MODES 4 and 5. Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours allowed by Required Action C.2. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. In this situation (loss of automatic ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-117 REVISION 1 BASES ACTIONS D.1, D.2.1, and D.2. (continued) suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to inoperable, untripped channels in the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water. Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken. E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump Discharge Flow - Low Bypass Functions result in automatic initiation capability being lost for the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-118 REVISION 1 BASES ACTIONS E.1 and E.2 (continued) same feature(s) in both divisions. For Required Action E.1, the features would be those that are initiated by Functions 1.d and 2.g (e.g., low pressure ECCS). Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump(s) to be declared inoperable. However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable. In this situation (loss of minimum flow capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 7 days allowed by Required Action E.2. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels. If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-119 REVISION 1 BASES ACTIONS E.1 and E.2 (continued) pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events. F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in automatic initiation capability being lost for the ADS. In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-120 REVISION 1 BASES ACTIONS F.1 and F.2 (continued) service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken. G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-121 REVISION 1 BASES ACTIONS G.1 and G.2 (continued) Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately. Two failure modes exist for Function 2.f. If the time delay fails such that the pump start is delayed in excess of the specified time, the inoperable supported features are the associated pump and the associated DG. However, if the time delay fails such that the pump start is quicker than the specified time, the inoperable supported feature is the associated DG. The associated DG can be restored to OPERABLE status by preventing the affected pump from starting on an initiation signal. SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-122 REVISION 69 BASES SURVEILLANCE required Surveillances, entry into associated Conditions and Required REQUIREMENTS Actions may be delayed for up to 6 hours as follows: (a) for (continued) Functions 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or the redundant Function maintains initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary. SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2 and SR 3.3.5.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 1 B 3.3-123 REVISION 69 BASES SURVEILLANCE SR 3.3.5.1.2 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.7.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 4.8.

2. FSAR, Section 6.5.

3. FSAR, Section 14.4. 4. NEDC-31376-P, "Edwin I. Hatch Nuclear Power Plant, SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis," December 1986.

ECCS Instrumentation B 3.3.5.1 HATCH UNIT 1 B 3.3-124 REVISION 69 BASES REFERENCES 5. NEDC-30936-P-A, "BWR Owners' Group Technical (continued) Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2," December 1988. 6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-125 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation

BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is unavailable, such that RCIC System initiation occurs and maintains sufficient reactor water level such that initiation of the low pressure Emergency Core Cooling System (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System." The RCIC System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Level 2. The variable is monitored by four transmitters that are connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared. The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow. The RCIC System also monitors the water levels in the condensate storage tank (CST) and the suppression pool since these are the two sources of water for RCIC operation. Reactor grade water in the CST is the normal source. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction valves from the suppression pool are open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool (one-out-of-two logic similar to the CST water level logic). To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.

RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-126 REVISION 7 BASES BACKGROUND The RCIC System provides makeup water to the reactor until the (continued) reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam supply and cooling water supply valves close (the injection valve also closes due to the closure of the steam supply valve). The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2). APPLICABLE The function of the RCIC System to provide makeup coolant to the SAFETY ANALYSES, reactor is used to respond to transient events. The RCIC System LCO, and is not an Engineered Safety Feature System and no credit is taken APPLICABILITY in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system, and therefore its instrumentation, meets Criterion 4 of the NRC Policy Statement (Ref. 2). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion. The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.2-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology. The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-127 REVISION 22 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Low, Level 2 SAFETY ANALYSES, LCO, and Low reactor pressure vessel (RPV) water level indicates that normal APPLICABILITY feedwater flow is insufficient to maintain reactor vessel water level (continued) and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs." Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. (Refer to LCO 3.5.3 for RCIC Applicability Bases.)

2. Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply and cooling water supply valves to prevent overflow into the main steam lines (MSLs). (The injection valve also closes due to the closure of the steam supply valve.) Reactor Vessel Water Level - High, Level 8 signals for RCIC are initiated from two level transmitters from the narrow range water level measurement instrumentation, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - High, Level 8 Allowable Value is high enough to preclude isolating the injection valve of the RCIC RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-128 REVISION 1 BASES APPLICABLE 2. Reactor Vessel Water Level - High, Level 8 (continued) SAFETY ANALYSES, LCO, and during normal operation, yet low enough to trip the RCIC System prior APPLICABILITY to water overflowing into the MSLs. Two channels of Reactor Vessel Water Level - High, Level 8 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. (Refer to LCO 3.5.3 for RCIC Applicability Bases.)

3. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally, the suction valve between the RCIC pump and the CST is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the RCIC pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. The Condensate Storage Tank Level - Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of Condensate Storage Tank Level - Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. (Refer to LCO 3.5.3 for RCIC Applicability Bases.)

4. Suppression Pool Water Level - High Excessively high suppression pool water level could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of RCIC from the CST to RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-129 REVISION 1 BASES APPLICABLE 4. Suppression Pool Water Level - High (continued) SAFETY ANALYSES, LCO, and the suppression pool to eliminate the possibility of RCIC continuing to APPLICABILITY provide additional water from a source outside primary containment. This Function satisfies Criterion 3 of the NRC Policy Statement. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. Suppression Pool Water Level - High signals are initiated from two level switches. The Allowable Value for the Suppression Pool Water Level - High Function is set low enough to ensure that RCIC will be aligned to take suction from the suppression pool before the water level reaches the point at which suppression design loads would be exceeded. Two channels of Suppression Pool Water Level - High Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases. ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition. RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-130 REVISION 1 BASES ACTIONS B.1 and B.2 (continued) Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour after discovery of loss of RCIC initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to inoperable, untripped Reactor Vessel Water Level - Low Low, Level 2 channels as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

C.1 A risk based analysis was performed and determined that an allowable out of service time of 24 hours (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required. This RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-131 REVISION 1 BASES ACTIONS C.1 (continued) Condition applies to the Reactor Vessel Water Level - High, Level 8 Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC initiation capability (loss of high water level trip capability). As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable. The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events. D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour from discovery of loss of RCIC initiation capability. As noted, Required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to inoperable, untripped channels in the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel (shifting the suction source to the RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-132 REVISION 69 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued) suppression pool). Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the RCIC System piping remains filled with water. If it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the RCIC suction piping), Condition E must be entered and its Required Action taken. E.1 With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately. SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC System REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.2-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours for Function 2; and (b) for up to 6 hours for Functions 1, 3, and 4, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary. SR 3.3.5.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-133 REVISION 69 BASES SURVEILLANCE SR 3.3.5.2.1 (continued) REQUIREMENTS instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.5.2.2 and SR 3.3.5.2.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.5.2.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.

RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 1 B 3.3-134 REVISION 69 BASES SURVEILLANCE SR 3.3.5.2.4 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. GENE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-135 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.6.1 Primary Containment Isolation Instrumentation

BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are: (a) reactor vessel water level, (b) area ambient and differential temperatures, (c) main steam line (MSL) flow measurement, (d) Standby Liquid Control (SLC) System initiation, (e) condenser vacuum, (f) main steam line pressure, (g) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line flow, (h) drywell radiation and pressure, (i) HPCI and RCIC steam line pressure, (j) HPCI and RCIC turbine exhaust diaphragm pressure, and (k) reactor steam dome pressure. Redundant sensor input signals from each parameter are provided for initiation of isolation. The only exception is SLC System initiation. Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.

1. Main Steam Line Isolation Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of all main steam isolation valves (MSIVs). The outputs from the same channels are arranged into two two-out-of-two logic trip systems to isolate all MSL drain valves and Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-136 REVISION 1 BASES BACKGROUND 1. Main Steam Line Isolation (continued) reactor water sample valves. The MSL drain line has two isolation valves with one two-out-of-two logic system associated with each valve. The reactor water sample line also has two isolation valves with similar logic.

The exceptions to this arrangement are the Main Steam Line Flow - High Function and Area Temperature Functions. The Main Steam Line Flow - High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic. This is effectively a one-out-of-eight taken twice logic arrangement to initiate isolation of the MSIVs. Similarly, the 16 flow channels are connected into two two-out-of-two logic trip systems (effectively, two one-out-of-four twice logic), with each trip system isolating one of the two MSL drain valves and one of the two reactor water sample valves. The Main Steam Tunnel Temperature - High Function receives input from 16 channels. The logic is arranged similar to the Main Steam Line Flow - High Function. The Turbine Building Area Temperature - High Function receives input from 64 channels. Four channels from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has 16 inputs (4 per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic. This is effectively a one-out-of-thirty-two taken twice logic trip system to isolate all MSIVs. Similarly, the inputs are arranged in two one-out-of-sixteen twice logic trip systems, with each trip system isolating one of the two MSL drain valves and one of the two reactor water sample valves. MSL Isolation Functions isolate the Group 1 valves.

2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged into two two-out-of-two logic trip systems. One trip system initiates isolation of all inboard primary containment isolation valves, while the other trip system initiates isolation of all outboard primary containment isolation valves. Each logic closes one of the two valves on each Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-137 REVISION 1 BASES BACKGROUND 2. Primary Containment Isolation (continued) penetration, so that operation of either logic isolates the penetration. The TIP ball valves isolation does not occur until the TIPs have been fully retracted (the logic also sends a TIP retraction signal). The exception to this arrangement is the Drywell Radiation - High Function. This Function has two channels, whose outputs are arranged in two one-out-of-one logic trip systems. Each trip system isolates one valve per associated penetration, similar to the two-out-of-two logic described above.

Primary Containment Isolation Drywell Pressure - High and Reactor Vessel Water Level - Low, Level 3 Functions isolate the Group 2, 10, and 11 valves. The Reactor Vessel Water Level - Low, Level 3 Function also isolates the Group 6 valves. Reactor Building and Refueling Floor Exhaust Radiation - High Functions isolate the Group 2 (18 inch containment purge and vent), 10, and 11 valves. Primary Containment Isolation Drywell Radiation - High Function isolates the Group 2, 18 inch containment purge and vent valves.

3., 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation Most Functions that isolate HPCI and RCIC receive input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems in each isolation group is connected to one of the two valves on each associated penetration. The exceptions are the HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High and Steam Supply Line Pressure - Low Functions. These Functions receive inputs from four turbine exhaust diaphragm pressure and four steam supply pressure channels for each system. The outputs from the turbine exhaust diaphragm pressure and steam supply pressure channels are each connected to two two-out-of-two trip systems. Additionally, each trip system of the Steam Line Flow - High Functions receives input from a low differential pressure channel. The low differential pressure channels are not required for OPERABILITY. Each trip system isolates one valve per associated penetration. HPCI and RCIC Functions isolate the Group 3, 4, 8, and 9 valves. The inboard HPCI torus suction valve, 1E41-F041, while not a PCIV, isolates on the same signals which isolate Group 3 valves. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-138 REVISION 1 BASES BACKGROUND 5. Reactor Water Cleanup System Isolation (continued) The Reactor Vessel Water Level - Low Low, Level 2 Isolation Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into two two-out-of-two trip systems. The Area Temperature - High Function receives input from six temperature monitors, three to each trip system. The Area Ventilation Differential Temperature - High Function receives input from six differential temperature monitors, three in each trip system. These are configured so that any one input will trip the associated trip system. Each of the two trip systems is connected to one of the two valves on the RWCU penetration. However, the SLC System Initiation Function only provides an input to one trip system, thus closes only one valve. RWCU Functions isolate the Group 5 valves.

6. RHR Shutdown Cooling System Isolation The Reactor Vessel Water Level - Low, Level 3 Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected to two two-out-of-two trip systems. The Reactor Vessel Pressure - High Function receives input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems is connected to one of the two valves on the shutdown cooling penetration.

RHR Shutdown Cooling System Isolation Functions isolate the Group 6 valves. The outboard shutdown cooling isolation valve, 1E11-F009, while not a PCIV, isolates on the same signals which isolate Group 6 valves. APPLICABLE The isolation signals generated by the primary containment isolation SAFETY ANALYSES, instrumentation are implicitly assumed in the safety analyses of LCO, and References 1 and 2 to initiate closure of valves to limit offsite doses. APPLICABILITY Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)," Applicable Safety Analyses Bases for more detail of the safety analyses. Primary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 6). Certain instrumentation Functions Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-139 REVISION 1 BASES APPLICABLE are retained for other reasons and are described below in the SAFETY ANALYSES, individual Functions discussion. LCO, and APPLICABILITY The OPERABILITY of the primary containment instrumentation is (continued) dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Each channel must also respond within its assumed response time, where appropriate. Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs. The signals that isolate these valves are also associated with the automatic initiation of the ECCS and RCIC. The instrumentation requirements and ACTIONS associated with these signals are addressed in LCO 3.3.5.1, "Emergency Core Cooling Systems (ECCS) Instrumentation," and LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System Instrumentation," and are not included in this LCO.

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-140 REVISION 70 BASES APPLICABLE In general, the individual Functions are required to be OPERABLE in SAFETY ANALYSES MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, LCO, and "Primary Containment." Functions that have different Applicabilities APPLICABILITY are discussed below in the individual Functions discussion. (continued) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Main Steam Line Isolation 1.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level - Low Low Low, Level 1 Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level - Low Low Low, Level 1 Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MSLs on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA. Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 50.67 limits. This Function isolates the Group 1 valves. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-141 REVISION 75 BASES APPLICABLE 1.b. Main Steam Line Pressure - Low SAFETY ANALYSES, LCO, and Low MSL pressure with the reactor at power indicates that there may APPLICABILITY be a problem with the turbine pressure regulation, which could result (continued) in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hour if the pressure loss is allowed to continue. The Main Steam Line Pressure - Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 2). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100°F/hour) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below 685 psig, which results in a scram due to MSIV closure, thus reducing reactor power to < 24% RTP.) The MSL low pressure signals are initiated from four switches that are connected to the MSL header. The switches are arranged such that, even though physically separated from each other, each switch is able to detect low MSL pressure. Four channels of Main Steam Line Pressure - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value was selected to be high enough to prevent excessive RPV depressurization. The Main Steam Line Pressure - Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 2). This Function isolates the Group 1 valves.

1.c. Main Steam Line Flow - High Main Steam Line Flow - High is provided to detect a break of the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow - High Function is directly assumed in the analysis of the main steam line break (MSLB) (Ref. 2). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 50.67 limits. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-142 REVISION 42 BASES APPLICABLE 1.c. Main Steam Line Flow - High (continued) SAFETY ANALYSES, LCO, and The MSL flow signals are initiated from 16 transmitters that are APPLICABILITY connected to the four MSLs. The transmitters are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow - High Function for each unisolated MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL. The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break. The Allowable Value corresponds to 140 psid, which is the parameter monitored on control room instruments. This Function isolates the Group 1 valves.

1.d. Condenser Vacuum - Low The Condenser Vacuum - Low Function is provided to prevent overpressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum - Low Function is assumed to be OPERABLE and capable of initiating closure of the MSIVs. The closure of the MSIVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident. Condenser vacuum pressure signals are derived from four pressure switches that sense the pressure in the condenser. Four channels of Condenser Vacuum - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis. As noted [footnote (a) to Table 3.3.6.1-1], the channels are not required to be OPERABLE in MODES 2 and 3 when all turbine stop valves (TSVs) are closed, since the potential for condenser overpressurization is minimized. Switches are provided to manually bypass the channels when all TSVs are closed. This Function isolates the Group 1 valves. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-143 REVISION 70 BASES APPLICABLE 1.e., 1.f. Area Temperature - High SAFETY ANALYSES, LCO, and Area temperature is provided to detect a leak in the RCPB and APPLICABILITY provides diversity to the high flow instrumentation. The isolation (continued) occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. However, credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks, such as MSLBs. Area temperature signals are initiated from RTDs (for the Main Steam Tunnel Temperature - High Function) or temperature switches (for the Turbine Building Area Temperature - High Function) located in the area being monitored. While 16 channels of Main Steam Tunnel Temperature - High Function are available, only 12 channels (6 per trip system) are required to be OPERABLE. This will ensure that no single instrument failure can preclude the isolation function, assuming a line break on any line (the instruments assigned to monitor one line can still detect a leak on another line due to their close proximity to one another and the small confines of the area). While 64 channels of Turbine Building Area Temperature - High Function are available, only 32 channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. Each channel has one temperature element. The 32 channel requirement is further divided up, as noted in footnote (b), into 16 channels per trip system with 8 per trip string. Each trip string shall have 2 channels per main steam line, with no more than 40 feet separating any two OPERABLE channels. In addition, no unmonitored area should exceed 40 feet in length. The ambient temperature monitoring Allowable Value is chosen to detect a leak equivalent to between 1% and 10% rated steam flow. These Functions isolate the Group 1 valves.

2. Primary Containment Isolation 2.a. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Reactor Vessel Water Level - Low, Level 3 Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-144 REVISION 70 BASES APPLICABLE 2.a. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and Function associated with isolation is implicitly assumed in the FSAR APPLICABILITY analysis as these leakage paths are assumed to be isolated post LOCA. Reactor Vessel Water Level - Low, Level 3 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown. This Function isolates the Group 2, 6, 10, and 11 valves.

2.b. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment. This Function isolates the Group 2, 10, and 11 valves.

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-145 REVISION 1 BASES APPLICABLE 2.c. Drywell Radiation - High SAFETY ANALYSES, LCO, and High drywell radiation indicates possible gross failure of the fuel APPLICABILITY cladding. Therefore, when Drywell Radiation - High is detected, an (continued) isolation is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the FSAR because other leakage paths (e.g., MSIVs) are more limiting. The drywell radiation signals are initiated from radiation detectors that are located in the drywell. Two channels of Drywell Radiation - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is low enough to promptly detect gross failures in the fuel cladding. This Function isolates the Group 2, 18 inch containment vent and purge valves. 2.d., 2.e. Reactor Building and Refueling Floor Exhaust Radiation - High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB. When Exhaust Radiation - High is detected, valves whose penetrations communicate with the primary containment atmosphere are isolated to limit the release of fission products. The Exhaust Radiation - High signals are initiated from radiation detectors that are located near the ventilation exhaust ductwork coming from the reactor building and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Exhaust - High Function and four channels of Refueling Floor Exhaust - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to ensure radioactive releases do not exceed offsite dose limits. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-146 REVISION 6 BASES APPLICABLE 2.d., 2.e. Reactor Building and Refueling Floor Exhaust SAFETY ANALYSES, Radiation - High (continued) LCO, and APPLICABILITY These Functions isolate the Group 2 (18 inch containment purge and vent), 10, and 11 valves.

3., 4. High Pressure Coolant Injection and Reactor Core Isolation Cooling Systems Isolation 3.a., 4.a. HPCI and RCIC Steam Line Flow - High Steam Line Flow - High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding. The HPCI and RCIC Steam Line Flow - High signals are initiated from transmitters (two for HPCI and two for RCIC) that are connected to the system steam lines. Two channels of both HPCI and RCIC Steam Line Flow - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event. The Allowable Values correspond to 228 inches water column for HPCI and 209 inches water column for RCIC, which are the parameters monitored on control room instruments. These Functions isolate the Group 3 (and 1E41-F041) and 4 valves, as appropriate.

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-147 REVISION 1 BASES APPLICABLE 3.b., 4.b. HPCI and RCIC Steam Supply Line Pressure - Low SAFETY ANALYSES, LCO, and Low MSL pressure indicates that the pressure of the steam in the APPLICABILITY HPCI or RCIC turbine may be too low to continue operation of the (continued) associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. However, they also provide a diverse signal to indicate a possible system break. These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations. Therefore, they meet Criterion 4 of the NRC Policy Statement (Ref. 6). The HPCI and RCIC Steam Supply Line Pressure - Low signals are initiated from transmitters (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure - Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are selected to be high enough to prevent damage to the system's turbine. These Functions isolate the Group 3 (and 1E41-F041) and 4 valves, as appropriate. These functions serve as permissives for the Drywell Pressure - High isolation of the Group 8 and 9 valves, as appropriate. 3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphraqm Pressure - Low High turbine exhaust diaphragm pressure indicates that the pressure may be too high to continue operation of the associated system's turbine. That is, one of two exhaust diaphragms has ruptured and pressure is reaching turbine casing pressure limits. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. These instruments are included in the TS because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations. Therefore, they meet Criterion 4 of the NRC Policy Statement (Ref. 6). The HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High signals are initiated from transmitters (four for HPCI and four for RCIC) that are connected to the area between the rupture diaphragms on each system's turbine exhaust line. Four channels of both HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High Functions are Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-148 REVISION 1 BASES APPLICABLE 3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphraqm SAFETY ANALYSES, Pressure - Low (continued) LCO, and APPLICABILITY available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are low enough to prevent damage to the system's turbine. These Functions isolate the Group 3 (and 1E41-F041) and 4 valves, as appropriate.

3.d., 4.d. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB. The HPCI and RCIC isolation of the turbine exhaust vacuum breakers is provided to prevent communication with the drywell when high drywell pressure exists. A potential leakage path exists via the turbine exhaust. The isolation is delayed until the system becomes unavailable for injection (i.e., low steam line pressure). The isolation of the HPCI and RCIC turbine exhaust by Drywell Pressure - High is indirectly assumed in the FSAR accident analysis because the turbine exhaust leakage path is not assumed to contribute to offsite doses. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Two channels of both HPCI and RCIC Drywell Pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this is indicative of a LOCA inside primary containment. This Function isolates the Group 8 and 9 valves.

3.e., 3.f., 3.h., 3.i., 4.e., 4.g., 4.h. Area and Differential Temperature - High Area and differential temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-149 REVISION 1 BASES APPLICABLE 3.e., 3.f., 3.h., 3.i., 4.e., 4.g., 4.h. Area and Differential SAFETY ANALYSES, Temperature - High (continued) LCO, and APPLICABILITY assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks. Area and Differential Temperature - High signals are initiated from RTDs that are appropriately located to protect the system that is being monitored. Two instruments monitor each area. Two channels for each HPCI and RCIC Area and Differential Temperature - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Suppression Pool Area Ambient Temperature and Differential Temperature - High Functions are delayed by the Suppression Pool Area Temperature - Time Delay Relays. The Allowable Values are set low enough to detect a leak equivalent to 25 gpm. These Functions isolate the Group 3 (and 1E41-F041) and 4 valves, as appropriate.

3.g., 4.f. Suppression Pool Area Temperature - Time Delay Relay The Suppression Pool Area Temperature - Time Delay Relays are provided to allow all the other systems that may be leaking into the pool area (as indicated by the high temperature) to be isolated before HPCI and/or RCIC are automatically isolated. This ensures maximum HPCI and RCIC System operation by preventing isolations due to leaks in other systems. These Functions are not assumed in any FSAR transient or accident analysis. There are four time delay relays (two for HPCI and two for RCIC). The time delay relays delay the Suppression Pool Area Ambient Temperature and Differential Temperature - High Functions. Two channels each for both HPCI and RCIC Suppression Pool Area Temperature - Time Delay Relay Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are based on maximizing the availability of the HPCI and RCIC systems. That is, they provide sufficient time to isolate all other potential leakage sources in the suppression pool area before HPCI and RCIC are isolated. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-150 REVISION 1 BASES APPLICABLE 3.g., 4.f. Suppression Pool Area Temperature - Time Delay Relay SAFETY ANALYSES, (continued) LCO, and APPLICABILITY These Functions isolate the Group 3 (and 1E41-F041) and 4 valves, as appropriate.

5. Reactor Water Cleanup System Isolation 5.a., 5.b. Area and Area Ventilation Differential Temperature - High RWCU area and area ventilation differential temperatures are provided to detect a leak from the RWCU System. The isolation occurs even when very small leaks have occurred. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area and area ventilation differential temperature signals are initiated from temperature elements that are located in the area that is being monitored. Six RTDs provide input to the Area Temperature - High Function (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. Twelve RTDs provide input to the Area Ventilation Differential Temperature - High Function. The output of these RTDs is used to determine the differential temperature. Each channel consists of a differential temperature instrument that receives inputs from RTDs that are located in the inlet and outlet of the area cooling system and for a total of six available channels (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Area and Area Ventilation Differential Temperature - High Allowable Values are set low enough to detect a leak equivalent to 25 gpm. These Functions isolate the Group 5 valves. 5.c. SLC System Initiation The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-151 REVISION 1 BASES APPLICABLE 5.c. SLC System Initiation (continued) SAFETY ANALYSES, LCO, and solution by the RWCU System (Ref. 3). SLC System initiation signal APPLICABILITY is initiated from the SLC pump start signal. There is no Allowable Value associated with this Function since the channel is mechanically actuated based solely on the position of the SLC System initiation switch. One channel of the SLC System Initiation Function is available and is required to be OPERABLE only in MODES 1 and 2, since these are the only MODES where the reactor can be critical, and these MODES are consistent with the Applicability for the SLC System (LCO 3.1.7). As noted [footnote (c) to Table 3.3.6.1-1], this Function is only required to close one of the Group 5 RWCU isolation valves since the signal only provides input into one of the two trip systems.

5.d. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 2 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with RWCU isolation is not directly assumed in the FSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting). Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-152 REVISION 22 BASES APPLICABLE 5.d. Reactor Vessel Water Level - Low Low, Level 2 (continued) SAFETY ANALYSES, LCO, and The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value APPLICABILITY was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened. This Function isolates the Group 5 valves. 6. RHR Shutdown Cooling System Isolation 6.a. Reactor Steam Dome Pressure - High The Reactor Steam Dome Pressure - High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the FSAR. The Reactor Steam Dome Pressure - High signals are initiated from two transmitters that are connected to different taps on the RPV. Two channels of Reactor Steam Dome Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization. This Function isolates the Group 6 valves (and 1E11-F009).

6.b. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level - Low, Level 3 Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling System is bounded by breaks of the recirculation and MSL. The Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-153 REVISION 22 BASES APPLICABLE 6.b. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and RHR Shutdown Cooling System isolation on Level 3 supports actions APPLICABILITY to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs." Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of the Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. As noted [footnote (d) to Table 3.3.6.1-1], only two channels of the Reactor Vessel Water Level - Low, Level 3 Function are required to be OPERABLE in MODES 4 and 5 (and must input into the same trip system), provided the RHR Shutdown Cooling System integrity is maintained. System integrity is maintained provided the piping is intact and no maintenance is being performed that has the potential for draining the reactor vessel through the system. The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened. The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE in MODES 3, 4, and 5 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel. In MODES 1 and 2, another isolation (i.e., Reactor Steam Dome Pressure - High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path. This Function isolates the Group 6 valves (and 1E11-F009). ACTIONS A Note has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-154 REVISION 1 BASES ACTIONS subsequent divisions, subsystems, components, or variables (continued) expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Functions 2.a, 2.b, and 6.b and 24 hours for Functions other than Functions 2.a, 2.b, and 6.b has been shown to be acceptable (Refs. 4 and 5) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic isolation capability being lost for the associated penetration flow path(s). The MSL Isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that both trip systems will generate a trip signal from the given Function on a valid signal. The other isolation functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-155 REVISION 1 BASES ACTIONS B.1 (continued) on a valid signal. This ensures that one of the two PCIVs in the associated penetration flow path can receive an isolation signal from the given Function. As noted, this Condition is not applicable for Function 5.c (SLC System Initiation), since the loss of the single channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours allowed by Required Action A.1. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition. D.1, D.2.1, and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated MSLs may be isolated (Required Action D.1), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel. This Required Action will generally only be used if a Function 1.c channel is inoperable and untripped. The associated MSL(s) to be isolated are those whose Main Steam Line Flow - High Function channel(s) are inoperable. Alternately, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours (Required Actions D.2.1 and D.2.2). The Completion Times Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-156 REVISION 1 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued) are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. E.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

F.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels. For the RWCU Area and Area Ventilation Differential Temperature - High Functions, the affected penetration flow path(s) may be considered isolated by isolating only that portion of the system in the associated room monitored by the inoperable channel. That is, if the RWCU pump room A area channel is inoperable, the pump room A area can be isolated while allowing continued RWCU operation utilizing the B RWCU pump. Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition G must be entered and its Required Actions taken. The 1 hour Completion Time is acceptable, because it minimizes risk while allowing sufficient time for personnel to isolate the affected penetration flow path(s).

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-157 REVISION 1 BASES ACTIONS G.1 and G.2 (continued) If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or any Required Action of Condition F is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the SLC System is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the SLC System inoperable or isolating the RWCU System. The 1 hour Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System. I.1 and I.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so the penetration flow path can be isolated). Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Primary REQUIREMENTS Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-158 REVISION 69 BASES SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of (continued) required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 4 and 5) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary. SR 3.3.6.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. p It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.6.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 1 B 3.3-159 REVISION 69 BASES SURVEILLANCE SR 3.3.6.1.2 (continued) REQUIREMENTS function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.1.3, SR 3.3.6.1.4, and SR 3.3.6.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 5.2.

2. FSAR, Chapter 14. 3. FSAR, Section 3.8.3. 4. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

Primary Containment Isolation Instrumentation B 3.3.6.1 HATCH UNIT 1 B 3.3-160 REVISION 69 BASES REFERENCES 5. NEDC-30851P-A Supplement 2, "Technical Specifications (continued) Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989. 6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-161 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation

BASES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Refs. 1 and 2). Secondary containment isolation and establishment of vacuum with the SGT System within the assumed time limits ensures that fission products that leak from primary containment following a DBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits. The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logic are: (1) reactor vessel water level, (2) drywell pressure, (3) reactor building exhaust high radiation, and (4) refueling floor exhaust high radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation. The outputs of the logic channels in a trip system are arranged into two two-out-of-two trip system logics. Any trip system initiates all SGT subsystems and isolates the automatic isolation valves (dampers) in each secondary containment penetration. Each logic closes at least one of the two valves in each secondary containment penetration and starts the required SGT subsystems, so that operation of either logic isolates the secondary containment and provides for the necessary filtration of fission products. APPLICABLE The isolation signals generated by the secondary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the safety analyses LCO, and of References 1 and 2 to initiate closure of valves and start the SGT APPLICABILITY System to limit offsite doses. Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-162 REVISION 1 BASES APPLICABLE Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves SAFETY ANALYSES, (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," LCO, and Applicable Safety Analyses Bases for more detail of the safety APPLICABILITY analyses. (continued) The secondary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion. The OPERABILITY of the secondary containment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each channel must also respond within its assumed response time, where appropriate. Allowable Values are specified for each Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-163 REVISION 1 BASES APPLICABLE In general, the individual Functions are required to be OPERABLE in SAFETY ANALYSES, the MODES or other specified conditions when SCIVs and the SGT LCO, and System are required. APPLICABILITY (continued) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level - Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level - Low Low, Level 2 Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation systems on Reactor Vessel Water Level - Low Low, Level 2 support actions to ensure that any offsite releases are within the limits calculated in the safety analysis (Refs. 3 and 4). Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the High Pressure Coolant Injection/Reactor Core Isolation Cooling (HPCI/RCIC) Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1 and LCO 3.3.5.2), since this could indicate that the capability to cool the fuel is being threatened. The Reactor Vessel Water Level - Low Low, Level 2 Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required. In addition, the Function is also required to be OPERABLE during operations with a potential for draining the reactor vessel Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-164 REVISION 1 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Low, Level 2 (continued) SAFETY ANALYSES, LCO, and (OPDRVs) because the capability of isolating potential sources of APPLICABILITY leakage must be provided to ensure that offsite dose limits are not exceeded if core damage occurs.

2. Drywell Pressure - High High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. However, the Drywell Pressure - High Function associated with isolation is not assumed in any FSAR accident or transient analyses.

It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function. The Allowable Value was chosen to be the same as the ECCS Drywell Pressure - High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA). The Drywell Pressure - High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.

3., 4. Reactor Building and Refueling Floor Exhaust Radiation - High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB or the refueling floor due to a fuel handling accident. When Exhaust Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-165 REVISION 1 BASES APPLICABLE 3., 4. Reactor Building and Refueling Floor Exhaust Radiation - High SAFETY ANALYSES, (continued) LCO, and APPLICABILITY Radiation - High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the FSAR safety analyses (Ref. 4). The Exhaust Radiation - High signals are initiated from radiation detectors that are located near the ventilation exhaust ductwork coming from the reactor building and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Exhaust Radiation - High Function and four channels of Refueling Floor Exhaust Radiation - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to ensure radioactive releases do not exceed offsite dose limits. The Reactor Building and Refueling Floor Exhaust Radiation - High Functions are required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, these Functions are not required. The Reactor Building Exhaust Radiation - High Function is also required to be OPERABLE during OPDRVs (in MODE 4 and MODE 5) because the capability of detecting radiation releases due to fuel failures (due to fuel uncovery) must be provided to ensure that offsite dose limits are not exceeded. The Refueling Floor Exhaust Radiation - High Function is also required to be OPERABLE during CORE ALTERATIONS, MODE 5 OPDRVs, and movement of irradiated fuel assemblies in the secondary containment because the capability of detecting radiation releases due to fuel failures (e.g., due to a dropped fuel assembly) must be provided to ensure that offsite dose limits are not exceeded. ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-166 REVISION 1 BASES ACTIONS Section 1.3 also specifies that Required Actions of the Condition (continued) continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel. A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Function 2, and 24 hours for Functions other than Function 2, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an undesired isolation), Condition C must be entered and its Required Actions taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic isolation capability for the associated secondary containment penetration flow path(s) or a complete loss of automatic initiation capability for the Unit 1 and Unit 2 SGT Systems. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two SCIVs in each penetration flow path, and the required Unit 1 and Unit 2 SGT subsystems can be initiated on an isolation signal from the given Function. Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-167 REVISION 1 BASES ACTIONS B.1 (continued) The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

C.1.1, C.1.2, C.2.1, and C.2.2 If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the required Unit 1 and Unit 2 SGT Systems cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function. Isolating the associated flow paths (closing the ventilation supply and exhaust automatic isolation dampers) and starting the associated SGT subsystem(s) (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operation to continue. Alternately, declaring the associated SCIVs or SGT subsystem(s) inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components. Since each trip system affects multiple SGT subsystems Required Actions C.2.1 and C.2.2 can be performed independently on each SGT subsystem. That is, one SGT subsystem can be started (Required Action C.2.1) while another SGT subsystem can be declared inoperable (Required Action C.2.2). One hour is sufficient for personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Secondary REQUIREMENTS Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-168 REVISION 69 BASES SURVEILLANCE be returned to OPERABLE status or the applicable Condition entered REQUIREMENTS and Required Actions taken. This Note is based on the reliability (continued) analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated the 6 hour testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary. SR 3.3.6.2.1 Performance of the CHANNEL CHECK once every 12 hours ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.6.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 1 B 3.3-169 REVISION 69 BASES SURVEILLANCE SR 3.3.6.2.3 and SR 3.3.6.2.4 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 5.2.

2. FSAR, Section 14.4.

3. FSAR, Sections 14.4.5 and 14.5.4. 4. FSAR, Sections 14.4.3, 14.4.4, 14.5.2, and 14.5.3.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990. 6. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

Secondary Containment Isolation Instrumentation B 3.3.6.2 HATCH UNIT 1 B 3.3-170 REVISION 69 BASES REFERENCES 7. NRC No. 93-102, "Final Policy Statement on Technical (continued) Specification Improvements," July 23, 1993.

LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 1 B 3.3-171 REVISION 1 B 3.3 INSTRUMENTATION

B 3.3.6.3 Low-Low Set (LLS) Instrumentation

BASES BACKGROUND The LLS logic and instrumentation is designed to mitigate the effects of postulated thrust loads on the safety/relief valve (S/RV) discharge lines by preventing subsequent actuations with an elevated water leg in the S/RV discharge line. It also mitigates the effects of postulated pressure loads on the torus shell or suppression pool by preventing multiple actuations in rapid succession of the S/RVs subsequent to their initial actuation. Upon initiation, the LLS logic will assign preset opening and closing setpoints to four preselected S/RVs. These setpoints are selected such that the LLS S/RVs will stay open longer; thus, releasing more steam (energy) to the suppression pool, and hence more energy (and time) will be required for repressurization and subsequent S/RV openings. The LLS logic increases the time between (or prevents) subsequent actuations to allow the high water leg created from the initial S/RV opening to return to (or fall below) its normal water level; thus, reducing thrust loads from subsequent actuations to within their design limits. In addition, the LLS is designed to limit S/RV subsequent actuations to one valve, so torus loads will also be reduced. The LLS instrumentation logic is arranged in two divisions with Logic channels A and C in one division and Logic channels B and D in the other division (Ref. 1). Each LLS logic channel (e.g., Logic A channel) controls one LLS valve. The LLS logic channels will not actuate their associated LLS valves at their LLS setpoints until the arming portion of the associated LLS logic is satisfied. Arming occurs when any one of the 11 S/RVs opens, as indicated by a signal from one of the redundant pressure switches located on its tailpipe, coincident with a high reactor pressure signal. Each division receives tailpipe arming signals from dedicated tailpipe pressure switches on each of the 11 S/RVs, 6 in 1 LLS logic (e.g., Logic C) and 5 in the other LLS logic (e.g., Logic A). Each LLS logic (e.g., Logic A) receives the reactor pressure arming signal from a different reactor pressure transmitter and trip unit. These arming signals seal in until reset. The arming signal from one logic is sent to the other logic within the same division and performs the same function as the tailpipe arming signal (i.e., Logic A will arm if it has received a high reactor pressure signal and Logic C has armed). LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 1 B 3.3-172 REVISION 1 BASES BACKGROUND After arming, opening of each LLS valve is by a two-out-of-two logic (continued) from two reactor pressure transmitters and two trip units set to trip at the required LLS opening setpoint. The LLS valve recloses when reactor pressure has decreased to the reclose setpoint of one of the two trip units used to open the valve (one-out-of-two logic). This logic arrangement prevents single instrument failures from precluding the LLS S/RV function. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a LLS initiation signal to the initiation logic.

APPLICABLE The LLS instrumentation and logic function ensures that the SAFETY ANALYSES containment loads remain within the primary containment design basis (Ref. 2). The LLS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The LCO requires OPERABILITY of sufficient LLS instrumentation channels to ensure successfully accomplishing the LLS function assuming any single instrumentation channel failure within the LLS logic. Therefore, the OPERABILITY of the LLS instrumentation is dependent on the OPERABILITY of the instrumentation channel Function specified in Table 3.3.6.3-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Value. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Allowable Values are specified for each LLS actuation Function in Table 3.3.6.3-1. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 1 B 3.3-173 REVISION 1 BASES LCO setpoint, the associated device (e.g., trip unit) changes state. The (continued) analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The Tailpipe Pressure Switch Allowable Value is based on ensuring that a proper arming signal is sent to the LLS logic. That is, the pressure switch is initiated only when an S/RV has opened. The Reactor Steam Dome Pressure - High was chosen to be the same as the Reactor Protection System (RPS) Reactor Steam Dome Pressure Allowable Value (LCO 3.3.1.1) because it would be expected that LLS would be needed for pressurization events. Providing LLS after a scram has been initiated would prevent false initiations of LLS at 100% power. The LLS valve open and close Allowable Values are based on the safety analysis performed in Reference 2.

APPLICABILITY The LLS instrumentation is required to be OPERABLE in MODES 1, 2, and 3 since considerable energy is in the nuclear system and the S/RVs may be needed to provide pressure relief. If the S/RVs are needed, then the LLS function is required to ensure that the primary containment design basis is maintained. In MODES 4 and 5, the reactor pressure is low enough that the overpressure limit cannot be approached by assumed operational transients or accidents. Thus, LLS instrumentation and associated pressure relief is not required. ACTIONS A.1 The failure of any reactor steam dome pressure instrument channel to provide the arming, S/RV opening pressure, and S/RV closing pressure signals for an individual LLS valve does not affect the ability of the other LLS S/RVs to perform their LLS function. Therefore, 24 hours is provided to restore the inoperable channel(s) to LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 1 B 3.3-174 REVISION 49 BASES ACTIONS A.1 (continued) OPERABLE status (i.e., restore the LLS valve's initiation capability). If the inoperable channel(s) cannot be restored to OPERABLE status within the allowable out of service time, Condition D must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action could result in an instrumented LLS valve actuation. The 24 hour Completion Time is considered appropriate because of the redundancy in the design (4 LLS valves are provided and any 1 LLS valve can perform the LLS function) and the very low probability of multiple LLS instrumentation channel failures, which render the remaining LLS S/RVs inoperable, occurring together with an event requiring the LLS function during the 24 hour Completion Time. The 24 hour Completion Time is also based on the reliability analysis of Reference 3. B.1 Although the LLS circuitry is designed so that operation of a single tailpipe pressure switch will result in arming both LLS logics in its associated division, each tailpipe pressure switch provides a direct input to only one LLS logic (e.g., Logic A). Since each LLS logic normally receives at least five S/RV pressure switch inputs (and also receives the other S/RV signals from the other logic in the same division by an arming signal), the LLS logic and instrumentation remains capable of performing its safety function if any S/RV tailpipe pressure switch instrument channel becomes inoperable. Therefore, it is acceptable for plant operation to continue with only one tailpipe pressure switch OPERABLE on each S/RV. However, this is only acceptable provided each LLS valve is maintaining initiation capability. (Refer to Required Actions A.1 and D.1 Bases.) Required Action B.1 requires restoration of the tailpipe pressure switches to OPERABLE status prior to entering MODE 2 or 3 from MODE 4 to ensure that all switches are OPERABLE at the beginning of a reactor startup (this is because the switches are not accessible during plant operation). The Required Actions do not allow placing the channel in trip since this action could result in a LLS valve actuation. LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 1 B 3.3-175 REVISION 13 BASES ACTIONS C.1 (continued) A failure of two pressure switch channels associated with one S/RV tailpipe could result in the loss of the LLS function (i.e., multiple actuations of the S/RV would go undetected by the LLS logic). However, there is a total of 11 S/RVs. Therefore, it would be very unlikely that a single S/RV would be required to arm all the LLS logic. Therefore, it is acceptable to allow 14 days to restore one pressure switch of the associated S/RV to OPERABLE status (Required Action C.1). However, this allowable out of service time is only acceptable provided each LLS is maintaining initiation capability (Refer to Required Action A.1 and D.1 Bases). If one inoperable tailpipe pressure switch cannot be restored to OPERABLE status within the allowable out of service time, Condition D must be entered and its Required Action taken. The Required Actions do not allow placing the channels in trip since this action could result in a LLS valve actuation. A Note has been provided in the Condition to modify the Required Actions and Completion Times conventions related to LLS Function 3 channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LLS Function 3 channels provide appropriate compensatory measures for separate inoperable Condition entry for each S/RV with inoperable tailpipe pressure switches.

D.1 If any Required Action and associated Completion Time of Conditions A, B, or C are not met, or two or more LLS valves with initiation capability not maintained, the LLS valves may be incapable of performing their intended function. Therefore, the associated LLS valve(s) must be declared inoperable immediately.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each LLS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.6.3-1.

LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 1 B 3.3-176 REVISION 69 BASES SURVEILLANCE The Surveillances are also modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of (continued) required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains LLS initiation capability. LLS initiation capability is maintained provided three LLS valves are maintaining initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the LLS valves will initiate when necessary. SR 3.3.6.3.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with channels required by the LCO. SR 3.3.6.3.2, SR 3.3.6.3.3, and SR 3.3.6.3.4 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 1 B 3.3-177 REVISION 69 BASES SURVEILLANCE SR 3.3.6.3.2, SR 3.3.6.3.3, and SR 3.3.6.3.4 (continued) REQUIREMENTS function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A portion of the S/RV tailpipe pressure switch instrument channels are located inside the primary containment. The Note for SR 3.3.6.3.3, "Only required to be performed prior to entering MODE 2 during each scheduled outage > 72 hours when entry is made into primary containment," is based on the location of these instruments, ALARA considerations, and compatibility with the Completion Time of the associated Required Action (Required Action B.1). For this Note, a scheduled outage is a refueling outage or an outage for which at least a 72 hour period exists between discovery of an off-normal condition and a corresponding change in power level. Outage duration is measured from the time the generator is removed from the grid to the time the generator is tied to the grid, i.e., "breaker-to-breaker." SR 3.3.6.3.5 CHANNEL CALIBRATION is a complete check of the instrument loop and sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.3.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specified channel. The system functional testing performed in LCO 3.4.3, "Safety/Relief Valves (S/RVs)" and LCO 3.6.1.8, "Low-Low Set (LLS) Safety/Relief Valves (S/RVs)," for S/RVs overlaps this test to provide complete testing of the assumed safety function.

LLS Instrumentation B 3.3.6.3 HATCH UNIT 1 B 3.3-178 REVISION 69 BASES SURVEILLANCE SR 3.3.6.3.6 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.19.

2. FSAR, Section 4.11. 3. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 1 B 3.3-179 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.7.1 Main Control Room Environmental Control (MCREC) System Instrumentation

BASES BACKGROUND The MCREC System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent MCREC subsystems are each capable of fulfilling the stated safety function. The instrumentation and controls for the MCREC System automatically initiate action to pressurize the main control room (MCR) to minimize the consequences of radioactive material in the control room environment. In the event of a Control Room Air Inlet Radiation - High signal, the MCREC System is automatically started in the pressurization mode. The air is then recirculated through the charcoal filter, and sufficient outside air is drawn in through the normal intake to maintain the MCR slightly pressurized with respect to the turbine building. The MCREC System instrumentation has two trip systems, either of which can initiate both MCREC subsystems (Ref. 1). Each of the two trip systems for the Control Room Air Inlet Radiation - High is arranged in a one-out-of-one logic. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a MCREC System initiation signal to the initiation logic. APPLICABLE The ability of the MCREC System to maintain the habitability of the SAFETY ANALYSES, MCR is explicitly assumed for certain accidents as discussed in the LCO, and FSAR safety analyses (Refs. 2, 3, 4, and 5). MCREC System APPLICABILITY operation ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed the limits set by GDC 19 of 10 CFR 50, Appendix A. MCREC System instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). The OPERABILITY of the MCREC System instrumentation is dependent upon the OPERABILITY of the Control Room Air Inlet Radiation - High instrumentation channel Function. The Function must have a required number of OPERABLE channels, with their MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 1 B 3.3-180 REVISION 1 BASES APPLICABLE setpoints within the specified Allowable Value of SR 3.3.7.1.3. A SAFETY ANALYSES, channel is inoperable if its actual trip setpoint is not within its required LCO, and Allowable Value. The setpoint is calibrated consistent with applicable APPLICABILITY setpoint methodology assumptions (nominal trip setpoint). (continued) Allowable Values are specified for the MCREC System Control Room Air Inlet Radiation - High Function. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The control room air inlet radiation monitors measure radiation levels exterior to the inlet ducting of the MCR. A high radiation level may pose a threat to MCR personnel; thus, automatically initiating the MCREC System. The Control Room Air Inlet Radiation - High Function consists of two independent monitors. Two channels of Control Room Air Inlet Radiation - High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude MCREC System initiation. The Allowable Value was selected to ensure protection of the control room personnel. The Control Room Air Inlet Radiation - High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, to ensure that control room personnel are protected during a LOCA, fuel handling event, or MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 1 B 3.3-181 REVISION 1 BASES APPLICABLE vessel draindown event. During MODES 4 and 5, when these SAFETY ANALYSES, specified conditions are not in progress (e.g., CORE ALTERATIONS), LCO, and the probability of a LOCA or fuel damage is low; thus, the Function APPLICABILITY is not required. (continued) ACTIONS A Note has been provided to modify the ACTIONS related to MCREC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable MCREC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable MCREC System instrumentation channel.

A.1 and A.2 Because of the diversity of sensors available to provide initiation signals and the redundancy of the MCREC System design, an allowable out of service time of 6 hours is provided to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the Control Room Air Inlet Radiation - High Function is still maintaining MCREC System initiation capability. The Function is considered to be maintaining MCREC System initiation capability when sufficient channels are OPERABLE or in trip such that one trip system will generate an initiation signal from the given Function on a valid signal. In this situation (loss of MCREC System initiation capability), the 6 hour allowance of Required Action A.2 is not appropriate. If the Function is not maintaining MCREC System initiation capability, the MCREC System must be declared inoperable within 1 hour of discovery of the loss of MCREC System initiation capability as described above. The 1 hour Completion Time (A.1) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels. MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 1 B 3.3-182 REVISION 1 BASES ACTIONS A.1 and A.2 (continued) If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.2. Placing the inoperable channel in trip performs the intended function of the channel (starts both MCREC subsystems in the pressurization mode). Alternately, if it is not desired to place the channel in trip (e.g., as in the case where it is not desired to start the subsystem), Condition B must be entered and its Required Action taken. The 6 hour Completion Time is based on the consideration that this Function provides the primary signal to start the MCREC System; thus, ensuring that the design basis of the MCREC System is met.

B.1 and B.2 With any Required Action and associated Completion Time not met, the associated MCREC subsystem(s) must be placed in the pressurization mode of operation per Required Action B.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident. The method used to place the MCREC subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the MCREC subsystem(s). Alternately, if it is not desired to start the subsystem(s), the MCREC subsystem(s) associated with inoperable, untripped channels must be declared inoperable within 1 hour. Since each trip system can affect both MCREC subsystems, Required Actions B.1 and B.2 can be performed independently on each MCREC subsystem. That is, one MCREC subsystem can be placed in the pressurization Mode (Required Action B.1) while the other MCREC subsystem can be declared inoperable (Required Action B.2). The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoring or tripping of channels. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS Control Room Air Inlet Radiation - High channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other channel is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 1 B 3.3-183 REVISION 69 BASES SURVEILLANCE allowance, the channel must be returned to OPERABLE status or the REQUIREMENTS applicable Condition entered and Required Actions taken. This Note (continued) is based on the reliability analysis (Ref. 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the MCREC System will initiate when necessary. SR 3.3.7.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.7.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. MCREC System Instrumentation B 3.3.7.1 HATCH UNIT 1 B 3.3-184 REVISION 69 BASES SURVEILLANCE SR 3.3.7.1.3 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.7.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.4, "Main Control Room Environmental Control (MCREC) System," overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. Unit 2 FSAR, Section 7.3.5. 2. FSAR, Section 5.2. 3. Unit 2 FSAR, Section 6.4.1.2.2. 4. FSAR, Chapter 14. 5. Unit 2 FSAR, Table 15.1-28. 6. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 1 B 3.3-185 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.8.1 Loss of Power (LOP) Instrumentation

BASES BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power sources for energizing the various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation monitors the 4.16 kV emergency buses. Offsite power is the preferred source of power for the 4.16 kV emergency buses. If the monitors determine that insufficient power is available, the buses are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources. Each 4.16 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for each bus is monitored at two levels: 4.16 kV Emergency Bus Undervoltage Loss of Voltage and Degraded Voltage, however, only the Loss of Voltage Function is part of this LCO. The Loss of Voltage Function causes various bus transfers and disconnects and is monitored by two undervoltage relays for each emergency bus, whose outputs are arranged in a two-out-of-two logic configuration for all affected components except the DGs. The DG start logic configuration is one-out-of-two (Ref. 1). The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a LOP trip signal to the trip logic. Each 4.16 kV emergency bus has its own independent LOP alarm instrumentation to provide an anticipatory alarm and the initiation of corrective measures to restore emergency bus voltages. The alarms are set higher than the LOP trip relays. The alarm setpoints are approximately midway between the calculated minimum expected voltage and the calculated minimum required voltage, based on the maximum expected operating (i.e., non-LOCA) load conditions. The alarm setpoints signify that adequate voltage is available for normal operations. The LOP anticipatory alarms provide a total time delay of 65 seconds to reduce the possibility of nuisance alarms, while permitting prompt detection of potential low voltage conditions. Each 4.16 kV emergency bus has a dedicated low voltage annunciator fed by two relays and their associated time delays. The logic for the annunciation function is arranged in a two-out-of-two configuration. LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 1 B 3.3-186 REVISION 1 BASES (continued) APPLICABLE The LOP instrumentation is required for Engineered Safety Features SAFETY ANALYSES, to function in any accident with a loss of offsite power. The required LCO, and channels of LOP instrumentation ensure that the ECCS and other APPLICABILITY assumed systems powered from the DGs, provide plant protection in the event of any of the References 2, 3, and 4 analyzed accidents in which a loss of offsite power is assumed. The initiation of the DGs on loss of offsite power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Accident analyses credit the loading of the DG based on the concurrent loss of offsite power during a loss of coolant accident. The diesel starting and loading times have been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The LOP alarm instrumentation is required to initiate manual actions to restore the 4.16 kV emergency bus voltages or to initiate a plant shutdown. The required channels of LOP alarm instrumentation ensure the initiation of manual actions to protect the ECCS and other assumed systems from degraded voltage without initiating an unnecessary automatic disconnect from the preferred offsite power source. The occurrence of an undervoltage degraded voltage condition credits the manual actions to mitigate the condition and ensure plant safety is maintained. The LOP instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5), except that credit is taken for manual actions. The OPERABILITY of the LOP instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.8.1-1. Each Function must have a required number of OPERABLE channels per 4.16 kV emergency bus, with their setpoints within the specified Allowable Values. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable procedures (nominal trip setpoint). The Allowable Values are specified for the 4.16 kV Emergency Bus Undervoltage Function. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected, based on engineering judgment, to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable. Trip setpoints are those predetermined values of output and time delay at which an action LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 1 B 3.3-187 REVISION 1 BASES APPLICABLE should take place. The setpoints are compared to the actual process SAFETY ANALYSES, parameter (e.g., degraded voltage), and when the measured output LCO, and value of the process parameter exceeds the setpoint and time delay, APPLICABILITY the associated device (e.g., trip relay) changes state. (continued) The 4.16 kV undervoltage degraded voltage trip setpoints were determined in accordance with the NRC staff positions contained in an NRC letter dated June 2, 1977, except that manual actions are credited for restoring bus voltages or initiating a plant shutdown in the range of 78.8 to 92% of 4.16 kV. The undervoltage degraded voltage setpoint represents a point on the inverse time characteristic curve for the relay. The anticipatory alarm setpoints are approximately midway between the calculated minimum expected voltage and the calculated minimum required voltage, based on maximum expected operating; i.e., non-LOCA, conditions. The Specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Loss of voltage on a 4.16 kV emergency bus indicates that offsite power may be completely lost to the respective emergency bus and is unable to supply sufficient power for proper operation of the applicable equipment. Therefore, the power supply to the bus is transferred from offsite power to DG power when the voltage on the bus drops below the Loss of Voltage Function Allowable Values (loss of voltage with a short time delay). This ensures that adequate power will be available to the required equipment. The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that power is available to the required equipment. Two channels of 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Function per associated emergency bus are only required to be OPERABLE when the associated DG is required to be OPERABLE to ensure that no single instrument failure can preclude the DG function. (Two channels input to each of the three DGs.) (Refer to LCOs 3.8.1, "AC Sources - Operating," and 3.8.2, "AC Sources -

Shutdown," for Applicability Bases for the DGs.) LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 1 B 3.3-188 REVISION 1 BASES APPLICABLE 2. 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) SAFETY ANALYSES, LCO, and A reduced voltage condition on a 4.16 kV emergency bus indicates APPLICABILITY that, while offsite power may not be completely lost to the respective (continued) emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS Function. Therefore, power supply to the bus is transferred from offsite power to onsite DG power when the voltage on the bus drops below the Degraded Voltage Function Allowable Values (degraded voltage with a time delay). This ensures that adequate power will be available to the required equipment. The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the large ECCS motors. The Time Delay Allowable Values are long enough for the offsite power supply to usually recover. This minimizes the potential that short duration disturbances will adversely impact the availability of the offsite power supply. Manual actions are credited in the range of 78.8 to 92% of 4.16 kV to restore bus voltages or to initiate a plant shutdown. The range specified for manual actions indicates that sufficient power is available to the large ECCS motors; however, sufficient voltage for equipment at lower voltages required for LOCA conditions may not be available. Two channels of 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) Function per associated bus are only required to be OPERABLE when the associated DG is required to be OPERABLE to ensure that no single instrument failure can preclude the DG function. (Two channels input to each of the three emergency buses and DGs.) Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs.

3. 4.16 kV Emergency Bus Undervoltage (Anticipatory Alarm) A reduced voltage condition on a 4.16 kV emergency bus indicates that, while offsite power is adequate for normal operating conditions, available power may be marginal for some equipment required for LOCA conditions. Therefore, the anticipatory alarms actuate when the 4.16 kV bus voltages approach the minimum required voltage for normal; i.e., non-LOCA conditions. This ensures that manual actions will be initiated to restore the bus voltages or to initiate a plant shutdown.

LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 1 B 3.3-189 REVISION 1 BASES APPLICABLE 3. 4.16 kV Emergency Bus Undervoltage (Anticipatory Alarm) SAFETY ANALYSES, (continued) LCO, and APPLICABILITY Two channels of 4.16 kV Emergency Bus Undervoltage (Anticipatory Alarm) Function per associated bus are only required to be OPERABLE when the associated DG is required to be OPERABLE. (Two channels input to each of the three emergency buses.) ACTIONS A Note has been provided to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.

A.1 With one or more channels of Function 1 or 2 inoperable, the Function does not maintain initiation capability for the associated emergency bus. Therefore, only 1 hour is allowed to restore the inoperable channel to OPERABLE status. The Required Action does not allow placing a channel in trip since this action will result in a DG initiation. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

B.1 Each 4.16 kV bus has a dedicated annunciator fed by two relays and their associated time delays in a two-out-of-two logic configuration. Both relays and their associated time delays are required to be OPERABLE. Therefore, the loss of either required relay or time delay renders Function 3 incapable of performing the intended function. LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 1 B 3.3-190 REVISION 69 BASES ACTIONS B.1 (continued) Since the intended function is to alert personnel to a lowering voltage condition and the voltage reading is available for each bus on the control room front panels, the Required Action is verification of the voltage to be above the annunciator setpoint (nominal) hourly.

C.1 If any Required Action and associated Completion Time are not met, the associated Function does not maintain initiation capability for the associated emergency bus. Therefore, the associated DG(s) is declared inoperable immediately. This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable DG(s). SURVEILLANCE As noted at the beginning of the SRs, the SRs for each LOP REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.8.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains initiation capability (for Functions 1 and 2) and annunciation capability (for Function 3). Functions 1 and 2 maintain initiation capability provided that, for 2 of the 3 emergency buses, the following can be initiated by the Function: DG start, disconnect from the offsite power source, DG output breaker closure, load shed, and activation of the ECCS pump power permissive. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

SR 3.3.8.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation or a failure of annunciation has not occurred. A CHANNEL CHECK is defined for Function 3 to be a comparison of the annunciator status to the bus voltage and an annunciator test confirming the annunciator is capable of lighting and sounding. A CHANNEL CHECK will detect gross channel failure or an annunciator failure; thus, it is key to verifying the instrumentation continues to LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 1 B 3.3-191 REVISION 69 BASES SURVEILLANCE SR 3.3.8.1.1 (continued) REQUIREMENTS operate properly between each CHANNEL CALIBRATION. If a channel is outside the match criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with channels required by the LCO. SR 3.3.8.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.8.1.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. LOP Instrumentation B 3.3.8.1 HATCH UNIT 1 B 3.3-192 REVISION 69 BASES SURVEILLANCE SR 3.3.8.1.4 (continued) REQUIREMENTS The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 8.4.

2. FSAR, Section 4.8.

3. FSAR, Section 6.5. 4. FSAR, Chapter 14.

5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 1 B 3.3-193 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring

BASES BACKGROUND RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency. This system protects the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path of the essential safety circuits. Some of the essential equipment powered from the RPS buses includes the RPS logic, scram solenoids, and various valve isolation logic (e.g., residual heat removal shutdown cooling). RPS electric power monitoring assembly will detect any abnormal high or low voltage or low frequency condition in the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize. In the event of failure of an RPS Electric Power Monitoring System (e.g., both inseries electric power monitoring assemblies), the RPS loads may experience significant effects from the unregulated power supply. Deviation from the nominal conditions can potentially cause damage to the scram solenoids and other Class 1E devices. In the event of a low voltage condition for an extended period of time, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action. In the event of an overvoltage condition, the RPS logic relays and scram solenoids, as well as the main steam isolation valve (MSIV) solenoids, may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function. Two redundant Class 1E circuit breakers are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply. Each of these circuit breakers has an associated independent set of Class 1E overvoltage, undervoltage, and underfrequency sensing logic. Together, a circuit breaker and its sensing logic constitute an electric power monitoring assembly. If the output of the MG set or the alternate power supply exceeds predetermined limits of overvoltage, undervoltage, or underfrequency, RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 1 B 3.3-194 REVISION 1 BASES BACKGROUND a trip coil driven by this logic circuitry opens the circuit breaker, which (continued) removes the associated power supply from service. APPLICABLE The RPS electric power monitoring is necessary to meet the SAFETY ANALYSES assumptions of the safety analyses by ensuring that the equipment powered from the RPS buses can perform its intended function. RPS electric power monitoring provides protection to the RPS and other systems that receive power from the RPS buses, by acting to disconnect the RPS from the power supply under specified conditions that could damage the RPS bus powered equipment. RPS electric power monitoring satisfies Criterion 3 of the NRC Policy Statement (Ref. 3). LCO The OPERABILITY of each RPS electric power monitoring assembly is dependent on the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the associated circuit breaker. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply. This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS bus powered components. Each inservice electric power monitoring assembly's trip logic setpoints are required to be within the specified Allowable Value. The setpoint is calibrated consistent with applicable procedures (nominal trip setpoint). Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.2). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected, based on engineering judgment and operational experience, to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 1 B 3.3-195 REVISION 1 BASES LCO The Allowable Values for the instrument settings are based on the (continued) RPS continuously providing 57 Hz, 120 V +/- 10% (to all equipment), and 115 V +/- 10 V (to scram and MSIV solenoids). The most limiting voltage requirement and associated line losses determine the settings of the electric power monitoring instrument channels. The settings are calculated based on the loads on the buses and RPS MG set or alternate power supply being 120 VAC and 60 Hz. APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS bus powered components from the MG set or alternate power supply during abnormal voltage or frequency conditions. Since the degradation of a nonclass 1E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABILITY of the RPS electric power monitoring assemblies is required when the RPS bus powered components are required to be OPERABLE. This results in the RPS Electric Power Monitoring System OPERABILITY being required in MODES 1, 2, and 3; and in MODES 4 and 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies or with both residual heat removal (RHR) shutdown cooling isolation valves open. ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS bus powered components under degraded voltage or frequency conditions. However, the reliability and redundancy of the RPS Electric Power Monitoring System is reduced, and only a limited time (72 hours) is allowed to restore the inoperable assembly to OPERABLE status. If the inoperable assembly cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service (Required Action A.1). This places the RPS bus in a safe condition. An alternate power supply with OPERABLE power monitoring assemblies may then be used to power the RPS bus. The 72 hour Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS electric power monitoring protection occurring during this period. It allows time for plant RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 1 B 3.3-196 REVISION 1 BASES ACTIONS A.1 (continued) operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems. Alternately, if it is not desired to remove the power supply from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken. B.1 If both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service within 1 hour (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus. The 1 hour Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies. Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.

C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 1, 2, or 3, a plant shutdown must be performed. This places the plant in a condition where minimal equipment, powered through the inoperable RPS electric power monitoring assembly(s), is required and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 1 B 3.3-197 REVISION 1 BASES ACTIONS C.1 and C.2 (continued) required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1, D.2.1, and D.2.2 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 4 or 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies or with both RHR shutdown cooling valves open, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Required Action D.1 results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. In addition, action must be immediately initiated to either restore one electric power monitoring assembly to OPERABLE status for the inservice power source supplying the required instrumentation powered from the RPS bus (Required Action D.2.1) or to isolate the RHR Shutdown Cooling System (Required Action D.2.2). Required Action D.2.1 is provided because the RHR Shutdown Cooling System may be needed to provide core cooling. All actions must continue until the applicable Required Actions are completed. SURVEILLANCE The Surveillances are modified by a Note to indicate that when an REQUIREMENTS RPS electric power monitoring assembly is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the other RPS electric power monitoring assembly for the associated power supply maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the assembly must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. SR 3.3.8.2.1 A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 1 B 3.3-198 REVISION 69 BASES SURVEILLANCE SR 3.3.8.2.1 (continued) REQUIREMENTS As noted in the Surveillance, the CHANNEL FUNCTIONAL TEST is only required to be performed while the plant is in a condition in which the loss of the RPS bus will not jeopardize steady state power operation (the design of the system is such that the power source must be removed from service to conduct the Surveillance). The 24 hours is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance. The Note in the Surveillance is based on guidance provided in Generic Letter 91-09 (Ref. 2). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.8.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.2.3 Performance of a system functional test demonstrates that, with a required system actuation (simulated or actual) signal, the logic of the system will automatically trip open the associated power monitoring assembly. Only one signal per power monitoring assembly is required to be tested. This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function. The system functional test of the Class 1E circuit breakers is included as part of this test to provide complete testing of the safety function. If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RPS Electric Power Monitoring B 3.3.8.2 HATCH UNIT 1 B 3.3-199 REVISION 69 BASES (continued) REFERENCES 1. FSAR, Section 8.7.

2. NRC Generic Letter 91-09, "Modification of Surveillance Interval for the Electrical Protective Assemblies in Power Supplies for the Reactor Protection System." 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 1 B 3.4-1 REVISION 65 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.1 Recirculation Loops Operating

BASES BACKGROUND The Reactor Coolant Recirculation System is designed to provide a forced coolant flow through the core to remove heat from the fuel. The forced coolant flow removes more heat from the fuel than would be possible with just natural circulation. The forced flow, therefore, allows operation at significantly higher power than would otherwise be possible. The recirculation system also controls reactivity over a wide span of reactor power by varying the recirculation flow rate to control the void content of the moderator. The Reactor Coolant Recirculation System consists of two recirculation pump loops external to the reactor vessel. These loops provide the piping path for the driving flow of water to the reactor vessel jet pumps. Each external loop contains one variable speed motor driven recirculation pump, an adjustable speed drive (ASD) to control pump speed and associated piping, jet pumps, valves, and instrumentation. The recirculation loops are part of the reactor coolant pressure boundary and are located inside the drywell structure. The jet pumps are reactor vessel internals. The recirculated coolant consists of saturated water from the steam separators and dryers that has been subcooled by incoming feedwater. This water passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow into an external manifold, from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the jet pumps. This flow enters the jet pump at suction inlets and is accelerated by the driving flow. The drive flow and suction flow are mixed in the jet pump throat section. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core. The subcooled water enters the bottom of the fuel channels and contacts the fuel cladding, where heat is transferred to the coolant. As it rises, the coolant begins to boil, creating steam voids within the fuel channel that continue until the coolant exits the core. Because of reduced moderation, the steam voiding introduces negative reactivity that must be compensated for to maintain or to increase reactor power. The recirculation flow control allows operators to increase recirculation flow and sweep some of the voids from the fuel channel, overcoming the negative reactivity void Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 1 B 3.4-2 REVISION 65 BASES BACKGROUND effect. Thus, the reason for having variable recirculation flow is to (continued) compensate for reactivity effects of boiling over a wide range of power generation (i.e., 55 to 100% of RTP) without having to move control rods and disturb desirable flux patterns. In addition, core flow as a function of core thermal power, is usually maintained such that core thermal-hydraulic oscillations do not occur. These oscillations can occur during two-loop operation, as well as single-loop and no-loop operation. Plant procedures include requirements of this LCO as well as other vendor and NRC recommended requirements and actions to minimize the potential of core thermal-hydraulic oscillations. Each recirculation loop is manually started from the control room. The ASD provides regulation of individual recirculation loop drive flows. The flow in each loop is manually controlled. APPLICABLE The operation of the Reactor Coolant Recirculation System is an SAFETY ANALYSES initial condition assumed in the design basis loss of coolant accident (LOCA) (Ref. 1). During a LOCA caused by a recirculation loop pipe break, the intact loop is assumed to provide coolant flow during the first few seconds of the accident. The initial core flow decrease is rapid because the recirculation pump in the broken loop ceases to pump reactor coolant to the vessel almost immediately. The pump in the intact loop coasts down relatively slowly. This pump coastdown governs the core flow response for the next several seconds until the jet pump suction is uncovered (Ref. 1). The analyses assume that both loops are operating at the same flow prior to the accident. However, the LOCA analysis was reviewed for the case with a flow mismatch between the two loops, with the pipe break assumed to be in the loop with the higher flow. While the flow coastdown and core response are potentially more severe in this assumed case (since the intact loop starts at a lower flow rate and the core response is the same as if both loops were operating at a lower flow rate), a small mismatch has been determined to be acceptable based on engineering judgement. The recirculation system is also assumed to have sufficient flow coastdown characteristics to maintain fuel thermal margins during abnormal operational occurrences (AOOs) (Ref. 2), which are analyzed in Chapter 14 of the FSAR. A plant specific LOCA analysis has been performed assuming only one operating recirculation loop. This analysis has demonstrated that, in the event of a LOCA caused by a pipe break in the operating recirculation loop, the Emergency Core Cooling System response will provide adequate core cooling, provided the LHGR and APLHGR requirements are modified accordingly (Refs. 1 and 3). Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 1 B 3.4-3 REVISION 37 BASES APPLICABLE The transient analyses of Chapter 15 of the Unit 2 FSAR have also SAFETY ANALYSES been, performed for single recirculation loop operation (Ref. 3) and (continued) demonstrate sufficient flow coastdown characteristics to maintain fuel thermal margins during the abnormal operational transients analyzed provided the MCPR requirements are modified. During single recirculation loop operation, modification to the Reactor Protection System (RPS) average power range monitor (APRM) instrument setpoints is also required to account for the different relationships between recirculation drive flow and reactor core flow. The MCPR setpoints for single loop operation are specified in the COLR. The APRM Simulated Thermal Power - High setpoint is in LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation." Recirculation loops operating satisfies Criterion 2 of the NRC Policy Statement (Ref. 4). LCO Two recirculation loops are normally required to be in operation with their flows matched within the limits specified in SR 3.4.1.1 to ensure that during a LOCA caused by a break of the piping of one recirculation loop the assumptions of the LOCA analysis are satisfied. With only one recirculation loop in operation, modifications to the required APLHGR limits [LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"], MCPR limits [LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"], LHGR limits, [LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"], and APRM Simulated Thermal Power - High setpoint (LCO 3.3.1.1) must be applied to allow continued operation consistent with the assumptions of References 1 and 3.

APPLICABILITY In MODES 1 and 2, requirements for operation of the Reactor Coolant Recirculation System are necessary since there is considerable energy in the reactor core and the limiting design basis transients and accidents are assumed to occur. In MODES 3, 4, and 5, the consequences of an accident are reduced and the coastdown characteristics of the recirculation loops are not important. Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 1 B 3.4-4 REVISION 37 BASES (continued) ACTIONS A.1 With the requirements of the LCO not met, the recirculation loops must be restored to operation with matched flows within 24 hours. A recirculation loop is considered not in operation when the pump in that loop is idle or when the mismatch between total jet pump flows of the two loops is greater than required limits. The loop with the lower flow must be considered not in operation. Should a LOCA or AOO occur with one recirculation loop not in operation, the core flow coastdown and resultant core response may not be bounded by the LOCA analyses or the AOO analyses. Therefore, only a limited time is allowed to restore the inoperable loop to operating status. Alternatively, if the single loop requirements of the LCO are applied to operating limits and RPS setpoints, operation with only one recirculation loop would satisfy the requirements of the LCO and the initial conditions of the accident or AOO sequence. The 24 hour Completion Time is based on the low probability of an accident or AOO occurring during this time period, on a reasonable time to complete the Required Action, and on frequent core monitoring by operators allowing abrupt changes in core flow conditions to be quickly detected. This Required Action does not require tripping the recirculation pump in the lowest flow loop when the mismatch between total jet pump flows of the two loops is greater than the required limits. However, in cases where large flow mismatches occur, low flow or reverse flow can occur in the low flow loop jet pumps, causing vibration of the jet pumps. If zero or reverse flow is detected, the condition should be alleviated by changing pump speeds to re-establish forward flow or by tripping the pump. B.1 With any Required Action and associated Completion Time of Condition A not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. In this condition, the recirculation loops are not required to be operating because of the reduced severity of Design Basis Accidents and minimal dependence on the recirculation loop coastdown characteristics. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. Recirculation Loops Operating B 3.4.1 HATCH UNIT 1 B 3.4-5 REVISION 69 BASES (continued) SURVEILLANCE SR 3.4.1.1 REQUIREMENTS This SR ensures the recirculation loops are within the allowable limits for mismatch. At low core flow (i.e., < 70% of rated core flow), the MCPR requirements provide larger margins to the fuel cladding integrity Safety Limit such that the potential adverse effect of early boiling transition during a LOCA is reduced. A larger flow mismatch can therefore be allowed when core flow is < 70% of rated core flow. The recirculation loop jet pump flow, as used in this Surveillance, is the summation of the flows from all of the jet pumps associated with a single recirculation loop. The mismatch is measured in terms of percent of rated core flow. If the flow mismatch exceeds the specified limits, the loop with the lower flow is considered not in operation. The SR is not required when both loops are not in operation since the mismatch limits are meaningless during single loop or natural circulation operation. The Surveillance must be performed within 24 hours after both loops are in operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.2 (Not used.) REFERENCES 1. NEDC-32720P, "E. I. Hatch Nuclear Plant Units 1 and 2 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," March 1997.

2. FSAR, Section 4.3.5.

3. NEDO-24205, "E. I. Hatch Nuclear Plant Units 1 and 2 Single-Loop Operation," August 1979.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Jet PumpsB 3.4.2(continued)HATCH UNIT 1B 3.4-6REVISION 0B 3.4 REACTOR COOLANT SYSTEM (RCS)B 3.4.2 Jet PumpsBASESBACKGROUNDThe Reactor Coolant Recirculation System is described in theBackground section of the Bases for LCO 3.4.1, "Recirculation LoopsOperating," which discusses the operating characteristics of thesystem and how these characteristics affect the Design BasisAccident (DBA) analyses.The jet pumps are part of the Reactor Coolant Recirculation Systemand are designed to provide forced circulation through the core toremove heat from the fuel. The jet pumps are located in the annularregion between the core shroud and the vessel inner wall. Becausethe jet pump suction elevation is at two-thirds core height, the vessel can be reflooded and coolant level maintained at two-thirds coreheight even with the complete break of the recirculation loop pipe thatis located below the jet pump suction elevation.Each reactor coolant recirculation loop contains 10 jet pumps.Recirculated coolant passes down the annulus between the reactorvessel wall and the core shroud. A portion of the coolant flows fromthe vessel, through the two external recirculation loops, and becomesthe driving flow for the jet pumps. Each of the two externalrecirculation loops discharges high pressure flow into an externalmanifold from which individual recirculation inlet lines are routed to thejet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the jetpumps. This flow enters the jet pump at suction inlets and isaccelerated by the drive flow. The drive flow and suction flow aremixed in the jet pump throat section. The total flow then passesthrough the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive therequired flow upward through the core.APPLICABLEJet pump OPERABILITY is an explicit assumption in the designSAFETY ANALYSESbasis loss of coolant accident (LOCA) analysis evaluated inReference 1.The capability of reflooding the core to two-thirds core height isdependent upon the structural integrity of the jet pumps. If the structural system, including the beam holding a jet pump inlet mixer in Jet PumpsB 3.4.2(continued)HATCH UNIT 1B 3.4-7REVISION 0BASESAPPLICABLEplace, fails, jet pump displacement and performance degradationSAFETY ANALYSEScould occur, resulting in an increased flow area through the jet pump(continued)and a lower core flooding elevation. This could adversely affect thewater level in the core during the reflood phase of a LOCA as well asthe assumed blowdown flow during a LOCA.Jet pumps satisfy Criterion 2 of the NRC Policy Statement (Ref. 4).LCOThe structural failure of any of the jet pumps could cause significantdegradation in the ability of the jet pumps to allow reflooding totwo-thirds core height during a LOCA. OPERABILITY of all jet pumps is required to ensure that operation of the Reactor CoolantRecirculation System will be consistent with the assumptions used inthe licensing basis analysis (Ref. 1).APPLICABILITYIn MODES 1 and 2, the jet pumps are required to be OPERABLEsince there is a large amount of energy in the reactor core and since the limiting DBAs are assumed to occur in these MODES. This isconsistent with the requirements for operation of the Reactor CoolantRecirculation System (LCO 3.4.1).In MODES 3, 4, and 5, the Reactor Coolant Recirculation System isnot required to be in operation, and when not in operation, sufficientflow is not available to evaluate jet pump OPERABILITY.ACTIONSA.1An inoperable jet pump can increase the blowdown area and reducethe capability of reflooding during a design basis LOCA. If one or more of the jet pumps are inoperable, the plant must be brought to aMODE in which the LCO does not apply. To achieve this status, theplant must be brought to MODE 3 within 12 hours. The CompletionTime of 12 hours is reasonable, based on operating experience, toreach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. Jet PumpsB 3.4.2(continued)HATCH UNIT 1B 3.4-8REVISION 0BASES (continued)SURVEILLANCESR 3.4.2.1REQUIREMENTSThis SR is designed to detect significant degradation in jet pumpperformance that precedes jet pump failure (Ref. 2). This SR isrequired to be performed only when the loop has forced recirculation flow since surveillance checks and measurements can only beperformed during jet pump operation. The jet pump failure of concernis a complete mixer displacement due to jet pump beam failure. Jetpump plugging is also of concern since it adds flow resistance to therecirculation loop. Significant degradation is indicated if the specifiedcriteria confirm unacceptable deviations from established patterns orrelationships. The allowable deviations from the established patterns have been developed based on the variations experienced at plantsduring normal operation and with jet pump assembly failures (Refs. 2and 3). Each recirculation loop must satisfy one of the performancecriteria provided. Since refueling activities (fuel assemblyreplacement or shuffle, as well as any modifications to fuel support orifice size or core plate bypass flow) can affect the relationshipbetween core flow, jet pump flow, and recirculation loop flow, theserelationships may need to be re-established each cycle. Similarly,initial entry into extended single loop operation may also requireestablishment of these relationships. During the initial weeks of operation under such conditions, while base-lining new "establishedpatterns", engineering judgement of the daily surveillance results isused to detect significant abnormalities which could indicate a jetpump failure.The recirculation pump speed operating characteristics (pump flowand loop flow versus pump speed) are determined by the flowresistance from the loop suction through the jet pump nozzles. Achange in the relationship indicates a plug, flow restriction, loss inpump hydraulic performance, leakage, or new flow path between the recirculation pump discharge and jet pump nozzle. For this criterion,the pump flow and loop flow versus pump speed relationship must beverified.Individual jet pumps in a recirculation loop normally do not have thesame flow. The unequal flow is due to the drive flow manifold, whichdoes not distribute flow equally to all risers. The flow (or jet pump diffuser to lower plenum differential pressure) pattern or relationship ofone jet pump to the loop average is repeatable. An appreciablechange in this relationship is an indication that increased (or reduced)resistance has occurred in one of the jet pumps. Jet PumpsB 3.4.2HATCH UNIT 1B 3.4-9REVISION 0BASESSURVEILLANCESR 3.4.2.1 (continued)REQUIREMENTSThe deviations from normal are considered indicative of a potentialproblem in the recirculation drive flow or jet pump system (Ref. 2).Normal flow ranges and established jet pump flow and differential pressure patterns are established by plotting historical data asdiscussed in Reference 2.The 24 hour Frequency has been shown by operating experience tobe timely for detecting jet pump degradation and is consistent with theSurveillance Frequency for recirculation loop OPERABILITYverification.This SR is modified by two Notes. Note 1 allows this Surveillance notto be performed until 4 hours after the associated recirculation loop isin operation, since these checks can only be performed during jetpump operation. The 4 hours is an acceptable time to establish conditions appropriate for data collection and evaluation.Note 2 allows this SR not to be performed when THERMAL POWERis 25% of RTP and not until 24 hours after exceeding 25% RTP.During low flow conditions, jet pump noise approaches the thresholdresponse of the associated flow instrumentation and precludes thecollection of repeatable and meaningful data. The 24 hours is anacceptable time to establish conditions appropriate to perform this SR.REFERENCES1.NEDC-31376P, "E.I. Hatch Nuclear Plant Units 1 and 2SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," December 1986.2.GE Service Information Letter No. 330, "Jet Pump BeamCracks," June 9, 1990.3.NUREG/CR-3052, "Closeout of IE Bulletin 80-07: BWR JetPump Assembly Failure," November 1984.4.NRC No. 93-102, "Final Policy Statement on TechnicalSpecification Improvements," July 23, 1993.

RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 1 B 3.4-13 REVISION 0 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.4 RCS Operational LEAKAGE

BASES BACKGROUND The RCS includes systems and components that contain or transport the coolant to or from the reactor core. The pressure containing components of the RCS and the portions of connecting systems out to and including the isolation valves define the reactor coolant pressure boundary (RCPB). The joints of the RCPB components are welded or bolted. During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. Limits on RCS operational LEAKAGE are required to ensure appropriate action is taken before the integrity of the RCPB is impaired. This LCO specifies the types and limits of LEAKAGE. This protects the RCS pressure boundary described in 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (Refs. 1, 2, and 3). The safety significance of RCS LEAKAGE from the RCPB varies widely depending on the source, rate, and duration. Therefore, detection of LEAKAGE in the primary containment is necessary. Methods for quickly separating the identified LEAKAGE from the unidentified LEAKAGE are necessary to provide the operators quantitative information to permit them to take corrective action should a leak occur that is detrimental to the safety of the facility or the public. A limited amount of leakage inside primary containment is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from these systems should be detected and isolated from the primary containment atmosphere, if possible, so as not to mask RCS operational LEAKAGE detection. This LCO deals with protection of the RCPB from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident.

APPLICABLE The allowable RCS operational LEAKAGE limits are based on the SAFETY ANALYSES predicted and experimentally observed behavior of pipe cracks. The normally expected background LEAKAGE due to equipment design RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 1 B 3.4-14 REVISION 59 BASES APPLICABLE and the detection capability of the instrumentation for determining SAFETY ANALYSES system LEAKAGE were also considered. The evidence from (continued) experiments suggests that, for LEAKAGE even greater than the specified unidentified LEAKAGE limits, the probability is small that the imperfection or crack associated with such LEAKAGE would grow rapidly. The unidentified LEAKAGE flow limit allows time for corrective action before the RCPB could be significantly compromised. The 5 gpm limit is a small fraction of the calculated flow from a critical crack in the primary system piping. Crack behavior from experimental programs (Refs. 4 and 5) shows that leakage rates of hundreds of gallons per minute will precede crack instability (Ref. 6). The low limit on increase in unidentified LEAKAGE assumes a failure mechanism of intergranular stress corrosion cracking (IGSCC) that produces tight cracks. This flow increase limit is capable of providing an early warning of such deterioration. No applicable safety analysis assumes the total LEAKAGE limit. The total LEAKAGE limit considers RCS inventory makeup capability and drywell floor sump capacity. RCS operational LEAKAGE satisfies Criterion 2 of the NRC Policy Statement (Ref. 9). LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material degradation. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

b. Unidentified LEAKAGE The 5 gpm of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and drywell sump level monitoring equipment can RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 1 B 3.4-15 REVISION 0 BASES LCO b. Unidentified LEAKAGE (continued) detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB.

c. Total LEAKAGE The total LEAKAGE limit is based on a reasonable minimum detectable amount. The limit also accounts for LEAKAGE from known sources (identified LEAKAGE). Violation of this LCO indicates an unexpected amount of LEAKAGE and, therefore, could indicate new or additional degradation in an RCPB component or system. d. Unidentified LEAKAGE Increase An unidentified LEAKAGE increase of > 2 gpm within the previous 24 hour period indicates a potential flaw in the RCPB and must be quickly evaluated to determine the source and extent of the LEAKAGE. The increase is measured relative to the steady state value; temporary changes in LEAKAGE rate as a result of transient conditions (e.g., startup) are not considered. As such, the 2 gpm increase limit is only applicable in MODE 1 when operating pressures and temperatures are established. Violation of this LCO could result in continued degradation of the RCPB. APPLICABILITY In MODES 1, 2, and 3, the RCS operational LEAKAGE LCO applies, because the potential for RCPB LEAKAGE is greatest when the reactor is pressurized.

In MODES 4 and 5, RCS operational LEAKAGE limits are not required since the reactor is not pressurized and stresses in the RCPB materials and potential for LEAKAGE are reduced.

ACTIONS A.1 With RCS unidentified or total LEAKAGE greater than the limits, actions must be taken to reduce the leak. Because the LEAKAGE limits are conservatively below the LEAKAGE that would constitute a critical crack size, 4 hours is allowed to reduce the LEAKAGE rates before the reactor must be shut down. If an unidentified LEAKAGE RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 1 B 3.4-16 REVISION 69 BASES ACTIONS A.1 (continued) has been identified and quantified, it may be reclassified and considered as identified LEAKAGE; however, the total LEAKAGE would remain unchanged. The total LEAKAGE must be averaged over the previous 24 hours for comparison to the limit.

B.1 An unidentified LEAKAGE increase of > 2 gpm within a 24 hour period is an indication of a potential flaw in the RCPB and must be quickly evaluated. Although the increase does not necessarily violate the absolute unidentified LEAKAGE limit, certain susceptible components must be determined not to be the source of the LEAKAGE increase within the required Completion Time. The 4 hour Completion Time is reasonable to properly reduce the LEAKAGE increase before the reactor must be shut down without unduly jeopardizing plant safety.

C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B is not met or if pressure boundary LEAKAGE exists, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant safety systems. SURVEILLANCE SR 3.4.4.1 REQUIREMENTS The RCS LEAKAGE is monitored by a variety of instruments designed to provide alarms when LEAKAGE is indicated and to quantify the various types of LEAKAGE. Leakage detection instrumentation is discussed in more detail in the Bases for LCO 3.4.5, "RCS Leakage Detection Instrumentation." Sump level and flow rate are typically monitored to determine actual LEAKAGE rates; however, any method may be used to quantify LEAKAGE within the guidelines of Reference 7. The Surveillance Frequency is controlled under the RCS Operational LEAKAGE B 3.4.4 HATCH UNIT 1 B 3.4-17 REVISION 69 BASES SURVEILLANCE SR 3.4.4.1 (continued) REQUIREMENTS Surveillance Frequency Control Program. The identified portion of the total LEAKAGE is usually determined by the drywell equipment drain sump monitoring system which collect expected leakage not indicative of a degraded RCS boundary. The system equipment and operation is identical to that of the drywell floor drain monitoring system described in the Bases for LCO 3.4.5, "RCS Leakage Detection Instrumentation." If a contributor to the unidentified LEAKAGE has been identified and quantified, it may be reclassified and considered as identified LEAKAGE. REFERENCES 1. 10 CFR 50.2.

2. 10 CFR 50.55a(c).

3. 10 CFR 50, Appendix A, GDC 55. 4. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968. 5. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors," October 1975. 6. FSAR, Section 4.10.3.2.

7. Regulatory Guide 1.45, May 1973. 8. Not used. 9. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 1 B 3.4-18 REVISION 15 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.5 RCS Leakage Detection Instrumentation

BASES BACKGROUND GDC 30 of 10 CFR 50, Appendix A (Ref. 1), requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Limits on LEAKAGE from the reactor coolant pressure boundary (RCPB) are required so that appropriate action can be taken before the integrity of the RCPB is impaired. Leakage detection systems for the RCS are provided to alert the operators when leakage rates above normal background levels are detected and also to supply quantitative measurement of leakage rates. The Bases for LCO 3.4.4, "RCS Operational LEAKAGE," discuss the limits on RCS LEAKAGE rates. Systems for separating the LEAKAGE of an identified source from an unidentified source are necessary to provide prompt and quantitative information to the operators to permit them to take immediate corrective action. LEAKAGE from the RCPB inside the drywell is detected by at least one of two or three independently monitored variables, such as sump level changes and drywell gaseous and particulate radioactivity levels. The primary means of quantifying LEAKAGE in the drywell is the drywell floor drain sump monitoring system. The drywell floor drain sump monitoring system monitors the LEAKAGE collected in the floor drain sump. This unidentified LEAKAGE consists of LEAKAGE from control rod drives, valve flanges or packings, floor drains, closed cooling water, and drywell air cooling unit condensate drains, and any LEAKAGE not collected in the drywell equipment drain sump. The floor drain sump level indicators have switches that start and stop the sump pumps when required. (The level indicators also provide a floor drain sump high level alarm in the control room.) One timer starts when a sump pump starts on high level, and another timer starts each time the sump is pumped down to the low level setpoint. If the pump does not stop on low level before the first timer ends or the sump fills to the high level setpoint before the second timer ends, an alarm sounds in the control room, indicating a LEAKAGE rate into the sump in excess of a preset limit. RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 1 B 3.4-19 REVISION 15 BASES BACKGROUND A flow indicator in the discharge line of the drywell floor drain sump (continued) pumps provides flow indication in the control room, thereby allowing the LEAKAGE rate to be quantified. Alternate means for quantifying the LEAKAGE rate may be used. The pumps can also be started from the control room. The primary containment air monitoring systems (particulate, noble gas, and iodine) continuously monitor the primary containment atmosphere for airborne particulate and gaseous radioactivity. A sudden increase of radioactivity, which may be attributed to RCPB steam or reactor water LEAKAGE, is annunciated in the control room. The primary containment atmosphere particulate and gaseous radioactivity monitoring systems are not capable of quantifying LEAKAGE rates, but are sensitive enough to indicate increased LEAKAGE rates. Larger changes in LEAKAGE rates are detected in shorter times (Ref. 2). APPLICABLE A threat of significant compromise to the RCPB exists if the barrier SAFETY ANALYSES contains a crack that is large enough to propagate rapidly. LEAKAGE rate limits are set low enough to detect the LEAKAGE emitted from a single crack in the RCPB (Refs. 3 and 4). Each of the leakage detection systems inside the drywell is designed with the capability of detecting LEAKAGE less than the established LEAKAGE rate limits and providing appropriate alarm of excess LEAKAGE in the control room. A control room alarm allows the operators to evaluate the significance of the indicated LEAKAGE and, if necessary, shut down the reactor for further investigation and corrective action. The allowed LEAKAGE rates are well below the rates predicted for critical crack sizes (Ref. 5). Therefore, these actions provide adequate response before a significant break in the RCPB can occur. RCS leakage detection instrumentation satisfies Criterion 1 of the NRC Policy Statement (Ref. 7). LCO The drywell floor drain sump monitoring system is required to alarm in the control room, as well as quantify the unidentified LEAKAGE from the RCS. For the system to be considered OPERABLE, one of the two sump level monitoring portions of the system must be OPERABLE. Upon receipt of an alarm from the sump level monitoring instrumentation, the unidentified LEAKAGE rate can be RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 1 B 3.4-20 REVISION 55 BASES LCO quantified by either the normal flow monitoring instrumentation or (continued) alternate means. Therefore, the normal flow monitoring portion of the system need not be OPERABLE for the drywell floor drain sump monitoring system to be considered OPERABLE. The other monitoring systems (particulate, noble gas, or iodine air monitoring systems) provide early alarms to the operators so closer examination of other detection systems will be made to determine the extent of any corrective action that may be required. With the leakage detection systems inoperable, monitoring for LEAKAGE in the RCPB is degraded. APPLICABILITY In MODES 1, 2, and 3, leakage detection systems are required to be OPERABLE to support LCO 3.4.4. This Applicability is consistent with that for LCO 3.4.4. ACTIONS A.1 With the drywell floor drain sump monitoring system inoperable, no other form of sampling can provide the equivalent information to quantify leakage. However, the primary containment atmospheric activity monitor will provide indication of changes in leakage. With the drywell floor drain sump monitoring system inoperable, but with RCS unidentified and total LEAKAGE being determined every 12 hours (SR 3.4.4.1), operation may continue for 30 days. The 30 day Completion Time of Required Action A.1 is acceptable, based on operating experience, considering the multiple forms of leakage detection that are still available. Acceptable methods for quantifying both identified and unidentified LEAKAGE include but are not limited to the following:

1) With a drifting sump monitoring system integrator, the sump can be manually pumped down with integrator readings taken before and after pumpdown. The difference in readings determines total gallons pumped. Using time elapsed since last pumpdown, sump inleakage rate can be calculated; and RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 1 B 3.4-21 REVISION 49 BASES ACTIONS A.1 (continued)

2) With an inoperable sump monitoring system integrator, the sump can be manually pumped down and the time for pumpdown recorded. Utilizing pump flow rate, total gallons pumped is determined. Using time elapsed since last pumpdown, sump inleakage rate can be calculated.

B.1 and B.2 With both gaseous and particulate primary containment atmospheric monitoring channels inoperable (i.e., the required containment atmospheric monitoring system), grab samples of the primary containment atmosphere must be taken and an isotopic analysis performed to provide periodic leakage information. Provided a sample is obtained and analyzed once every 12 hours, the plant may be operated for up to 30 days to allow restoration of at least one of the required monitors. The 12 hour interval provides periodic information that is adequate to detect LEAKAGE. The 30 day Completion Time for restoration recognizes that at least one other form of leakage detection is available. C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to perform the actions in an orderly manner and without challenging plant systems. RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 1 B 3.4-22 REVISION 69 BASES ACTIONS D.1 (continued) With all required monitors inoperable, no required automatic means of monitoring LEAKAGE are available, and immediate plant shutdown in accordance with LCO 3.0.3 is required. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required instrumentation (either the drywell floor drain sump monitoring system or the primary containment atmospheric monitoring channel, as applicable) is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The Note is based upon a NRC Safety Evaluation Report (Ref. 6) which concluded that the 6 hour testing allowance does not significantly reduce the probability of detecting an unidentified LEAKAGE when necessary.

SR 3.4.5.1 This SR is for the performance of a CHANNEL CHECK of the required primary containment atmospheric monitoring system. The check gives reasonable confidence that the channel is operating properly. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.4.5.2 This SR is for the performance of a CHANNEL FUNCTIONAL TEST of the required RCS leakage detection instrumentation. The test ensures that the monitors can perform their function in the desired manner. The test also verifies the alarm setpoint and relative accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RCS Leakage Detection Instrumentation B 3.4.5 HATCH UNIT 1 B 3.4-23 REVISION 69 BASES SURVEILLANCE SR 3.4.5.3 REQUIREMENTS (continued) This SR is for the performance of a CHANNEL CALIBRATION of required leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 30.

2. FSAR, Section 4.10.3.4.

3. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968.

4. NUREG-75/067, "Investigation and Evaluation of cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors,"

October 1975. 5. FSAR, Section 4.10.3.2. 6. NRC Safety Evaluation Report for Amendment 185, April 30, 1993. 7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. RCS Specific Activity B 3.4.6 (continued) HATCH UNIT 1 B 3.4-24 REVISION 70 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.6 RCS Specific Activity

BASES BACKGROUND During circulation, the reactor coolant acquires radioactive materials due to release of fission products from fuel leaks into the reactor coolant and activation of corrosion products in the reactor coolant. These radioactive materials in the reactor coolant can plate out in the RCS, and, at times, an accumulation will break away to spike the normal level of radioactivity. The release of coolant during a Design Basis Accident (DBA) could send radioactive materials into the environment. Limits on the maximum allowable level of radioactivity in the reactor coolant are established to ensure that in the event of a release of any radioactive material to the environment during a DBA, radiation doses are maintained within the limits of 10 CFR 50.67 (Ref. 1). This LCO contains the iodine specific activity limit. The iodine isotopic activities per gram of reactor coolant are expressed in terms of a DOSE EQUIVALENT I-131. The allowable level is intended to limit offsite doses to a small fraction of the 10 CFR 50.67 limits. APPLICABLE Analytical methods and assumptions involving radioactive material in SAFETY ANALYSES the primary coolant are presented in References 2 and 3. The specific activity in the reactor coolant (the source term) is an initial condition for evaluation of the consequences of an accident due to a main steam line break (MSLB) outside containment. No fuel damage is postulated in the MSLB accident, and the release of radioactive material to the environment is assumed to end when the main steam isolation valves (MSIVs) close completely. This MSLB release forms the basis for determining offsite doses (Refs. 2 and 3). The limits on the specific activity of the primary coolant ensure that offsite doses resulting from an MSLB outside containment during steady state operation, will be a small fraction of the dose guidelines of 10 CFR 50.67. The limits on specific activity are values from a parametric evaluation of typical site locations. These limits are conservative because the evaluation considered more restrictive parameters than for a specific RCS Specific Activity B 3.4.6 (continued) HATCH UNIT 1 B 3.4-25 REVISION 70 BASES APPLICABLE site, such as the location of the site boundary and the meteorological SAFETY ANALYSES conditions of the site.

(continued)

RCS specific activity satisfies Criterion 2 of the NRC Policy Statement (Ref. 4). LCO The specific iodine activity is limited to 0.2 µCi/gm DOSE EQUIVALENT I-131. This limit ensures the source term assumed in the safety analysis for the MSLB is not exceeded, so any release of radioactivity to the environment during an MSLB is a small fraction of the 10 CFR 50.67 limits.

APPLICABILITY In MODE 1, and MODES 2 and 3 with any main steam line not isolated, limits on the primary coolant radioactivity are applicable since there is an escape path for release of radioactive material from the primary coolant to the environment in the event of an MSLB outside of primary containment. In MODES 2 and 3 with the main steam lines isolated, such limits do not apply since an escape path does not exist. In MODES 4 and 5, no limits are required since the reactor is not pressurized and the potential for leakage is reduced.

ACTIONS A.1 and A.2 When the reactor coolant specific activity exceeds the LCO DOSE EQUIVALENT I-131 limit, but is 2.0 µCi/gm, samples must be analyzed for DOSE EQUIVALENT I-131 at least once every 4 hours. In addition, the specific activity must be restored to the LCO limit within 48 hours. The Completion Time of once every 4 hours is based on the time needed to take and analyze a sample. The 48 hour Completion Time to restore the activity level provides a reasonable time for temporary coolant activity increases (iodine spikes or crud bursts) to be cleaned up with the normal processing systems. A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODE(S) while relying on the ACTIONS. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low RCS Specific Activity B 3.4.6 (continued) HATCH UNIT 1 B 3.4-26 REVISION 70 BASES ACTIONS A.1 and A.2 (continued) probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the plant remains at, or proceeds to power operation. B.1, B.2.1, B.2.2.1, and B.2.2.2 If the DOSE EQUIVALENT I-131 cannot be restored to 0.2 µCi/gm within 48 hours, or if at any time it is > 2.0 µCi/gm, it must be determined at least once every 4 hours and all the main steam lines must be isolated within 12 hours. Isolating the main steam lines precludes the possibility of releasing radioactive material to the environment in an amount that is more than a small fraction of the requirements of 10 CFR 50.67 during a postulated MSLB accident. Alternatively, the plant can be placed in MODE 3 within 12 hours and in MODE 4 within 36 hours. This option is provided for those instances when isolation of main steam lines is not desired (e.g., due to the decay heat loads). In MODE 4, the requirements of the LCO are no longer applicable. The Completion Time of once every 4 hours is the time needed to take and analyze a sample. The 12 hour Completion Time is reasonable, based on operating experience, to isolate the main steam lines in an orderly manner and without challenging plant systems. Also, the allowed Completion Times for Required Actions B.2.2.1 and B.2.2.2 for placing the unit in MODES 3 and 4 are reasonable, based on operating experience, to achieve the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SR 3.4.6.1 This Surveillance is performed to ensure iodine remains within limit during normal operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that requires this Surveillance to be performed only in MODE 1 because the level of fission products generated in other MODES is much less. RCS Specific Activity B 3.4.6 HATCH UNIT 1 B 3.4-27 REVISION 70 BASES (continued) REFERENCES 1. 10 CFR 50.67.

2. FSAR, Section 14.4.5.

3. NEDE-24011-P-A-9-US, "GE Standard Application for Reactor Fuel," Supplement for United States, September 1988. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 1 B 3.4-28 REVISION 15 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown

BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to reduce the temperature of the reactor coolant to 212°F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Hot Shutdown condition. The two redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System [LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System"]. APPLICABLE Decay heat removal by operation of the RHR System in the shutdown SAFETY ANALYSES cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement (Ref. 1). LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump and the associated heat exchanger, piping and valves which can provide the capability to reduce and maintain the reactor coolant temperature to < 212°F. Additionally, it should be noted that the Residual Heat Removal Service Water (RHRSW) System is a support system for the RHR shutdown cooling function. Two OPERABLE RHRSW system pumps are required per heat exchanger to transfer the heat necessary to reduce and maintain reactor coolant temperature to < 212°F. Calculations performed at extended power uprate conditions show that reactor coolant temperature can be RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 1 B 3.4-29 REVISION 15 BASES LCO decreased to < 212°F within the time limit specified in Regulatory (continued) Guide 1.139, "Guidance for Residual Heat Removal," assuming two RHRSW System pumps are in operation. OPERABILITY requirements for the RHRSW System in Mode 3 are addressed by LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System." The two required RHR shutdown cooling subsystems have a common suction source and are allowed to have a common heat exchanger and common discharge piping. Since the piping and heat exchangers are passive components that are assumed not to fail, they are allowed to be common to both required subsystems. Thus, to meet the LCO, both RHR pumps in one loop or one RHR pump in each of the two loops must be OPERABLE. If the two required subsystems consist of an RHR pump in each loop, both heat exchangers, each with two OPERABLE RHRSW System pumps supplying cooling water, are required since one heat exchanger will not be common to both subsystems. Each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 3, one RHR shutdown cooling subsystem can provide the required cooling (sufficient to reduce and maintain reactor coolant temperature < 212°F), but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. In MODE 3, the RHR cross tie valve (1E11-F010) may not be opened (per LCO 3.5.1) to allow pumps in one loop to discharge through the opposite recirculation loop. Note 1 permits both RHR shutdown cooling subsystems and recirculation pumps to be shut down for a period of 2 hours in an 8 hour period. Note 2 allows one RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 1 B 3.4-30 REVISION 15 BASES LCO other associated Condition). For example, an operating RHR (continued) shutdown cooling subsystem can be removed from operation, yet remain OPERABLE for the decay heat removal function. (Manual alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2).

APPLICABILITY In MODE 3 with reactor steam dome pressure below the RHR low pressure permissive pressure (i.e., the actual pressure at which the interlock resets) the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to reduce or maintain coolant temperature. Otherwise, a recirculation pump is required to be in operation. In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to the RHR low pressure permissive pressure, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the RCS pressure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures greater than or equal to the RHR low pressure permissive pressure is typically accomplished by condensing the steam in the main condenser. Additionally, in MODE 2 below this pressure, the OPERABILITY requirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, "ECCS - Operating") do not allow placing the RHR shutdown cooling subsystem into operation. The requirements for decay heat removal in MODES 4 and 5 are discussed in LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown"; LCO 3.9.7, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.8, "Residual Heat Removal (RHR) - Low Water Level." RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 1 B 3.4-31 REVISION 49 BASES (continued) ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem.

A.1, A.2, and A.3 With one required RHR shutdown cooling subsystem inoperable for decay heat removal, except as permitted by LCO Note 2, the inoperable subsystem must be restored to OPERABLE status without delay. In this condition, the remaining OPERABLE subsystem can provide the necessary decay heat removal. The overall reliability is reduced, however, because a single failure in the OPERABLE subsystem could result in reduced RHR shutdown cooling capability. Therefore, an alternate method of decay heat removal must be provided. With both RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam Systems and the Reactor Water Cleanup System. RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 1 B 3.4-32 REVISION 69 BASES ACTIONS A.1, A.2, and A.3 (continued) However, due to the potentially reduced reliability of the alternate methods of decay heat removal, it is also required to reduce the reactor coolant temperature to the point where MODE 4 is entered. B.1, B.2, and B.3 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, reactor coolant circulation by the RHR shutdown cooling subsystem or recirculation pump must be restored without delay. Until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The 1 hour Completion Time is based on the coolant circulation function and is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours thereafter. This will provide assurance of continued temperature monitoring capability. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate.

SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This Surveillance verifies that one RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 HATCH UNIT 1 B 3.4-33 REVISION 49 BASES SURVEILLANCE SR 3.4.7.1 (continued) REQUIREMENTS This Surveillance is modified by a Note allowing sufficient time to align the RHR System for shutdown cooling operation after clearing the pressure interlock that isolates the system, or for placing a recirculation pump in operation. The Note takes exception to the requirements of the Surveillance being met (i.e., forced coolant circulation is not required for this initial 2 hour period), which also allows entry into the Applicability of this Specification in accordance with SR 3.0.4 since the Surveillance will not be "not met" at the time of entry into the Applicability. REFERENCES 1. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 1 B 3.4-34 REVISION 1 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown

BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to maintain the temperature of the reactor coolant 212°F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Cold Shutdown condition. The two redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHRSW System. APPLICABLE Decay heat removal by operation of the RHR System in the shutdown SAFETY ANALYSES cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement (Ref. 1). LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one RHR shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump and the associated heat exchanger, one RHRSW pump providing cooling to the heat exchanger, and the associated piping and valves which can provide the capability to maintain the reactor coolant temperature < 212°F. The two required RHR shutdown cooling subsystems have a common suction source and are allowed to have a common heat exchanger and common discharge piping. Since the piping and heat exchangers are passive components that are assumed not to fail, they are allowed to be common to both required subsystems. Thus, to meet the LCO, both RHR pumps in one loop or one RHR pump in each of the two RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 1 B 3.4-35 REVISION 1 BASES LCO loops must be OPERABLE. If the two required subsystems consist of (continued) an RHR pump in each loop, both heat exchangers are required since one heat exchanger will not be common to both subsystems. In MODE 4, the RHR cross tie valve (1E11-F010) may be opened (per LCO 3.5.2) to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. Similarly, to meet the LCO, the cooling supply for the heat exchanger(s) requires two RHRSW pumps (either one pump in each RHRSW loop or two pumps in one RHRSW loop). With one RHR heat exchanger common to both RHR shutdown cooling subsystems, each RHRSW pump is required to be capable of providing cooling to that heat exchanger (Note: the RHRSW cross tie valves may be open to allow the RHRSW pump(s) in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem.), or with both heat exchangers required, each heat exchanger is required to have an RHRSW pump capable of providing coolant to that heat exchanger. Additionally, each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 4, one RHR shutdown cooling subsystem can provide the required cooling (sufficient to maintain reactor coolant temperature < 212°F), but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. Note 1 permits both RHR shutdown cooling subsystems and recirculation pumps to be shut down for a period of 2 hours in an 8 hour period. Note 2 allows one RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the other associated Condition). For example, an operating RHR RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 1 B 3.4-36 REVISION 1 BASES LCO shutdown cooling subsystem can be removed from operation, yet (continued) remain OPERABLE for the decay heat removal function. (Manual alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2). APPLICABILITY In MODE 4, the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to maintain coolant temperature below 212°F. Otherwise, a recirculation pump is required to be in operation. In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to the RHR low pressure permissive pressure, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the RCS pressure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures greater than or equal to the RHR low pressure permissive pressure is typically accomplished by condensing the steam in the main condenser. Additionally, in MODE 2 below this pressure, the OPERABILITY requirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, "ECCS - Operating") do not allow placing the RHR shutdown cooling subsystem into operation. The requirements for decay heat removal in MODE 3 below the RHR low pressure permissive pressure and in MODE 5 are discussed in LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown"; LCO 3.9.7, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.8, "Residual Heat Removal (RHR) - Low Water Level." ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 1 B 3.4-37 REVISION 1 BASES ACTIONS discovered to be inoperable or not within limits, will not result in (continued) separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem.

A.1 With one of the two required RHR shutdown cooling subsystems inoperable, except as permitted by LCO Note 2, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will provide assurance of continued heat removal capability. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam Systems (feed and bleed) and the Reactor Water Cleanup System.

B.1 and B.2 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, and until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The 1 hour Completion Time is based on the coolant circulation RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 HATCH UNIT 1 B 3.4-38 REVISION 69 BASES ACTIONS B.1 and B.2 (continued) function and is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours thereafter. This will provide assurance of continued temperature monitoring capability. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This Surveillance verifies that one RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RCS P/T Limits B 3.4.9 (continued) HATCH UNIT 1 B 3.4-42 REVISION 12 BASES LCO Violation of the limits places the reactor vessel outside of the bounds (continued) of the stress analyses and can increase stresses in other RCS components. The consequences depend on several factors, as follows:

a. The severity of the departure from the allowable operating pressure temperature regime or the severity of the rate of change of temperature; b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and

c. The existences, sizes, and orientations of flaws in the vessel material. APPLICABILITY The potential for violating a P/T limit exists at all times. For example, P/T limit violations could result from ambient temperature conditions that result in the reactor vessel metal temperature being less than the minimum allowed temperature for boltup. Therefore, this LCO is applicable even when fuel is not loaded in the core. ACTIONS A.1 and A.2 Operation outside the P/T limits while in MODES 1, 2, and 3 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed if continued operation is desired. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. RCS P/T Limits B 3.4.9 (continued) HATCH UNIT 1 B 3.4-43 REVISION 12 BASES ACTIONS A.1 and A.2 (continued) The 72 hour Completion Time is reasonable to accomplish the evaluation of a mild violation. More severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed if continued operation is desired. Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity. B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the plant must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With the reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased. Pressure and temperature are reduced by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 Operation outside the P/T limits in other than MODES 1, 2, and 3 (including defueled conditions) must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The Required Action must be initiated without delay and continued until the limits are restored. Besides restoring the P/T limit parameters to within limits, an evaluation is required to determine if RCS operation is allowed. This evaluation must verify that the RCPB integrity is acceptable and must

RCS P/T Limits B 3.4.9 (continued) HATCH UNIT 1 B 3.4-45 REVISION 23 BASES SURVEILLANCE SR 3.4.9.2 (continued) REQUIREMENTS Performing the Surveillance within 15 minutes prior to initial control rod withdrawal for the purpose of achieving criticality provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time criticality is achieved. This SR, for clarity, is modified by a Note stating that it is only required to be met when the reactor is critical and immediately prior to control rod withdrawal for the purpose of achieving criticality. SR 3.4.9.3 and SR 3.4.9.4 Differential temperatures within the applicable limits ensure that thermal stresses resulting from the startup of an idle recirculation pump will not exceed design allowances. In addition, compliance with these limits ensures that the assumptions of the analysis for the startup of an idle recirculation loop (Ref. 7) are satisfied. The limit provided in SR 3.4.9.4 is also part of the basis for fuel thermal limits (Ref. 13). Performing the Surveillance within 15 minutes before starting the idle recirculation pump provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the idle pump start. If the 145°F temperature differential specified in SR 3.4.9.3 cannot be determined by direct indication, an alternate method may be used as described below: The differential between the bottom head coolant temperature and the RPV coolant can be assumed to be 145°F if the following can be confirmed: a. One or more loop drive flows were > 40% of rated flow prior to the RPT,

b. High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) Systems have not injected since the RPT,

c. Feedwater temperature has remained > 300°F since the RPT, and

d. The time between the RPT and restart is < 30 minutes.

RCS P/T Limits B 3.4.9 (continued) HATCH UNIT 1 B 3.4-46 REVISION 69 BASES SURVEILLANCE SR 3.4.9.3 and SR 3.4.9.4 (continued) REQUIREMENTS General Electric test data from BWR plants shows that stratification up to the 145°F differential does not occur any sooner than 1 hour following the RPT (Refs. 10 and 11). Adding HPCI and RCIC injection, and feedwater temperature constraints provides assurance that the temperature differential will not be exceeded within 30 minutes of the RPT. An acceptable means of demonstrating compliance with the temperature differential requirement in SR 3.4.9.4 is to compare the temperatures of the operating recirculation loop and the idle loop. SR 3.4.9.3 and SR 3.4.9.4 have been modified by a Note that requires the Surveillance to be performed only in MODES 1, 2, 3, and 4. In MODE 5, the overall stress on limiting components is lower. Therefore, T limits are not required. SR 3.4.9.5 and SR 3.4.9.6 Limits on the reactor vessel flange and head flange temperatures are generally bounded by the other P/T limits during system heatup and cooldown. However, operations approaching MODE 4 from MODE 5 and in MODE 4 with RCS temperature less than or equal to certain specified values require assurance that these temperatures meet the LCO limits. The flange temperatures must be verified to be above the limits once within 30 minutes before and in accordance with the Frequency contained in the Surveillance Frequency Control Program thereafter while tensioning the vessel head bolting studs to ensure that once the head is tensioned the limits are satisfied. Verification of flange temperatures is also required while detensioning is in progress until all reactor vessel head bolts are completely detensioned. (The head is considered tensioned if one or more bolts are partly or completely tensioned.) When in MODE 4 with RCS temperature 86°F, the flange temperatures are required to be verified once within 30 minutes, and in accordance with the Surveillance Frequency Control Program thereafter because of the reduced margin to the limits. When in MODE 4 with RCS temperature 106°F, monitoring of the flange temperature is required once within 12 hours and in accordance with the Frequency of the Surveillance Frequency Control Program to ensure the temperature is within the limits specified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Reactor Steam Dome Pressure B 3.4.10 (continued) HATCH UNIT 1 B 3.4-49 REVISION 23 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.10 Reactor Steam Dome Pressure

BASES BACKGROUND The reactor steam dome pressure is an assumed value in the determination of compliance with reactor pressure vessel overpressure protection criteria and is also an assumed initial condition of design basis accidents and transients.

APPLICABLE The reactor steam dome pressure of 1058 psig is an initial condition SAFETY ANALYSES of the vessel overpressure protection analysis of Reference 1. This analysis assumes an initial maximum reactor steam dome pressure and evaluates the response of the pressure relief system, primarily the safety/relief valves, during the limiting pressurization transient. The determination of compliance with the overpressure criteria is dependent on the initial reactor steam dome pressure; therefore, the limit on this pressure ensures that the assumptions of the overpressure protection analysis are conserved. Reference 2 also assumes an initial reactor steam dome pressure for the analysis of design basis accidents and transients used to determine the limits for fuel cladding integrity [see Bases for LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"] and 1% cladding plastic strain [see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"]. Reactor steam dome pressure satisfies the requirements of Criterion 2 of the NRC Policy Statement (Ref. 3). LCO The specified reactor steam dome pressure limit of 1058 psig ensures the plant is operated within the assumptions of the overpressure protection analysis. Operation above the limit may result in a response more severe than analyzed. APPLICABILITY In MODES 1 and 2, the reactor steam dome pressure is required to be less than or equal to the limit. In these MODES, the reactor may be generating significant steam and events which may challenge the overpressure limits are possible. Reactor Steam Dome Pressure B 3.4.10 HATCH UNIT 1 B 3.4-50 REVISION 69 BASES APPLICABILITY In MODES 3, 4, and 5, the limit is not applicable because the reactor (continued) is shut down. In these MODES, the reactor pressure is well below the required limit, and no anticipated events will challenge the overpressure limits.

ACTIONS A.1 With the reactor steam dome pressure greater than the limit, prompt action should be taken to reduce pressure to below the limit and return the reactor to operation within the bounds of the analyses. The 15 minute Completion Time is reasonable considering the importance of maintaining the pressure within limits. This Completion Time also ensures that the probability of an accident occurring while pressure is greater than the limit is minimized.

B.1 If the reactor steam dome pressure cannot be restored to within the limit within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.4.10.1 REQUIREMENTS Verification that reactor steam dome pressure is 1058 psig ensures that the initial conditions of the vessel overpressure protection analysis is met. The Surveillance Frequency is controlled under the Surveillance Frequency Control Progam. REFERENCES 1. FSAR, Appendix M. 2. FSAR, Section 14.3.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-1 REVISION 0 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM

B 3.5.1 ECCS - Operating BASES BACKGROUND The ECCS is designed, in conjunction with the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during a LOCA. The ECCS network consists of the High Pressure Coolant Injection (HPCI) System, the Core Spray (CS) System, the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System, and the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of providing a source of water for the HPCI and CS Systems. On receipt of an initiation signal, ECCS pumps automatically start. Simultaneously, the system aligns and the pumps inject water, taken either from the CST or suppression pool, into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps. Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed. The HPCI pump discharge pressure almost immediately exceeds that of the RCS, and the pump injects coolant into the vessel to cool the core. If the break is small, the HPCI System will maintain coolant inventory as well as vessel level while the RCS is still pressurized. If HPCI fails, it is backed up by ADS in combination with LPCI and CS. In this event, the ADS timed sequence could be allowed to time out and open the selected safety/relief valves (S/RVs) depressurizing the RCS, thus allowing LPCI and CS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly and the LPCI and CS cool the core. Water from the break returns to the suppression pool where it is used again and again. Water in the suppression pool may be circulated through a heat exchanger cooled by the RHR Service Water System. Depending on the location and size of the break, portions of the ECCS may be ineffective; however, the overall design is effective in cooling the core regardless of the size or location of the piping break.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-2 REVISION 16 BASES BACKGROUND All ECCS subsystems are designed to ensure that no single active (continued) component failure will prevent automatic initiation and successful operation of the minimum required ECCS equipment. The CS System is composed of two independent subsystems (Ref. 1). Each subsystem consists of a motor driven pump, a spray sparger above the core, and piping and valves to transfer water from the suppression pool to the sparger. The CS System is designed to provide cooling to the reactor core when reactor pressure is low. Upon receipt of an initiation signal, the CS pumps in both subsystems are automatically started when AC power is available. When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water from and to the suppression pool to allow testing of the CS System without spraying water in the RPV. LPCI is an independent operating mode of the RHR System. There are two LPCI subsystems (Ref. 2), each consisting of two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop. The two LPCI subsystems can be interconnected via the RHR System cross tie valve; however, the cross tie valve is maintained closed with its power removed to prevent loss of both LPCI subsystems during a LOCA. The LPCI subsystems are designed to provide core cooling at low RPV pressure. Upon receipt of an initiation signal, all four LPCI pumps are automatically started (all pumps immediately if power is provided by the 1D Startup Auxiliary Transformer (SAT), and if power is provided by the 1C SAT or the DGs, C pump within 1 second after AC power is available, and A, B, and D pumps approximately 10 seconds after AC power is available). RHR System valves in the LPCI flow path are automatically positioned to ensure the proper flow path for water from the suppression pool to inject into the recirculation loops. When the RPV pressure drops sufficiently, the LPCI flow to the RPV, via the corresponding recirculation loop, begins. The water then enters the reactor through the jet pumps. Full flow test lines are provided for the four LPCI pumps to route water from the suppression pool, to allow testing of the LPCI pumps without injecting water into the RPV. These test lines also provide suppression pool cooling capability, as described in LCO 3.6.2.3, "RHR Suppression Pool Cooling." The HPCI System (Ref. 3) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping for the system ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-3 REVISION 0 BASES BACKGROUND is provided from the CST and the suppression pool. Pump suction for (continued) HPCI is normally aligned to the CST source to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low, or if the suppression pool level is high, an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the HPCI System. The steam supply to the HPCI turbine is piped from a main steam line upstream of the associated inboard main steam isolation valve. The HPCI System is designed to provide core cooling for a wide range of reactor pressures (150 psig to 1185 psig). Upon receipt of an initiation signal, the HPCI turbine stop valve and turbine control valve open simultaneously and the turbine accelerates to a specified speed. As the HPCI flow increases, the turbine governor valve is automatically adjusted to maintain design flow. Exhaust steam from the HPCI turbine is discharged to the suppression pool. A full flow test line is provided to route water from and to the CST to allow testing of the HPCI System during normal operation without injecting water into the RPV. The ECCS pumps are provided with minimum flow bypass lines, which discharge to the suppression pool. The valves in these lines automatically open to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, all ECCS pump discharge lines are filled with water. The LPCI and CS System discharge lines are kept full of water using a "keep fill" system (jockey pump system). The HPCI System is normally aligned to the CST. The height of water in the CST is sufficient to maintain the piping full of water up to the first isolation valve. The relative height of the feedwater line connection for HPCI is such that the water in the feedwater lines keeps the remaining portion of the HPCI discharge line full of water. Therefore, HPCI does not require a "keep fill" system. The ADS (Ref. 4) consists of 7 of the 11 S/RVs. It is designed to provide depressurization of the RCS during a small break LOCA if HPCI fails or is unable to maintain required water level in the RPV. ADS operation reduces the RPV pressure to within the operating pressure range of the low pressure ECCS subsystems (CS and LPCI), so that these subsystems can provide coolant inventory makeup. Each of the S/RVs used for automatic depressurization is equipped with one air accumulator and associated inlet check valves. The accumulator provides the pneumatic power to actuate the valves. ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-4 REVISION 13 BASES (continued) APPLICABLE The ECCS performance is evaluated for the entire spectrum of SAFETY ANALYSES break sizes for a postulated LOCA. The accidents for which ECCS operation is required are presented in References 5 and 6. The required analyses and assumptions are defined in Reference 7. The results of these analyses are also described in References 8 and 9. This LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref. 10), will be met following a LOCA, assuming the worst case single active component failure in the ECCS: a. Maximum fuel element cladding temperature is 2200°F; b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation; c. Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d. The core is maintained in a coolable geometry; and e. Adequate long term cooling capability is maintained.

The limiting single failures are discussed in Reference 9. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage. The ECCS satisfy Criteria 3 and 4 of the NRC Policy Statement (Ref. 12). LCO Each ECCS injection/spray subsystem and six of seven ADS valves are required to be OPERABLE. The ECCS injection/spray subsystems are defined as the two CS subsystems, the two LPCI subsystems, and one HPCI System. The low pressure ECCS injection/spray subsystems are defined as the two CS subsystems and the two LPCI subsystems. With less than the required number of ECCS subsystems OPERABLE, the potential exists that during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in Reference 10 could be exceeded. All low pressure ECCS ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-5 REVISION 49 BASES LCO subsystems and ADS must therefore be OPERABLE to satisfy the (continued) single failure criterion required by Reference 10. (Reference 9 takes no credit for HPCI.) HPCI must be OPERABLE due to risk consideration. LPCI subsystems may be considered OPERABLE during alignment and operation for decay heat removal when below the actual RHR low pressure permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. At these low pressures and decay heat levels, a reduced complement of ECCS subsystems should provide the required core cooling, thereby allowing operation of RHR shutdown cooling when necessary.

APPLICABILITY All ECCS subsystems are required to be OPERABLE during MODES 1, 2, and 3, when there is considerable energy in the reactor core and core cooling would be required to prevent fuel damage in the event of a break in the primary system piping. In MODES 2 and 3, when reactor steam dome pressure is 150 psig, ADS and HPCI are not required to be OPERABLE because the low pressure ECCS subsystems can provide sufficient flow below this pressure. ECCS requirements for MODES 4 and 5 are specified in LCO 3.5.2, "ECCS - Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable HPCI subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable HPCI subsystem and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. A.1 If any one low pressure ECCS injection/spray subsystem is inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA. However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not being able to perform its intended safety function. The 7 day Completion Time is ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-6 REVISION 49 BASES ACTIONS A.1 (continued) based on a reliability study (Ref. 11) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (i.e., Completion Times). B.1 and B.2 If the inoperable low pressure ECCS subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 If the HPCI System is inoperable and the RCIC System is verified to be OPERABLE, the HPCI System must be restored to OPERABLE status within 14 days. In this condition, adequate core cooling is ensured by the OPERABILITY of the redundant and diverse low pressure ECCS injection/spray subsystems in conjunction with ADS. Also, the RCIC System will automatically provide makeup water at most reactor operating pressures. Verification of RCIC OPERABILITY within 1 hour is therefore required when HPCI is inoperable. This may be performed as an administrative check by examining logs or other information to determine if RCIC is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate the OPERABILITY of the RCIC System. If the OPERABILITY of the RCIC System cannot be verified, however, Condition E must be immediately entered. If a single active component fails concurrent with a design basis LOCA, there is a potential, depending on the specific failure, that the minimum required ECCS equipment will not be available. A 14 day Completion Time is based on a reliability study cited in Reference 11 and has been found to be acceptable through operating experience. ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-7 REVISION 49 BASES ACTIONS D.1 and D.2 If any one low pressure ECCS injection/spray subsystem is inoperable in addition to an inoperable HPCI System, the inoperable low pressure ECCS injection/spray subsystem or the HPCI System must be restored to OPERABLE status within 72 hours. In this condition, adequate core cooling is ensured by the OPERABILITY of the ADS and the remaining low pressure ECCS subsystems. However, the overall ECCS reliability is significantly reduced because a single failure in one of the remaining OPERABLE subsystems concurrent with a design basis LOCA may result in the ECCS not being able to perform its intended safety function. Since both a high pressure system (HPCI) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours is required to restore either the HPCI System or the low pressure ECCS injection/spray subsystem to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 11 and has been found to be acceptable through operating experience. E.1 and E.2 With one ADS valve inoperable, no action is required, because an analysis demonstrated that the remaining six ADS valves are capable of providing the ADS function, per Reference 13. If any Required Action and associated Completion Time of Condition C or D is not met, or if two or more ADS valves are inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to 150 psig within 36 hours. Entry into MODE 3 is not required if the reduction in reactor steam dome pressure to 150 psig results in exiting the Applicability for the Condition, and the 150 psig is achieved within the given 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 When multiple ECCS subsystems are inoperable, as stated in Condition H, the plant is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately. ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-8 REVISION 69 BASES (continued) SURVEILLANCE SR 3.5.1.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the HPCI System, CS System, and LPCI subsystems full of water ensures that the ECCS will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent a water hammer following an ECCS initiation signal. One acceptable method of ensuring that the lines are full is to vent at the high points. In addition, when HPCI is aligned to the suppression pool (instead of the CST), one acceptable method is to monitor pump suction pressure. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.5.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the HPCI System, this SR also includes the steam flow path for the turbine and the flow controller position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that allows LPCI subsystems to be considered OPERABLE during alignment and operation for decay heat removal with reactor steam dome pressure less than the RHR low pressure permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. This allows operation in the RHR shutdown cooling mode during MODE 3, if necessary.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-9 REVISION 69 BASES SURVEILLANCE SR 3.5.1.3 REQUIREMENTS (continued) Verification that ADS air supply header pressure is 90 psig ensures adequate air pressure for reliable ADS operation. The accumulator on each ADS valve provides pneumatic pressure for valve actuation. The design pneumatic supply pressure requirements for the accumulator are such that, following a failure of the pneumatic supply to the accumulator, at least two valve actuations can occur with the drywell at 70% of design pressure (Ref. 11). The ECCS safety analysis assumes only one actuation to achieve the depressurization required for operation of the low pressure ECCS. This minimum required pressure of 90 psig (for one actuation) is provided by the ADS instrument air supply. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.4 Verification that the RHR System cross tie valve is closed and power to its operator is disconnected ensures that each LPCI subsystem remains independent and a failure of the flow path in one subsystem will not affect the flow path of the other LPCI subsystem. Acceptable methods of removing power to the operator include de-energizing breaker control power or racking out or removing the breaker. If the RHR System cross tie valve is open or power has not been removed from the valve operator, both LPCI subsystems must be considered inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.5 (Not used.)

SR 3.5.1.6 Cycling the recirculation pump discharge valves through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will close when required. Upon initiation of an automatic LPCI subsystem injection signal, these valves are required to be closed to ensure full LPCI subsystem flow injection in the reactor via the recirculation jet pumps. De-energizing the valve in the closed position will also ensure the proper flow path for the LPCI subsystem. Acceptable methods of de-energizing the valve include de-energizing breaker control power, racking out the breaker or removing the breaker. ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-10 REVISION 69 BASES SURVEILLANCE SR 3.5.1.6 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. However, this SR is modified by a Note that states the Surveillance is only required to be performed prior to entering MODE 2 from MODE 3 or 4, when in MODE 4 > 48 hours. Verification during or following MODE 4 > 48 hours and prior to entering MODE 2 from MODE 3 or 4 is an exception to the normal Inservice Testing Program generic valve cycling Frequency of 92 days, but is considered acceptable due to the demonstrated reliability of these valves. The 48 hours is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance. If the valve is inoperable and in the open position, the associated LPCI subsystem must be declared inoperable. SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 The performance requirements of the low pressure ECCS pumps are determined through application of the 10 CFR 50, Appendix K criteria (Ref. 7). This periodic Surveillance is performed (in accordance with the ASME Code, Section XI, requirements for the ECCS pumps) to verify that the ECCS pumps will develop the flow rates required by the respective analyses. The low pressure ECCS pump flow rates ensure that adequate core cooling is provided to satisfy the acceptance criteria of Reference 9. The pump flow rates are verified against a system head equivalent to the RPV pressure expected during a LOCA. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure present during a LOCA. These values may be established during preoperational testing. The flow tests for the HPCI System are performed at two different pressure ranges such that system capability to provide rated flow is tested at both the higher and lower operating ranges of the system. The pump flow rates are verified against a system head corresponding to the RPV pressure. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the HPCI System diverts steam flow. The reactor steam pressure must be 920 psig to perform SR 3.5.1.8 and 150 psig to perform SR 3.5.1.9. Adequate ECCS - Operating B 3.5.1 (continued) HATCH UNIT 1 B 3.5-11 REVISION 69 BASES SURVEILLANCE SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 (continued) REQUIREMENTS steam flow for SR 3.5.1.8 is represented by at least two turbine bypass valves open, or 200 MWE from the main turbine generator; and for SR 3.5.1.9 adequate steam flow is represented by at least 1.25 turbine bypass valves open, or total steam flow 1E6 lb/hour. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these tests. Reactor startup is allowed prior to performing the low pressure Surveillance test because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance test is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that HPCI is inoperable. Therefore, SR 3.5.1.8 and SR 3.5.1.9 are modified by Notes that state the Surveillances are not required to be performed until 12 hours after the reactor steam pressure and flow are adequate to perform the test. The 12 hours allowed is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. The Frequency for SR 3.5.1.7 is consistent with the Inservice Testing Program pump testing requirements. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.10 The ECCS subsystems are required to actuate automatically to perform their design functions. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCI, CS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions. This SR also ensures that the HPCI System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance to provide complete testing of the assumed safety function.

ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 1 B 3.5-14 REVISION 69 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM

B 3.5.2 ECCS - Shutdown BASES BACKGROUND A description of the Core Spray (CS) System and the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System is provided in the Bases for LCO 3.5.1, "ECCS - Operating." APPLICABLE The ECCS performance is evaluated for the entire spectrum of SAFETY ANALYSES break sizes for a postulated loss of coolant accident (LOCA). The long term cooling analysis following a design basis LOCA (Ref. 1) demonstrates that only one low pressure ECCS injection/spray subsystem is required, post LOCA, to maintain adequate reactor vessel water level in the event of an inadvertent vessel draindown. It is reasonable to assume, based on engineering judgment, that while in MODES 4 and 5, one low pressure ECCS injection/spray subsystem can maintain adequate reactor vessel water level. To provide redundancy, a minimum of two low pressure ECCS injection/spray subsystems are required to be OPERABLE in MODES 4 and 5. The low pressure ECCS subsystems satisfy Criterion 3 of the NRC Policy Statement (Ref. 3). LCO Two low pressure ECCS injection/spray subsystems are required to be OPERABLE. The low pressure ECCS injection/spray subsystems consist of two CS subsystems and two LPCI subsystems. Each CS subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool or condensate storage tank (CST) to the reactor pressure vessel (RPV). Each LPCI subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool to the RPV. Only a single LPCI pump is required per subsystem because of the larger injection capacity in relation to a CS subsystem. In MODES 4 and 5, the RHR System cross tie valve is not required to be closed. The necessary portions of the Plant Service Water System are also required to provide appropriate cooling to each required ECCS subsystem. One LPCI subsystem may be aligned for decay heat removal and considered OPERABLE for the ECCS function, if it can be manually ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 1 B 3.5-15 REVISION 69 BASES LCO realigned (remote or local) to the LPCI mode and is not otherwise (continued) inoperable. Because of low pressure and low temperature conditions in MODES 4 and 5, sufficient time will be available to manually align and initiate LPCI subsystem operation to provide core cooling prior to postulated fuel uncovery. APPLICABILITY OPERABILITY of the low pressure ECCS injection/spray subsystems is required in MODES 4 and 5 to ensure adequate coolant inventory and sufficient heat removal capability for the irradiated fuel in the core in case of an inadvertent draindown of the vessel. Requirements for ECCS OPERABILITY during MODES 1, 2, and 3 are discussed in the Applicability section of the Bases for LCO 3.5.1. ECCS subsystems are not required to be OPERABLE during MODE 5 with the spent fuel storage pool gates removed and the water level maintained at 22 ft 1/8 inches above the RPV flange (equivalent to 21 ft of water above the top of irradiated fuel assemblies seated in the spent fuel storage pool racks; the point from which the water level is measured is shown in Figure B 3.5.2-1). This provides sufficient coolant inventory to allow operator action to terminate the inventory loss prior to fuel uncovery in case of an inadvertent draindown. The Automatic Depressurization System is not required to be OPERABLE during MODES 4 and 5 because the RPV pressure is 150 psig, and the CS System and the LPCI subsystems can provide core cooling without any depressurization of the primary system. The High Pressure Coolant Injection System is not required to be OPERABLE during MODES 4 and 5 since the low pressure ECCS injection/spray subsystems can provide sufficient flow to the vessel. ACTIONS A.1 and B.1 If any one required low pressure ECCS injection/spray subsystem is inoperable, the inoperable subsystem must be restored to OPERABLE status in 4 hours. In this condition, the remaining OPERABLE subsystem can provide sufficient vessel flooding capability to recover from an inadvertent vessel draindown. However, overall system reliability is reduced because a single failure in the remaining OPERABLE subsystem concurrent with a vessel draindown could result in the ECCS not being able to perform its intended function. The 4 hour Completion Time for restoring the required low pressure ECCS injection/spray subsystem to OPERABLE status is ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 1 B 3.5-16 REVISION 69 BASES ACTIONS A.1 and B.1 (continued) based on engineering judgment that considered the remaining available subsystem and the low probability of a vessel draindown event. With the inoperable subsystem not restored to OPERABLE status in the required Completion Time, action must be immediately initiated to suspend operations with a potential for draining the reactor vessel (OPDRVs) to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. C.1, C.2, D.1, D.2, and D.3 With both of the required ECCS injection/spray subsystems inoperable, all coolant inventory makeup capability may be unavailable. Therefore, actions must immediately be initiated to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. One ECCS injection/spray subsystem must also be restored to OPERABLE status within 4 hours. The 4 hour Completion Time to restore at least one low pressure ECCS injection/spray subsystem to OPERABLE status ensures that prompt action will be taken to provide the required cooling capacity or to initiate actions to place the plant in a condition that minimizes any potential fission product release to the environment. If at least one low pressure ECCS injection/spray subsystem is not restored to OPERABLE status within the 4 hour Completion Time, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring:

1) secondary containment [at least including: the Unit 1 reactor building zone if in MODE 4; or the common refueling floor zone if in MODE 5] is OPERABLE; 2) sufficient standby gas treatment (SGT) subsystem(s) are OPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondary containment configuration, refer to Reference 2; single failure protection is not required while in this ACTION); and 3) secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactivity releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 1 B 3.5-17 REVISION 69 BASES ACTIONS C.1, C.2, D.1, D.2, and D.3 (continued) controls to assure isolation capability. The administrative controls can consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.).

OPERABILITY may be verified by an administrative check, or by examining logs or other information, to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the Surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE. SURVEILLANCE SR 3.5.2.1 and SR 3.5.2.2 REQUIREMENTS The minimum water level of 146 inches required for the suppression pool is periodically verified to ensure that the suppression pool will provide adequate net positive suction head (NPSH) for the CS System and LPCI subsystem pumps, recirculation volume, and vortex prevention. With the suppression pool water level less than the required limit, all ECCS injection/spray subsystems are inoperable unless they are aligned to an OPERABLE CST. When suppression pool level is < 146 inches, the CS System is considered OPERABLE only if it can take suction from the CST, and the CST water level is sufficient to provide the required NPSH for the CS pump. Therefore, a verification that either the suppression pool water level is 146 inches or that CS is aligned to take suction from the CST and the CST contains 150,000 gallons of water, equivalent to 13 ft, ensures that the CS System can supply at least 50,000 gallons of makeup water to the RPV. The CS suction is uncovered at the 100,000 gallon level. However, as noted, only one required CS subsystem may take credit for the CST option during OPDRVs. During OPDRVs, the volume in the CST may not provide adequate makeup if the RPV were completely drained. Therefore, only one CS subsystem is allowed to use the CST. This ensures the other required ECCS subsystem has adequate makeup volume. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 1 B 3.5-18 REVISION 69 BASES SURVEILLANCE SR 3.5.2.3, SR 3.5.2.5, and SR 3.5.2.6 REQUIREMENTS (continued) The Bases provided for SR 3.5.1.1, SR 3.5.1.7, and SR 3.5.1.10 are applicable to SR 3.5.2.3, SR 3.5.2.5, and SR 3.5.2.6, respectively. However, the LPCI flow rate requirement for SR 3.5.2.5 is based on a single pump, not the two pump flow rate requirement of SR 3.5.1.7.

SR 3.5.2.4 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In MODES 4 and 5, the RHR System may operate in the shutdown cooling mode to remove decay heat and sensible heat from the reactor. Therefore, RHR valves that are required for LPCI subsystem operation may be aligned for decay heat removal. Therefore, this SR is modified by a Note that allows one LPCI subsystem of the RHR System to be considered OPERABLE for the ECCS function if all the required valves in the LPCI flow path can be manually realigned (remote or local) to allow injection into the RPV, and the system is not otherwise inoperable. This will ensure adequate core cooling if an inadvertent RPV draindown should occur. ECCS - Shutdown B 3.5.2 HATCH UNIT 1 B 3.5-19 REVISION 69 BASES (continued) REFERENCES 1. NEDC-31376P, "E. I. Hatch Nuclear Plant Units 1 and 2 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," December 1986. 2. Technical Requirements Manual, Section 8.0. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. ECCS - Shutdown B 3.5.2 HATCH UNIT 1 B 3.5-20 REVISION 69

Figure B 3.5.2-1 (page 1 of 1) Top of Irradiated Fuel Assembly RCIC System B 3.5.3 (continued) HATCH UNIT 1 B 3.5-21 REVISION 69 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM

B 3.5.3 RCIC System BASES BACKGROUND The RCIC System is not part of the ECCS; however, the RCIC System is included with the ECCS section because of their similar functions. The RCIC System is designed to operate either automatically or manually following reactor pressure vessel (RPV) isolation accompanied by a loss of coolant flow from the feedwater system to provide adequate core cooling and control of the RPV water level. Under these conditions, the High Pressure Coolant Injection (HPCI) and RCIC systems perform similar functions. The RCIC System design requirements ensure that the criteria of Reference 1 are satisfied. The RCIC System (Ref. 2) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping is provided from the condensate storage tank (CST) and the suppression pool. Pump suction is normally aligned to the CST to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low, or the suppression pool level is high, an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the RCIC System. The steam supply to the turbine is piped from a main steam line upstream of the associated inboard main steam line isolation valve. The RCIC System is designed to provide core cooling for a wide range of reactor pressures (150 psig to 1185 psig). Upon receipt of an initiation signal, the RCIC turbine accelerates to a specified speed. As the RCIC flow increases, the turbine control valve is automatically adjusted to maintain design flow. Exhaust steam from the RCIC turbine is discharged to the suppression pool. A full flow test line is provided to route water from and to the CST to allow testing of the RCIC System during normal operation without injecting water into the RPV. The RCIC pump is provided with a minimum flow bypass line, which discharges to the suppression pool. The valve in this line automatically opens to prevent pump damage due to overheating RCIC System B 3.5.3 (continued) HATCH UNIT 1 B 3.5-22 REVISION 69 BASES BACKGROUND when other discharge line valves are closed. To ensure rapid delivery (continued) of water to the RPV and to minimize water hammer effects, the RCIC System discharge piping is kept full of water. The RCIC System is normally aligned to the CST. The height of water in the CST is sufficient to maintain the piping full of water up to the first isolation valve. The relative height of the feedwater line connection for RCIC is such that the water in the feedwater lines keeps the remaining portion of the RCIC discharge line full of water. Therefore, RCIC does not require a "keep fill" system. APPLICABLE The function of the RCIC System is to respond to transient events by SAFETY ANALYSES providing makeup coolant to the reactor. The RCIC System is not an Engineered Safety Feature System and no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system satisfies Criterion 4 of the NRC Policy Statement (Ref. 5). LCO The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the low pressure ECCS subsystems is not required in the event of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity for maintaining RPV inventory during an isolation event. APPLICABILITY The RCIC System is required to be OPERABLE during MODE 1, and MODES 2 and 3 with reactor steam dome pressure > 150 psig, since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. In MODES 2 and 3 with reactor steam dome pressure 150 psig, and in MODES 4 and 5, RCIC is not required to be OPERABLE since the low pressure ECCS injection/spray subsystems can provide sufficient flow to the RPV. ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable RCIC subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable RCIC subsystem and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. RCIC System B 3.5.3 (continued) HATCH UNIT 1 B 3.5-23 REVISION 69 BASES ACTIONS A.1 and A.2 (continued) If the RCIC System is inoperable during MODE 1, or MODE 2 or 3 with reactor steam dome pressure > 150 psig, and the HPCI System is verified to be OPERABLE, the RCIC System must be restored to OPERABLE status within 14 days. In this condition, loss of the RCIC System will not affect the overall plant capability to provide makeup inventory at high reactor pressure since the HPCI System is the only high pressure system assumed to function during a loss of coolant accident (LOCA). OPERABILITY of HPCI is therefore verified within 1 hour when the RCIC System is inoperable. This may be performed as an administrative check, by examining logs or other information, to determine if HPCI is out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the HPCI System. If the OPERABILITY of the HPCI System cannot be verified, however, Condition B must be immediately entered. For non-LOCA events, RCIC (as opposed to HPCI) is the preferred source of makeup coolant because of its relatively small capacity, which allows easier control of the RPV water level. Therefore, a limited time is allowed to restore the inoperable RCIC to OPERABLE status. The 14 day Completion Time is based on a reliability study (Ref. 3) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (AOTs). Because of similar functions of HPCI and RCIC, the AOTs (i.e., Completion Times) determined for HPCI are also applied to RCIC. B.1 and B.2 If the RCIC System cannot be restored to OPERABLE status within the associated Completion Time, or if the HPCI System is simultaneously inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to 150 psig within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. RCIC System B 3.5.3 (continued) HATCH UNIT 1 B 3.5-24 REVISION 69 BASES (continued) SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge line of the RCIC System full of water ensures that the system will perform properly, injecting its full capacity into the Reactor Coolant System upon demand. This will also prevent a water hammer following an initiation signal. One acceptable method of ensuring the line is full when aligned to the CST is to vent at the high points and, when aligned to the suppression pool, by monitoring pump suction pressure. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.5.3.2 Verifying the correct alignment for manual, power operated, and automatic valves in the RCIC flow path provides assurance that the proper flow path will exist for RCIC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the RCIC System, this SR also includes the steam flow path for the turbine and the flow controller position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SURVEILLANCE SR 3.5.3.3 and SR 3.5.3.4 REQUIREMENTS The RCIC pump flow rates ensure that the system can maintain reactor coolant inventory during pressurized conditions with the RPV isolated. The required flow rate (400 gpm) is the pump design flow rate. Analysis has demonstrated that RCIC can fulfill its design function at a system flow rate of 360 gpm (Ref. 4). The pump flow

RCIC System B 3.5.3 HATCH UNIT 1 B 3.5-25 REVISION 69 BASES SURVEILLANCE SR 3.5.3.3 and SR 3.5.3.4 (continued) REQUIREMENTS (continued) rates are verified against a system head equivalent to the RPV pressure. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure. The flow tests for the RCIC System are performed at two different pressure ranges such that system capability to provide rated flow is tested both at the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the RCIC System diverts steam flow. Reactor steam pressure must be 920 psig to perform SR 3.5.3.3 and 150 psig to perform SR 3.5.3.4. Adequate steam flow is represented by at least one turbine bypass valve open, or for SR 3.5.3.3 200 MWE from the main turbine-generator and for SR 3.5.3.4 total steam flow 1E6 lb/hour. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these SRs. Reactor startup is allowed prior to performing the low pressure Surveillance because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure Surveillance has been satisfactorily completed and there is no indication or reason to believe that RCIC is inoperable. Therefore, these SRs are modified by Notes that state the Surveillances are not required to be performed until 12 hours after the reactor steam pressure and flow are adequate to perform the test. The 12 hours allowed is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.5 The RCIC System is required to actuate automatically in order to verify its design function satisfactorily. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of the RCIC System will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence; that is, automatic pump startup and actuation of all automatic valves to their required positions. This test also ensures the RCIC System will automatically restart on an RPV

RCIC System B 3.5.3 HATCH UNIT 1 B 3.5-26 REVISION 69 BASES SURVEILLANCE SR 3.5.3.5 (continued) REQUIREMENTS (continued) low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.2 overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that excludes vessel injection during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance. REFERENCES 1. 10 CFR 50, Appendix A, GDC 33.

2. FSAR, Section 4.7. 3. Memorandum from R. L. Baer (NRC) to V. Stello, Jr. (NRC), "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975. 4. GE Report AES-41-0688, "Safety Evaluation for Relaxation of RCIC Performance Requirements for Plant Hatch Units 1 and 2," July 1988. 5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Primary Containment B 3.6.1.1 (continued) HATCH UNIT 1 B 3.6-1 REVISION 5 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.1 Primary Containment

BASES BACKGROUND The function of the primary containment is to isolate and contain fission products released from the Reactor Primary System following a Design Basis Accident (DBA) and to confine the postulated release of radioactive material. The primary containment consists of a steel lined, reinforced concrete vessel, which surrounds the Reactor Primary System and provides an essentially leak tight barrier against an uncontrolled release of radioactive material to the environment. The isolation devices for the penetrations in the primary containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either: 1. Capable of being closed by an OPERABLE automatic containment isolation system, or 2. Closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)";

b. The primary containment air lock is OPERABLE, except as provided in LCO 3.6.1.2, "Primary Containment Air Lock"; and c. All equipment hatches are closed. This Specification ensures that the performance of the primary containment, in the event of a DBA, meets the assumptions used in the safety analyses of References 1 and 2. SR 3.6.1.1.1 leakage rate requirements are in conformance with 10 CFR 50, Appendix J, Option B (Ref. 3), as modified by approved exemptions. APPLICABLE The safety design basis for the primary containment is that it must SAFETY ANALYSES withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

Primary Containment B 3.6.1.1 (continued) HATCH UNIT 1 B 3.6-2 REVISION 47 BASES APPLICABLE The DBA that postulates the maximum release of radioactive material SAFETY ANALYSES within primary containment is a LOCA. In the analysis of this (continued) accident, it is assumed that primary containment is OPERABLE such that release of fission products to the environment is controlled by the rate of primary containment leakage. Analytical methods and assumptions involving the primary containment are presented in References 1 and 2. The safety analyses assume a nonmechanistic fission product release following a DBA, which forms the basis for determination of offsite doses. The fission product release is, in turn, based on an assumed leakage rate from the primary containment. OPERABILITY of the primary containment ensures that the leakage rate assumed in the safety analyses is not exceeded. The maximum allowable leakage rate for the primary containment (La) is 1.2% by weight of the containment air per 24 hours at the design basis LOCA maximum peak containment pressure (Pa) of 50.8 psig (Ref. 1). Primary containment satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Primary containment OPERABILITY is maintained by limiting leakage to La, except prior to the first startup after performing a required Primary Containment Leakage Rate Testing Program (Ref. 5) leakage test. At this time, applicable leakage limits specified in the Primary Containment Leakage Rate Testing Program must be met. Compliance with this LCO will ensure a primary containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analyses. Individual leakage rates specified for the primary containment air lock are addressed in LCO 3.6.1.2. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, primary containment is not required to be OPERABLE in MODES 4 and 5 to prevent leakage of radioactive material from primary containment. Primary Containment B 3.6.1.1 (continued) HATCH UNIT 1 B 3.6-3 REVISION 5 BASES (continued) ACTIONS A.1 In the event primary containment is inoperable, primary containment must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining primary containment OPERABILITY during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring primary containment OPERABILITY) occurring during periods where primary containment is inoperable is minimal. B.1 and B.2 If primary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.1.1 REQUIREMENTS Maintaining the primary containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Primary Containment Leakage Rate Testing Program. Failure to meet air lock leakage testing (SR 3.6.1.2.1), or main steam isolation valve leakage (SR 3.6.1.3.10), does not necessarily result in a failure of this SR. The impact of the failure to meet these SRs must be evaluated against the Type A, B, and C acceptance criteria of the Primary Containment Leakage Rate Testing Program. The Primary Containment Leakage Rate Testing Program is based on the guidelines in Regulatory Guide 1.163 (Ref. 6), NEI 94-01 (Ref. 7), and ANSI/ANS-56.8-1994 (Ref. 8). Specific acceptance criteria for as found and as left leakage rates, as well as the methods of defining the leakage rates, are contained in the Primary Containment Leakage Rate Testing Program. At all other times between required leakage rate tests, the acceptance criteria are based on an overall Type A leakage limit of 1.0 La. At 1.0 La, the offsite dose consequences are bounded by the assumptions of the safety analysis. The Frequency is required by the Primary Containment Leak Rate Testing Program.

Primary Containment B 3.6.1.1 (continued) HATCH UNIT 1 B 3.6-4 REVISION 69 BASES SURVEILLANCE SR 3.6.1.1.2 REQUIREMENTS (continued) Maintaining the pressure suppression function of primary containment requires limiting the leakage from the drywell to the suppression chamber. Thus, if an event were to occur that pressurized the drywell, the steam would be directed through the downcomers into the suppression pool. This SR measures drywell to suppression chamber differential pressure during a 10 minute period to ensure that the leakage paths that would bypass the suppression pool are within allowable limits. Satisfactory performance of this SR can be achieved by establishing a known differential pressure between the drywell and the suppression chamber and verifying that the pressure in either the suppression chamber or the drywell does not change by more than 0.25 inch of water per minute over a 10 minute period. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 5.2.

2. FSAR, Section 14.4.3.

3. 10 CFR 50, Appendix J, Option B.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

5. Primary Containment Leakage Rate Testing Program. 6. Regulatory Guide 1.163, "Performance-Based Containment Leak-Test Program," September 1995. 7. NEI 94-01, "Industry Guideline for Implementing Performance-Based Option of 10 CFR Part 50, Appendix J," Revision 0, July 26, 1995.

Primary Containment B 3.6.1.1 HATCH UNIT 1 B 3.6-5 REVISION 69 BASES REFERENCES (continued)

8. ANSI/ANS-56.8-1994, "American National Standard for Containment System Leakage Testing Requirements," 1994.

Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 1 B 3.6-6 REVISION 0 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.2 Primary Containment Air Lock

BASES BACKGROUND One double door primary containment air lock has been built into the primary containment to provide personnel access to the drywell and to provide primary containment isolation during the process of personnel entering and exiting the drywell. The air lock is designed to withstand the same loads, temperatures, and peak design internal and external pressures as the primary containment (Ref. 1). As part of the primary containment, the air lock limits the release of radioactive material to the environment during normal unit operation and through a range of transients and accidents up to and including postulated Design Basis Accidents (DBAs). Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a DBA in primary containment. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure sealed doors (i.e., an increase in primary containment internal pressure results in increased sealing force on each door). The air lock is nominally a right circular cylinder, 10 ft in diameter, with doors at each end that are interlocked to prevent simultaneous opening. The air lock is provided with limit switches on both doors that provide control room indication of door position. Additionally, control room indication is provided to alert the operator whenever the air lock interlock mechanism is defeated. During periods when primary containment is not required to be OPERABLE, the air lock interlock mechanism may be disabled, allowing both doors of the air lock to remain open for extended periods when frequent primary containment entry is necessary. Under some conditions allowed by this LCO, the primary containment may be accessed through the air lock, when the interlock mechanism has failed, by manually performing the interlock function. The primary containment air lock forms part of the primary containment pressure boundary. As such, air lock integrity and leak tightness are essential for maintaining primary containment leakage rate to within limits in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis. Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 1 B 3.6-7 REVISION 47 BASES (continued) APPLICABLE The DBA that postulates the maximum release of radioactive material SAFETY ANALYSES within primary containment is a LOCA. In the analysis of this accident, it is assumed that primary containment is OPERABLE, such that release of fission products to the environment is controlled by the rate of primary containment leakage. The primary containment is designed with a maximum allowable leakage rate (La) of 1.2% by weight of the containment air per 24 hours at the calculated design basis LOCA maximum peak containment pressure (Pa) of 50.8 psig (Ref. 2). This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock. Primary containment air lock OPERABILITY is also required to minimize the amount of fission product gases that may escape primary containment through the air lock and contaminate and pressurize the secondary containment. The primary containment air lock satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO As part of primary containment, the air lock's safety function is related to control of containment leakage rates following a DBA. Thus, the air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event. The primary containment air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door to be opened at a time. This provision ensures that a gross breach of primary containment does not exist when primary containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry and exit from primary containment. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the primary containment air lock is not required to be OPERABLE in MODES 4

Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 1 B 3.6-8 REVISION 0 BASES APPLICABILITY and 5 to prevent leakage of radioactive material from primary (continued) containment. ACTIONS The ACTIONS are modified by Note 1, which allows entry and exit to perform repairs of the affected air lock component. If the outer door is inoperable, then it may be easily accessed to repair. If the inner door is the one that is inoperable, however, then a short time exists when the containment boundary is not intact (during access through the outer door). The allowance to open the OPERABLE door, even if it means the primary containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize the primary containment during the short time in which the OPERABLE door is expected to be open. The OPERABLE door must be immediately closed after each entry and exit. The ACTIONS are modified by a second Note, which ensures appropriate remedial measures are taken, if necessary, if air lock leakage results in exceeding overall containment leakage rate acceptance criteria. Pursuant to LCO 3.0.6, actions are not required, even if primary containment is exceeding its leakage limit. Therefore, the Note is added to require ACTIONS for LCO 3.6.1.1, "Primary Containment," to be taken in this event. A.1, A.2, and A.3 With one primary containment air lock door inoperable, the OPERABLE door must be verified closed (Required Action A.1) in the air lock. This ensures that a leak tight primary containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which requires that primary containment be restored to OPERABLE status within 1 hour. In addition, the air lock penetration must be isolated by locking closed the OPERABLE air lock door within the 24 hour Completion Time. The 24 hour Completion Time is considered reasonable for locking the OPERABLE air lock door, considering that the OPERABLE door is being maintained closed. Required Action A.3 ensures that the air lock with an inoperable door has been isolated by the use of a locked closed OPERABLE air lock door. This ensures that an acceptable primary containment leakage boundary is maintained. The Completion Time of once per 31 days is Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 1 B 3.6-9 REVISION 0 BASES ACTIONS A.1, A.2, and A.3 (continued) based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and allows these doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small. The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls. Primary containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities inside primary containment that are required by TS or activities that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-related activities) if the primary containment was entered, using the inoperable air lock, to perform an allowed activity listed above. The administrative controls required consist of the stationing of a dedicated individual to assure closure of the OPERABLE door except during the entry and exit, and assuring the OPERABLE door is relocked after completion of the containment entry and exit. This allowance is acceptable due to the low probability of an event that could pressurize the primary containment during the short time that the OPERABLE door is expected to be open. B.1, B.2, and B.3 With an air lock interlock mechanism inoperable, the Required Actions and associated Completion Times are consistent with those specified in Condition A.

Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 1 B 3.6-10 REVISION 0 BASES ACTIONS B.1, B.2, and B.3 (continued) The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from the primary containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock). Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and that allows these doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

C.1, C.2, and C.3 If the air lock is inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be immediately initiated to evaluate containment overall leakage rates using current air lock leakage test results. An evaluation is acceptable since it is overly conservative to immediately declare the primary containment inoperable if both doors in the air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed), primary containment remains OPERABLE, yet only 1 hour (according to LCO 3.6.1.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits. Required Action C.2 requires that one door in the primary containment air lock must be verified closed. This action must be completed within the 1 hour Completion Time. This specified time period is consistent with the ACTIONS of LCO 3.6.1.1, which require that primary containment be restored to OPERABLE status within 1 hour. Additionally, the air lock must be restored to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable for restoring Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 1 B 3.6-11 REVISION 5 BASES ACTIONS C.1, C.2, and C.3 (continued) an inoperable air lock to OPERABLE status considering that at least one door is maintained closed in the air lock.

D.1 and D.2 If the inoperable primary containment air lock cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.2.1 REQUIREMENTS Maintaining primary containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Primary Containment Leakage Rate Testing Program (Ref. 3). This SR reflects the leakage rate testing requirements with respect to air lock leakage (Type B leakage tests). The acceptance criteria were established as a small fraction of the total allowable containment leakage. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall primary containment leakage rate. The Frequency is required by the Primary Containment Leakage Rate Testing Program. The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR, requiring the results to be evaluated against the acceptance criteria applicable to SR 3.6.1.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Types B and C primary containment leakage. Primary Containment Air Lock B 3.6.1.2 HATCH UNIT 1 B 3.6-12 REVISION 69 BASES SURVEILLANCE SR 3.6.1.2.2 REQUIREMENTS (continued) The air lock interlock mechanism is designed to prevent simultaneous opening of both doors in the air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident primary containment pressure, closure of either door will support primary containment OPERABILITY. Thus, the interlock feature supports primary containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous inner and outer door opening will not inadvertently occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 5.2.3.4.5.

2. FSAR, Section 5.2.

3. Primary Containment Leakage Rate Testing Program. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-13 REVISION 0 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.3 Primary Containment Isolation Valves (PCIVs)

BASES BACKGROUND The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) to within limits. Primary containment isolation ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. The OPERABILITY requirements for PCIVs help ensure that an adequate primary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. Therefore, the OPERABILITY requirements provide assurance that primary containment function assumed in the safety analyses will be maintained. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position, check valves with flow through the valve secured, blind flanges, and closed systems are considered passive devices. Check valves and other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system. The reactor building-to-suppression chamber vacuum breakers serve a dual function, one of which is primary containment isolation. However, since the other safety function of the vacuum breakers would not be available if the normal PCIV actions were taken, the PCIV OPERABILITY requirements are not applicable to the reactor building-to-suppression chamber vacuum breaker valves. Similar Surveillance Requirements in the LCO for reactor building-to-suppression chamber vacuum breakers provide assurance that the isolation capability is available without conflicting with the vacuum relief function. The primary containment purge supply lines are 18 inches in diameter; exhaust lines are 18 inches in diameter. The 18 inch primary containment purge valves are normally maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. However, the 18 inch valves are qualified for use and may be opened when used for inerting, de-inerting, pressure control, PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-14 REVISION 0 BASES BACKGROUND ALARA or air quality considerations for personnel entry, or (continued) Surveillances that require the valves to be open. These valves are qualified to be open because two additional redundant excess flow isolation dampers are provided on the vent line upstream of the Standby Gas Treatment (SGT) System filter trains. These isolation dampers, together with the PCIVs, will prevent high pressure from reaching the SGT System filter trains in the unlikely event of a loss of coolant accident (LOCA) during venting. Closure of the excess flow isolation dampers will not prevent the SGT System from performing its design function (that is, to maintain a negative pressure in the secondary containment). To ensure that a vent path is available, a 2 inch bypass line is provided around the dampers. The isolation valves on the 18 inch exhaust lines have 2 inch bypass lines around them for use during normal reactor operation or when the 18 inch valves cannot be opened. APPLICABLE The PCIVs LCO was derived from the assumptions related to SAFETY ANALYSES minimizing the loss of reactor coolant inventory, and establishing the primary containment boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO. The DBAs that result in a release of radioactive material for which the consequences are mitigated by PCIVs are a LOCA and a main steam line break (MSLB). In the analysis for each of these accidents, it is assumed that PCIVs are either closed or close within the required isolation times following event initiation. This ensures that potential paths to the environment through PCIVs (including primary containment purge valves) are minimized. Of the events analyzed in Reference 1, the MSLB is the most limiting event due to radiological consequences. The closure time of the main steam isolation valves (MSIVs) is a significant variable from a radiological standpoint. The MSIVs are required to close within 3 to 5 seconds since the 5 second closure time is assumed in the analysis. The safety analyses assume that the purge valves were closed at event initiation. Likewise, it is assumed that the primary containment is isolated such that release of fission products to the environment is controlled. The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the primary containment purge valves. Two valves in series on each PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-15 REVISION 0 BASES APPLICABLE purge line provide assurance that both the supply and exhaust lines SAFETY ANALYSES could be isolated even if a single failure occurred. (continued) PCIVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 5). LCO PCIVs form a part of the primary containment boundary. The PCIV safety function is related to minimizing the loss of reactor coolant inventory and establishing the primary containment boundary during a DBA. The power operated and the automatic isolation valves are required to have isolation times within limits and the automatic isolation valves actuate on an automatic isolation signal. While the reactor building-to-suppression chamber vacuum breakers isolate primary containment penetrations, they are excluded from this Specification. Controls on their isolation function are adequately addressed in LCO 3.6.1.7, "Reactor Building-to-Suppression Chamber Vacuum Breakers." The valves covered by this LCO are listed with their associated stroke times in Reference 2. The normally closed PCIVs are considered OPERABLE when manual valves are closed, or open in accordance with appropriate administrative controls, automatic valves are de-activated and secured in their closed position, blind flanges are in place, and closed systems are intact. These passive isolation valves and devices are those listed in Reference 2. MSIVs must meet additional leakage rate requirements. Other PCIV leakage rates are addressed by LCO 3.6.1.1, "Primary Containment," as Type B or C testing. This LCO provides assurance that the PCIVs will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the primary containment boundary during accidents. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, most PCIVs are not required to be OPERABLE and the primary containment purge valves are not required to be sealed closed in MODES 4 and 5. PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-16 REVISION 0 BASES APPLICABILITY Certain valves, however, are required to be OPERABLE to prevent (continued) inadvertent reactor vessel draindown. These valves are those whose associated instrumentation is required to be OPERABLE per LCO 3.3.6.1, "Primary Containment Isolation Instrumentation." (This does not include the valves that isolate the associated instrumentation.) ACTIONS The ACTIONS are modified by a Note allowing penetration flow path(s) except for 18 inch purge valve flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated. Due to the size of the primary containment purge supply and exhaust line penetrations and the fact that those penetrations exhaust directly from the containment atmosphere to the environment (via the SGT Systems), the penetration flow path containing these valves is not allowed to be opened under administrative controls. A second Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable PCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable PCIVs are governed by subsequent Condition entry and application of associated Required Actions. The ACTIONS are modified by Notes 3 and 4. Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable PCIV (e.g., an Emergency Core Cooling System (ECCS) subsystem is inoperable due to a failed open test return valve). Note 4 ensures appropriate remedial actions are taken when the primary containment leakage limits are exceeded. Pursuant to LCO 3.0.6, these actions are not required even when the associated LCO is not met. Therefore, Notes 3 and 4 are added to require the proper actions be taken.

PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-17 REVISION 5 BASES ACTIONS A.1 and A.2 (continued) With one or more penetration flow paths with one PCIV inoperable except for inoperability due to leakage not within a limit specified in an SR to this LCO, the affected penetration flow paths must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available valve to the primary containment. The device must be subjected to leakage testing requirements equivalent to the inoperable valve. For example: 1) if the inoperable valve is required to be Type C tested per 10 CFR 50, Appendix J, Option B (Ref. 4), the device chosen to isolate the penetration must also be subjected to Appendix J, Option B, Type C testing; and 2) if the inoperable valve is not subjected to Appendix J, Option B, testing ("-" in Reference 2, Table T7.0-1, Test Type column), the isolation device does not have to be subjected to Appendix J, Option B, testing. If a valve is inoperable due to isolation time not within limits or other condition that would not be expected to adversely affect leakage characteristics, the inoperable valve may be used to isolate the penetration. The Required Action must be completed within the 4 hour Completion Time (8 hours for main steam lines). The Completion Time of 4 hours is reasonable considering the time required to isolate the penetration and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. For main steam lines, an 8 hour Completion Time is allowed. The Completion Time of 8 hours for the main steam lines allows a period of time to restore the MSIVs to OPERABLE status given the fact that MSIV closure will result in isolation of the main steam line(s) and a potential for plant shutdown. For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those devices outside containment PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-18 REVISION 5 BASES ACTIONS A.1 and A.2 (continued) and capable of potentially being mispositioned are in the correct position. The Completion Time of "Once per 31 days for isolation devices outside primary containment" is appropriate because the devices are operated under administrative controls and the probability of their misalignment is low. For the devices inside primary containment, the time period specified "Prior to entering MODE 2 or 3 from MODE 4, if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the devices and other administrative controls ensuring that device misalignment is an unlikely possibility. Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two PCIVs. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas, and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low. B.1 With one or more penetration flow paths with two PCIVs inoperable except due to leakage not within limits, either the inoperable PCIVs must be restored to OPERABLE status or the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. The device must be subjected to leakage testing requirements equivalent to the inoperable valve. For example: 1) if the inoperable valve is required to be Type C tested per 10 CFR 50, Appendix J, Option B, the device chosen to isolate the penetration must also be subjected to Appendix J, Option B, Type C testing; and 2) if the inoperable valve is not subjected to Appendix J, Option B, testing ("-" in Reference 2, Table T7.0-1, Test Type column), the isolation device does not have to be subjected to Appendix J, Option B, testing. PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-19 REVISION 5 BASES ACTIONS B.1 (continued) If a valve is inoperable due to isolation time not within limits or other condition that would not be expected to adversely affect leakage characteristics, the inoperable valve may be used to isolate the penetration. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1. Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two PCIVs. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. C.1 and C.2 With one or more penetration flow paths with one PCIV inoperable, except due to leakage not within limits, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. The device must be subjected to leakage testing requirements equivalent to the inoperable valve, except for inoperable valves in the Core Spray and Low Pressure Coolant Injection (LPCI) systems. For example: 1) if the inoperable valve is required to be Type C tested per 10 CFR 50, Appendix J, Option B, the device chosen to isolate the penetration must also be subjected to Appendix J, Option B, Type C testing; and 2) if the inoperable valve is not subjected to Appendix J, Option B, testing ("-" in Reference 2, Table T7.0-1, Test Type column), the isolation device does not have to be subjected to Appendix J, Option B, testing. For Core Spray and LPCI system valve inoperability, the device chosen to isolate the affected penetration is not required to be tested per 10 CFR 50, Appendix J, Option B, leakage testing. This exception is based on the integrity of the system piping, which serves to minimize leakage into the secondary containment. If a valve is inoperable due to isolation time not within limits or other condition that would not be expected to adversely affect leakage characteristics, the inoperable valve may be used to isolate the penetration. PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-20 REVISION 1 BASES ACTIONS C.1 and C.2 (continued) Required Action C.1 must be completed within 4 hours for lines other than excess flow check valve (EFCV) lines and 12 hours for EFCV lines. The Completion Time of 4 hours is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. The Completion Time of 12 hours is reasonable considering the instrument to act as a penetration isolation boundary and the small pipe diameter of the affected penetrations. In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low. Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one PCIV. For penetration flow paths with two PCIVs, Conditions A and B provide the appropriate Required Actions. Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low. D.1 With the MSIV leakage rate not within limit, the assumptions of the safety analysis may not be met. Therefore, the leakage must be restored to within limit within 4 hours. Restoration can be accomplished by isolating the penetration that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated, the leakage rate for the isolated penetration is assumed to be the actual pathway leakage through the isolation device. If two isolation PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-21 REVISION 1 BASES ACTIONS D.1 (continued) devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 4 hour Completion Time is reasonable considering the time required to restore the leakage by isolating the penetration and the relative importance to the overall containment function. E.1 and E.2 If any Required Action and associated Completion Time cannot be met in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. F.1 and F.2 If any Required Action and associated Completion Time cannot be met, the unit must be placed in a condition in which the LCO does not apply. Action must be immediately initiated to suspend operations with a potential for draining the reactor vessel (OPDRVs) to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended and the valve(s) are restored to OPERABLE status. If suspending an OPDRV would result in closing the residual heat removal (RHR) shutdown cooling isolation valves, an alternative Required Action is provided to immediately initiate action to restore the valve(s) to OPERABLE status. This allows RHR shutdown cooling to remain in service while actions are being taken to restore the valve. SURVEILLANCE SR 3.6.1.3.1 REQUIREMENTS This SR ensures that the 18 inch primary containment purge valves are closed as required or, if open, are open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable (Condition A applies). The SR is modified by a PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-22 REVISION 69 BASES SURVEILLANCE SR 3.6.1.3.1 (continued) REQUIREMENTS Note stating that the SR is not required to be met when the 18 inch purge valves are open for the stated reasons. The Note states that these valves may be opened for inerting, de-inerting, pressure control, ALARA or air quality considerations for personnel entry, or Surveillances that require the valves to be open. The 18 inch purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.2 This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those isolation devices outside primary containment, and capable of being mispositioned, are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open.

SR 3.6.1.3.3 This SR verifies that each primary containment manual isolation valve and blind flange that is located inside primary containment and is PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-23 REVISION 69 BASES SURVEILLANCE SR 3.6.1.3.3 (continued) REQUIREMENTS required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. For these isolation devices inside primary containment, the Frequency defined as "Prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is appropriate since these isolation devices are operated under administrative controls and the probability of their misalignment is low. Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA and personnel safety reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in their proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. SR 3.6.1.3.4 The traversing incore probe (TIP) shear isolation valves are actuated by explosive charges. Actuation and monitoring circuitry is provided in the main control room. Surveillance of explosive charge continuity provides assurance that TIP valves will actuate when required. The circuitry is such that a light illuminates upon loss of explosive charge continuity. Ensuring that the light illuminates when voltage is applied and that it is extinguished when installed in the circuit provides assurance of explosive valve continuity. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.5 Verifying the isolation time of each power operated and each automatic PCIV is within limits is required to demonstrate OPERABILITY. MSIVs may be excluded from this SR since MSIV full PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-24 REVISION 70 BASES SURVEILLANCE SR 3.6.1.3.5 (continued) REQUIREMENTS closure isolation time is demonstrated by SR 3.6.1.3.6. The isolation time test ensures that each valve will isolate in a time period less than or equal to that listed in the FSAR and that no degradation affecting valve closure since the performance of the last Surveillance has occurred. (EFCVs are not required to be tested because they have no specified time limit). The Frequency of this SR is in accordance with the requirements of the Inservice Testing Program.

SR 3.6.1.3.6 Verifying that the isolation time of each MSIV is within the specified limits is required to demonstrate OPERABILITY. The isolation time test ensures that the MSIV will isolate in a time period that does not exceed the times assumed in the DBA analyses. This ensures that the calculated radiological consequences of these events remain within 10 CFR 50.67 limits. The Frequency of this SR is in accordance with the requirements of the Inservice Testing Program. SR 3.6.1.3.7 Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a DBA. This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.1.6 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.8 This SR requires a demonstration that each reactor instrumentation line excess flow check valve (EFCV) (of a representative sample) is OPERABLE by verifying that the valve reduces flow to within limits on an actual or simulated instrument line break condition. (The representative sample consists of an approximately equal number of EFCVs, such that each EFCV is tested. In addition, the EFCVs PCIVs B 3.6.1.3 (continued) HATCH UNIT 1 B 3.6-25 REVISION 70 BASES SURVEILLANCE SR 3.6.1.3.8 (continued) REQUIREMENTS in the sample are representative of the various plant configurations, models, sizes, and operating environments. This ensures that any potentially common problem with a specific type of application of EFCV is detected at the earliest possible time.) This SR provides assurance that the instrumentation line EFCVs will perform as designed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.9 The TIP shear isolation valves are actuated by explosive charges. An in place functional test is not possible with this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required. The replacement charge for the explosive squib shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.10 The analyses in References 1 and 3 are based on leakage that is less than the specified leakage rate. Combined MSIV leakage rate for all four main steam lines must be 100 scfh when tested at 28.0 psig and < 50.8 psig, or combined MSIV leakage rate for all four main steam lines must be 144 scfh when tested at 50.8 psig. The Frequency is required by the Primary Containment Leakage Rate Testing Program (Ref. 6). SR 3.6.1.3.11 Deleted

SR 3.6.1.3.12 This SR provides assurance that the excess flow isolation dampers can close following an isolation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. PCIVs B 3.6.1.3 HATCH UNIT 1 B 3.6-26 REVISION 70 BASES (continued) SURVEILLANCE SR 3.6.1.3.13 REQUIREMENTS (continued) This SR ensures that the leakage rate of secondary containment bypass leakage paths is less than the specified leakage rate. This provides assurance that the assumptions in the radiological evaluations that form the basis of the FSAR (Ref. 1) are met. The secondary containment bypass leakage paths are: 1) main steam condensate drain, penetration 8; 2) reactor water cleanup, penetration 14; 3) equipment drain sump discharge, penetration 18; 4) floor drain sump discharge, penetration 19; 5) HPCI steam line condensate to main condenser, penetration 11; and 6) RCIC steam line condensate to main condenser, penetration 10. The leakage rate of each bypass leakage path is assumed to be the maximum pathway leakage (leakage through the worse of the two isolation valves) unless the penetration is isolated by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. In this case, the leakage rate of the isolated bypass leakage path is assumed to be the actual pathway leakage through the isolation device. If both isolation valves in the penetration are closed, the actual leakage rate is the lesser leakage rate of the two valves. The Frequency is required by the Primary Containment Leakage Rate Testing Program (Ref. 6). REFERENCES 1. Unit 2 FSAR, Section 15.3. 2. Technical Requirements Manual, Table T7.0-1.

3. FSAR, Section 5.2.

4. 10 CFR 50, Appendix J, Option B. 5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 6. Primary Containment Leakage Rate Testing Program.

Drywell Pressure B 3.6.1.4 (continued) HATCH UNIT 1 B 3.6-27 REVISION 41 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.4 Drywell Pressure

BASES BACKGROUND The drywell pressure is limited during normal operations to preserve the initial conditions assumed in the accident analysis for a Design Basis Accident (DBA) or loss of coolant accident (LOCA).

APPLICABLE Primary containment performance is evaluated for the entire SAFETY ANALYSES spectrum of break sizes for postulated LOCAs (Ref. 1). Among the inputs to the DBA is the initial primary containment internal pressure (Ref. 1). Analyses assume an initial drywell pressure of 1.75 psig. This limitation ensures that the safety analysis remains valid by maintaining the expected initial conditions and ensures that the peak LOCA drywell internal pressure does not exceed the maximum allowable of 62 psig. The maximum calculated drywell pressure occurs during the reactor blowdown phase of the DBA, which assumes an instantaneous recirculation line break. The calculated peak drywell pressure for this limiting event is 50.8 psig (Ref. 1). Drywell pressure satisfies Criterion 2 of the NRC Policy Statement (Ref. 2). LCO In the event of a DBA, with an initial drywell pressure 1.75 psig, the resultant peak drywell accident pressure will be maintained below the drywell design pressure. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining drywell pressure within limits is not required in MODE 4 or 5.

Drywell Pressure B 3.6.1.4 HATCH UNIT 1 B 3.6-28 REVISION 69 BASES (continued) ACTIONS A.1 With drywell pressure not within the limit of the LCO, drywell pressure must be restored within 1 hour. The Required Action is necessary to return operation to within the bounds of the primary containment analysis. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, "Primary Containment," which requires that primary containment be restored to OPERABLE status within 1 hour. B.1 and B.2 If drywell pressure cannot be restored to within limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.4.1 REQUIREMENTS Verifying that drywell pressure is within limit ensures that unit operation remains within the limit assumed in the primary containment analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Sections 5.2 and 14.4.3.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Drywell Air Temperature B 3.6.1.5 (continued) HATCH UNIT 1 B 3.6-29 REVISION 9 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.5 Drywell Air Temperature

BASES BACKGROUND The drywell contains the reactor vessel and piping, which add heat to the airspace. Drywell coolers remove heat and maintain a suitable environment. The average airspace temperature affects the calculated response to postulated Design Basis Accidents (DBAs). The limitation on the drywell average air temperature was developed as reasonable, based on operating experience. The limitation on drywell air temperature is used in the Reference 1 safety analyses. APPLICABLE Primary containment performance is evaluated for a spectrum of SAFETY ANALYSES break sizes for postulated loss of coolant accidents (LOCAs) (Ref. 1). Among the inputs to the design basis analysis is the initial drywell average air temperature (Ref. 1). Analyses assume an initial average drywell air temperature of 150°F. This limitation ensures that the safety analysis remains valid by maintaining the expected initial conditions and ensures that the peak LOCA drywell temperature does not result in the drywell structure exceeding the maximum allowable temperature of 281°F (Ref. 2). The peak ambient drywell air temperature is slightly above the drywell structure design temperature of 281°F during the initial 15 seconds of the limiting accident. An evaluation concluded that the actual drywell structure design temperature is not exceeded. Exceeding this design temperature may result in the degradation of the primary containment structure under accident loads. Equipment inside primary containment required to mitigate the effects of a DBA is designed to operate and be capable of operating under environmental conditions expected for the accident. Drywell air temperature satisfies Criterion 2 of the NRC Policy Statement (Ref. 3). LCO In the event of a DBA, with an initial drywell average air temperature less than or equal to the LCO temperature limit, the resultant peak accident temperature is maintained below the drywell design temperature. As a result, the ability of primary containment to perform its design function is ensured. Drywell Air Temperature B 3.6.1.5 (continued) HATCH UNIT 1 B 3.6-30 REVISION 9 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining drywell average air temperature within the limit is not required in MODE 4 or 5. ACTIONS A.1 With drywell average air temperature not within the limit of the LCO, drywell average air temperature must be restored within 8 hours. The Required Action is necessary to return operation to within the bounds of the primary containment analysis. The 8 hour Completion Time is acceptable, considering the sensitivity of the analysis to variations in this parameter, and provides sufficient time to correct minor problems.

B.1 and B.2 If the drywell average air temperature cannot be restored to within limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.5.1 REQUIREMENTS Verifying that the drywell average air temperature is within the LCO limit ensures that operation remains within the limits assumed for the primary containment analyses. Drywell air temperature is monitored in various quadrants and at various elevations (referenced to mean sea level). Due to the shape of the drywell, a volumetric average is used to determine an accurate representation of the actual average temperature. Drywell Air Temperature B 3.6.1.5 HATCH UNIT 1 B 3.6-31 REVISION 69 BASES SURVEILLANCE SR 3.6.1.5.1 (continued) REQUIREMENTS For the situation in which some or all of the normal temperature channels are inoperable, plant procedures contain instructions on how to determine the volumetric average to determine an accurate representation of the actual average temperature using the remaining OPERABLE instruments. Depending upon the location and number of inoperable temperature channels and the plant condition, a correction factor may have to be added to the volumetric average temperature calculated from the remaining OPERABLE temperature channels. The correction factor accounts for the inoperable channels and ensures a reasonable value for the average volumetric temperature is calculated. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Sections 5.2 and 14.4.3.

2. FSAR, Section 5.2.3.2. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 1 B 3.6-35 REVISION 1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.7 Reactor Building-to-Suppression Chamber Vacuum Breakers

BASES BACKGROUND The function of the reactor building-to-suppression chamber vacuum breakers is to relieve vacuum when primary containment depressurizes below reactor building pressure. If the drywell depressurizes below reactor building pressure, the negative differential pressure is mitigated by flow through the reactor building-to-suppression chamber vacuum breakers and through the suppression-chamber-to-drywell vacuum breakers. The design of the external (reactor building-to-suppression chamber) vacuum relief provisions consists of two vacuum breakers (a mechanical vacuum breaker and an air operated butterfly valve), located in series in each of two lines from the reactor building to the suppression chamber airspace. The butterfly valve is actuated by differential pressure. The mechanical vacuum breaker is self actuating and can be remotely operated for testing purposes. The two vacuum breakers in series must be closed to maintain a leak tight primary containment boundary. A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, inadvertent primary containment spray actuation, and steam condensation in the event of a primary system rupture. Reactor building-to-suppression chamber vacuum breakers prevent an excessive negative differential pressure across the primary containment boundary. Cooling cycles result in minor pressure transients in the drywell, which occur slowly and are normally controlled by heating and ventilation equipment. Inadvertent spray actuation results in a more significant pressure transient and becomes important in sizing the external (reactor building-to-suppression chamber) vacuum breakers. The external vacuum breakers are sized on the basis of the air flow from the secondary containment that is required to mitigate the depressurization transient and limit the maximum negative containment (drywell and suppression chamber) pressure to within design limits. The maximum depressurization rate is a function of the primary containment spray flow rate and temperature and the assumed initial conditions of the primary containment atmosphere. Low spray temperatures and atmospheric conditions that yield the minimum amount of contained noncondensable gases are assumed for conservatism. Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 1 B 3.6-36 REVISION 1 BASES (continued) APPLICABLE Analytical methods and assumptions involving the reactor SAFETY ANALYSES building-to-suppression chamber vacuum breakers are part of the accident response of the containment systems. Internal (suppression chamber-to-drywell) and external (reactor building-to-suppression chamber) vacuum breakers are provided as part of the primary containment to limit the negative differential pressure across the drywell and suppression chamber walls, which form part of the primary containment boundary. While the explicit assumptions of the Unit 1 safety analysis are not described in Unit 1 FSAR Section 5.2 (Ref. 1), a comparison of the containment designs and accident responses of Units 1 and 2 indicate that the analyses described in Unit 2 FSAR Section 6.2.1 (Ref. 2) are appropriate for Unit 1. The Reference 2 safety analyses assume the external vacuum breakers to be closed initially and to be fully open at 0.5 psid. Additionally, of the two reactor building-to-suppression chamber vacuum breakers, one is assumed to fail in a closed position to satisfy the single active failure criterion. Design Basis Accident (DBA) analyses assume the vacuum breakers to be closed initially and to remain closed and leak tight with positive primary containment pressure. The reactor building-to-suppression chamber vacuum breakers satisfy Criterion 3 of the NRC Policy Statement (Ref. 3).

LCO All reactor building-to-suppression chamber vacuum breakers are required to be OPERABLE for opening to satisfy the assumptions used in the safety analyses. This requirement ensures both vacuum breakers in each line (mechanical vacuum breaker and air operated butterfly valve) will open to relieve a negative pressure in the suppression chamber. The LCO also ensures that the two vacuum breakers in each of the two lines from the reactor building to the suppression chamber airspace are closed (except when performing their intended function).

APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture, which purges the drywell of air and fills the drywell free airspace with steam. Subsequent condensation of the steam would result in depressurization of the drywell, which, after the suppression Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 1 B 3.6-37 REVISION 1 BASES APPLICABILITY chamber-to-drywell vacuum breakers open (due to the differential (continued) pressure between the suppression chamber and drywell), would result in depressurization of the suppression chamber. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside primary containment could also occur due to inadvertent initiation of the Drywell Spray System. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining reactor building-to-suppression chamber vacuum breakers OPERABLE is not required in MODE 4 or 5.

ACTIONS A Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. A.1 With one or more vacuum breakers not closed, the leak tight primary containment boundary may be threatened. Therefore, the inoperable vacuum breakers must be restored to OPERABLE status or the open vacuum breaker closed within 72 hours. The 72 hour Completion Time is consistent with requirements for inoperable suppression chamber-to-drywell vacuum breakers in LCO 3.6.1.8, "Suppression Chamber-to-Drywell Vacuum Breakers." The 72 hour Completion Time takes into account the redundant capability afforded by the remaining breakers, the fact that the OPERABLE breaker in each of the lines is closed, and the low probability of an event occurring that would require the vacuum breakers to be OPERABLE during this period. B.1 With one or more lines with two vacuum breakers not closed, primary containment integrity is not maintained. Therefore, one open vacuum breaker must be closed within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, "Primary Containment," which requires that primary containment be restored to OPERABLE status within 1 hour. Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 1 B 3.6-38 REVISION 69 BASES ACTIONS C.1 (continued) With one line with one or more vacuum breakers inoperable for opening, the leak tight primary containment boundary is intact. The ability to mitigate an event that causes a containment depressurization is threatened, however, if both vacuum breakers in at least one vacuum breaker penetration are not OPERABLE. Therefore, the inoperable vacuum breaker must be restored to OPERABLE status within 72 hours. This is consistent with the Completion Time for Condition A and the fact that the leak tight primary containment boundary is being maintained.

D.1 With two lines with one or more vacuum breakers inoperable for opening, the primary containment boundary is intact. However, in the event of a containment depressurization, the function of the vacuum breakers is lost. Therefore, all vacuum breakers in one line must be restored to OPERABLE status within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which require that primary containment be restored to OPERABLE status within 1 hour.

E.1 and E.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.7.1 REQUIREMENTS Each vacuum breaker is verified to be closed to ensure that a potential breach in the primary containment boundary is not present. This Surveillance is performed by observing local or control room indications of vacuum breaker position or by verifying a differential pressure of 0.5 psid is maintained between the reactor building and suppression chamber. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 1 B 3.6-39 REVISION 69 BASES SURVEILLANCE SR 3.6.1.7.1 (continued) REQUIREMENTS Two Notes are added to this SR. The first Note allows reactor building-to-suppression chamber vacuum breakers opened in conjunction with the performance of a Surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers. The second Note is included to clarify that vacuum breakers, which are open due to an actual differential pressure, are not considered as failing this SR. SR 3.6.1.7.2 Each vacuum breaker must be cycled to ensure that it opens properly to perform its design function and returns to its fully closed position. This ensures that the safety analysis assumptions are valid. The 92 day Frequency of this SR is in accordance with the requirements of the Inservice Testing Program. SR 3.6.1.7.3 Demonstration of vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 HATCH UNIT 1 B 3.6-40 REVISION 69 BASES (continued) REFERENCES 1. FSAR, Section 5.2.

2. Unit 2 FSAR, Section 6.2.1.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 1 B 3.6-41 REVISION 1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.8 Suppression Chamber-to-Drywell Vacuum Breakers

BASES BACKGROUND The function of the suppression chamber-to-drywell vacuum breakers is to relieve vacuum in the drywell. There are 12 internal vacuum breakers located on the vent header of the vent system between the drywell and the suppression chamber, which allow air and steam flow from the suppression chamber to the drywell when the drywell is at a negative pressure with respect to the suppression chamber. Therefore, suppression chamber-to-drywell vacuum breakers prevent an excessive negative differential pressure across the wetwell drywell boundary. Each vacuum breaker is a self actuating valve, similar to a check valve, which can be remotely operated for testing purposes. A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, inadvertent drywell spray actuation, and steam condensation from sprays or subcooled water reflood of a break in the event of a primary system rupture. Cooling cycles result in minor pressure transients in the drywell that occur slowly and are normally controlled by heating and ventilation equipment. Spray actuation or spill of subcooled water out of a break results in more significant pressure transients and becomes important in sizing the internal vacuum breakers. Increased differential pressure between the suppression chamber and the drywell can also be caused by operations which add gas to the suppression chamber or remove gas from the drywell. Such operations include inerting/de-inerting of the primary containment. In the event of a primary system rupture, steam condensation within the drywell results in the most severe pressure transient. Following a primary system rupture, air in the drywell is purged into the suppression chamber free airspace, leaving the drywell full of steam. Subsequent condensation of the steam can be caused in two possible ways, namely, Emergency Core Cooling Systems flow from a recirculation line break, or drywell spray actuation following a loss of coolant accident (LOCA). These two cases determine the maximum depressurization rate of the drywell. In addition, the waterleg in the Mark I Vent System downcomer is controlled by the drywell-to-suppression chamber differential pressure. If the drywell pressure is less than the suppression Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 1 B 3.6-42 REVISION 1 BASES BACKGROUND chamber pressure, there will be an increase in the vent waterleg.

(continued) This will result in an increase in the water clearing inertia in the event of a postulated LOCA, resulting in an increase in the peak drywell pressure. This in turn will result in an increase in the pool swell dynamic loads. The internal vacuum breakers limit the height of the waterleg in the vent system during normal operation. APPLICABLE Analytical methods and assumptions involving the suppression SAFETY ANALYSES chamber-to-drywell vacuum breakers are part of the accident response of the primary containment systems. Internal (suppression chamber-to-drywell) and external (reactor building-to-suppression chamber) vacuum breakers are provided as part of the primary containment to limit the negative differential pressure across the drywell and suppression chamber walls that form part of the primary containment boundary.

While the explicit assumptions of the Unit 1 safety analysis are not described in Unit 1 FSAR Section 5.2 (Ref. 1), a comparison of the containment designs and accident responses of Units 1 and 2 indicate that the analyses described in Unit 2 FSAR Section 6.2.1 (Ref. 2) are appropriate for Unit 1. The Reference 2 safety analyses assume that the internal vacuum breakers are closed initially and are fully open at a differential pressure of 0.5 psid. Additionally, 3 of the 12 internal vacuum breakers are assumed to fail in a closed position. The results of the analyses show that the design pressure is not exceeded even under the worst case accident scenario. The vacuum breaker opening differential pressure setpoint and the requirement that 10 of 12 vacuum breakers be OPERABLE (an additional vacuum breaker is required to meet the single failure criterion) are a result of the requirement placed on the vacuum breakers to limit the vent system waterleg height. The total cross sectional area of the main vent system between the drywell and suppression chamber needed to fulfill this requirement has been established as a minimum of 51.5 times the total break area. In turn, the vacuum relief capacity between the drywell and suppression chamber should be 1/16 of the total main vent cross sectional area, with the valves set to operate at 0.5 psid differential pressure. Design Basis Accident (DBA) analyses assume the vacuum breakers to be closed initially and to remain closed and leak tight. The suppression chamber-to-drywell vacuum breakers satisfy Criterion 3 of the NRC Policy Statement (Ref. 3). Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 1 B 3.6-43 REVISION 1 BASES (continued) LCO Only 10 of the 12 vacuum breakers must be OPERABLE for opening. All suppression chamber-to-drywell vacuum breakers, however, are required to be closed (except when the vacuum breakers are performing their intended design function). The vacuum breaker OPERABILITY requirement provides assurance that the drywell-to-suppression chamber negative differential pressure remains below the design value. The requirement that the vacuum breakers be closed ensures that there is no excessive bypass leakage should a LOCA occur. APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall, caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture that purges the drywell of air and fills the drywell free airspace with steam. Subsequent condensation of the steam would result in depressurization of the drywell. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside the primary containment could also occur due to inadvertent actuation of the Drywell Spray System. In MODES 4 and 5, the probability and consequences of these events are reduced by the pressure and temperature limitations in these MODES. Therefore, maintaining suppression chamber-to-drywell vacuum breakers OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one of the required vacuum breakers inoperable for opening (e.g., the vacuum breaker is not open and may be stuck closed or not within its opening setpoint limit, so that it would not function as designed during an event that depressurized the drywell), the remaining nine OPERABLE vacuum breakers are capable of providing the vacuum relief function. However, overall system reliability is reduced because a single failure in one of the remaining vacuum breakers could result in an excessive suppression chamber-to-drywell differential pressure during a DBA. Therefore, with 1 of the 10 required vacuum breakers inoperable, 72 hours is allowed to restore at least one of the inoperable vacuum breakers to OPERABLE status so that plant conditions are consistent with those assumed for the design basis analysis. The 72 hour Completion Time is Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 1 B 3.6-44 REVISION 1 BASES ACTIONS A.1 (continued) considered acceptable due to the low probability of an event in which the remaining vacuum breaker capability would not be adequate.

B.1 An open vacuum breaker allows communication between the drywell and suppression chamber airspace, and, as a result, there is the potential for suppression chamber overpressurization due to this bypass leakage if a LOCA were to occur. Therefore, the open vacuum breaker must be closed. The required 2 hour Completion Time is allowed to close the vacuum breaker due to the low probability of an event that would pressurize primary containment.

C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.8.1 REQUIREMENTS Each vacuum breaker is verified closed to ensure that this potential large bypass leakage path is not present. This Surveillance is performed by observing the vacuum breaker position indication or by verifying that a differential pressure of 0.5 psid between the drywell and suppression chamber is maintained for 1 hour without makeup. However, if vacuum breaker position indication is not reliable, either due to: 1) dual or open indication while torus-to-drywell differential pressure remains normal, or 2) closed indication while torus-to-drywell differential pressure remains steady at 0 psid, alternate methods of verifying that the vacuum breaker is closed are detailed in Technical Requirements Manual (TRM) (Ref. 4), T3.6.1, "Suppression Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 1 B 3.6-45 REVISION 69 BASES SURVEILLANCE SR 3.6.1.8.1 (continued) REQUIREMENTS Chamber-to-Drywell Vacuum Breaker Position Indication," as ACTIONS for inoperable closed position indicator channels. If position indication is reliable (dual or open indication while torus-to-drywell differential pressure is steady at 0 psid), and indicates open, the alternate methods outlined in the TRM T3.6.1 ACTIONS can prove the indication to be in error and the vacuum breaker closed. However, in this case the vacuum breaker is assumed open until otherwise proved to satisfy the leakage test, and this confirmation must be performed within the Technical Specification 3.6.1.8, Required Action B.1, Completion Time of 2 hours. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A Note is added to this SR which allows suppression chamber-to-drywell vacuum breakers opened in conjunction with the performance of a Surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers.

SR 3.6.1.8.2 Each required (i.e., required to be OPERABLE for opening) vacuum breaker must be cycled to ensure that it opens adequately to perform its design function and returns to the fully closed position. This ensures that the safety analysis assumptions are valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, this functional test is required within 12 hours after a discharge of steam to the suppression chamber from the safety/relief valves. SR 3.6.1.8.3 Verification of the vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 HATCH UNIT 1 B 3.6-46 REVISION 69 BASES (continued) REFERENCES 1. FSAR, Section 5.2.

2. Unit 2 FSAR, Section 6.2.1.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 4. Technical Requirements Manual, TLCO 3.6.1.

Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 1 B 3.6-47 REVISION 1 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.1 Suppression Pool Average Temperature

BASES BACKGROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the decay heat and sensible energy released during a reactor blowdown from safety/relief valve discharges or from Design Basis Accidents (DBAs). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment that ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (ASME Code allowable of 62 psig). The suppression pool must also condense steam from steam exhaust lines in the turbine driven systems (i.e., the High Pressure Coolant Injection System and Reactor Core Isolation Cooling System). Suppression pool average temperature (along with LCO 3.6.2.2, "Suppression Pool Water Level") is a key indication of the capacity of the suppression pool to fulfill these requirements. The technical concerns that lead to the development of suppression pool average temperature limits are as follows: a. Complete steam condensation; b. Primary containment peak pressure and temperature;

c. Condensation oscillation loads; and d. Chugging loads. APPLICABLE The postulated DBA against which the primary containment SAFETY ANALYSES performance is evaluated is the entire spectrum of postulated pipe breaks within the primary containment. Inputs to the safety analyses include initial suppression pool water volume and suppression pool temperature (Reference 1 for LOCAs and for the pool temperature analyses required by Reference 2). An initial pool temperature of 110°F is assumed for the Reference 1 analyses. Reactor shutdown at a pool temperature of 110°F and vessel depressurization at a pool temperature of 120°F are assumed for the Reference 1 analyses.

The limit of 105°F, at which testing is terminated, is not used in the Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 1 B 3.6-48 REVISION 1 BASES APPLICABLE safety analyses because DBAs are assumed to not initiate during unit SAFETY ANALYSES testing.

(continued)

Suppression pool average temperature satisfies Criteria 2 and 3 of the NRC Policy Statement (Ref. 4). LCO A limitation on the suppression pool average temperature is required to provide assurance that the containment conditions assumed for the safety analyses are met. This limitation subsequently ensures that peak primary containment pressures and temperatures do not exceed maximum allowable values during a postulated DBA or any transient resulting in heatup of the suppression pool. The LCO requirements are:

a. Average temperature 100°F when any OPERABLE intermediate range monitor (IRM) channel is > 25/40 divisions of full scale on Range 7 and no testing that adds heat to the suppression pool is being performed. This requirement ensures that licensing bases initial conditions are met.

b. Average temperature 105°F when any OPERABLE IRM channel is > 25/40 divisions of full scale on Range 7 and testing that adds heat to the suppression pool is being performed. This required value ensures that the unit has testing flexibility, and was selected to provide margin below the 110°F limit at which reactor shutdown is required. When testing ends, temperature must be restored to 100°F within 24 hours according to Required Action A.2. Therefore, the time period that the temperature is > 100°F is short enough not to cause a significant increase in unit risk.

c. Average temperature 110°F when all OPERABLE IRM channels are 25/40 divisions of full scale on Range 7. This requirement ensures that the unit will be shut down at > 110°F.

The pool is designed to absorb decay heat and sensible heat but could be heated beyond design limits by the steam generated if the reactor is not shut down. Note that 25/40 divisions of full scale on IRM Range 7 is a convenient measure of when the reactor is producing power essentially equivalent to 1% RTP. At this power level, heat input is approximately equal to normal system heat losses. Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 1 B 3.6-49 REVISION 1 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause significant heatup of the suppression pool. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining suppression pool average temperature within limits is not required in MODE 4 or 5. ACTIONS A.1 and A.2 With the suppression pool average temperature above the specified limit when not performing testing that adds heat to the suppression pool and when above the specified power indication, the initial conditions exceed the conditions assumed for the References 1 and 3 analyses. However, primary containment cooling capability still exists, and the primary containment pressure suppression function will occur at temperatures well above those assumed for safety analyses. Therefore, continued operation is allowed for a limited time. The 24 hour Completion Time is adequate to allow the suppression pool average temperature to be restored below the limit. Additionally, when suppression pool temperature is > 100°F, increased monitoring of the suppression pool temperature is required to ensure that it remains 110°F. The once per hour Completion Time is adequate based on past experience, which has shown that pool temperature increases relatively slowly except when testing that adds heat to the suppression pool is being performed. Furthermore, the once per hour Completion Time is considered adequate in view of other indications in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition. B.1 If the suppression pool average temperature cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the power must be reduced to < 25/40 divisions of full scale on Range 7 for all OPERABLE IRMs within 12 hours. The 12 hour Completion Time is reasonable, based on operating experience, to reduce power from full power conditions in an orderly manner and without challenging plant systems.

Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 1 B 3.6-50 REVISION 1 BASES ACTIONS C.1 (continued) Suppression pool average temperature is allowed to be > 100°F when any OPERABLE IRM channel is > 25/40 divisions of full scale on Range 7, and when testing that adds heat to the suppression pool is being performed. However, if temperature is > 105°F, all testing must be immediately suspended to preserve the heat absorption capability of the suppression pool. With the testing suspended, Condition A is entered and the Required Actions and associated Completion Times are applicable. D.1, D.2, and D.3 Suppression pool average temperature > 110°F requires that the reactor be shut down immediately. This is accomplished by placing the reactor mode switch in the shutdown position. Further, cooldown to MODE 4 is required at normal cooldown rates (provided pool temperature remains 120°F). Additionally, when suppression pool temperature is > 110°F, increased monitoring of pool temperature is required to ensure that it remains 120°F. The once per 30 minute Completion Time is adequate, based on operating experience. Given the high suppression pool average temperature in this Condition, the monitoring Frequency is increased to twice that of Condition A. Furthermore, the 30 minute Completion Time is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition. E.1 and E.2 If suppression pool average temperature cannot be maintained at 120°F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the reactor pressure must be reduced to < 200 psig within 12 hours, and the plant must be brought to at least MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. Continued addition of heat to the suppression pool with suppression pool temperature > 120°F could result in exceeding the design basis maximum allowable values for primary containment temperature or pressure. Furthermore, if a blowdown were to occur when the temperature was > 120°F, the maximum allowable bulk and local temperatures could be exceeded very quickly. Suppression Pool Average Temperature B 3.6.2.1 HATCH UNIT 1 B 3.6-51 REVISION 69 BASES (continued) SURVEILLANCE SR 3.6.2.1.1 REQUIREMENTS The suppression pool average temperature (torus average bulk temperature) is regularly monitored to ensure that the required limits are satisfied. The average temperature is determined by using a weighted average of functional suppression pool water temperature channels. The channels in the lower half of the suppression pool are averaged and the channels in the upper half of the suppression pool are averaged. The suppression pool average temperature is the average of the upper and lower average temperatures. For the situation in which some or all of either the upper half or the lower half temperature channels are inoperable, plant procedures contain instructions on how to determine the suppression pool average temperature using the remaining OPERABLE instruments. Depending upon the location and number of inoperable channels and the plant condition, a correction factor may have to be added to the average temperature calculated from the remaining OPERABLE temperature channels. The correction factor accounts for the inoperable channels and ensures a reasonable value for the average bulk temperature is calculated. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The 5 minute Frequency during testing is justified by the rates at which tests will heat up the suppression pool, has been shown to be acceptable based on operating experience, and provides assurance that allowable pool temperatures are not exceeded. The Frequency is further justified in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition. REFERENCES 1. GE Report EAS-19-0388, "Elimination of the Suppression Pool Temperature Limit for Plant Hatch Units 1 and 2," March 1988. 2. NUREG-0783. 3. FSAR, Sections 5.2 and 14.4.3.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Suppression Pool Water Level B 3.6.2.2 (continued) HATCH UNIT 1 B 3.6-52 REVISION 1 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.2 Suppression Pool Water Level

BASES BACKGROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the energy associated with decay heat and sensible heat released during a reactor blowdown from safety/relief valve (S/RV) discharges or from a Design Basis Accident (DBA). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment, which ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (ASME Code allowable of 62 psig). The suppression pool must also condense steam from the steam exhaust lines in the turbine driven systems (i.e., High Pressure Coolant Injection (HPCI) System and Reactor Core Isolation Cooling (RCIC) System) and provides the main emergency water supply source for the reactor vessel. The suppression pool volume ranges between approximately 85,000 ft3 at the low water level limit of 146 inches and approximately 88,000 ft3 at the high water level limit of 150 inches. If the suppression pool water level is too low, an insufficient amount of water would be available to adequately condense the steam from the S/RV quenchers, main vents, or HPCI and RCIC turbine exhaust lines. Low suppression pool water level could also result in an inadequate emergency makeup water source to the Emergency Core Cooling System. The lower volume would also absorb less steam energy before heating up excessively. Therefore, a minimum suppression pool water level is specified. If the suppression pool water level is too high, it could result in insufficient volume to accommodate noncondensable gases and excessive pool swell loads during a DBA LOCA. Therefore, a maximum pool water level is specified. This LCO specifies an acceptable range to prevent the suppression pool water level from being either too high or too low. APPLICABLE Initial suppression pool water level affects suppression pool SAFETY ANALYSES temperature response calculations, calculated drywell pressure during vent clearing for a DBA, calculated pool swell loads for a DBA LOCA, and calculated loads due to S/RV discharges. Suppression pool Suppression Pool Water Level B 3.6.2.2 (continued) HATCH UNIT 1 B 3.6-53 REVISION 1 BASES APPLICABLE water level must be maintained within the limits specified so that the SAFETY ANALYSES safety analysis of Reference 1 remains valid.

(continued)

Suppression pool water level satisfies Criteria 2 and 3 of the NRC Policy Statement (Ref. 2). LCO A limit that suppression pool water level be 146 inches and 150 inches is required to ensure that the primary containment conditions assumed for the safety analyses are met. Either the high or low water level limits were used in the safety analyses, depending upon which is more conservative for a particular calculation. APPLICABILITY In MODES 1, 2, and 3, a DBA would cause significant loads on the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. The requirements for maintaining suppression pool water level within limits in MODE 4 or 5 are addressed in LCO 3.5.2, "ECCS - Shutdown." ACTIONS A.1 With suppression pool water level outside the limits, the conditions assumed for the safety analyses are not met. If water level is below the minimum level, the pressure suppression function still exists as long as main vents are covered, HPCI and RCIC turbine exhausts are covered, and S/RV quenchers are covered. If suppression pool water level is above the maximum level, protection against overpressurization still exists due to the margin in the peak containment pressure analysis and the capability of the Drywell Spray System. Therefore, continued operation for a limited time is allowed. The 2 hour Completion Time is sufficient to restore suppression pool water level to within limits. Also, it takes into account the low probability of an event impacting the suppression pool water level occurring during this interval.

Suppression Pool Water Level B 3.6.2.2 HATCH UNIT 1 B 3.6-54 REVISION 69 BASES ACTIONS B.1 and B.2 (continued) If suppression pool water level cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.2.1 REQUIREMENTS Verification of the suppression pool water level is to ensure that the required limits are satisfied. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Sections 5.2 and 14.4.3. 2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. RHR Suppression Pool Cooling B 3.6.2.3 (continued) HATCH UNIT 1 B 3.6-55 REVISION 1 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling

BASES BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Cooling System removes heat from the suppression pool. The suppression pool is designed to absorb the sudden input of heat from the primary system. In the long term, the pool continues to absorb residual heat generated by fuel in the reactor core. Some means must be provided to remove heat from the suppression pool so that the temperature inside the primary containment remains within design limits. This function is provided by two redundant RHR suppression pool cooling subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES. Each RHR subsystem contains two pumps and one heat exchanger and is manually initiated and independently controlled. The two subsystems perform the suppression pool cooling function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool. RHR service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat sink. The heat removal capability of one RHR pump in one subsystem is sufficient to meet the overall DBA pool cooling requirement for loss of coolant accidents (LOCAs) and transient events such as a turbine trip or stuck open safety/relief valve (S/RV). S/RV leakage and high pressure core injection and Reactor Core Isolation Cooling System testing increase suppression pool temperature more slowly. The RHR Suppression Pool Cooling System is also used to lower the suppression pool water bulk temperature following such events. APPLICABLE Reference 1 contains the results of analyses used to predict primary SAFETY ANALYSES containment pressure and temperature following large and small break LOCAs. The intent of the analyses is to demonstrate that the heat removal capacity of the RHR Suppression Pool Cooling System is adequate to maintain the primary containment conditions within design limits. The suppression pool temperature is calculated to remain below the design limit. The RHR Suppression Pool Cooling System satisfies Criterion 3 of the NRC Policy Statement (Ref. 3). RHR Suppression Pool Cooling B 3.6.2.3 (continued) HATCH UNIT 1 B 3.6-56 REVISION 48 BASES (continued) LCO During a DBA, a minimum of one RHR suppression pool cooling subsystem is required to maintain the primary containment peak pressure and temperature below design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool cooling subsystems must be OPERABLE with power from two safety related independent power supplies. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR suppression pool cooling subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE. Each RHR suppression pool cooling subsystem is supported by an independent subsystem of the Residual Heat Removal Service Water (RHRSW) System. Specifically, two OPERABLE RHRSW pumps and an OPERABLE flow path, as defined in the Bases for LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System," are required to provide the necessary heat transfer from the heat exchanger and, thereby, support each suppression pool cooling subsystem. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment and cause a heatup and pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, the RHR Suppression Pool Cooling System is not required to be OPERABLE in MODE 4 or 5. ACTIONS A.1 With one RHR suppression pool cooling subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining RHR suppression pool cooling subsystem is adequate to perform the primary containment cooling function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment cooling capability. The 7 day Completion Time is acceptable in light of the redundant RHR suppression pool cooling capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period. RHR Suppression Pool Cooling B 3.6.2.3 (continued) HATCH UNIT 1 B 3.6-57 REVISION 69 BASES ACTIONS B.1 (continued) With two RHR suppression pool cooling subsystems inoperable, one subsystem must be restored to OPERABLE status within 8 hours. In this condition, there is a substantial loss of the primary containment pressure and temperature mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and because alternative methods to remove heat from primary containment are available.

C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.2.3.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool cooling mode flow path provides assurance that the proper flow path exists for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RHR Suppression Pool Cooling B 3.6.2.3 HATCH UNIT 1 B 3.6-58 REVISION 15 BASES SURVEILLANCE SR 3.6.2.3.2 REQUIREMENTS (continued) Verifying that each required RHR pump develops a flow rate 7700 gpm while operating in the suppression pool cooling mode with flow through the associated heat exchanger ensures that pump performance has not degraded during the cycle. Flow is a normal test of centrifugal pump performance required by ASME Code, Section XI (Ref. 2). This test confirms one point on the pump design curve, and the results are indicative of overall performance. Such inservice tests confirm component OPERABILITY and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

REFERENCES 1. FSAR, Sections 5.2 and 14.4.3.

2. ASME, Boiler and Pressure Vessel Code, Section XI.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Suppression Pool Spray B 3.6.2.4 (continued) HATCH UNIT 1 B 3.6-59 REVISION 1 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray

BASES BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Spray System removes heat from the suppression chamber airspace. The suppression pool is designed to absorb the sudden input of heat from the primary system from a DBA or a rapid depressurization of the reactor pressure vessel (RPV) through safety/relief valves. The heat addition to the suppression pool results in increased steam in the suppression chamber, which increases primary containment pressure. Steam blowdown from a DBA can also bypass the suppression pool and end up in the suppression chamber airspace. Some means must be provided to remove heat from the suppression chamber so that the pressure and temperature inside primary containment remain within analyzed design limits. This function is provided by two redundant RHR suppression pool spray subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES. Each of the two RHR suppression pool spray subsystems contains two pumps and one heat exchanger, which are manually initiated and independently controlled. The two subsystems perform the suppression pool spray function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool spray spargers. The spargers only accommodate a small portion of the total RHR pump flow; the remainder of the flow returns to the suppression pool through the suppression pool cooling return line. Thus, both suppression pool cooling and suppression pool spray functions are performed when the Suppression Pool Spray System is initiated. RHR service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat sink. Either RHR suppression pool spray subsystem is sufficient to condense the steam from small bypass leaks from the drywell to the suppression chamber airspace during the postulated DBA. APPLICABLE Reference 1 contains the results of analyses used to predict primary SAFETY ANALYSES containment pressure and temperature following large and small break loss of coolant accidents. The intent of the analyses is to demonstrate that the pressure reduction capacity of the RHR Suppression Pool Spray System is adequate to maintain the primary RHR Suppression Pool Spray B 3.6.2.4 (continued) HATCH UNIT 1 B 3.6-60 REVISION 15 BASES APPLICABLE containment conditions within design limits. The time history for SAFETY ANALYSES primary containment pressure is calculated to demonstrate that the (continued) maximum pressure remains below the design limit. The RHR Suppression Pool Spray System satisfies Criterion 3 of the NRC Policy Statement (Ref. 2). LCO In the event of a DBA, a minimum of one RHR suppression pool spray subsystem is required to mitigate potential bypass leakage paths and maintain the primary containment peak pressure below the design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool spray subsystems must be OPERABLE with power from two safety related independent power supplies. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR suppression pool spray subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE. Each RHR suppression pool spray subsystem is supported by an independent subsystem of the Residual Heat Removal Service Water (RHRSW) System. Specifically, two OPERABLE RHRSW pumps and an OPERABLE flow path, as defined in the Bases for LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System," are required to provide the necessary heat transfer from the heat exchanger and, thereby, support each suppression pool spray subsystem. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining RHR suppression pool spray subsystems OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one RHR suppression pool spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE RHR suppression pool spray subsystem is adequate to perform the primary containment bypass leakage mitigation function. RHR Suppression Pool Spray B 3.6.2.4 (continued) HATCH UNIT 1 B 3.6-61 REVISION 15 BASES ACTIONS A.1 (continued) However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment bypass mitigation capability. The 7 day Completion Time was chosen in light of the redundant RHR suppression pool spray capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period. B.1 With both RHR suppression pool spray subsystems inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours. In this Condition, there is a substantial loss of the primary containment bypass leakage mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and because alternative methods to remove heat from primary containment are available.

C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.4.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool spray mode flow path provides assurance that the proper flow paths will exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool RHR Suppression Pool Spray B 3.6.2.4 HATCH UNIT 1 B 3.6-62 REVISION 69 BASES SURVEILLANCE SR 3.6.2.4.1 (continued) REQUIREMENTS cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Fequency is controlled under the Surveillance Frequency Control Program. SR 3.6.2.4.2 This Surveillance is performed every 10 years to verify that the spray nozzles are not obstructed and that flow will be provided when required. The Surveillance Fequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Sections 5.2 and 14.4.3.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Drywell Spray B 3.6.2.5 (continued) HATCH UNIT 1 B 3.6-63 REVISION 70 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.5 Residual Heat Removal (RHR) Drywell Spray

BASES BACKGROUND The Drywell Spray is a mode of the RHR system which may be initiated under post accident conditions to reduce the temperature and pressure of the primary containment atmosphere. Each of the two RHR subsystems consists of two pumps, one heat exchanger, containment spray valves, and a spray header in the drywell. RHR drywell spray is a manually initiated function which can only be placed in service if adequate core cooling is assured. A physical interlock prevents opening the spray valves unless reactor water level is above two thirds core height. However, under certain conditions as delineated by the emergency operating procedures, this interlock may be bypassed. Water is pumped from the suppression pool and through the RHR heat exchangers, after which it is diverted to the spray headers in the drywell. The spray then effects a temperature and pressure reduction through the combined effects of evaporative and convective cooling, depending on the drywell atmosphere. If the atmosphere is superheated, a rapid evaporative cooling process will ensue. If the environment in the drywell is saturated, temperature and pressure will be reduced via a convective cooling process. The drywell spray is also operated post-LOCA to wash, or scrub, inorganic iodines and particulates from the drywell atmosphere into the suppression pool. At Plant Hatch, the drywell spray is credited post-LOCA for both the scrubbing function as well as the temperature and pressure reduction effects. The drywell spray is not credited in determining the post-LOCA peak primary containment internal pressure; however, the Hatch radiological dose analysis does take credit for the drywell spray temperature and pressure reduction over time in reducing the post-LOCA primary containment leakage and main steam isolation valve leakage. RHR Service Water (RHRSW), circulating through the tube side of the heat exchangers, supports the drywell spray temperature and pressure reduction function by exchanging heat with the suppression pool water and discharging the heat to the external heat sink. The drywell spray mode of RHR is described in the FSAR, Reference 1. RHR Drywell Spray B 3.6.2.5 (continued) HATCH UNIT 1 B 3.6-64 REVISION 70 BASES (continued) APPLICABLE The RHR drywell spray is credited post-LOCA for scrubbing inorganic SAFETY ANALYSES iodines and particulates from the primary containment atmosphere. This function reduces the amount of airborne activity available for leakage from the primary containment. The RHR drywell spray also reduces the temperature and pressure in the drywell over time, thereby reducing the post-LOCA primary containment and main steam isolation valve leakage to within the assumptions of the Hatch radiological dose analysis. The RHR drywell spray system is not required to maintain the primary containment peak post-LOCA pressure within design limits. Reference 2 contains the results of analyses used to predict the effects of drywell spray on the post accident primary containment atmosphere, as well as the primary containment leak rate analysis. The RHR drywell spray system satisfies criterion 3 of the NRC Policy Statement (Reference 3). LCO In the event of a LOCA, a minimum of one RHR drywell spray subsystem using one RHR pump is required to adequately scrub the inorganic iodines and particulates from the primary containment atmosphere. One RHR drywell spray system using one RHR pump is also adequate to reduce the primary containment temperature and pressure to maintain the primary containment and main steam isolation valve post-accident leakage rates within the limits assumed in the Hatch radiological dose analysis. To ensure these requirements are met, two RHR drywell spray subsystems must be OPERABLE with power supplies from two safety related independent power supplies. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single failure. An RHR drywell spray subsystem is considered OPERABLE when one of the two pumps in the subsystem, the heat exchanger, associated piping, valves, instrumentation, and controls are OPERABLE. Each RHR drywell spray subsystem is supported by an independent subsystem of the RHRSW system. Specifically, two RHRSW pumps and an OPERABLE flow path are required to provide the necessary heat transfer from the heat exchanger and thereby support each drywell spray subsystem.

RHR Drywell Spray B 3.6.2.5 (continued) HATCH UNIT 1 B 3.6-65 REVISION 70 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause the pressurization of, and the release of fission products into, the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to pressure and temperature limitations in these MODES. Therefore, maintaining RHR drywell spray subsystems OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one drywell spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE RHR drywell spray subsystem is adequate to perform the primary containment fission product scrubbing and temperature and pressure reduction functions. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in the loss of the scrubbing and temperature and pressure reduction capabilities of the RHR drywell spray system. The 7 day Completion Time was chosen because of the capability of the redundant and OPERABLE RHR drywell spray subsystem and the low probability of a DBA occurring during this period. B.1 With both RHR drywell spray subsystems inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours. In this Condition, there is a substantial loss of the fission product scrubbing and temperature and pressure reduction functions of the RHR drywell spray system. The 8 hour Completion Time is based on the low probability of a DBA during this period. C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems. RHR Drywell Spray B 3.6.2.5 HATCH UNIT 1 B 3.6-66 REVISION 70 BASES (continued) SURVEILLANCE SR 3.6.2.5.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR drywell spray flow path provides assurance that the proper flow paths will exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the non-accident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR drywell spray mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.2.5.2 This surveillance is performed following maintenance which could result in nozzle blockage to verify that the spray nozzles are not obstructed and that flow will be provided when required. The frequency is adequate to detect degradation in performance due to the passive nozzle design and its normally dry state and has been shown to be acceptable through operating experience.

REFERENCES 1. FSAR Section 4.8.

2. Unit 2 FSAR, Section 15.3. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

CAD System B 3.6.3.1 (continued) HATCH UNIT 1 B 3.6-67 REVISION 70 B 3.6 CONTAINMENT SYSTEMS B 3.6.3.1 Containment Atmosphere Dilution (CAD) System

BASES BACKGROUND The CAD System functions to maintain combustible gas concentrations within the primary containment at or below the flammability limits following a postulated loss of coolant accident (LOCA) by diluting hydrogen and oxygen with nitrogen. To ensure that a combustible gas mixture does not occur following a LOCA, oxygen concentration is kept 5.0 volume percent (v/o), or hydrogen concentration is kept 4.0 v/o. The CAD System is manually initiated and consists of two independent, 100% capacity subsystems. Each subsystem includes a liquid nitrogen supply tank, ambient vaporizer, and connected piping to supply the drywell and suppression chamber volumes. The Nitrogen Storage Tanks each contain 2000 gallons, which is adequate for 7 days of CAD subsystem operation. (CAD subsystem A is supplied from the Unit 1 Nitrogen Storage Tank, and CAD subsystem B is supplied from the Unit 2 Nitrogen Storage Tank.) The CAD System operates in conjunction with emergency operating procedures that are used to reduce primary containment pressure periodically during CAD System operation. This combination results in a feed and bleed approach to maintaining hydrogen and oxygen concentrations below combustible levels. APPLICABLE To evaluate the potential for hydrogen and oxygen accumulation SAFETY ANALYSES in primary containment following a LOCA, hydrogen and oxygen generation is calculated (as a function of time following the initiation of the accident). The assumptions stated in Reference 1 are used to maximize the amount of hydrogen and oxygen generated. The calculation confirms that when the mitigating systems are actuated in accordance with emergency operating procedures, the peak oxygen concentration in primary containment is 5.0 v/o (Ref. 2). Hydrogen and oxygen may accumulate within primary containment following a LOCA as a result of: a. A metal water reaction between the zirconium fuel rod cladding and the reactor coolant; or CAD System B 3.6.3.1 (continued) HATCH UNIT 1 B 3.6-68 REVISION 70 BASES APPLICABLE b. Radiolytic decomposition of water in the Reactor Coolant SAFETY ANALYSES System.

(continued)

The CAD System satisfies Criterion 3 of the NRC Policy Statement (Ref. 3). LCO Two CAD subsystems must be OPERABLE. This ensures operation of at least one CAD subsystem in the event of a worst case single active failure. Operation of at least one CAD subsystem is designed to maintain primary containment post-LOCA oxygen concentration 5.0 v/o for 7 days. APPLICABILITY In MODES 1 and 2, the CAD System is required to maintain the oxygen concentration within primary containment below the flammability limit of 5.0 v/o following a LOCA. This ensures that the relative leak tightness of primary containment is adequate and prevents damage to safety related equipment and instruments located within primary containment. In MODE 3, both the hydrogen and oxygen production rates and the total amounts produced after a LOCA would be less than those calculated for the Design Basis Accident LOCA. Thus, if the analysis were to be performed starting with a LOCA in MODE 3, the time to reach a flammable concentration would be extended beyond the time conservatively calculated for MODES 1 and 2. The extended time would allow hydrogen removal from the primary containment atmosphere by other means and also allow repair of an inoperable CAD subsystem, if CAD were not available. Therefore, the CAD System is not required to be OPERABLE in MODE 3. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to the pressure and temperature limitations of these MODES. Therefore, the CAD System is not required to be OPERABLE in MODES 4 and 5. ACTIONS A.1 If one CAD subsystem is inoperable, it must be restored to OPERABLE status within 30 days. In this Condition, the remaining OPERABLE CAD subsystem is adequate to perform the oxygen CAD System B 3.6.3.1 (continued) HATCH UNIT 1 B 3.6-69 REVISION 70 BASES ACTIONS A.1 (continued) control function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced oxygen control capability. The 30 day Completion Time is based on the low probability of the occurrence of a LOCA that would generate hydrogen and oxygen in amounts capable of exceeding the flammability limit, the amount of time available after the event for operator action to prevent exceeding this limit, and the availability of the OPERABLE CAD subsystem and other hydrogen mitigating systems. B.1 and B.2 With two CAD subsystems inoperable, the ability to perform the hydrogen control function via alternate capabilities must be verified by administrative means within 1 hour. The alternate hydrogen control capabilities are provided by the Primary Containment Purge System. The 1 hour Completion Time allows a reasonable period of time to verify that a loss of hydrogen control function does not exist. In addition, the alternate hydrogen control system capability must be verified once per 12 hours thereafter to ensure its continued availability. Both the initial verification and all subsequent verifications may be performed as an administrative check by examining logs or other information to determine the availability of the alternate hydrogen control system. It does not mean to perform the Surveillances needed to demonstrate OPERABILITY of the alternate hydrogen control system. If the ability to perform the hydrogen control function is maintained, continued operation is permitted with two CAD subsystems inoperable for up to 7 days. Seven days is a reasonable time to allow two CAD subsystems to be inoperable because the hydrogen control function is maintained and because of the low probability of the occurrence of a LOCA that would generate hydrogen in amounts capable of exceeding the flammability limit. CAD System B 3.6.3.1 (continued) HATCH UNIT 1 B 3.6-70 REVISION 70 BASES ACTIONS B.1 and B.2 (continued) With two CAD subsystems inoperable, one CAD subsystem must be restored to OPERABLE status within 7 days. The 7 day Completion Time is based on the low probability of the occurrence of a LOCA that would generate hydrogen in the amounts capable of exceeding the flammability limit, the amount of time available after the event for operator action to prevent exceeding this limit, and the availability of other hydrogen mitigating systems.

C.1 If any Required Action cannot be met within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.3.1.1 REQUIREMENTS Verifying that there is 2000 gallons of liquid nitrogen supply in each Nitrogen Storage Tank will ensure at least 7 days of post-LOCA CAD operation. This minimum volume of liquid nitrogen allows sufficient time after an accident to replenish the nitrogen supply for long term inerting. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.3.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in each of the CAD subsystem flow paths provides assurance that the proper flow paths exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. CAD System B 3.6.3.1 HATCH UNIT 1 B 3.6-71 REVISION 70 BASES SURVEILLANCE SR 3.6.3.1.2 (continued) REQUIREMENTS A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within 9 hours. This is acceptable because the CAD System is manually initiated. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. Regulatory Guide 1.7, Revision 0.

2. FSAR, Section 5.2.3.4.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Primary Containment Oxygen Concentration B 3.6.3.2 (continued) HATCH UNIT 1 B 3.6-72 REVISION 70 B 3.6 CONTAINMENT SYSTEMS

B 3.6.3.2 Primary Containment Oxygen Concentration

BASES BACKGROUND Boiling water reactors must be designed to withstand events that generate hydrogen either due to the zirconium metal water reaction in the core or due to radiolysis. The primary method to control hydrogen is to inert the primary containment. With the primary containment inert, that is, oxygen concentration < 4.0 volume percent (v/o), a combustible mixture cannot be present in the primary containment for any hydrogen concentration. The capability to inert the primary containment and maintain oxygen < 4.0 v/o works together with the Containment Atmosphere Dilution System (LCO 3.6.3.1, "Containment Atmosphere Dilution (CAD) System") to provide redundant and diverse methods to mitigate events that produce hydrogen. For example, an event that rapidly generates hydrogen from zirconium metal water reaction will result in excessive hydrogen in primary containment, but oxygen concentration will remain < 4.0 v/o and no combustion can occur. Long term generation of both hydrogen and oxygen from radiolytic decomposition of water may eventually result in a combustible mixture in primary containment, except that the CAD System removes hydrogen and oxygen gases faster than they can be produced from radiolysis and again no combustion can occur. This LCO ensures that oxygen concentration does not exceed 4.0 v/o during operation in the applicable conditions.

APPLICABLE The Reference 1 calculations assume that the primary containment SAFETY ANALYSES is inerted when a Design Basis Accident loss of coolant accident occurs. Thus, the hydrogen assumed to be released to the primary containment as a result of metal water reaction in the reactor core will not produce combustible gas mixtures in the primary containment. Oxygen, which is subsequently generated by radiolytic decomposition of water, is diluted and removed by the CAD System more rapidly than it is produced. Primary containment oxygen concentration satisfies Criterion 2 of the NRC Policy Statement (Ref. 2).

Primary Containment Oxygen Concentration B 3.6.3.2 (continued) HATCH UNIT 1 B 3.6-73 REVISION 70 BASES (continued) LCO The primary containment oxygen concentration is maintained < 4.0 v/o to ensure that an event that produces any amount of hydrogen does not result in a combustible mixture inside primary containment.

APPLICABILITY The primary containment oxygen concentration must be within the specified limit when primary containment is inerted, except as allowed by the relaxations during startup and shutdown addressed below. The primary containment must be inert in MODE 1, since this is the condition with the highest probability of an event that could produce hydrogen. Inerting the primary containment is an operational problem because it prevents containment access without an appropriate breathing apparatus. Therefore, the primary containment is inerted as late as possible in the plant startup and de-inerted as soon as possible in the plant shutdown. As long as reactor power is < 15% RTP, the potential for an event that generates significant hydrogen is low and the primary containment need not be inert. Furthermore, the probability of an event that generates hydrogen occurring within the first 24 hours of a startup, or within the last 24 hours before a shutdown, is low enough that these "windows," when the primary containment is not inerted, are also justified. The 24 hour time period is a reasonable amount of time to allow plant personnel to perform inerting or de-inerting.

ACTIONS A.1 If oxygen concentration is 4.0 v/o at any time while operating in MODE 1, with the exception of the relaxations allowed during startup and shutdown, oxygen concentration must be restored to < 4.0 v/o within 24 hours. The 24 hour Completion Time is allowed when oxygen concentration is 4.0 v/o because of the availability of other hydrogen mitigating systems (e.g., the CAD System) and the low probability and long duration of an event that would generate significant amounts of hydrogen occurring during this period.

Primary Containment Oxygen Concentration B 3.6.3.2 HATCH UNIT 1 B 3.6-74 REVISION 70 BASES ACTIONS B.1 (continued) If oxygen concentration cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, power must be reduced to 15% RTP within 8 hours. The 8 hour Completion Time is reasonable, based on operating experience, to reduce reactor power from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.3.2.1 REQUIREMENTS The primary containment (drywell and suppression chamber) must be determined to be inert by verifying that oxygen concentration is < 4.0 v/o. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 5.2.4.9.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 1 B 3.6-75 REVISION 70 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.1 Secondary Containment

BASES BACKGROUND The function of the secondary containment is to contain, dilute, and hold up fission products that may leak from primary containment following a Design Basis Accident (DBA). In conjunction with operation of the Standby Gas Treatment (SGT) System and closure of certain valves whose lines penetrate the secondary containment, the secondary containment is designed to reduce the activity level of the fission products prior to release to the environment and to isolate and contain fission products that are released during certain operations that take place inside primary containment, when primary containment is not required to be OPERABLE, or that take place outside primary containment. The secondary containment is a structure that completely encloses the primary containment and those components that may be postulated to contain primary system fluid. This structure forms a control volume that serves to hold up and dilute the fission products. It is possible for the pressure in the control volume to rise relative to the environmental pressure (e.g., due to pump and motor heat load additions). The secondary containment encompasses three separate zones: the Unit 1 reactor building (Zone I), the Unit 2 reactor building (Zone II), and the common refueling floor (Zone III). The secondary containment can be modified to exclude the Unit 2 reactor building (Zone II) provided the following requirements are met:

a. Unit 2 Technical Specifications do not require OPERABILITY of Zone II;

b. All hatches separating Zone III from Zone II are closed and sealed; and

c. At least one door in each access path separating Zone III from Zone II is closed.

Similarly, other zones can be excluded from the secondary containment OPERABILITY requirement during various plant operating conditions with the appropriate controls. For example, during Unit 1 shutdown operations, the secondary containment can be modified to exclude the Unit 1 reactor building (Zone I) (either alone or in combination with excluding Zone II as described above) provided the following requirements are met: Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 1 B 3.6-76 REVISION 70 BASES BACKGROUND a. Unit 1 is not conducting operations with a potential for draining (continued) the reactor vessel (OPDRV);

b. All hatches separating Zone III from Zone I are closed and sealed; and

c. At least one door in each access path separating Zone III from Zone I is closed. To prevent ground level exfiltration while allowing the secondary containment to be designed as a conventional structure, the secondary containment requires support systems to maintain the control volume pressure at less than the external pressure.

Requirements for these systems are specified separately in LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System." When one or more zones are excluded from secondary containment, the specific requirements for the support systems will also change (e.g., securing particular SGT or drain isolation valves).

APPLICABLE There are two principal accidents for which credit is taken for SAFETY ANALYSES secondary containment OPERABILITY. These are a loss of coolant accident (LOCA) (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to either of these limiting events; however, its leak tightness is required to ensure that the release of radioactive materials from the primary containment is restricted to those leakage paths and associated leakage rates assumed in the accident analysis and that fission products entrapped within the secondary containment structure will be treated by the Unit 1 and Unit 2 SGT Systems prior to discharge to the environment. Postulated LOCA leakage paths from the primary containment into secondary containment include those into both the reactor building and refueling floor areas (e.g., drywell head leakage). Secondary containment satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO An OPERABLE secondary containment provides a control volume into which fission products that bypass or leak from primary containment, or are released from the reactor coolant pressure boundary

Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 1 B 3.6-77 REVISION 70 BASES LCO components located in secondary containment, can be diluted and (continued) processed prior to release to the environment. For the secondary containment to be considered OPERABLE, it must have adequate leak tightness to ensure that the required vacuum (0.20 inch of vacuum) can be established and maintained. The secondary containment boundary required to be OPERABLE is dependent on the operating status of both units, as well as the configuration of doors, hatches, refueling floor plugs, SCIVs, and available flow paths to SGT Systems. The required boundary encompasses the zones which can be postulated to contain fission products from accidents required to be considered for the Condition of each unit, and furthermore, must include zones not isolated from the SGT subsystems being credited for meeting LCO 3.6.4.3. Allowed configurations, associated SGT subsystem requirements, and associated SCIV requirements are detailed in the Technical Requirements Manual (Ref. 3). APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment (the reactor building zone and potentially the refueling floor zone). Therefore, secondary containment OPERABILITY is required during the same operating conditions that require primary containment OPERABILITY. In MODES 4 and 5, the probability and consequences of the LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining secondary containment OPERABLE is not required in MODE 4 or 5 to ensure a control volume, except for other situations for which significant releases of radioactive material can be postulated, such as during OPDRVs, during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. (Note: Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3.) Since CORE ALTERATIONS and movement of irradiated fuel assemblies are only postulated to release radioactive material to the refueling floor zone, the secondary containment configuration may consist of only Zone III during these conditions. Similarly, during OPDRVs while in MODE 4 (vessel head bolted) the release of radioactive materials is only postulated to the associated reactor building, the secondary containment configuration may consist of only Zone I.

Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 1 B 3.6-78 REVISION 70 BASES (continued) ACTIONS A.1 If secondary containment is inoperable, it must be restored to OPERABLE status within 4 hours. The 4 hour Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring secondary containment OPERABILITY) occurring during periods where secondary containment is inoperable is minimal. B.1 and B.2 If secondary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1, C.2, and C.3 Movement of irradiated fuel assemblies in the secondary containment, CORE ALTERATIONS, and OPDRVs can be postulated to cause fission product release to the secondary containment. In such cases, the secondary containment is the only barrier to release of fission products to the environment. CORE ALTERATIONS and movement of irradiated fuel assemblies must be immediately suspended if the secondary containment is inoperable. Suspension of these activities shall not preclude completing an action that involves moving a component to a safe position. Also, action must be immediately initiated to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action C.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 1 B 3.6-79 REVISION 70 BASES ACTIONS C.1, C.2, and C.3 (continued) case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. SURVEILLANCE SR 3.6.4.1.1 and SR 3.6.4.1.2 REQUIREMENTS Verifying that secondary containment equipment hatches and one access door in each access opening are closed ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur. Verifying that all such openings are closed provides adequate assurance that exfiltration from the secondary containment will not occur. SR 3.6.4.1.1 also requires equipment hatches to be sealed. In this application, the term "sealed" has no connotation of leak tightness. Maintaining secondary containment OPERABILITY requires verifying one door in the access opening is closed. An access opening contains one inner and one outer door. The intent is not to breach the secondary containment at any time when secondary containment is required. This is achieved by maintaining the inner or outer portion of the barrier closed at all times. However, all secondary containment access doors are normally kept closed, except when the access opening is being used for entry and exit or when maintenance is being performed on an access opening. When the secondary containment configuration excludes Zone I and/or Zone II, these SRs also include verifying the hatches and doors separating the common refueling floor zone from the reactor building(s). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.4.1.3 and SR 3.6.4.1.4 The Unit 1 and Unit 2 SGT Systems exhaust the secondary containment atmosphere to the environment through appropriate treatment equipment. To ensure that all fission products are treated, SR 3.6.4.1.3 verifies that the appropriate SGT System(s) will rapidly establish and maintain a negative pressure in the secondary containment. This is confirmed by demonstrating that the required SGT subsystem(s) will draw down the secondary containment to 0.20 inch of vacuum water gauge in 120 seconds (13 seconds of diesel generator startup and breaker closing time is included in the 120 second drawdown time). This cannot be accomplished if the secondary containment boundary is not intact. SR 3.6.4.1.4 Secondary Containment B 3.6.4.1 HATCH UNIT 1 B 3.6-80 REVISION 70 BASES SURVEILLANCE SR 3.6.4.1.3 and SR 3.6.4.1.4 (continued) REQUIREMENTS demonstrates that the required SGT subsystem(s) can maintain 0.20 inch of vacuum water gauge for 1 hour at a flow rate 4000 cfm for each SGT subsystem. The 1 hour test period allows secondary containment to be in thermal equilibrium at steady state conditions. Therefore, these two tests are used to ensure secondary containment boundary integrity. Since these SRs are secondary containment tests, they need not be performed with each SGT subsystem. The SGT subsystems are tested on a STAGGERED TEST BASIS, however, to ensure that in addition to the requirements of LCO 3.6.4.3, each SGT subsystem or combination of subsystems will perform this test. The number of SGT subsystems and the required combinations are dependent on the configuration of the secondary containment and are detailed in the Technical Requirements Manual (Ref. 3). The Note to SR 3.6.4.1.3 and SR 3.6.4.1.4 specifies that the number of required SGT subsystems be one less than the number required to meet LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," for the given configuration. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Subsection 14.4.3.

2. FSAR, Subsection 14.4.4. 3. Technical Requirements Manual, Section 8.0.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

SCIVs B 3.6.4.2 (continued) HATCH UNIT 1 B 3.6-81 REVISION 70 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs)

BASES BACKGROUND The function of the SCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Secondary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that fission products that leak from primary containment following a DBA, or that are released during certain operations when primary containment is not required to be OPERABLE or take place outside primary containment, are maintained within the secondary containment boundary. The OPERABILITY requirements for SCIVs help ensure that an adequate secondary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. These isolation devices consist of either passive devices or active (automatic) devices. Manual valves, de-activated automatic valves secured in their closed position, check valves with flow through the valve secured, and blind flanges are considered passive devices. Automatic SCIVs close on a secondary containment isolation signal to establish a boundary for untreated radioactive material within secondary containment following a DBA or other accidents. Other penetrations are isolated by the use of valves in the closed position or blind flanges. APPLICABLE The SCIVs must be OPERABLE to ensure the secondary SAFETY ANALYSES containment barrier to fission product releases is established. The principal accidents for which the secondary containment boundary is required are a loss of coolant accident (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to either of these limiting events, but the boundary established by SCIVs is required to ensure that leakage from the primary containment is processed by the Standby Gas Treatment (SGT) System before being released to the environment. Maintaining SCIVs OPERABLE with isolation times within limits ensures that fission products will remain trapped inside secondary SCIVs B 3.6.4.2 (continued) HATCH UNIT 1 B 3.6-82 REVISION 70 BASES APPLICABLE containment so that they can be treated by the SGT System prior to SAFETY ANALYSES discharge to the environment.

(continued)

SCIVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO SCIVs form a part of the secondary containment boundary. The SCIV safety function is related to control of offsite radiation releases resulting from DBAs. The power operated isolation valves are considered OPERABLE when their isolation times are within limits and the valves actuate on an automatic isolation signal. The valves covered by this LCO, along with their associated stroke times, are listed in Reference 3. The normally closed isolation valves or blind flanges are considered OPERABLE when manual valves are closed, or open in accordance with appropriate administrative controls, automatic SCIVs are de-activated and secured in their closed position, and blind flanges are in place. These passive isolation valves or devices are listed in Reference 3. The SCIVs required to be OPERABLE are dependent on the configuration of the secondary containment (which is dependent on the operating status of both units, as well as the configuration of doors, hatches, refueling floor plugs, and available flow paths to SGT Systems). The required boundary encompasses the zones which can be postulated to contain fission products from accidents required to be considered for the condition of each unit, and furthermore, must include zones not isolated from the SGT subsystems being credited for meeting LCO 3.6.4.3, "Standby Gas Treatment (SGT) System." The required SCIVs are those in penetrations communicating with the zones required for secondary containment OPERABILITY and are detailed in Reference 3. APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to the primary containment that leaks to the secondary containment. Therefore, the OPERABILITY of SCIVs is required. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to pressure and temperature limitations in these MODES. Therefore, maintaining SCIVs OPERABLE is not required in

SCIVs B 3.6.4.2 (continued) HATCH UNIT 1 B 3.6-83 REVISION 70 BASES APPLICABILITY MODE 4 or 5, except for other situations under which significant (continued) radioactive releases can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. (Note: Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3.) ACTIONS The ACTIONS are modified by three Notes. The first Note allows penetration flow paths to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated. The second Note provides clarification that for the purpose of this LCO separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SCIVs are governed by subsequent Condition entry and application of associated Required Actions. The third Note ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable SCIV. A.1 and A.2 In the event that there are one or more penetration flow paths with one SCIV inoperable, the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this Criterion are a closed and deactivated automatic SCIV, a closed manual valve, and a blind flange. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available device to secondary containment. The Required Action must be completed within the 8 hour Completion Time. The specified time period is reasonable considering the time required to SCIVs B 3.6.4.2 (continued) HATCH UNIT 1 B 3.6-84 REVISION 70 BASES ACTIONS A.1 and A.2 (continued) isolate the penetration, and the probability of a DBA, which requires the SCIVs to close, occurring during this short time is very low. For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment penetrations required to be isolated following an accident, but no longer capable of being automatically isolated, will be in the isolation position should an event occur. The Completion Time of once per 31 days is appropriate because the isolation devices are operated under administrative controls and the probability of their misalignment is low. This Required Action does not require any testing or device manipulation. Rather, it involves verification that the affected penetration remains isolated. Required Action A.2 is modified by a Note that applies to devices located in high radiation areas and allows them to be verified closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment once they have been verified to be in the proper position, is low. B.1 With two SCIVs in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 4 hours. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 4 hour Completion Time is reasonable considering the time required to isolate the penetration and the probability of a DBA, which requires the SCIVs to close, occurring during this short time, is very low. C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are SCIVs B 3.6.4.2 (continued) HATCH UNIT 1 B 3.6-85 REVISION 70 BASES ACTIONS C.1 and C.2 (continued) reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. D.1, D.2, and D.3 If any Required Action and associated Completion Time of Condition A or B are not met, the plant must be placed in a condition in which the LCO does not apply. If applicable, CORE ALTERATIONS and the movement of irradiated fuel assemblies in the secondary containment must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must be immediately initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action D.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving fuel while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SURVEILLANCE SR 3.6.4.2.1 REQUIREMENTS This SR verifies that each secondary containment manual isolation valve and blind flange that is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the secondary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those isolation devices in secondary containment that are capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SCIVs B 3.6.4.2 (continued) HATCH UNIT 1 B 3.6-86 REVISION 70 BASES SURVEILLANCE SR 3.6.4.2.1 (continued) REQUIREMENTS Two Notes have been added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that SCIVs that are open under administrative controls are not required to meet the SR during the time the SCIVs are open.

SR 3.6.4.2.2 Verifying that the isolation time of each power operated and each automatic SCIV is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that the SCIV will isolate in a time period less than or equal to that assumed in the safety analyses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.4.2.3 Verifying that each automatic SCIV closes on a secondary containment isolation signal is required to prevent leakage of radioactive material from secondary containment following a DBA or other accidents. This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.2.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SCIVs B 3.6.4.2 HATCH UNIT 1 B 3.6-87 REVISION 70 BASES (continued) REFERENCES 1. FSAR, Subsection 14.3.3.

2. FSAR, Subsection 14.3.4.

3. Technical Requirements Manual, Section 8.0. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

SGT System B 3.6.4.3 (continued) HATCH UNIT 1 B 3.6-88 REVISION 70 B 3.6 CONTAINMENT SYSTEMS

B 3.6.4.3 Standby Gas Treatment (SGT) System

BASES BACKGROUND The SGT System is required by 10 CFR 50, Appendix A, GDC 41, "Containment Atmosphere Cleanup" (Ref. 1). The function of the SGT System is to ensure that radioactive materials that leak from the primary containment into the secondary containment following a Design Basis Accident (DBA) are filtered and adsorbed prior to exhausting to the environment. The Unit 1 and Unit 2 SGT Systems each consists of two fully redundant subsystems, each with its own set of dampers, charcoal filter train, and controls. The Unit 1 SGT subsystems' ductwork is separate from the inlet to the filter train to the discharge of the fan. The rest of the ductwork is common. The Unit 2 SGT subsystems' ductwork is separate except for the suction from the drywell and torus, which is common (however, this suction path is not required for subsystem OPERABILITY). Each charcoal filter train consists of (components listed in order of the direction of the air flow):

a. A demister or moisture separator;

b. An electric heater;

c. A prefilter;

d. A high efficiency particulate air (HEPA) filter;

e. Two charcoal adsorbers for Unit 1 subsystems and one charcoal adsorber for Unit 2 subsystems;

f. A second HEPA filter; and

g. An axial vane fan for Unit 1 subsystems and a centrifugal fan for Unit 2 subsystems.

The sizing of the SGT Systems equipment and components is based on the results of an infiltration analysis, as well as an exfiltration analysis of the secondary containment. The internal pressure of the SGT Systems boundary region is maintained at a negative pressure when the system is in operation, to conservatively ensure zero SGT System B 3.6.4.3 (continued) HATCH UNIT 1 B 3.6-89 REVISION 70 BASES BACKGROUND exfiltration of air from the building when exposed to winds as high as (continued) 31 mph. The demister is provided to remove entrained water in the air, while the electric heater reduces the relative humidity of the airstream (Refs. 2 and 3). (However, credit is not taken for the operation of the heater. Accordingly, laboratory testing of the charcoal efficiency is performed at a relative humidity of 95%.) The prefilter removes large particulate matter, while the HEPA filter removes fine particulate matter and protects the charcoal from fouling. The charcoal adsorbers remove gaseous elemental iodine and organic iodides, and the final HEPA filter collects any carbon fines exhausted from the charcoal adsorber. The Unit 1 and Unit 2 SGT Systems automatically start and operate in response to actuation signals indicative of conditions or an accident that could require operation of the system. Following initiation, all required charcoal filter train fans start. Upon verification that the required subsystems are operating, the redundant required subsystem is normally shut down. APPLICABLE The design basis for the Unit 1 and Unit 2 SGT Systems is to SAFETY ANALYSES mitigate the consequences of a loss of coolant accident and fuel handling accidents (Refs. 2 and 3). For all events analyzed, the SGT Systems are shown to be automatically initiated to reduce, via filtration and adsorption, the radioactive material released to the environment. The SGT System satisfies Criterion 3 of the NRC Policy Statement (Ref. 5). LCO Following a DBA, a minimum number of SGT subsystems are required to maintain the secondary containment at a negative pressure with respect to the environment and to process gaseous releases. Meeting the LCO requirements for OPERABLE subsystems ensures operation of the minimum number of SGT subsystems in the event of a single active failure. The required number of SGT subsystems is dependent on the configuration required to meet LCO 3.6.4.1, "Secondary Containment." For secondary containment OPERABILITY consisting of all three zones, the required number of SGT subsystems is four. With secondary containment OPERABILITY consisting of one reactor building and the common refueling floor zones, the required number of SGT subsystem is three. Allowed SGT System B 3.6.4.3 (continued) HATCH UNIT 1 B 3.6-90 REVISION 70 BASES LCO configurations and associated SGT subsystem requirements are (continued) detailed in the Technical Requirements Manual (Ref. 4).

In addition, with secondary containment in modified configurations, the SGT System valves to excluded zone(s) are not included as part of SGT System OPERABILITY (i.e., the valves may be secured closed and are not required to open on an actuation signal). APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, Unit 1 and Unit 2 SGT Systems OPERABILITY are required during these MODES. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the SGT Systems in OPERABLE status is not required in MODE 4 or 5, except for other situations under which significant releases of radioactive material can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. ACTIONS A.1 and B.1 With one required Unit 1 or Unit 2 SGT subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status. In this condition, the remaining required OPERABLE SGT subsystems are adequate to perform the required radioactivity release control function. However, the overall system reliability is reduced because a single failure in one of the remaining required OPERABLE subsystems could result in the radioactivity release control function not being adequately performed. The 7 and 30 day Completion Times are based on consideration of such factors as the availability of the OPERABLE redundant SGT subsystems and the low probability of a DBA occurring during this period. Additionally, the 30 day Completion Time of Required Action A.1 is based on three remaining OPERABLE SGT subsystems, of which two are Unit 2 subsystems, and the secondary containment volume in the Unit 1 reactor building being open to the common refueling floor where the two Unit 2 SGT subsystems can readily provide rapid drawdown of vacuum. Testing and analysis has shown that in this configuration, even with an SGT System B 3.6.4.3 (continued) HATCH UNIT 1 B 3.6-91 REVISION 70 BASES ACTIONS A.1 and B.1 (continued) additional single failure (which is not necessary to assume while in ACTIONS) the secondary containment volume may be drawn to a vacuum in the time required to support assumptions of analyses. C.1 and C.2 If the SGT subsystem cannot be restored to OPERABLE status within the required Completion Time in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1, D.2.1, D.2.2, and D.2.3 During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, when Required Action A.1 or B.1 cannot be completed within the required Completion Time, the remaining required OPERABLE SGT subsystems should immediately be placed in operation. This action ensures that the remaining subsystems are OPERABLE, that no failures that could prevent automatic actuation have occurred, and that any other failure would be readily detected. An alternative to Required Action D.1 is to immediately suspend activities that represent a potential for releasing radioactive material to the secondary containment, thus placing the plant in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies must immediately be suspended. Suspension of these activities must not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. SGT System B 3.6.4.3 (continued) HATCH UNIT 1 B 3.6-92 REVISION 70 BASES ACTIONS D.1, D.2.1, D.2.2, and D.2.3 (continued) The Required Actions of Condition D have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. E.1 If two or more required SGT subsystems are inoperable in MODE 1, 2 or 3, the Unit 1 and Unit 2 SGT Systems may not be capable of supporting the required radioactivity release control function. Therefore, LCO 3.0.3 must be entered immediately. F.1, F.2, and F.3 When two or more required SGT subsystems are inoperable, if applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in secondary containment must immediately be suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action F.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

SGT System B 3.6.4.3 (continued) HATCH UNIT 1 B 3.6-93 REVISION 70 BASES (continued) SURVEILLANCE SR 3.6.4.3.1 REQUIREMENTS Operating each required Unit 1 and Unit 2 SGT subsystem for 15 continuous minutes ensures that they are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.4.3.2 This SR verifies that the required Unit 1 and Unit 2 SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP. SR 3.6.4.3.3 This SR verifies that each required Unit 1 and Unit 2 SGT subsystem starts on receipt of an actual or simulated initiation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.2.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SGT System B 3.6.4.3 HATCH UNIT 1 B 3.6-94 REVISION 70 BASES (continued) REFERENCES 1. 10 CFR 50, Appendix A, GDC 41.

2. Unit 1 FSAR, Section 5.3.2.3.

3. Unit 2 FSAR, Sections 6.2.4, 15.2 and 15.3. 4. Technical Requirements Manual, Section 8.0.

5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHRSW System B 3.7.1 (continued) HATCH UNIT 1 B 3.7-2 REVISION 78 BASES (continued) APPLICABLE The RHRSW System removes heat from the suppression pool to limit SAFETY ANALYSES the suppression pool temperature and primary containment pressure following a LOCA. This ensures that the primary containment can perform its function of limiting the release of radioactive materials to the environment following a LOCA. The ability of the RHRSW System to support long term cooling of the reactor or primary containment is discussed in the FSAR, Section 10.6 and Unit 2 FSAR, Section 15.4.10.1.1 (Refs. 1 and 2, respectively). These analyses explicitly assume that the RHRSW System will provide adequate cooling support to the equipment required for safe shutdown. These analyses include the evaluation of the long term primary containment response after a design basis LOCA. The safety analyses for long term cooling were performed for various combinations of RHR System failures. The worst case single failure that would affect the performance of the RHRSW System is any failure that would disable one subsystem of the RHRSW System. As discussed in the Unit 2 FSAR, Section 15.4.10.1.1 (Ref. 2) for these analyses, manual initiation of the OPERABLE RHRSW subsystem and the associated RHR System is assumed to occur 10 minutes after a DBA. The RHRSW flow required to support the assumed heat removal rate is 3750 gpm per pump with two pumps operating in one loop with up to 5% tubes plugged in the RHR heat exchanger. In this case, the maximum suppression chamber water temperature and pressure are approximately 210.2°F and 27 psig, respectively, well below the design temperature of 281°F and maximum allowable pressure of 62 psig. The RHRSW System satisfies Criterion 3 of the NRC Policy Statement (Ref. 3).

LCO Two RHRSW subsystems are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power. An RHRSW subsystem is considered OPERABLE when:

a. Two pumps are OPERABLE; and b. An OPERABLE flow path is capable of taking suction from the intake structure and transferring the water to the RHR heat

RHRSW System B 3.7.1 (continued) HATCH UNIT 1 B 3.7-4 REVISION 49 BASES ACTIONS B.1 (continued) With one RHRSW pump inoperable in each subsystem, if no additional failures occur in the RHRSW System, and the two OPERABLE pumps are aligned by opening the normally closed cross tie valves (i.e., after an event requiring operation of the RHRSW System), then the remaining OPERABLE pumps and flow paths provide adequate heat removal capacity following a design basis LOCA. However, capability for this alignment is not assumed in long term containment response analysis and an additional single failure in the RHRSW System could reduce the system capacity below that assumed in the safety analysis. Therefore, continued operation is permitted only for a limited time. One inoperable pump is required to be restored to OPERABLE status within 7 days. The 7 day Completion Time for restoring one inoperable RHRSW pump to OPERABLE status is based on engineering judgment, considering the level of redundancy provided.

C.1 Required Action C.1 is intended to handle the inoperability of one RHRSW subsystem for reasons other than Condition A. The Completion Time of 7 days is allowed to restore the RHRSW subsystem to OPERABLE status. With the unit in this condition, the remaining OPERABLE RHRSW subsystem is adequate to perform the RHRSW heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE RHRSW subsystem could result in loss of RHRSW function. The Completion Time is based on the redundant RHRSW capabilities afforded by the OPERABLE subsystem and the low probability of an event occurring requiring RHRSW during this period. The Required Action is modified by a Note indicating that the applicable conditions of LCO 3.4.7 be entered and Required Actions taken if the inoperable RHRSW subsystem results in an inoperable RHR shutdown cooling subsystem. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. RHRSW System B 3.7.1 (continued) HATCH UNIT 1 B 3.7-5 REVISION 0 BASES ACTIONS D.1 (continued) With both RHRSW subsystems inoperable for reasons other than Condition B (e.g., both subsystems with inoperable flow paths, or one subsystem with an inoperable pump and one subsystem with an inoperable flow path), the RHRSW System is not capable of performing its intended function. At least one subsystem must be restored to OPERABLE status within 8 hours. The 8 hour Completion Time for restoring one RHRSW subsystem to OPERABLE status, is based on the Completion Times provided for the RHR suppression pool cooling and spray functions. The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7 be entered and Required Actions taken if an inoperable RHRSW subsystem results in an inoperable RHR shutdown cooling subsystem. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

E.1 and E.2 If the RHRSW subsystems cannot be not restored to OPERABLE status within the associated Completion Times, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.1.1 REQUIREMENTS Verifying the correct alignment for each manual, power operated, and automatic valve in each RHRSW subsystem flow path provides assurance that the proper flow paths will exist for RHRSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be realigned to its accident position. This is acceptable because the RHRSW System is a manually initiated system. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being RHRSW System B 3.7.1 HATCH UNIT 1 B 3.7-6 REVISION 78 BASES SURVEILLANCE SR 3.7.1.1 (continued) REQUIREMENTS mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 10.6.

2. Unit 2 FSAR, Section 15.4.10.1.1. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 4. GEH 0000-0126-6532-R1, "Ultimate Heat sink Temperature Increase to 97ºF Impact on DBA-LOCA Analysis and DW Equipment Qualification Analysis," June 2011.

PSW System and UHS B 3.7.2 (continued) HATCH UNIT 1 B 3.7-8 REVISION 72 BASES APPLICABLE The ability of the PSW System to provide adequate cooling to the SAFETY ANALYSES identified safety equipment is an implicit assumption for the safety (continued) analyses evaluated in References 2 and 3. The ability to provide onsite emergency AC power is dependent on the ability of the PSW System to cool the DGs. The long term cooling capability of the RHR, core spray, and RHR service water pumps is also dependent on the cooling provided by the PSW System. In the analysis presented in Reference 1, only one PSW pump is required for safe shutdown, including RHR Shutdown Cooling System requirements. The PSW System, together with the UHS, satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The PSW subsystems are independent of each other to the degree that each has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a DBA, one PSW pump is required to provide the minimum heat removal capability assumed in the safety analysis for the system to which it supplies cooling water. To ensure this requirement is met, two subsystems, each with two pumps, of PSW must be OPERABLE. At least one pump will operate, if the worst single active failure occurs coincident with the loss of offsite power. A subsystem is considered OPERABLE when it has an OPERABLE UHS, two OPERABLE pumps, and an OPERABLE flow path capable of taking suction from the intake structure and transferring the water to the appropriate equipment. The OPERABILITY of the UHS is based on having a minimum water level in the pump well of the intake structure of 60.5 ft MSL. This value is well above that required to operate one PSW pump at a reduced (post-accident) flow rate. The isolation of the PSW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the PSW System. APPLICABILITY In MODES 1, 2, and 3, the PSW System and UHS are required to be OPERABLE to support OPERABILITY of the equipment serviced by the PSW System. Therefore, the PSW System and UHS are required to be OPERABLE in these MODES. PSW System and UHS B 3.7.2 (continued) HATCH UNIT 1 B 3.7-9 REVISION 49 BASES APPLICABILITY In MODES 4 and 5, and defueled the OPERABILITY requirements of (continued) the PSW System and UHS are determined by the systems they support and therefore, the requirements are not the same for all facets of operation in MODES 4 and 5 and defueled. Thus, the LCOs of the individual systems, which require portions of the PSW System and the UHS to be OPERABLE, will govern PSW System and UHS requirements during operation in MODES 4 and 5 and defueled. ACTIONS A.1 With one PSW pump inoperable, the inoperable pump must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE PSW pumps (even allowing for an additional single failure) are adequate to perform the PSW heat removal function; however, the overall reliability is reduced. The 30 day Completion Time is based on the remaining PSW heat removal capability to accommodate additional single failures, and the low probability of an event occurring during this time period. B.1 With one PSW turbine building isolation valve inoperable, the inoperable valve must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE PSW turbine building isolation valve in the subsystem is adequate to isolate the non-essential loads, and, even allowing for an additional single failure, the other PSW subsystem is adequate to perform the PSW heat removal function; however, the overall reliability is reduced. The 30 day Completion Time is based on the remaining PSW heat removal capability to accommodate additional single failures, and the low probability of an event occurring during this time period.

PSW System and UHS B 3.7.2 (continued) HATCH UNIT 1 B 3.7-10 REVISION 49 BASES ACTIONS C.1 (continued) With one PSW pump inoperable in each subsystem, one inoperable pump must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE PSW pumps are adequate to perform the PSW heat removal function; however, the overall reliability is reduced. The 7 day Completion Time is based on the remaining PSW heat removal capability to accommodate an additional single failure and the low probability of an event occurring during this time period. D.1 With one PSW turbine building isolation valve inoperable in each subsystem, one inoperable valve must be restored to OPERABLE status within 72 hours. With the unit in this condition, the remaining OPERABLE PSW valves are adequate to perform the PSW nonessential load isolation function; however, the overall reliability is reduced. The 72 hour Completion Time is based on the remaining PSW heat removal capability to accommodate an additional single failure and the low probability of an event occurring during this time period. E.1 With one PSW subsystem inoperable for reasons other than Condition A and Condition B (e.g., inoperable flow path, both pumps inoperable in a loop, or both turbine building isolation valves inoperable in a loop), the PSW subsystem must be restored to OPERABLE status within 72 hours. With the unit in this condition, the remaining OPERABLE PSW subsystem is adequate to perform the PSW System and UHS B 3.7.2 (continued) HATCH UNIT 1 B 3.7-11 REVISION 72 BASES ACTIONS E.1 (continued) heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE PSW subsystem could result in loss of PSW function. The 72 hour Completion Time is based on the redundant PSW System capabilities afforded by the OPERABLE subsystem, the low probability of an accident occurring during this time period, and is consistent with the allowed Completion Time for restoring an inoperable DG. Required Action E.1 is modified by two Notes indicating that the applicable Conditions of LCO 3.8.1, "AC Sources - Operating," LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown," be entered and Required Actions taken if the inoperable PSW subsystem results in an inoperable DG or RHR shutdown cooling subsystem, respectively. This is in accordance with LCO 3.0.6 and ensures the proper actions are taken for these components.

F.1 and F.2 If any Required Action and associated Completion Time of Condition A, B, C, D, or E cannot be met, or both PSW subsystems are inoperable for reasons other than Conditions C and D, or the UHS is determined inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.2.1 REQUIREMENTS This SR verifies the UHS is OPERABLE by ensuring the water level in the pump well of the intake structure to be sufficient for the proper operation of the PSW pumps (net positive suction head and pump vortexing are considered in determining this limit). In addition, if a temporary weir is in place, the river level must also correspond to a level in the pump well of the intake structure of 60.5 ft MSL with no weir in place. If the water level is > 61.7 ft MSL, there is sufficient PSW System and UHS B 3.7.2 (continued) HATCH UNIT 1 B 3.7-12 REVISION 72 BASES SURVEILLANCE SR 3.7.2.1 (continued) REQUIREMENTS margin to the minimum level requirement (60.5 ft MSL), so the Surveillance is only required to be performed in accordance with the Surveillance Frequency Control Program. However, if the level is 61.7 ft, the Surveillance must be performed more frequently (every 12 hours), since the conditions are closer to the minimum level limit. SR 3.7.2.2 Verifying the correct alignment for each manual, power operated, and automatic valve in each PSW subsystem flow path provides assurance that the proper flow paths will exist for PSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR is modified by a Note indicating that isolation of the PSW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the PSW System. As such, when all PSW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the PSW System is still OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.2.3 This SR verifies that the automatic isolation valves of the PSW System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event. This is demonstrated by the use of an actual or simulated initiation signal. This SR also verifies the automatic start capability (on a LOCA or LOSP signal) of one of the two PSW pumps in each subsystem. PSW System and UHS B 3.7.2 HATCH UNIT 1 B 3.7-13 REVISION 69 BASES SURVEILLANCE SR 3.7.2.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 10.7.

2. FSAR, Section 5.2. 3. FSAR, Chapter 14.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

DG 1B SSW System B 3.7.3 (continued) HATCH UNIT 1 B 3.7-14 REVISION 0 B 3.7 PLANT SYSTEMS B 3.7.3 Diesel Generator (DG) 1B Standby Service Water (SSW) System

BASES BACKGROUND The DG 1B SSW System is designed to provide cooling water for the removal of heat from the DG 1B. DG 1B is the only component served by the DG 1B SSW System. The DG 1B SSW pump autostarts upon receipt of a DG start signal when power is available to the pump's electrical bus. Cooling water is pumped from the Altamaha River by the DG 1B SSW pump to the essential DG components through the SSW supply header. After removing heat from the components, the water is discharged to the plant service water (PSW) discharge header. The capability exists to manually cross connect the PSW System to supply cooling to the DG 1B during times when the SSW pump is inoperable. A complete description of the DG 1B SSW System is presented in the Unit 2 FSAR, Section 9.2.1 (Ref. 1).

APPLICABLE The ability of the DG 1B SSW System to provide adequate cooling to SAFETY ANALYSES the DG 1B is an implicit assumption for the safety analyses presented in the FSAR, Section 5.2 and Chapter 14 (Refs. 2 and 3, respectively). The ability to provide onsite emergency AC power is dependent on the ability of the DG 1B SSW System to cool the DG 1B. The DG 1B SSW System satisfies Criterion 3 of the NRC Policy Statement (Ref. 4).

LCO The OPERABILITY of the DG 1B SSW System is required to provide a coolant source to ensure effective operation of the DG 1B in the event of an accident or transient. The OPERABILITY of the DG 1B SSW System is based on having an OPERABLE pump and an OPERABLE flow path. An adequate suction source is not addressed in this LCO since the minimum net positive suction head of the DG 1B SSW pump is bounded by the PSW requirements [LCO 3.7.2, "Plant Service Water (PSW) System and Ultimate Heat Sink (UHS)"]. DG 1B SSW System B 3.7.3 (continued) HATCH UNIT 1 B 3.7-15 REVISION 49 BASES (continued) APPLICABILITY The requirements for OPERABILITY of the DG 1B SSW System are governed by the required OPERABILITY of the DG 1B (LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown").

ACTIONS A.1, A.2, and A.3 If the DG 1B SSW System is inoperable, the OPERABILITY of the DG 1B is affected due to loss of its cooling source; however, the capability exists to provide cooling to DG 1B from the PSW System of Unit 1. Continued operation is allowed for 60 days if the OPERABILITY of a Unit 1 PSW System, with respect to its capability to provide cooling to the DG 1B, can be verified. This is accomplished by aligning cooling water to DG 1B from the Unit 1 PSW System within 8 hours and verifying this lineup once every 31 days. The 8 hour Completion Time is based on the time required to reasonably complete the Required Action, and the low probability of an event occurring requiring DG 1B during this period. The 31 day verification of the Unit 1 PSW lineup to the DG 1B is consistent with the PSW valve lineup SR. The 60 day Completion Time to restore the DG 1B SSW System to OPERABLE status allows sufficient time to repair the system, yet prevents indefinite operation with cooling water provided from the Unit 1 PSW System. B.1 If cooling water cannot be made available to the DG 1B within the 8 hour Completion Time, or if cooling water cannot be verified to be aligned to DG 1B from a Unit 1 PSW subsystem as required by the 31 day verification Required Action, the DG 1B cannot perform its intended function and must be immediately declared inoperable. In accordance with LCO 3.0.6, this also requires entering into the Applicable Conditions and Required Actions for LCO 3.8.1 or LCO 3.8.2. Additionally, if the DG 1B SSW System is not restored to OPERABLE status within 60 days, DG 1B must be immediately declared inoperable. DG 1B SSW System B 3.7.3 HATCH UNIT 1 B 3.7-16 REVISION 69 BASES (continued) SURVEILLANCE SR 3.7.3.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the DG 1B SSW System flow path provides assurance that the proper flow paths will exist for DG 1B SSW System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet be considered in the correct position provided it can be automatically realigned to its accident position, within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.3.2 This SR ensures that the DG 1B SSW System pump will automatically start to provide required cooling to the DG 1B when the DG 1B starts and the respective bus is energized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. Unit 2 FSAR, Section 9.2.1.

2. FSAR, Section 5.2.

3. FSAR, Chapter 14.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

MCREC System B 3.7.4 (continued) HATCH UNIT 1 B 3.7-17 REVISION 74 B 3.7 PLANT SYSTEMS B 3.7.4 Main Control Room Environmental Control (MCREC) System

BASES BACKGROUND The MCREC System provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke. The safety related function of the MCREC System includes two independent and redundant high efficiency air filtration subsystems for emergency treatment of recirculated air and outside supply air and a CRE boundary that limits the inleakage of unfiltered air. Each MCREC subsystem consists of a prefilter, a high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section, a second HEPA filter, a booster fan, and the associated ductwork, valves or dampers, doors, barriers, and instrumentation. Additionally, one air handling unit (AHU) fan is required for each subsystem to assist in the pressurization function. AHU fans are also addressed as part of LCO 3.7.5, "Control Room Air Conditioning (AC) System." Prefilters and HEPA filters remove particulate matter, which may be radioactive. The charcoal adsorbers provide adsorption of gaseous iodine. The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (DBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program. The MCREC System is a standby system, parts of which also operate during normal unit operations to maintain the CRE environment. Upon receipt of the initiation signal(s) (indicative of conditions that could result in radiation exposure to CRE occupants), the MCREC System automatically switches to the pressurization mode of operation to minimize infiltration of contaminated air into the CRE. A system of dampers isolates the CRE, and a part of the recirculated air is routed through either of the two filter subsystems. Outside air is MCREC System B 3.7.4 (continued) HATCH UNIT 1 B 3.7-18 REVISION 74 BASES BACKGROUND taken in at the normal ventilation intake and is mixed with the (continued) recirculated air before being passed through one of the charcoal adsorber filter subsystems for removal of airborne radioactive particles and gaseous iodines. The MCREC System is designed to maintain a habitable environment in the CRE for a 30 day continuous occupancy after a DBA without exceeding 5 rem total effective dose equivalent (TEDE). A single MCREC subsystem operating at a subsystem flow rate of 2750 cfm and an outside air flow rate of 400 cfm will pressurize the CRE to 0.1 inches water gauge relative to external areas adjacent to the CRE boundary to minimize infiltration of air from all surrounding areas adjacent to the CRE boundary. MCREC System operation in maintaining CRE habitability is discussed in the Unit 2 FSAR, Sections 6.4 and 9.4.1, (Refs. 1 and 2, respectively). APPLICABLE The ability of the MCREC System to maintain the habitability of the SAFETY ANALYSES CRE is an explicit assumption for the safety analyses presented in the FSAR, Section 5.2 and Chapter 14 (Refs. 3 and 4, respectively). The pressurization mode of the MCREC System is assumed to operate following a DBA, as discussed in the Unit 2 FSAR, Section 6.4.1.2.2 (Ref. 5). The radiological doses to the CRE occupants as a result of the various DBAs are summarized in Reference 6. No single active or passive failure will cause the loss of outside air or recirculated air from the CRE. The MCREC System provides protection from smoke and hazardous chemicals to the CRE occupants. The evaluation of hazardous chemical releases demonstrates that the toxicity limits are not exceeded in the CRE following a hazardous chemical release (Ref. 12). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels (Ref. 2). The MCREC System satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). LCO Two redundant subsystems of the MCREC System are required to be OPERABLE to ensure that at least one is available, if a single active failure disables the other subsystem. Total MCREC System failure such as from a loss of both ventilation subsystems or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem MCREC System B 3.7.4 (continued) HATCH UNIT 1 B 3.7-19 REVISION 74 BASES LCO TEDE to the CRE occupants in the event of a DBA. (continued) Each MCREC subsystem is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE. A subsystem is considered OPERABLE when its associated:

a. Filter booster fan is OPERABLE; b. HEPA filter and charcoal adsorbers are not excessively restricting flow and are capable of performing their filtration functions;

c. Associated ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained;

d. One AHU fan is OPERABLE, and either operating or having its control switch in "Standby" with OPERABLE automatic start capability; and e. Associated AHU cooling coils, water cooled condensing units, refrigerant compressors, and associated instrumentation and controls to ensure loop seal is maintained.

OPERABILITY of two MCREC subsystems entails satisfying the requirements listed above for each subsystem and, in addition, satisfying other limitations on AHU fan OPERABILITY. For both MCREC subsystems to be OPERABLE, the two required AHU fans must be independently powered; i.e., one fan via 1R24-S002 and one fan via 1R24-S003. (Note that AHU C is treated as powered from 1R24-S002 or S003, depending upon the source of power for 1R24-S029.) Furthermore, with one of the two required AHU fans inoperable (i.e., not independently powered, or not operating or capable of automatic start), one MCREC subsystem shall be declared inoperable. However, the inoperability may be assigned to either MCREC subsystem. OPERABILITY details for various configurations are outlined in the Technical Requirements Manual (TRM) (Ref. 8), Section 2.0. In order for the MCREC subsystems to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke. MCREC System B 3.7.4 (continued) HATCH UNIT 1 B 3.7-20 REVISION 74 BASES LCO The LCO is modified by a Note allowing the CRE boundary to be (continued) opened intermittently under administrative controls. This note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated. Each of the main control room exhaust fan ducts is equipped with only one isolation damper (1Z41-F018A/B). During normal system operation, the dampers are maintained closed. However, when an exhaust fan is operated and its associated damper is opened, a single failure could prevent isolation of that penetration and adversely impact main control room habitability. Consequently, when a MCREC system exhaust fan (1Z41-C011A/B) is operated or its associated damper (1Z41-F018A/B) is opened, one of the two MCREC subsystems must be declared inoperable. Optional allowances for inoperable subsystems do not preclude changing the declared inoperable subsystem to best accommodate other plant circumstances; e.g., inoperable diesel generators, Safety Function Determination Program. However, in these instances, the Condition for one inoperable MCREC subsystem shall not be evaluated for Completion Time extensions, in accordance with Section 1.3. APPLICABILITY In MODES 1, 2, and 3, the MCREC System must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA, since the DBA could lead to a fission product release. In MODES 4 and 5, the probability and consequences of a DBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the MCREC System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:

a. During movement of irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3;

b. During CORE ALTERATIONS; and MCREC System B 3.7.4 (continued) HATCH UNIT 1 B 3.7-21 REVISION 74 BASES APPLICABILITY c. During operations with a potential for draining the reactor vessel (continued) (OPDRVs).

ACTIONS A.1 With one MCREC subsystem inoperable, for reasons other than an inoperable CRE boundary, the inoperable MCREC subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE MCREC subsystem is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE subsystem could result in loss of the MCREC System function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining subsystem can provide the required capabilities. B.1, B.2, and B.3 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem TEDE), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days. During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke, in accordance with the Control Room Habitability Program. Actions must be taken within 24 hours to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that CRE occupants are protected form hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the

MCREC System B 3.7.4 (continued) HATCH UNIT 1 B 3.7-23 REVISION 74 BASES ACTIONS D.1, D.2.1, D.2.2, and D.2.3 (continued) immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. E.1 If both MCREC subsystems are inoperable in MODE 1, 2, or 3 for reasons other than an inoperable CRE boundary (i.e., Condition B), the MCREC System may not be capable of performing the intended function and the unit is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

F.1, F.2, and F.3 The Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two MCREC subsystems inoperable or with one or more MCREC subsystems inoperable due to an inoperable CRE boundary, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. If applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. MCREC System B 3.7.4 (continued) HATCH UNIT 1 B 3.7-24a REVISION 74 BASES (continued) SURVEILLANCE SR 3.7.4.1 REQUIREMENTS This SR verifies that a subsystem in a standby mode starts on demand and continues to operate. Standby systems should be checked periodically to ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every 31 days provides an adequate check on this system. Since the MCREC System does not have heaters, each subsystem need only be operated for 15 minutes to demonstrate the function of the subsystem. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.4.2 This SR verifies that the required MCREC testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test Frequencies and additional information are discussed in detail in the VFTP. SR 3.7.4.3 This SR verifies that on an actual or simulated initiation signal, each MCREC subsystem starts and operates. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.7.1.4 overlaps this SR to provide complete testing of the safety function. This Surveillance can be performed with the reactor at power. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.4.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program. The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBA

MCREC System B 3.7.4 HATCH UNIT 1 B 3.7-24c REVISION 74 BASES REFERENCES 11. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) (continued) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18, Process and Alternative Source Terms in the Context of Control Room Habitability," (ADAMS Accession No. ML040300694). 12. Unit 2 FSAR Section 15.4. Control Room AC System B 3.7.5 (continued) HATCH UNIT 1 B 3.7-25 REVISION 1 B 3.7 PLANT SYSTEMS

B 3.7.5 Control Room Air Conditioning (AC) System

BASES BACKGROUND The Control Room AC portion of the Main Control Room Environmental Control System (hereafter referred to as the Control Room AC System) provides temperature control for the control room following isolation of the control room. The Control Room AC System consists of three 50% capacity subsystems that provide cooling and heating of control room supply air. Each subsystem consists of an air handling unit (AHU) (i.e., cooling coils and fan), water cooled condensing units, refrigerant compressors, ductwork, dampers, and instrumentation and controls to provide for control room temperature control. The condensing units receive cooling water from the Plant Service Water System. The Control Room AC System is designed to provide a controlled environment under both normal and accident conditions. Two subsystems provide the required temperature control to maintain a suitable control room environment for a sustained occupancy of 14 persons. The design conditions for the control room environment are 72-79°F and < 75% relative humidity. The Control Room AC System operation in maintaining the control room temperature is discussed in the Unit 2 FSAR, Sections 6.4 and 9.4.1 (Ref. 1). APPLICABLE The design basis of the Control Room AC System is to maintain the SAFETY ANALYSES the control room temperature for a 30 day continuous occupancy. The Control Room AC System components are arranged in three 50% capacity safety related subsystems. During emergency operation, the Control Room AC System maintains a habitable environment and ensures the OPERABILITY of components in the control room. A single failure of a component of the Control Room AC System, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control. The Control Room AC System is designed in accordance with Seismic Category I requirements. The Control Room AC System is capable of removing sensible and latent heat loads from the control room, including consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY. Control Room AC System B 3.7.5 (continued) HATCH UNIT 1 B 3.7-26 REVISION 39 BASES APPLICABLE The Control Room AC System satisfies Criterion 3 of the NRC Policy SAFETY ANALYSES Statement (Ref. 2).

(continued)  

LCO Three 50% capacity subsystems of the Control Room AC System are required to be OPERABLE to ensure that at least two are available, assuming a single failure disables one of the subsystems. Total system failure could result in the equipment operating temperature exceeding limits. The Control Room AC System is considered OPERABLE when the individual components necessary to maintain the control room temperature are OPERABLE in both subsystems. These components include the AHU cooling coils, AHU fans, water cooled condensing units, refrigerant compressors, ductwork, dampers, and associated instrumentation and controls sufficient to assure manual or automatic operation of the system. OPERABILITY details for various configurations are outlined in Technical Requirements Manual (TRM) (Ref. 3), Section 2.0. It is permissible to provide cooling water from either Unit 1 PSW or Unit 2 PSW. During operation in MODE 1, 2 or 3, when either unit's PSW System is supplying the cooling water to a Control Room AC subsystem, the Control Room AC System OPERABILITY requirements also include the applicable PSW subsystem. Under these conditions, one PSW pump per PSW subsystem is required to supply adequate cooling water to its respective Control Room AC subsystem(s). In addition, during conditions in MODES other than MODES 1, 2, and 3 when the Control Room AC System is required to be OPERABLE (e.g., during CORE ALTERATIONS), the necessary portions of either unit's PSW System and the Ultimate Heat sink are part of the OPERABILITY requirements covered by this LCO. As described above, one PSW pump per PSW subsystem, is adequate to supply cooling water to its respective Control Room AC subsystem(s). APPLICABILITY In MODE 1, 2, or 3, the Control Room AC System must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY or Control Room habitability limits. In MODES 4 and 5, the probability and consequences of a Design Basis Accident are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the Control Control Room AC System B 3.7.5 (continued) HATCH UNIT 1 B 3.7-27 REVISION 76 BASES APPLICABILITY Room AC System OPERABLE is not required in MODE 4 or 5, (continued) except for the following situations under which significant radioactive releases can be postulated: a. During movement of irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3; b. During CORE ALTERATIONS; and c. During operations with a potential for draining the reactor vessel (OPDRVs).

ACTIONS A.1 With one control room AC subsystem inoperable, the inoperable control room AC subsystem must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE control room AC subsystems are adequate to perform the control room air conditioning function. However, the overall reliability is reduced because a single failure in an OPERABLE subsystem could result in loss of the control room air conditioning function. The 30 day Completion Time is based on the low probability of an event occurring requiring control room isolation and, the consideration that the remaining subsystems can provide the required protection. B.1 and B.2 With two control room AC subsystems inoperable, the Control Room AC System may not be capable of performing its intended function. Therefore, the control room area temperature is required to be monitored to ensure that temperature is being maintained such that equipment in the control room is not adversely affected. With the control room temperature being maintained within the temperature limit, 7 days is allowed to restore a Control Room AC subsystem to OPERABLE status. This Completion time is reasonable considering that the control room temperature is being maintained within limits, the availability of the remaining OPERABLE control room AC subsystem, and the low probability of an event occurring requiring control room isolation. Alternate methods of maintaining control room temperature, such as non-safety grade air conditioning systems or fans, can also be used to maintain control room temperature. Control Room AC System B 3.7.5 (continued) HATCH UNIT 1 B 3.7-28 REVISION 76 BASES ACTIONS C.1 and C.2 (continued) With three control room AC subsystems inoperable, the Control Room AC System may not be capable of performing its intended function. Therefore, the control room area temperature is required to be monitored to ensure that temperature is being maintained such that equipment in the control room is not adversely affected. With the control room temperature being maintained within the temperature limit, 72 hours is allowed to restore a Control Room AC subsystem to OPERABLE status. This Completion time is reasonable considering that the control room temperature is being maintained within limits and the low probability of an event occurring requiring control room isolation. Alternate methods of maintaining control room temperature, such as non-safety grade air conditioning systems or fans, can also be used to maintain control room temperature.

D.1 and D.2 In MODE 1, 2, or 3, with any Required Action and associated Completion Time of Condition A, B, or C not met, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1, E.2.1, E.2.2, and E.2.3 The Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if Required Action and associated Completion Time for Condition A is not met, the OPERABLE control room AC subsystems may be placed immediately in operation. This action ensures that the remaining subsystems are OPERABLE, that no failures that would prevent actuation will occur, and that any active failure will be readily detected.

Control Room AC System B 3.7.5 (continued) HATCH UNIT 1 B 3.7-29 REVISION 76 BASES ACTIONS E.1, E.2.1, E.2.2, and E.2.3 (continued) An alternative to Required Action E.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. F.1, F.2, and F.3 The Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if Required Actions B.1 and B.2 or Required Actions C.1 and C.2 cannot be met within the required Completion Times, action must be taken to immediately suspend activities that present a potential for releasing radioactivity that might require protection of the control room operators. This places the unit in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended.

Control Room AC System B 3.7.5 HATCH UNIT 1 B 3.7-30 REVISION 76 BASES SURVEILLANCE SR 3.7.5.1 REQUIREMENTS This SR verifies that the heat removal capability of the system is sufficient to remove the control room heat load assumed in the safety analysis. The SR consists of a combination of testing and calculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. Unit 2 FSAR, Sections 6.4 and 9.4.1.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 3. Technical Requirements Manual, Table T2.1-1.

Main Condenser Offgas B 3.7.6 (continued) HATCH UNIT 1 B 3.7-31 REVISION 70 B 3.7 PLANT SYSTEMS B 3.7.6 Main Condenser Offgas

BASES BACKGROUND During unit operation, steam from the low pressure turbine is exhausted directly into the condenser. Air and noncondensable gases are collected in the condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Main Condenser Offgas System. The offgas from the main condenser normally includes radioactive gases. The Main Condenser Offgas System has been incorporated into the unit design to reduce the gaseous radwaste emission. This system uses a catalytic recombiner to recombine radiolytically dissociated hydrogen and oxygen. The gaseous mixture is cooled by the offgas condenser; the water and condensables are stripped out by the offgas condenser and moisture separator. The radioactivity of the remaining gaseous mixture (i.e., the offgas recombiner effluent) is monitored downstream of the moisture separator prior to entering the holdup line. APPLICABLE The main condenser offgas gross gamma activity rate is an SAFETY ANALYSES initial condition of the Main Condenser Offgas System failure event, discussed in the FSAR, Section 9.4 and Appendix E (Ref. 1). The analysis assumes a gross failure in the Main Condenser Offgas System that results in the rupture of the Main Condenser Offgas System pressure boundary. The gross gamma activity rate is controlled to ensure that, during the event, the calculated offsite doses will be well within the limits of 10 CFR 50.67 (Ref. 2). The main condenser offgas limits satisfy Criterion 2 of the NRC Policy Statement (Ref. 3). LCO To ensure compliance with the assumptions of the Main Condenser Offgas System failure event (Ref. 1), the fission product release rate should be consistent with a noble gas release to the reactor coolant of 100 µCi/MWt-second after decay of 30 minutes. This LCO is established consistent with this requirement (2436 MWt x 100 µCi/MWt-second = 240 mCi/second). The 240 mCi/second limit is conservative for a rated core thermal power of 2804 MWt. Main Condenser Offgas B 3.7.6 (continued) HATCH UNIT 1 B 3.7-32 REVISION 16 BASES (continued) APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensables are being processed via the Main Condenser Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation. In MODES 4 and 5, steam is not being exhausted to the main condenser and the requirements are not applicable. ACTIONS A.1 If the offgas radioactivity rate limit is exceeded, 72 hours is allowed to restore the gross gamma activity rate to within the limit. The 72 hour Completion Time is reasonable, based on engineering judgment, the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of a Main Condenser Offgas System rupture.

B.1, B.2, B.3.1, and B.3.2 If the gross gamma activity rate is not restored to within the limits in the associated Completion Time, all main steam lines or the SJAE must be isolated. This isolates the Main Condenser Offgas System from the source of the radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain valve in the drain line is closed. The 12 hour Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging unit systems. An alternative to Required Actions B.1 and B.2 is to place the unit in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Main Condenser Offgas B 3.7.6 HATCH UNIT 1 B 3.7-33 REVISION 70 BASES (continued) SURVEILLANCE SR 3.7.6.1 REQUIREMENTS This SR, on a 31 day Frequency, requires an isotopic analysis of an offgas sample to ensure that the required limits are satisfied. The noble gases to be sampled are Xe-133, Xe-135, Xe-138, Kr-85m, Kr-87, and Kr-88. If the measured rate of radioactivity increases significantly (by 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation. Only in this condition can radioactive fission gases be in the Main Condenser Offgas System at significant rates. REFERENCES 1. FSAR, Section 9.4 and Appendix E.

2. 10 CFR 50.67. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Main Turbine Bypass System B 3.7.7 (continued) HATCH UNIT 1 B 3.7-34 REVISION 71 B 3.7 PLANT SYSTEMS B 3.7.7 Main Turbine Bypass System

BASES BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during unit startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine. The bypass capacity of the system with all three bypass valves operable is approximately 21% of the turbine design steam flow; however, as described in the LCO discussion, the bypass valve system may still be operable with less than all three valves operable. Sudden load reductions within the capacity of the steam bypass can be accommodated without reactor scram. The Main Turbine Bypass System consists of three valves connected to the main steam lines between the main steam isolation valves and the turbine stop valves. Each of these three valves is operated by hydraulic cylinders. The bypass valves are controlled by the pressure regulation function of the Turbine Electrohydraulic Control System, as discussed in the FSAR, Section 7.11 (Ref. 1). The bypass valves are normally closed, and the pressure regulator controls the turbine control valves that direct all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the pressure regulator controls the system pressure by opening the bypass valves. When the bypass valves open, the steam flows from the bypass chest, through connecting piping, to the pressure breakdown assemblies, where a series of orifices are used to further reduce the steam pressure before the steam enters the condenser.

APPLICABLE The Main Turbine Bypass System is assumed to function during SAFETY ANALYSES the feedwater controller failure to maximum flow demand as discussed in the FSAR, Section 14.3.2.1 (Ref. 2). Opening the bypass valves during the pressurization event (subsequent to the resulting main turbine trip) mitigates the increase in reactor vessel pressure, which affects the MCPR during the event. An inoperable Main Turbine Bypass System may result in an MCPR penalty. The Main Turbine Bypass System satisfies Criterion 3 of the NRC Policy Statement (Ref. 4).

Main Turbine Bypass System B 3.7.7 (continued) HATCH UNIT 1 B 3.7-35 REVISION 71 BASES (continued) LCO The Main Turbine Bypass System is required to be OPERABLE to limit peak pressure in the main steam lines and maintain reactor pressure within acceptable limits during events that cause rapid pressurization, so that the Safety Limit MCPR is not exceeded. With the Main Turbine Bypass System inoperable, modifications to the MCPR limits [LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"] may be applied to allow this LCO to be met. The MCPR limit for the inoperable Main Turbine Bypass System is specified in the COLR. An OPERABLE Main Turbine Bypass System requires the minimum number of bypass valves, specified in the COLR, to open in response to increasing main steam line pressure. This response is within the assumptions of the applicable analysis (Ref. 2). APPLICABILITY The Main Turbine Bypass System is required to be OPERABLE at 24% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure to maximum flow demand transient. As discussed in the Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," and LCO 3.2.2, sufficient margin to these limits exists at < 24% RTP. Therefore, these requirements are only necessary when operating at or above this power level. ACTIONS A.1 If the Main Turbine Bypass System is inoperable (e.g., less than the minimum number of bypass valves specified in the COLR are operable), or the MCPR limits for an inoperable Main Turbine Bypass System, as specified in the COLR, are not applied, the assumptions of the design basis transient analysis may not be met. Under such circumstances, prompt action should be taken to restore the Main Turbine Bypass System to OPERABLE status or adjust the MCPR limits accordingly. The 2 hour Completion Time is reasonable, based on the time to complete the Required Action and the low probability of an event occurring during this period requiring the Main Turbine Bypass System.

B.1 If the Main Turbine Bypass System cannot be restored to OPERABLE status or the MCPR limits for an inoperable Main Turbine Bypass System are not applied, THERMAL POWER must be reduced to Main Turbine Bypass System B 3.7.7 (continued) HATCH UNIT 1 B 3.7-36 REVISION 69 BASES ACTIONS B.1 (continued)

 < 24% RTP. As discussed in the Applicability section, operation at < 24% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the turbine generator load rejection transient. The 4 hour Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR  3.7.7.1 REQUIREMENTS Cycling each main turbine bypass valve through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will function when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.7.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.7.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analysis. The response time limits are specified in Technical Requirements Manual (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Main Turbine Bypass System B 3.7.7 HATCH UNIT 1 B 3.7-37 REVISION 69 BASES (continued) REFERENCES 1. FSAR, Section 7.11.

2. FSAR, Section 14.3.2.1.

3. Technical Requirements Manual, Table T5.0-1. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Spent Fuel Storage Pool Water Level B 3.7.8 (continued) HATCH UNIT 1 B 3.7-38 REVISION 70 B 3.7 PLANT SYSTEMS B 3.7.8 Spent Fuel Storage Pool Water Level

BASES BACKGROUND The minimum water level in the spent fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. A general description of the spent fuel storage pool design is found in the FSAR, Section 10.3 (Ref. 1). The assumptions of the fuel handling accident in the spent fuel storage pool are found in Reference 2.

APPLICABLE The water level above the irradiated fuel assemblies is an explicit SAFETY ANALYSES assumption of the fuel handling accident; the point from which the water level is measured is shown in Figure B 3.5.2-1. A fuel handling accident in the spent fuel storage pool was evaluated (Ref. 2) and ensured that the radiological consequences doses were well within the 10 CFR 50.67 limits (Ref. 3) and met the exposure guidelines of Regulatory Guide 1.183 (Ref. 5). A fuel handling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in the Regulatory Guide 1.183 (Ref. 5). The fuel handling accident is evaluated for the dropping of an irradiated fuel assembly onto the spent fuel storage pool racks (Ref. 2). The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere. This absorption and transport delay reduces the potential radioactivity of the release during a fuel handling accident. The spent fuel storage pool water level satisfies Criterion 2 of the NRC Policy Statement (Ref. 6). LCO The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool. Spent Fuel Storage Pool Water Level B 3.7.8 (continued) HATCH UNIT 1 B 3.7-39 REVISION 70 BASES (continued) APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the spent fuel storage pool since the potential for a release of fission products exists.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown. When the initial conditions for an accident cannot be met, action must be taken to preclude the accident from occurring. If the spent fuel storage pool level is less than required, the movement of irradiated fuel assemblies in the spent fuel storage pool is suspended immediately. Suspension of this activity shall not preclude completion of movement of an irradiated fuel assembly to a safe position. This effectively precludes a spent fuel handling accident from occurring. SURVEILLANCE SR 3.7.8.1 REQUIREMENTS This SR verifies that sufficient water is available in the event of a fuel handling accident. The water level in the spent fuel storage pool must be checked periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 10.3.

2. Unit 2 FSAR, Section 15.3.

3. 10 CFR 50.67. 4. Deleted.

Spent Fuel Storage Pool Water Level B 3.7.8 HATCH UNIT 1 B 3.7-40 REVISION 70 BASES REFERENCES 5. Regulatory Guide 1.183, July 2000. (continued)

6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 1 B 3.7-41 REVISION 70 B 3.7 PLANT SYSTEMS B 3.7.9 Turbine Building Ventilation (TB HVAC) Exhaust System Fans

BASES BACKGROUND The control room, as part of the control building, is housed within the Units 1 and 2 turbine building structure. As part of the revised design basis accident (DBA) radiological dose analyses implementing Alternative Source Term (AST), the Units 1 and 2 TB HVAC exhaust system fans are credited to mitigate radiological doses to control room personnel. One of the four TB HVAC exhaust system fans is credited with purging the area around the control room to reduce the activity available for leakage into the control room following a loss of coolant accident, main steam line break, or control rod drop accident. The TB HVAC system was originally designed to support power generation and was not considered an engineered safety feature (ESF) system. The primary power generation design function of the TB HVAC system, consisting of supply and exhaust systems, is to provide air movement for temperature and airborne radioactivity control. To accomplish the power generation design function the TB HVAC system runs continuously during normal plant operation. As part of the implementation of AST, the TB HVAC exhaust system fans (without reliance on the TB HVAC supply system) are credited with performing an ESF design function of mitigating the consequences of the referenced DBAs by purging the activity available for leakage into the control room post-accident. For each unit, air is exhausted from the turbine building by a duct system to the outside environment via the reactor building vent plenum by one of two exhaust fans. The exhaust from the turbine building passes through two 50% capacity filter trains, per unit, but the filtering function is not credited. One of the two 100% capacity exhaust fans per unit runs continuously during normal plant operation. If the operating exhaust fan fails, the standby exhaust fan starts automatically. To accomplish the AST credited purge function post-accident, one of the four TB HVAC exhaust system fans is sufficient to deliver the credited purge flow. The single fan flow capacity necessary to support the original TB HVAC system power generation design functions bounds the AST credited purge flow. The AST dose analyses assume that the turbine building purge flow is manually initiated within 9 hours of the start of the 3 applicable DBAs. This assumption allows time for restarting at least one exhaust fan post-accident following a concurrent loss of offsite power. AST does not take credit for filtration by the TB HVAC exhaust system filter trains. Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 1 B 3.7-42 REVISION 70 BASES BACKGROUND In support of crediting a single TB HVAC exhaust system fan for purge (continued) flow post-accident, the TB HVAC exhaust systems have been enhanced as follows. To assure that no single failure exists that would preclude the operation of one fan, two fans are required (one fan from each unit). The TB HVAC exhaust systems and the motor control center panels utilized for the normal non-Class 1E power source for the TB HVAC exhaust systems have been seismically verified to be able to support the purge function following a Hatch design basis earthquake. Finally, in the unlikely event that the normal power supply for the TB HVAC exhaust fan systems cannot be restored prior to 9 hours post-accident with a concurrent loss of offsite power, each of the TB HVAC exhaust fans can be powered, one at a time per unit, via manual transfer switches from an essential motor control center (one essential motor control center per unit) that can receive power from an emergency diesel generator. APPLICABLE The TB HVAC exhaust system fans support maintaining the SAFETY ANALYSES habitability of the control room by purging the area around the control room to reduce the activity available for leakage into the control room following a loss of coolant accident, main steam line break, or control rod drop accident. The TB HVAC exhaust systems are described in Unit 1 FSAR section 10.9.3.4 (Ref. 1) and Unit 2 FSAR section 9.4.4 (Ref. 2). The dose mitigation function of the TB HVAC exhaust systems, specifically crediting purge flow starting 9 hours after the applicable DBAs, is documented in the Unit 1 and 2 safety analysis in Unit 2 FSAR chapter 15 (Ref. 3). The radiological doses to control room personnel as a result of the various DBAs are also documented in Unit 2 FSAR chapter 15 (Ref. 3). No single failure will cause the loss of the credited turbine building purge function. The TB HVAC exhaust system fans satisfy Criterion 3 of the NRC Policy Statement. LCO One Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan must be OPERABLE to ensure that at least one is available, assuming a single failure disables the other system. Inability to implement the turbine building purge function could result in exceeding a dose of 5 rem to the control room operators in the event of a loss of coolant accident, main steam line break, or control rod drop accident. Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 1 B 3.7-43 REVISION 70 BASES LCO One Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC (continued) exhaust system fan are considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both systems. Each unit's required TB HVAC exhaust system fan is considered OPERABLE when its associated:

a. One of the two available exhaust fans is OPERABLE,

b. Prefilters, carbon adsorbers, and high efficiency particulate air (HEPA) filters are not excessively restricting flow, c. Associated ductwork and dampers are OPERABLE, and exhaust flow can be maintained, and d. Alternate power supply (from essential motor control centers) and associated manual transfer switches are OPERABLE. OPERABILITY of one Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan entails satisfying the requirements listed above for each unit's TB HVAC exhaust system fan. For both units' TB HVAC exhaust system fans to be OPERABLE, the two required exhaust fans must be independently powered.

APPLICABILITY In MODES 1, 2, and 3, one Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan must be OPERABLE to control operator exposure during and following a DBA which could lead to a fission product release in the turbine building. In MODES 4 and 5, the probability and consequences of a DBA with a fission product release in the turbine building are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining one Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one unit's required TB HVAC exhaust system fan inoperable, an inoperable TB HVAC exhaust system fan must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE TB HVAC exhaust system fan is adequate to perform the turbine building purge function. However, the overall reliability is reduced because a single failure related to the OPERABLE Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 1 B 3.7-44 REVISION 70 BASES ACTIONS A.1 (continued) TB HVAC exhaust system fan could result in reduced turbine building purge capability. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining OPERABLE TB HVAC exhaust system fan can provide the required capabilities. B.1 If two required TB HVAC exhaust system fans are inoperable in MODE 1, 2, or 3, the TB HVAC exhaust systems fans cannot perform their turbine building purge function. Actions must be taken to restore one required TB HVAC exhaust system fan to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, the purge function is maintained via natural wind-driven ventilation in the turbine building, and the low probability that sufficient activity would be released into the turbine building following a DBA to significantly impact control room habitability via inleakage. C.1 and C.2 In MODE 1, 2, or 3, if the inoperable required TB HVAC exhaust system fans cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS required TB HVAC exhaust system fan, with associated filter trains, ductwork, and dampers, is placed in an inoperable status for performance of required Surveilances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided one of the other TB HVAC exhaust system fans, with associated filter trains, ductwork, and dampers, can perform the turbine building purge function post-accident. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the TB HVAC exhaust system fan, with associated filter trains, ductwork, and dampers, must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the AST dose analyses assumption that the Turbine Building Ventilation Exhaust System Fans B 3.7.9 HATCH UNIT 1 B 3.7-45 REVISION 70 BASES SURVEILLANCE turbine building purge flow is manually initiated within 9 hours of the REQUIREMENTS start of the 3 applicable DBAs. Consequently this testing allowance (continued) does not significantly impact the ability to manually initiate turbine building purge flow within 9 hours. SR 3.7.9.1 This SR verifies that each of the two available TB HVAC exhaust system fans on both Unit 1 and Unit 2, total of four TB HVAC exhaust system fans, starts on demand and continues to operate. One of the two 100% capacity exhaust fans per unit runs continuously during normal plant operation. One of the exhaust fans per unit is in standby. Standby systems should be checked periodically to ensure that they start and function properly. Operating the standby TB HVAC exhaust system fans on both Unit 1 and Unit 2 for 15 minutes demonstrates that each exhaust fan can perform the turbine building purge function by exhausting turbine building air to the reactor building vent plenum and that any blockage, fan or motor failure can be detected for corrective action. As the environmental and normal operating conditions of this system are not severe, testing each subsystem provides an adequate check on this system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.9.2 This SR verifies manual transfer capability to the alternate power supply for each TB HVAC exhaust system fan. Since during normal plant operation each continuously running exhaust fan per unit is using its normal power supply, the standby or alternate power supply from an essential motor control center (one essential motor control center per unit) should be checked periodically to ensure the essential motor control center can provide power to each TB HVAC exhaust system fan via a manual transfer switch. Each of the four TB HVAC exhaust system fans, two per unit, should be connected to the alternate power supply one at a time via a manual transfer switch. This Surveillance can be performed with the reactor at power. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. Unit 1 FSAR, Section 10.9.3.4.

2. Unit 2 FSAR section 9.4.4

3. Unit 2 FSAR, Chapter 15.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-1 REVISION 1 B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.1 AC Sources - Operating

BASES BACKGROUND The Unit 1 Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources, normal and alternate), and the onsite standby power sources [diesel generators (DGs) 1A, 1B, and 1C]. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems. The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed. Each load group has connections to two preferred offsite power supplies and a single DG. Offsite power is supplied to the 230 kV and 500 kV switchyards from the transmission network by eight transmission lines. From the 230 kV switchyards, two electrically and physically separated circuits provide AC power, through startup auxiliary transformers 1C and 1D, to 4.16 kV ESF buses 1E, 1F, and 1G. A detailed description of the offsite power network and circuits to the onsite Class 1E ESF buses is found in the FSAR, Sections 8.3 and 8.4 (Ref. 2). An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus or buses. Startup auxiliary transformer (SAT) 1D provides the normal source of power to the ESF buses 1E, 1F, and 1G. If any 4.16 kV ESF bus loses power, an automatic transfer from SAT 1D to SAT 1C occurs. At this time, 4.16 kV buses 1A and 1B and supply breakers from SAT 1C also trip open, disconnecting all nonessential loads from SAT 1C to preclude overloading of the transformer. SATs 1C and 1D are sized to accommodate the simultaneous starting of all required ESF loads on receipt of an accident signal without the need for load sequencing. However, ESF loads are sequenced when the associated 4.16 kV ESF bus is supplied from SAT 1C. A description of the Unit 2 offsite power sources is provided in the Bases for Unit 2 LCO 3.8.1, "AC Sources - Operating." AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-2 REVISION 1 BASES BACKGROUND The onsite standby power source for 4.16 kV ESF buses 1E, 1F, and (continued) 1G consists of three DGs. DGs 1A and 1C are dedicated to ESF buses 1E and 1G, respectively. DG 1B (the swing DG) is a shared power source and can supply either Unit 1 ESF bus 1F or Unit 2 ESF bus 2F. A DG starts automatically on a loss of coolant accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the ESF bus on a LOCA signal alone. Following the trip of offsite power, load shed relays strip nonpermanent loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequence timing devices. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG. In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA. Certain required plant loads are returned to service in a predetermined sequence in order to prevent overloading of the DGs in the process. After the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service (i.e., the loads are energized.) DGs 1A, 1B, and 1C have the following ratings:

a. 2850 kW - 1000 hours, and

b. 3250 kW - 168 hours. A description of the Unit 2 onsite power sources is provided in the Bases for Unit 2 LCO 3.8.1.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-3 REVISION 16 BASES (continued) APPLICABLE The initial conditions of DBA and transient analyses in the FSAR, SAFETY ANALYSES Chapters 5 and 6 (Refs. 3 and 4, respectively) and Chapter 14 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power sources or all onsite AC power sources; and

b. A postulated worst case single failure.

AC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 14).

LCO Two qualified circuits between the offsite transmission network and the onsite Unit 1 Class 1E Distribution System and three separate and independent DGs (1A, 1B, and 1C) ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA. In addition, some components required by Unit 1 are powered from Unit 2 sources (i.e., Standby Gas Treatment (SGT) System) and low pressure coolant injection (LPCI) valve load centers). For SGT, one qualified circuit between the offsite transmission network and the onsite Unit 2 Class 1E Distribution System, and one Unit 2 DG (2A or 2C), capable of supplying power to one required Unit 2 SGT subsystem, must also be OPERABLE. For the LPCI valve load centers, one qualified circuit between the offsite transmission network and the onsite Class 1E Electrical Distribution System capable of supplying power to each of the required LPCI valve load centers must be OPERABLE. The circuits can be any combination of the Unit 2 circuits supplying the 2E and 2G ESF buses and the Unit 1 circuit supplying the 1F ESF bus such that AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-4 REVISION 16 BASES LCO each LPCI valve load center is capable of being supplied. Also, two (continued) DGs capable of supplying power to the required LPCI valve load centers must be OPERABLE. The DGs can be any combination of the Unit 2 DGs (i.e., 2A and 2C DGs) and the swing DG (i.e., DG 1B) such that each LPCI valve load center is capable of being supplied. It is preferable to use the Unit 2 circuits and DGs to supply power to the LPCI valve load centers, since in the case of an LOSP on both Units, one LPCI valve load center would be without power if the swing DG was aligned to the opposite unit, thereby rendering one LPCI subsystem inoperable. The Unit 1 RCIC steam supply valve is powered from the same source as the Division II LPCI valve load center for 10 CFR 50, Appendix R design considerations. Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses. For the purpose of this LCO, each Unit 1 offsite circuit consists of incoming breaker and disconnect to the respective 1C and 1D SATs, the 1C and 1D transformers, and the respective circuit path including feeder breakers to 4.16 kV ESF buses. (However, for design purposes, the offsite circuit excludes the feeder breakers to each 4.16 kV ESF bus). Feeder breakers from each circuit to the 1F ESF bus are required to be OPERABLE. Feeder breakers from each circuit to the 1E and 1G ESF buses are required to be OPERABLE; however, as an alternative, only one feeder breaker per bus to the 1E and 1G ESF buses is required to be OPERABLE, if they are from different SATs (e.g., 1E feeder breaker from the 1C SAT and the 1G feeder breaker from the 1D SAT). The Unit 2 offsite circuit also consists of the incoming breaker and disconnect to the 4.16 kV ESF buses required to be OPERABLE to provide power to the Unit 2 equipment required by LCO 3.6.4.3. Each DG must be capable of starting, accelerating to rated frequency and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This sequence must be accomplished within 12 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in standby with the engine at ambient condition. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-5 REVISION 49 BASES LCO Proper sequencing of loads, including tripping of nonessential loads, (continued) is a required function for DG OPERABILITY.

The AC sources must be separate and independent (to the extent possible) (Ref. 1) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one ESF bus, with automatic transfer capability to the other circuit OPERABLE, and not violate separation criteria. A circuit that is not connected to an ESF bus is required to have OPERABLE automatic transfer capability to at least two ESF buses (one of which must be to the 1F bus) to support OPERABILITY of that circuit.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA. The AC power requirements for MODES 4 and 5 and other conditions in which AC Sources are required, are covered in LCO 3.8.2, "AC Sources - Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining required offsite circuits on a more frequent basis. Since the AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-6 REVISION 49 BASES ACTIONS A.1 (continued) Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition D, for two offsite circuits inoperable, is entered. A.2 Required Action A.2, which only applies if a 4160 V ESF bus cannot be powered from an offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has no offsite power. The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. The 4160 V ESF bus has no offsite power supplying its loads; and

b. A redundant required feature on the other division is inoperable.

If, at any time during the existence of this Condition (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time would begin to be tracked. Discovering no offsite power to one 4160 V ESF bus of the onsite Class 1E Power Distribution System coincident with one or more inoperable redundant required support or supported features, or both, that are associated with any other ESF bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-7 REVISION 49 BASES ACTIONS A.2 (continued) The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. A.3 According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours. With one required offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a, b, or c. If Condition A is entered while, for instance, the swing DG is inoperable, and that DG is subsequently returned OPERABLE, LCO 3.8.1.a, b, or c may already have been not met for up to 14 days. This situation could lead to a total of 17 days, since initial failure to meet LCO 3.8.1.a, b, and c, to restore the offsite circuit. At this time, the swing DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of LCO 3.8.1.a, b, and c. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet LCO 3.8.1.a, b, or c. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hours and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-8 REVISION 49 BASES ACTIONS A.3 (continued) As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time LCO 3.8.1.a, b, or c was initially not met, instead of at the time that Condition A was entered. B.1 To ensure a highly reliable power source remains with one Unit 1 or the swing DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered. B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a Unit 1 or swing DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both: a. An inoperable Unit 1 or swing DG exists; and

b. A redundant required feature on the other division (Division 1 or 2), or divisions in the case of the Unit 1 and 2 Standby Gas Treatment (SGT) System, is inoperable. If, at any time during the existence of this Condition (one Unit 1 or swing DG inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked. BASES AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-9 REVISION 49 ACTIONS B. 2 (continued)

Discovering one required DG inoperable coincident with one or more inoperable redundant required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period. B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG(s), SR 3.8.1.2.a does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition F of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2.a suffices to provide assurance of continued OPERABILITY of those DGs. In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the deficiency control program, as appropriate, will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B. According to Generic Letter 84-15 (Ref. 7), 24 hours is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-10 REVISION 73 BASES ACTIONS B.4 Regulatory Guide 1.93 (Ref. 6) provides guidance that operation in Condition B may continue for 72 hours. A risk-informed, deterministic evaluation performed for Plant Hatch justifies operation in Condition B for 14 days, provided action is taken to ensure two DGs are dedicated to each Hatch unit. This is accomplished for an inoperable A or C DG by inhibiting the automatic alignment (on a LOCA or LOSP signal) of the swing DG to the other unit. If the inoperable DG is the swing DG, each unit has two dedicated DGs. For an inoperable swing DG, a 72 hour Completion Time applies unless the restrictions specified following this paragraph are satisfied. In Condition B for each defined Completion Time and restriction (if applicable), the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Unit 1 Class 1E Distribution System. The Completion Times take into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA occurring during this period. The 14 day Completion Time is also subject to additional restrictions for planned maintenance on other plant systems; these are controlled by NMP-GM-031. Use of the 14 day Completion time is permitted as follows :

• For the Unit 1 DGs: Once per DG per operating cycle for performing major overhaul of a DG.

As needed to complete unplanned maintenance. This time shall be minimized.

• For the swing DG: The additional restrictions apply prior to using a Completion Time of greater than 72 hours. The 14 day Completion Time may be used once per Unit 1 operating cycle for performing a major overhaul of the swing DG.

The time may be used as needed to complete unplanned maintenance. This time shall be minimized.

• As needed for the swing DG when it is inhibited from automatically aligning to Unit 1 in order for the 14 day Completion Time to be used for a Unit 2 DG.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-11 REVISION 49 BASES ACTIONS B.4 (continued) The "AND" connector between the 72 hour and 14 day Completion Times means that both Completion Times apply simultaneously. That is, the 14 day Completion Time for an A or C DG with the swing DG inhibited applies from the time of entry into Condition B, not from the time the swing DG is inhibited. The fourth Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a, b, or c. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, LCO 3.8.1.a, b, or c may already have been not met for up to 72 hours. This situation could lead to a total of 17 days, since initial failure to meet LCO 3.8.1.a, b, and c, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 20 days) allowed prior to complete restoration of LCO 3.8.1.a, b, and c. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet LCO 3.8.1.a, b, or c. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connectors between the Completion Times mean that all Completion Times apply simultaneously, and the more restrictive must be met. As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that LCO 3.8.1.a, b, or c was initially not met, instead of the time that Condition B was entered.

C.1 To ensure a highly reliable power source remains with one required Unit 2 DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-12 REVISION 49 BASES ACTIONS C.2 (continued) Required Action C.2 is intended to provide assurance that a loss of offsite power, during the period that one required Unit 2 DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. An inoperable required Unit 2 DG exists; and b. A redundant required feature on the other division (Division 1 or 2), or divisions in the case of the Unit 1 and 2 SGT System, is inoperable.

If, at any time during the existence of this Condition (required Unit 2 DG inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked. Discovering one required Unit 2 DG inoperable coincident with one or more inoperable redundant required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-13 REVISION 73 BASES ACTIONS C.3.1 and C.3.2 (continued) Required Action C.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2.a does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition F of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action C.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2.a suffices to provide assurance of continued OPERABILITY of those DGs. In the event the inoperable DG is restored to OPERABLE status prior to completing either C.3.1 or C.3.2, the deficiency control program, as appropriate, will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition C. According to Generic Letter 84-15 (Ref. 7), 24 hours is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG. C.4 In Condition C, the remaining OPERABLE offsite circuit is adequate to supply electrical power to the required onsite Unit 2 Class 1E Distribution System. The 7 day Completion Time is based on the shortest restoration time allowed for the systems affected by the inoperable DG in the individual system LCOs. A risk-informed, deterministic evaluation performed for Plant Hatch justifies operation in Condition C for 14 days, provided action is taken to ensure two DGs are dedicated to each Hatch unit. This is accomplished for an inoperable A or C DG by inhibiting the automatic alignment (on a LOCA or LOSP signal) of the swing DG to the other unit. The Completion Times take into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA occurring during this period. Use of the 14 day Completion Time, subject to additional restrictions controlled by NMP-GM-031, is permitted as follows:

• Once per DG per operating cycle for performing a major overhaul of a DG.
• As needed to complete unplanned maintenance. This time shall be minimized.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-14 REVISION 49 BASES ACTIONS D.1 and D.2 (continued) Required Action D.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two or more required offsite circuits. Required Action D.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours from that allowed with one 4160 V ESF bus without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. (While this ACTION allows more than two circuits to be inoperable, Regulatory Guide 1.93 assumed two circuits were all that were required by the LCO, and a loss of those two circuits resulted in a loss of all offsite power to the Class 1E AC Electrical Power Distribution System. Thus, with the Plant Hatch design, a loss of more than two required offsite circuits results in the same conditions assumed in Regulatory Guide 1.93.) When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits. The Completion Time for Required Action D.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both: a. All required offsite circuits are inoperable; and b. A redundant required feature is inoperable. If, at any time during the existence of this Condition (two or more required offsite circuits inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-15 REVISION 33 BASES ACTIONS D.1 and D.2 (continued) Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level: a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With two or more of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria. According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources two less than required by the LCO (which as stated earlier, generally corresponds to a total loss of the immediately accessible offsite power sources; this is the condition experienced by Plant Hatch when two or more required circuits are inoperable), operation may continue for 24 hours. If all required offsite sources are restored within 24 hours, unrestricted operation may continue. If all but one required offsite sources are restored within 24 hours, power operation continues in accordance with Condition A.

E.1 and E.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition E are modified by a Note to indicate that when Condition E is entered with no AC source to any ESF bus, ACTIONS for LCO 3.8.7, "Distribution Systems - Operating," must be immediately entered. This allows AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-16 REVISION 33 BASES ACTIONS E.1 and E.2 (continued) Condition E to provide requirements for the loss of the offsite circuit and one DG without regard to whether a division is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized ESF bus. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition E for a period that should not exceed 12 hours. In Condition E, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. However, since power system redundancy is provided by two diverse sources of power, the reliability of the power systems in this Condition may appear higher than that in Condition D (loss of two or more required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. F.1 With two or more Unit 1 and swing DGs inoperable, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation. According to Regulatory Guide 1.93 (Ref. 6), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours. (Regulatory Guide 1.93 assumed the unit has two DGs. Thus, a loss of both DGs results in a total loss of onsite power. Therefore, a loss of more than two DGs, in the Plant Hatch design, results in degradation no worse than that assumed in Regulatory AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-17 REVISION 33 BASES ACTIONS F.1 (continued) Guide 1.93. In addition, the loss of a required Unit 2 DG concurrent with the loss of a Unit 1 or swing DG, is analogous to the loss of a single DG in the Regulatory Guide 1.93 assumptions; thus, entry into this Condition is not required in this case.) G.1 With both Unit 2 DGs and the swing DG inoperable (or otherwise incapable of supplying power to the LPCI valve load centers), and an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the LPCI valve load centers. Since the offsite electrical power system is the only source of AC power for the LPCI valve load centers at this level of degradation, the risk associated with operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and minimize the risk associated with an immediate controlled shutdown and minimize the risk associated with this level of degradation. According to Regulatory Guide 1.93 (Ref. 6), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours. (Regulatory Guide 1.93 assumed the unit had two DGs. Thus, a loss of both DGs results in a total loss of onsite power.) Therefore, a loss of both Unit 2 DGs and the swing DG results in degradation no worse than that assumed in Regulatory Guide 1.93, and the 2 hour Completion Time is acceptable. H.1 and H.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-18 REVISION 33 BASES ACTIONS I.1 (continued) Condition I corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, GDC 18 (Ref. 8). Periodic component tests are supplemented by extensive functional tests during refueling outages under simulated accident conditions. The SRs for demonstrating the OPERABILITY of the DGs are generally consistent with the recommendations of Regulatory Guide 1.9 (Ref. 9), Regulatory Guide 1.108 (Ref. 10), and Regulatory Guide 1.137 (Ref. 11), although Plant Hatch Unit 1 is not committed to these Regulatory Guides. Specific commitments relative to DG testing are described in FSAR Section 8.4 (Ref. 2). Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. The allowable values for achieving steady state voltage are specified within a range of - 10% (3740 V) and + 2% (4243 V) of 4160 V. The Allowable Value of 3740 V is consistent with Regulatory Guide 1.9 for demonstrating that the DG is capable of attaining the required voltage. A more limiting value of 4243 V is specified as the allowable value for overvoltage due to overvoltage limits on the 600 V buses. The + 2% value maintains the required overvoltage limits. The specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Regulatory Guide 1.9 (Ref. 9). The SRs are modified by a NOTE to indicate that SR 3.8.1.1 through SR 3.8.1.18 apply only to the Unit 1 AC sources, and that SR 3.8.1.19 applies only to the Unit 2 AC sources. SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-19 REVISION 69 BASES SURVEILLANCE SR 3.8.1.1 (continued) REQUIREMENTS offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.2 This SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition, and verifies that the DGs are capable of proper startup, synchronizing, and accepting a load approximately 50% of the continuous load rating. This demonstrates DG capability while minimizing the mechanical stress and wear on the engine. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source. Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation. To minimize the wear on moving parts that do not get lubricated when the engine is not running, this SR has been modified by a Note (Note 2) to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup prior to loading. For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. In order to reduce stress and wear on diesel engines, the DG manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 3. Once voltage and frequency requirements are demonstrated, the DG may be tied to its respective 4160 V emergency bus, as directed by SR 3.8.1.2.b. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-20 REVISION 69 BASES SURVEILLANCE SR 3.8.1.2 (continued) REQUIREMENTS When the DG is tied to its bus, the electrical grid, due to its larger size compared to the DG, will dictate DG voltage and frequency. The DG operator cannot adjust either parameter. Therefore, the voltage and frequency requirements of SR 3.8.1.2.a no longer apply while the DG is tied to its bus and need not be met to satisfy the requirements of SR 3.8.1.2.b. Other SRs, notably SR 3.8.1.9, require that voltage and frequency requirements can be met while the DG is supplying load. SR 3.8.1.5.a requires that the DG starts from standby conditions and achieves required voltage and frequency within 12 seconds. The 12 second start requirement supports the assumptions in the design basis LOCA analysis of FSAR, Chapter 6 (Ref. 4). The 12 second start requirement is not applicable to SR 3.8.1.2 (see Note 3), when a modified start procedure as described above is used. If a modified start is not used, the 12 second start voltage and frequency requirements of SR 3.8.1.5.a apply. Since SR 3.8.1.5.a does require a 12 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This procedure is the intent of Note 1. To minimize testing of the swing DG, this SR is modified by a note (Note 4) to allow a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, using the starting circuitry of one unit for one periodic test and the starting circuitry of the other unit during the next periodic test. This is allowed since the main purpose of the Surveillance, to ensure DG OPERABILITY, is still being verified on the proper frequency, the starting circuits historically have a very low failure rate, as compared to the DG itself, and that, while each starting circuit is only being tested every second test (due to the staggering of the tests), some portions of the starting circuits are common to both units. If the swing DG fails one of these Surveillance, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. Note 5 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 6 modifies the Surveillance by stating that starting transients above the upper voltage limit do not invalidate this test.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-21 REVISION 71 BASES SURVEILLANCE SR 3.8.1.2 (continued) REQUIREMENTS Note 7 modifies this Surveillance by stating that momentary load transients because of changing bus loads do not invalidate this test. Note 8 indicates that this Surveillance is required to be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.3 This volume is selected to ensure adequate fuel oil for a minimum of 1 hour of DG operation at full load + 10%.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.4 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Periodic removal of water from the fuel oil day tanks eliminates the necessary environment for bacterial survival. This is a means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water in the day tank may come from condensation, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-22 REVISION 69 BASES SURVEILLANCE SR 3.8.1.4 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is for preventive maintenance. The presence of water does not necessarily represent a failure of this SR provided that accumulated water is removed during performance of this Surveillance. SR 3.8.1.5 This SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition. This Surveillance verifies that the DGs are capable of a "fast cold" start, synchronizing, and accepting a load more closely simulating accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source. SR 3.8.1.5 requires that the DG starts from standby conditions and achieves required voltage and frequency within 12 seconds. The 12 second start requirement supports the assumptions in the design basis LOCA analysis of FSAR Chapter 6 (Ref. 4). Once voltage and frequency requirements are demonstrated, the DG may be tied to its respective 4160 V emergency bus, as directed by SR 3.8.1.2.b. When the DG is tied to its bus, the electrical grid, due to its much larger size compared to the DG, will dictate DG voltage and frequency. The DG operator cannot adjust either parameter. Therefore, the voltage and frequency requirements of SR 3.8.1.2.a no longer apply while the DG is tied to its bus and need not be met to satisfy the requirements of SR 3.8.1.2.b. Other SRs, notably SR 3.8.1.9, require that voltage and frequency requirements can be met while the DG is supplying load. For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-23 REVISION 69 BASES SURVEILLANCE SR 3.8.1.5 (continued) REQUIREMENTS To minimize the wear on moving parts that do not get lubricated when the engine is not running, this SR has been modified by a Note (Note 1) to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup prior to loading. Note 2 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 3 modifies this Surveillance by stating that momentary load transients because of changing bus loads do not invalidate this test. Note 4 indicates that this Surveillance is required to be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. To minimize testing of the swing DG, Note 5 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, with the DG started using the starting circuitry of one unit and synchronized to the ESF bus of that unit for one periodic test and started using the starting circuitry of the other unit and synchronized to the ESF bus of that unit during the next periodic test. This is allowed since the main purpose of the Surveillance, to ensure DG OPERABILITY, is still being verified on the proper frequency, and each unit's starting circuitry and breaker control circuitry, which is only being tested every second test (due to the staggering of the tests), historically have a very low failure rate. If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.6 Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-24 REVISION 69 BASES SURVEILLANCE SR 3.8.1.6 (continued) REQUIREMENTS This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1 or 2 and the Unit 2 test should not be performed with Unit 2 in MODE 1 or 2. SR 3.8.1.7 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. The largest single load for DGs 1A and 1C is a core spray pump at rated flow (1275 bhp). For DG 1B, the largest single load is a residual heat removal service water pump at rated flow (1225 bhp). This Surveillance may be accomplished by: a) tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power or while solely supplying the bus, or b) tripping its associated single largest post-accident load with the DG solely supplying the bus. Although Plant Hatch Unit 1 is not committed to IEEE-387-1984 (Ref. 12), this SR is consistent with the IEEE-387-1984 requirement that states the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-25 REVISION 69 BASES SURVEILLANCE SR 3.8.1.7 (continued) REQUIREMENTS difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower. For all DGs, this represents 65.5 Hz, equivalent to 75% of the difference between nominal speed and the overspeed trip setpoint. The voltage and frequency specified are consistent with the nominal range for the DG. SR 3.8.1.7.a corresponds to the maximum frequency excursion, while SR 3.8.1.7.b is the voltage to which the DG must recover following load rejection. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. The reason for Note 1 is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed with only the DG providing power to the associated 4160 V ESF bus. The DG is not synchronized with offsite power. To minimize testing of the swing DG, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.8 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-26 REVISION 69 BASES SURVEILLANCE SR 3.8.1.8 (continued) REQUIREMENTS DG damage protection. While the DG is not expected to experience this transient during an event, and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated. In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed using a power factor 0.88. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by three Notes. The reason for Note 1 is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that would challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. Note 2 is provided in recognition that if the offsite electrical power distribution system is lightly loaded (i.e., system voltage is high), it may not be possible to raise voltage without creating an overvoltage condition on the ESF bus. Therefore, to ensure the bus voltage, supplied ESF loads, and DG are not placed in an unsafe condition during this test, the power factor limit does not have to be met if grid voltage or ESF bus loading does not permit the power factor limit to be met when the DG is tied to the grid. When this occurs, the power factor should be maintained as close to the limit as practicable. To minimize testing of the swing DG, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-27 REVISION 69 BASES SURVEILLANCE SR 3.8.1.9 REQUIREMENTS (continued) This Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source and is consistent with Regulatory Guide 1.108 (Ref. 10), paragraph 2.a.(1). This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time. The DG auto-start time of 12 seconds is derived from requirements of the accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved. The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. For the purpose of this testing, the DGs shall be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing the Surveillance would remove a required

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-28 REVISION 69 BASES SURVEILLANCE SR 3.8.1.9 (continued) REQUIREMENTS offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1, 2, or 3 and the Unit 2 test should not be performed with Unit 2 in MODE 1, 2, or 3. SR 3.8.1.10 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (12 seconds) from the design basis actuation signal (LOCA signal) and operates for 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, low pressure injection systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-29 REVISION 69 BASES SURVEILLANCE SR 3.8.1.10 (continued) REQUIREMENTS with the expected fuel cycle lengths. The 24 month Frequency is based on a review of the surveillance test history and Reference 15. This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could potentially cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1 or 2 and the Unit 2 test should not be performed with Unit 2 in MODE 1 or 2. SR 3.8.1.11 This Surveillance demonstrates that DG non-critical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ECCS initiation signal and critical protective functions (engine overspeed, generator differential current, and low lubricating oil pressure) are available to trip the DG to avert substantial damage to the DG unit. The non-critical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DG from AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-30 REVISION 69 BASES SURVEILLANCE SR 3.8.1.11 (continued) REQUIREMENTS service. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1 or 2 and the Unit 2 test should not be performed with Unit 2 in MODE 1, 2, or 3. SR 3.8.1.12 Regulatory Guide 1.108 (Ref. 10), paragraph 2.a.(3), requires demonstration once per 24 months that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours. The first 22 hours of this test are performed at 2775 kW and 2825 kW (which is near the continuous rating of the DG), and the last 2 hours of this test are performed at 3000 kW. This is in accordance with commitments described in FSAR Section 8.4 (Ref. 2). The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube and warmup, and for gradual loading, discussed in SR 3.8.1.2, are applicable to this SR. In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor 0.88. This power factor is chosen to be representative of the actual design basis inductive loading that the DG could experience. A load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-31 REVISION 69 BASES SURVEILLANCE SR 3.8.1.12 (continued) REQUIREMENTS This Surveillance has been modified by four Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that would challenge continued steady state operation and, as a result, plant safety systems. However, it is acceptable to perform this SR in MODES 1 and 2 provided the other two DGs are OPERABLE, since a perturbation can only affect one divisional DG. If during the performance of this Surveillance, one of the other DGs becomes inoperable, this Surveillance is to be suspended. The Surveillance may not be performed in MODES 1 and 2 during inclement weather and unstable grid conditions. Credit may be taken for unplanned events that satisfy this SR. Note 3 is provided in recognition that if the offsite electrical power distribution system is lightly loaded (i.e., system voltage is high), it may not be possible to raise voltage without creating an overvoltage condition on the ESF bus. Therefore, to ensure the bus voltage, supplied ESF loads, and DG are not placed in an unsafe condition during this test, the power factor limit does not have to be met if grid voltage or ESF bus loading does not permit the power factor limit to be met when the DG is tied to the grid. When this occurs, the power factor should be maintained as close to the limit as practicable. To minimize testing of the swing DG, Note 4 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.13 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 12 seconds. The 12 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-32 REVISION 69 BASES SURVEILLANCE SR 3.8.1.13 (continued) REQUIREMENTS This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 2 hours at near full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary transients due to changing bus loads do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing. To minimize testing of the swing DG, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.14 This Surveillance is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 10), paragraph 2.a.(6), and ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the output breaker is open and can receive an auto-close signal on bus undervoltage, and the load sequence timers are reset. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-33 REVISION 69 BASES SURVEILLANCE SR 3.8.1.14 (continued) REQUIREMENTS Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1, 2, or 3 and the Unit 2 test should not be performed with Unit 2 in MODE 1, 2, or 3.

SR 3.8.1.15 Demonstration of the test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing. Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if an ECCS initiation signal is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage with the DG output breaker open. Although Plant Hatch Unit 1 is not committed to this standard, this SR is consistent with the provisions for automatic switchover required by IEEE-308 (Ref. 13), paragraph 6.2.6(2). The intent in the requirements associated with SR 3.8.1.15.b is to show that the emergency loading is not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-34 REVISION 69 BASES SURVEILLANCE SR 3.8.1.15 (continued) REQUIREMENTS Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1, 2, or 3 and the Unit 2 test should not be performed with Unit 2 in MODE 1, 2, or 3.

SR 3.8.1.16 Under accident conditions, loads are sequentially connected to the bus by the automatic load sequence timing devices. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence time interval tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1, 2, or 3 and the Unit 2 test should not be performed with Unit 2 in MODE 1, 2, or 3.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-35 REVISION 69 BASES SURVEILLANCE SR 3.8.1.17 REQUIREMENTS (continued) In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded. This Surveillance demonstrates DG operation, as discussed in the Bases for SR 3.8.1.9, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 1 swing bus. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with the Unit 2 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. As the Surveillance represents separate tests, the Unit 1 Surveillance should not be performed with Unit 1 in MODE 1, 2, or 3 and the Unit 2 test should not be performed with Unit 2 in MODE 1, 2, or 3. SR 3.8.1.18 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. For the purpose of this testing, AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 1 B 3.8-36 REVISION 69 BASES SURVEILLANCE SR 3.8.1.18 (continued) REQUIREMENTS the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. It is permissible to place all three DGs in test simultaneously, for the performance of this Surveillance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.19 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.1.1 through SR 3.8.1.18) are applied only to the Unit 1 DG and offsite circuits, and swing DG. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 2 DG and offsite circuit are governed by the Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy both any Unit 2 requirements, as well as satisfying this Unit 1 SR. Several exceptions are noted to the Unit 2 SRs: SR 3.8.1.6 is excepted since only one Unit 2 circuit is required by the Unit 1 Specification (therefore, there is not necessarily a second circuit to transfer to); SRs 3.8.1.10, 15, and 17 are excepted since they relate to the DG response to a Unit 2 ECCS initiation signal, which is not a necessary function for support of the Unit 1 requirement for an OPERABLE Unit 2 DG. The Frequency required by the applicable Unit 2 SR also governs performance of that SR for both Units. REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. FSAR, Sections 8.3 and 8.4. 3. FSAR, Chapter 5.

4. FSAR, Chapter 6. 5. FSAR, Chapter 14. 6. Regulatory Guide 1.93, December 1974.

AC Sources - Operating B 3.8.1 HATCH UNIT 1 B 3.8-37 REVISION 69BASES REFERENCES 7. Generic Letter 84-15.

(continued) 

8. 10 CFR 50, Appendix A, GDC 18.

9. Regulatory Guide 1.9, March 1971. 10. Regulatory Guide 1.108, August 1977.

11. Regulatory Guide 1.137, October 1979.

12. IEEE Standard 387-1984.

13. IEEE Standard 308-1980. 14. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 1 B 3.8-44 REVISION 71 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air

BASES BACKGROUND Each diesel generator (DG) is provided with a storage tank. Each tank is connected to a piping network to provide a shared fuel oil storage system. The 33,320 gallons required to be maintained in each of the DG's fuel oil tanks represent a total volume of oil, sufficient to operate any two DGs at 3250 kW for a period of 7 days (Ref. 1). In addition, it provides fuel to also operate the other Unit's required DGs at a load sufficient to maintain power to the components, required to be OPERABLE by the Unit 1 Technical Specifications, for 7 days. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources. Fuel oil is transferred from storage tank to day tank by either of two transfer pumps associated with each storage tank. Valving is also available so that fuel oil can be transferred between fuel oil storage tanks and the day tanks. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one DG. All outside tanks, pumps, and piping are located underground. For proper operation of the standby DGs, it is necessary to ensure the proper quality of the stored fuel oil. The fuel oil property monitored is the total particulate concentration. Periodic testing of the stored fuel oil total particulate concentration is a method to monitor the potential degradation related to long term storage and the potential impact to fuel filter plugging as a result of high particulate levels. The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. The onsite storage, in addition to the engine oil sump, is sufficient to ensure 7 days' continuous operation. This supply is sufficient to allow the operator to replenish lube oil from outside sources. Each DG has an air start system with adequate capacity for five successive start attempts on the DG without recharging the air start receivers.

Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 1 B 3.8-45 REVISION 71 BASES (continued) APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapters 5 and 6 (Ref. 2), and Chapter 14 (Ref. 3), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. Since diesel fuel oil and transfer, lube oil, and starting air subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. Included in this requirement is the transfer capability automatically from the Unit 1 and swing DGs storage tanks to the associated day tank and manually from each Unit 1 and swing DG storage tank to the day tanks of each required DG. It is also required to meet specific standards for quality. Additionally, sufficient lube oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel oil requirements are addressed in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown." The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers. Only one air start receiver per DG is required, since each air start receiver has the required capacity. APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 1 B 3.8-46 REVISION 33 BASES APPLICABILITY DBA. Because stored diesel fuel oil and transfer, lube oil, and starting (continued) air subsystem support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil and transfer, lube oil, and starting air are required to be within limits when the associated DG is required to be OPERABLE. ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate Condition entry and application of associated Required Actions.

A.1 With one or more required DGs with one fuel oil transfer pump inoperable, the inoperable pump must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE fuel transfer pump is adequate to perform the fuel transfer function. However, the overall reliability is reduced because a single failure in the OPERABLE pump could result in loss of the associated DG and loss of the fuel oil in the respective tank. The 30 day Completion Time is based on the remaining fuel oil transfer capability, and the low probability of the need for the DG concurrent with a worst case single failure.

B.1 In this condition, the 7 day fuel oil supply for a required DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events such as:

a. Full load operation required for an inadvertent start while at minimum required level; or

b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.

Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 1 B 3.8-47 REVISION 33 BASES ACTIONS B.1 (continued) This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. C.1 With a required DG lube oil inventory < 400 gal, sufficient lube oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

D.1 This Condition is entered as a result of a failure to meet the acceptance criterion for particulates. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil. Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 1 B 3.8-48 REVISION 69 BASES ACTIONS E.1 (continued) With required starting air receiver pressure < 225 psig, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is 170 psig, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period. F.1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, one or more required DG fuel oil transfer subsystems inoperable for reasons other than Condition A, one or more required DG fuel oil storage tanks with fuel oil level not within limits for reasons other than Condition B, or the stored diesel lube oil or the required starting air subsystem not within limits for reasons other than addressed by Condition C or E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable. SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the Unit 1 and swing DG storage tanks to support the required DGs' operation for 7 days at the assumed load. (See B 3.8.3.) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.3.2 This Surveillance ensures that sufficient lubricating oil inventory (combined inventory in the DG lubricating oil sump and stored in the warehouse) is available to support at least 7 days of full load operation for each required DG. The 400 gal requirement is based on the DG manufacturer's consumption values for the run time of the DG. . Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 1 B 3.8-49 REVISION 69 BASES SURVEILLANCE SR 3.8.3.2 (continued) REQUIREMENTS Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, since the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer's recommended minimum level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.3 This SR verifies that the required Unit 1 and swing DG fuel oil testing is performed in a accordance with the Diesel Fuel Oil Testing Program. Tests are a means of monitoring the potential degradation related to long term storage and the potential impact to fuel filter plugging as a result of high particulate levels. Specific sampling requirements, frequencies, and additional information are discussed in detail in the Diesel Fuel Oil Testing Program. SR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each required DG is available. The system design requirements provide for a minimum of five engine start cycles without recharging. A start cycle is defined by the DG vendor, but usually is measured in terms of time (seconds of cranking) or engine cranking speed. The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished using one air receiver. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.5 This Surveillance demonstrates that each required Unit 1 and swing DG fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. It is required to Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 1 B 3.8-50 REVISION 69 BASES SURVEILLANCE SR 3.8.3.5 (continued) REQUIREMENTS support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pumps are OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer are OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.6 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Periodic removal of water from the required Unit 1 and swing DG fuel storage tanks once every 184 days eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water in the storage tank may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Checking for and removal of accumulated water minimizes fouling and provide data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.7 This Surveillance demonstrates that each required Unit 1 and swing DG fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to each required DG's day tank. It is required to support continuous operation of standby power sources, since fuel from three storage tanks is needed to supply fuel for two DGs to meet the 7 day supply requirement discussed in the Background section of these Bases. This Surveillance provides assurance that the fuel oil transfer pumps are OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for manual fuel transfer are OPERABLE.

Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 HATCH UNIT 1 B 3.8-51 REVISION 69 BASES SURVEILLANCE SR 3.8.3.7 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 8.4.

2. FSAR, Chapters 5 and 6. 3. FSAR, Chapter 14.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-52 REVISION 33 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources - Operating

BASES BACKGROUND The DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3). The station service DC power sources provide both motive and control power to selected safety related and nonsafety related equipment. Each DC subsystem is energized by one 125/250 V station service battery and three 125 V battery chargers (two normally inservice chargers and one standby charger). Each battery is exclusively associated with a single 125/250 VDC bus. Each set of battery chargers exclusively associated with a 125/250 VDC subsystem cannot be interconnected with any other 125/250 VDC subsystem. The normal and backup chargers are supplied from the same AC load groups for which the associated DC subsystem supplies the control power. The loads between the redundant 125/250 VDC subsystem are not transferable except for the Automatic Depressurization System, the logic circuits and valves of which are normally fed from the Division 1 DC system. The diesel generator (DG) DC power sources provide control and instrumentation power for their respective DG and their respective offsite circuit supply breakers. In addition, DG 1A power source provides circuit breaker control power for the respective Division I loads on 4160 VAC buses 1E and 1F, and DG 1C power source provides circuit breaker control power for the respective Division II loads on 4160 VAC buses 1F and 1G. Each DG DC subsystem is energized by one 125 V battery and two 125 V battery chargers (one normally inservice charger and one standby charger). During normal operation, the DC loads are powered from the respective station service and DG battery chargers with the batteries floating on the system. In case of loss of normal power to any battery charger, the DC loads are automatically powered from the associated battery. This will DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-53 REVISION 33 BASES BACKGROUND result in the discharging of the associated battery (and affect the (continued) battery cell parameters).

The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System - Operating," and LCO 3.8.8, "Distribution System - Shutdown." Each battery has adequate storage capacity to carry the required load continuously for approximately 2 hours (Ref. 4). Each DC battery subsystem is separately housed in a ventilated room apart from its charger and distribution panels. Each subsystem is located in an area separated physically and electrically from the other subsystems to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1E subsystems such as batteries, battery chargers, or distribution panels. The batteries for DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life. The minimum design voltage limit is 105/210 V. Each battery charger of DC electrical power subsystem has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining a fully charged battery. Each battery charger has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 24 hours while supplying normal steady state loads (Ref. 4). A description of the Unit 2 DC power sources is provided in the Bases for Unit 2 LCO 3.8.4, "DC Sources - Operating." APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapters 5 and 6 (Ref. 5), and Chapter 14 (Ref. 6), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining DC sources OPERABLE during accident conditions in the event of: DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-54 REVISION 33 BASES APPLICABLE a. An assumed loss of all offsite AC power sources or all onsite SAFETY ANALYSES AC power sources; and (continued)

b. A postulated worst case single failure. The DC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 13). LCO The Unit 1 DC electrical power subsystems -- with: 1) each station service DC subsystem consisting of two 125 V batteries in series, two battery chargers, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus; and 2) each DG DC subsystem consisting of one battery bank, one battery charger, and the corresponding control equipment and interconnecting cabling -- are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. In addition, some components required by Unit 1 require power from Unit 2 sources (e.g., Standby Gas Treatment (SGT) System and Low Pressure Coolant Injection (LPCI) valve load centers). Therefore, the Unit 2 DG DC and the swing DG DC electrical power subsystems needed to provide DC power to the required Unit 2 components are also required to be OPERABLE. Thus, loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4). APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe unit operation and to ensure that: a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 4 and 5, and other conditions in which DC Sources are required, are addressed in the Bases for LCO 3.8.5, "DC Sources - Shutdown." DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-55 REVISION 33 BASES (continued) ACTIONS A.1 If one or more of the required Unit 2 DG DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and associated inoperable battery), or if the swing DG DC electrical power subsystem is inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8, and a loss of function has not occurred as described in Condition E, the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. In the case of an inoperable required Unit 2 DG DC electrical power subsystem, continued power operation should not exceed 7 days, since a subsequent postulated worst case single failure could result in the loss of certain safety functions (e.g., SGT System and LPCI valve load centers). The 7 day Completion Time takes into account the capacity and capability of the remaining DC sources, and is based on the shortest restoration time allowed for the systems affected by the inoperable DC source in the respective system Specification. In the case of an inoperable swing DG DC electrical power subsystem, since a subsequent postulated worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a postulated worst case accident, continued power operation should also not exceed 7 days. The 7 day Completion Time is based upon the swing DG DC electrical power subsystem being inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8. Performance of these two SRs will result in inoperability of the DC battery. Since this battery is common to both units, more time is provided to restore the battery, if the battery is inoperable for performance of required Surveillances, to preclude the need to perform a dual unit shutdown to perform these Surveillances. The swing DG DC electrical power subsystem also does not provide power to the same type of equipment as the other DG DC sources (e.g., breaker control power for 4160 V loads is not provided by the swing DG battery). The Completion Time also takes into account the capacity and capability of the remaining DC sources. B.1 If a Unit 1 or swing DG DC electrical power subsystem is inoperable (for reasons other than Condition A), the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent postulated worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a postulated worst DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-56 REVISION 33 BASES ACTIONS B.1 (continued) . case accident, continued power operation should not exceed 12 hours. The 12 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining the DG DC electrical power subsystem OPERABLE. (The DG DC electrical power subsystem affects both the DG and the offsite circuit, as well as the breaker closure power for various 4160 VAC loads, but does not affect 125/250 VDC station service loads.)

C.1 Condition C represents one Unit 1 station service division with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected division. The 2 hour limit is consistent with the allowed time for an inoperable DC Distribution System division. If one of the required DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and associated inoperable battery), the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent postulated worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a postulated worst case accident, continued power operation should not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 7) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown. D.1 and D.2 If the DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-57 REVISION 69 BASES ACTIONS D.1 and D.2 (continued) to bring the unit to MODE 4 is consistent with the time required in Regulatory Guide 1.93 (Ref. 7).

E.1 Condition E corresponds to a level of degradation in the DC electrical power subsystems that causes a required safety function to be lost. When more than one DC source is lost, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown. SURVEILLANCE The SRs are modified by a Note to indicate that SR 3.8.4.1 through REQUIREMENTS SR 3.8.4.8 apply only to the Unit 1 DC sources, and that SR 3.8.4.9 applies only to the Unit 2 DC sources.

SR 3.8.4.1 Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. Voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The voltage requirement for battery terminal voltage is based on the open circuit voltage of a lead-calcium cell of nominal 1.215 specific gravity. Without regard to other battery parameters, this voltage is indicative of a battery that is capable of performing its required safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.2 Visual inspection to detect corrosion of the battery cells and connections, or measurement of the resistance of each inter-cell, DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-58 REVISION 69 BASES SURVEILLANCE SR 3.8.4.2 (continued) REQUIREMENTS inter-rack, inter-tier, and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery and the possibility of battery damage due to heating of connections. The resistance values for each battery connection are located in the Technical Requirements Manual (Ref. 9). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.3 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.4 and SR 3.8.4.5 Visual inspection and resistance measurements of inter-cell, inter-rack, inter-tier, and terminal connections provides an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anti-corrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible corrosion is a preventive maintenance SR. The presence of visible corrosion does not necessarily represent a failure of this SR, provided visible corrosion is removed during performance of this Surveillance. DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-59 REVISION 69 BASES SURVEILLANCE SR 3.8.4.4 and SR 3.8.4.5 (continued) REQUIREMENTS The connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery and the possibility of battery damage due to heating of connections. The resistance values for each battery connection are located in the Technical Requirements Manual (Ref. 9). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.6 Battery charger capability requirements are based on the design capacity of the chargers (Ref. 4). According to Regulatory Guide 1.32 (Ref. 10), each battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensures that these requirements can be satisfied. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.7 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length corresponds to the design duty cycle requirements as specified in Reference 4. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test.

DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-60 REVISION 69 BASES SURVEILLANCE SR 3.8.4.7 (continued) REQUIREMENTS The modified performance discharge test is a simulated duty cycle consisting of just two rates: the 1 minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a rated 1 minute discharge represent a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test. A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service discharge test. The reason for Note 2 is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. The swing DG DC battery is exempted from this restriction, since it is required by both units' LCO 3.8.4 and cannot be performed in the manner required by the Note without resulting in a dual unit shutdown.

SR 3.8.4.8 A battery performance discharge test is a constant current capacity test to detect any change in the capacity determined by the acceptance test. Initial conditions consistent with IEEE-450 need to be met prior to the performing of a battery performance discharge test. The test results reflect the overall effects of usage and age. A battery modified performance discharge test is described in the Bases for SR 3.8.4.7. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8; however, only the modified performance discharge test DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 1 B 3.8-61 REVISION 69 BASES SURVEILLANCE SR 3.8.4.8 (continued) REQUIREMENTS may be used to satisfy SR 3.8.4.8, while satisfying the requirements of SR 3.8.4.7 at the same time. The acceptance criteria for this Surveillance is consistent with IEEE-450 (Ref. 8) and IEEE-485 (Ref. 12). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. Although there may be ample capacity, the battery rate of deterioration is rapidly increasing. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. The swing DG DC battery is exempted from this restriction, since it is required by both units' LCO 3.8.4 and cannot be performed in the manner required by the Note without resulting in a dual unit shutdown. SR 3.8.4.9 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.4.1 through SR 3.8.4.8) are applied only to the Unit 1 DC sources. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 2 DC sources are governed by the Unit 2 Technical Specifications. Performance of the applicable Unit 2 Surveillances will satisfy both any Unit 2 requirements, as well as satisfying this Unit 1 SR. The Frequency required by the applicable Unit 2 SR also governs performance of that SR for both Units.

DC Sources - Operating B 3.8.4 HATCH UNIT 1 B 3.8-62 REVISION 69 BASES (continued) REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. Regulatory Guide 1.6.

3. IEEE Standard 308-1971. 4. FSAR, Section 8.5.

5. FSAR, Chapters 5 and 6.

6. FSAR, Chapter 14.

7. Regulatory Guide 1.93, December 1974. 8. IEEE Standard 450-1987. 9. Technical Requirements Manual, Section 9.0.

10. Regulatory Guide 1.32, February 1977. 11. Not used. 12. IEEE Standard 485-1983.

13. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

14. Not used.

Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 1 B 3.8-67 REVISION 33B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters

BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC electrical power subsystems batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown." APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapters 5 and 6 (Ref. 1), and Chapter 14 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power subsystems provide normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one division of DC sources OPERABLE during accident conditions, in the event of: a. An assumed loss of all offsite AC or all onsite AC power; and

b. A postulated worst case single failure.

Since battery cell parameters support the operation of the DC electrical power subsystems, they satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Cell parameter limits are established to allow continued DC electrical system function even with Category A and B limits not met. Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 1 B 3.8-68 REVISION 33BASES (continued) APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystem. Therefore, these cell parameters are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussions in Bases for LCO 3.8.4 and LCO 3.8.5. ACTIONS A Note has been added providing that, for this LCO, separate Condition entry is allowed for each battery. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable battery. Complying with the Required Actions for battery cell parameters allows for restoration and continued operation, and subsequent out of limit battery cell parameters may be governed by separate Condition entry and application of associated Required Actions. A.1, A.2, and A.3 With parameters of one or more cells in one or more batteries not within limits (i.e., Category A limits not met or Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1, the battery is degraded but there is still sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met, and continued operation is permitted for a limited period. The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour (Required Action A.1). This check provides a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. One hour is considered a reasonable amount of time to perform the required verification. Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 1 B 3.8-69 REVISION 69BASES ACTIONS A.1, A.2, and A.3 (continued) verification is repeated at 7 day intervals until the parameters are restored to Category A and B limits. This periodic verification is consistent with the normal Frequency of pilot cell surveillances. Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable for operation prior to declaring the associated DC battery inoperable. B.1 When any battery parameter is outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not ensured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of Condition A within the required Completion Time or average electrolyte temperature of representative cells falling below the appropriate limit (65°F for station service and 40°F for DG batteries), also are cause for immediately declaring the associated DC electrical power subsystem inoperable. SURVEILLANCE SR 3.8.6.1 REQUIREMENTS This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 3), which recommends regular battery inspections including voltage, specific gravity, and electrolyte level of pilot cells. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.6.2 The 92 day inspection of specific gravity, cell voltage, and level is consistent with IEEE-450 (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, within 24 hours of a battery overcharge > 150 V, the battery must be demonstrated to meet Category B limits. This inspection Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 1 B 3.8-70 REVISION 69BASES SURVEILLANCE SR 3.8.6.2 (continued) REQUIREMENTS is also consistent with IEEE-450 (Ref. 3), which recommends special inspections following a severe overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such overcharge.

SR 3.8.6.3 This Surveillance verification that the average temperature of representative cells is within limits is consistent with a recommendation of IEEE-450 (Ref. 3) that states that the temperature of electrolyte in representative cells should be determined in accordance with the Surveillance Frequency Control Program. Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range. This limit is based on IEEE-450 or the manufacturer's recommendations when provided.

Table 3.8.6-1 This table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below. Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the condition of the entire battery. The Category A limits specified for electrolyte level are based on manufacturer's recommendations and are consistent with the guidance in IEEE-450 (Ref. 3), with the extra 1/4 inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, footnote (a) to Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 3) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours. The Category A limit specified for float voltage is 2.13 V per cell. Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 1 B 3.8-71 REVISION 69BASES SURVEILLANCE Table 3.8.6-1 (continued) REQUIREMENTS This value is based on the recommendation of IEEE-450 (Ref. 3), which states that prolonged operation of cells below 2.13 V can reduce the life expectancy of cells. The Category A limit specified for specific gravity for each pilot cell is 1.200 (0.015 below the manufacturer's fully charged nominal specific gravity) or a battery charging current that had stabilized at a low value. This value is characteristic of a charged cell with adequate capacity. According to IEEE-450 (Ref. 3), the specific gravity readings are based on a temperature of 77°F (25°C). The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3°F below 77°F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation. Level correction will be in accordance with manufacturer's recommendations. Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be jumpered out. The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is 1.195 (0.020 below the manufacturer's fully charged, nominal specific gravity) with the average of all connected cells 1.205 (0.010 below the manufacturer's fully charged, nominal specific gravity). These values are based on manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell do not mask overall degradation of the battery. Category C defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limit, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable. The Category C limits specified for electrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. Battery Cell Parameters B 3.8.6 HATCH UNIT 1 B 3.8-72 REVISION 69BASES SURVEILLANCE Table 3.8.6-1 (continued) REQUIREMENTS The Category C limit for voltage is based on IEEE-450 (Ref. 3), which states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement. The Category C Allowable Value of average specific gravity 1.195, is based on manufacturer's recommendations (0.020 below the manufacturer's recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery. The footnotes to Table 3.8.6-1 that apply to specific gravity are applicable to Category A, B, and C specific gravity. Footnote (b) of Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current, while on float charge, is < 1 amp for station service batteries and < 0.5 amp for DG batteries. This current provides, in general, an indication of overall battery condition. Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charger current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 3). Footnote (c) to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 7 days following a battery recharge. REFERENCES 1. FSAR, Chapters 5 and 6.

2. FSAR, Chapter 14. 3. IEEE Standard 450-1987.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 1 B 3.8-73 REVISION 33B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems - Operating

BASES BACKGROUND The onsite Class 1E AC and DC electrical power distribution system is divided into redundant and independent AC and DC electrical power distribution subsystems. The primary AC distribution system consists of three 4.16 kV Engineered Safety Feature (ESF) buses each having an offsite source of power as well as a dedicated onsite diesel generator (DG) source. Each 4.16 kV ESF bus is normally connected to a normal source startup auxiliary transformer (SAT) (1D). During a loss of the normal offsite power source to the 4.16 kV ESF buses, the alternate supply breaker from SAT 1C attempts to close. If all offsite sources are unavailable, the onsite emergency DGs supply power to the 4.16 kV ESF buses. The secondary plant distribution system includes 600 VAC emergency buses 1C and 1D and associated load centers, and transformers. There are two independent 125/250 VDC station service electrical power distribution subsystems and three independent 125 VDC DG electrical power distribution subsystems that support the necessary power for ESF functions. A description of the Unit 2 AC and DC electrical power distribution system is provided in the Bases for Unit 2 LCO 3.8.7, "Distribution System - Operating." The list of required Unit 1 distribution buses is presented in LCO 3.8.7. APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapters 5 and 6 (Ref. 1), and Chapter 14 (Ref. 2), assume ESF systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 1 B 3.8-74 REVISION 33BASES APPLICABLE Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) SAFETY ANALYSES System; and Section 3.6 Containment Systems.

(continued)

The OPERABILITY of the AC and DC electrical power distribution subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining distribution systems OPERABLE during accident conditions in the event of: a. An assumed loss of all offsite power sources or all onsite AC electrical power sources; and b. A postulated worst case single failure. The AC and DC electrical power distribution system satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The Unit 1 AC and DC electrical power distribution subsystems are required to be OPERABLE. The required Unit 1 electrical power distribution subsystems listed in LCO 3.8.7 ensure the availability of AC and DC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Should one or more buses not listed in LCO 3.8.7 become inoperable due to a failure not affecting the OPERABILITY of a bus listed in LCO 3.8.7 (e.g., a breaker supplying a single MCC faults open), the individual loads on the bus would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. If however, one or more of these buses is inoperable due to a failure also affecting the OPERABILITY of a bus listed in LCO 3.8.7 (e.g., loss of a 4.16 kV ESF bus, which results in de-energization of all buses powered from the 4.16 kV ESF bus), the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to inoperability of a support system governed by a Technical Specification; the 4.16 kV ESF bus). In addition, since some components required by Unit 1 receive power through Unit 2 electrical power distribution subsystems (e.g., Standby Gas Treatment (SGT) System and low pressure coolant injection (LPCI) valve load centers), the Unit 2 AC and DC electrical power distribution subsystems needed to support the required equipment must also be OPERABLE.

Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 1 B 3.8-76 REVISION 33BASES (continued) ACTIONS A.1 If one or more of the required Unit 2 AC or DC electrical power distribution subsystems are inoperable, and a loss of function has not occurred as described in Condition F, the remaining AC and DC electrical power distribution subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent postulated worst case single failure could, however, result in the loss of certain safety functions (e.g., SGT System and LPCI valve load centers), continued power operation should not exceed 7 days. The 7 day Completion Time takes into account the capacity and capability of the remaining AC and DC electrical power distribution subsystems, and is based on the shortest restoration time allowed for the systems affected by the inoperable AC and DC electrical power distribution subsystem in the respective system Specification.

B.1 If a Unit 1 or swing DG DC electrical power distribution subsystem is inoperable, the remaining DC electrical power distribution subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent postulated worst case single failure could, however, result in the loss of minimum necessary DC electrical subsystems to mitigate a postulated worst case accident, continued power operation should not exceed 12 hours. The 12 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining the DG DC electrical power distribution subsystem OPERABLE. (The DG DC electrical power distribution subsystem affects both the DG and the offsite circuit, as well as the breaker closure power for various 4160 VAC loads, but does not affect 125/250 VDC station service loads). The 12 hour time limit before requiring a unit shutdown in this Condition is acceptable because: a. There is a potential for decreased safety if the unit operators' attention is diverted from the evaluations and actions necessary to restore power to the affected bus(es) to the actions associated with taking the unit to shutdown within this time limit.

b. The potential for an event in conjunction with a single failure of a redundant component in the division with AC power. [The redundant component is verified OPERABLE in accordance with Specification 5.5.10, "Safety Function Determination Program (SFDP)."]

Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 1 B 3.8-77 REVISION 33BASES ACTIONS B.1 (continued) The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.7.a. If Condition B is entered while, for instance, a Unit 1 or swing AC bus is inoperable and subsequently returned OPERABLE, LCO 3.8.7.a may already have been not met for up to 8 hours. This situation could lead to a total duration of 20 hours, since initial failure of LCO 3.8.7.a, to restore the Unit 1 and swing DG DC distribution system. At this time a Unit 1 or swing AC bus could again become inoperable, and Unit 1 and swing DG DC distribution system could be restored OPERABLE. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This results in establishing the "time zero" at the time LCO 3.8.7.a was initially not met, instead of at the time Condition B was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet LCO 3.8.7.a indefinitely. C.1 With one or more required Unit 1 or swing AC buses, load centers, motor control centers, or distribution panels in one subsystem inoperable, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required AC buses, load centers, motor control centers, and distribution panels must be restored to OPERABLE status within 8 hours. The Condition C postulated worst scenario is one 4160 V bus without AC power (i.e., no offsite power to the 4160 V bus and the associated DG inoperable). In this condition, the unit is more vulnerable to a complete loss of Unit 1 AC power. It is, therefore, imperative that the unit operators' attention be focused on minimizing the potential for loss of power to the remaining buses by stabilizing the unit, and on restoring power to the affected buses. The 8 hour time limit before requiring a unit shutdown in this Condition is acceptable because:

Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 1 B 3.8-78 REVISION 33BASES ACTIONS C.1 (continued) a. There is a potential for decreased safety if the unit operators' attention is diverted from the evaluations and actions necessary to restore power to the affected bus(es) to the actions associated with taking the unit to shutdown within this time limit.

b. The potential for an event in conjunction with a single failure of a redundant component in the division with AC power. [The redundant component is verified OPERABLE in accordance with Specification 5.5.10, "Safety Function Determination Program (SFDP)."] The second Completion Time for Required Action C.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.7.a. If Condition C is entered while, for instance, a Unit 1 station service DC bus is inoperable and subsequently returned OPERABLE, LCO 3.8.7.a may already have been not met for up to 2 hours. This situation could lead to a total duration of 10 hours, since initial failure of LCO 3.8.7.a, to restore the Unit 1 and swing AC distribution system. At this time a Unit 1 station service DC bus could again become inoperable, and Unit 1 and swing AC distribution system could be restored OPERABLE. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This results in establishing the "time zero" at the time LCO 3.8.7.a was initially not met, instead of at the time Condition C was entered. The 16 hour Completion Time is an acceptable limitation on this potential to fail to meet LCO 3.8.7.a indefinitely.

D.1 With one Unit 1 station service DC bus inoperable, the remaining DC electrical power distribution subsystem is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining DC electrical power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required Unit 1 DC buses must be restored to OPERABLE status within 2 hours by powering the bus from the associated battery or charger. Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 1 B 3.8-79 REVISION 33BASES ACTIONS D.1 (continued) Condition D represents one Unit 1 division without adequate DC power, potentially with both the battery significantly degraded and the associated charger nonfunctioning. In this situation the plant is significantly more vulnerable to a complete loss of all Unit 1 station service DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for loss of power to the remaining division, and restoring power to the affected division. This 2 hour limit is more conservative than Completion Times allowed for the majority of components that would be without power. Taking exception to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours, is acceptable because of: a. The potential for decreased safety when requiring a change in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue; b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Required Actions for components without DC power, while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division; and

c. The potential for an event in conjunction with a single failure of a redundant component. The 2 hour Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3). The second Completion Time for Required Action D.1 establishes a limit on the maximum time allowed for any combination of required distribution subsystems to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.7.a. If Condition D is entered while, for instance, Unit 1 or swing AC bus is inoperable and subsequently restored OPERABLE, LCO 3.8.7.a may already have been not met for up to 8 hours. This situation could lead to a total duration of 10 hours, since initial failure of LCO 3.8.7.a, to restore the Unit 1 station service DC distribution system. At this time, Unit 1 or swing AC bus could again become inoperable, and Unit 1 station service DC distribution system could be restored OPERABLE. This could continue indefinitely.

Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 1 B 3.8-80 REVISION 69BASES ACTIONS D.1 (continued) This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This allowance results in establishing the "time zero" at the time LCO 3.8.7.a was initially not met, instead of at the time Condition D was entered. The 16 hour Completion Time is an acceptable limitation on this potential of failing to meet the LCO indefinitely. E.1 and E.2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 Condition F corresponds to a level of degradation in the electrical power distribution system that causes a required safety function to be lost. When more than one AC or DC electrical power distribution subsystem is lost, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown. SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence of the electrical buses are maintained, and the appropriate voltage is available to each required bus. The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Distribution Systems - Operating B 3.8.7 HATCH UNIT 1 B 3.8-81 REVISION 69BASES REFERENCES 1. FSAR, Chapters 5 and 6.

2. FSAR, Chapter 14. 3. Regulatory Guide 1.93, December 1974.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Distribution Systems - Shutdown B 3.8.8 (continued) HATCH UNIT 1 B 3.8-82 REVISION 33B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems - Shutdown

BASES BACKGROUND A description of the AC and DC electrical power distribution system is provided in the Bases for LCO 3.8.7, "Distribution Systems - Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses SAFETY ANALYSES in the FSAR, Chapters 5 and 6 (Ref. 1), and Chapter 14 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. The OPERABILITY of the AC and DC electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY. The OPERABILITY of the minimum AC and DC electrical power sources and associated power distribution subsystems during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods; b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and c. Adequate power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

The AC and DC electrical power distribution systems satisfy Criterion 3 of the NRC Policy Statement (Ref. 3).

Distribution Systems - Shutdown B 3.8.8 (continued) HATCH UNIT 1 B 3.8-83 REVISION 33BASES (continued) LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the Unit 1 electrical distribution system necessary to support OPERABILITY of Technical Specifications required systems, equipment, and components -- both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY. In addition, some components that may be required by Unit 1 receive power through Unit 2 electrical power distribution subsystems (e.g., Standby Gas Treatment (SGT) System and Low Pressure Coolant Injection valve load centers). Therefore, the Unit 2 AC and DC electrical power distribution subsystems needed to support the required equipment must also be OPERABLE. Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown). APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that: a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core in case of an inadvertent draindown of the reactor vessel; b. Systems needed to mitigate a fuel handling accident are available; c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition. The AC and DC electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7.

Distribution Systems - Shutdown B 3.8.8 (continued) HATCH UNIT 1 B 3.8-84 REVISION 33BASES (continued) ACTIONS A.1, A.2.1, A.2.2, A.2.3, A.2.4, and A.2.5 Although redundant required features may require redundant electrical power distribution subsystems to be OPERABLE, one OPERABLE distribution subsystem may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowing the option to declare required features associated with an inoperable distribution subsystem inoperable, appropriate restrictions are implemented in accordance with the affected distribution subsystem LCO's Required Actions. In many instances this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made, (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel). Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems. Notwithstanding performance of the above conservative Required Actions, a required residual heat removal - shutdown cooling (RHR SDC) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR SDC ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring RHR SDC inoperable, which results in taking the appropriate RHR SDC ACTIONS. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power. Distribution Systems - Shutdown B 3.8.8 HATCH UNIT 1 B 3.8-85 REVISION 69BASES (continued) SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution subsystem is functioning properly, with the buses energized. The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Chapters 5 and 6.

2. FSAR, Chapter 14. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Refueling Equipment Interlocks B 3.9.1 (continued) HATCH UNIT 1 B 3.9-1 REVISION 0B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks

BASES BACKGROUND Refueling equipment interlocks restrict the operation of the refueling equipment or the withdrawal of control rods to reinforce unit procedures that prevent the reactor from achieving criticality during refueling. The refueling interlock circuitry senses the conditions of the refueling equipment and the control rods. Depending on the sensed conditions, interlocks are actuated to prevent the operation of the refueling equipment or the withdrawal of control rods. GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods, when fully inserted, serve as the system capable of maintaining the reactor subcritical in cold conditions during all fuel movement activities and accidents. Instrumentation is provided to sense the position of the refueling platform, the loading of the refueling platform fuel grapple, and the full insertion of all control rods. Additionally, inputs are provided for the loading of the refueling platform frame-mounted hoist, the loading of the refueling platform trolley-mounted hoist, the full retraction of the fuel grapple, and the loading of the service platform hoist. With the reactor mode switch in the shutdown or refueling position, the indicated conditions are combined in logic circuits to determine if all restrictions on refueling equipment operations and control rod insertion are satisfied. A control rod not at its full-in position interrupts power to the refueling equipment and prevents operating the equipment over the reactor core when loaded with a fuel assembly. Conversely, the refueling equipment located over the core and loaded with fuel inserts a control rod withdrawal block in the Control Rod Drive System to prevent withdrawing a control rod. The refueling platform has two mechanical switches that open before the platform or any of its hoists are physically located over the reactor vessel. All refueling hoists have switches that open when the hoists are loaded with fuel. The refueling interlocks use these indications to prevent operation of the refueling equipment with fuel loaded over the core whenever any

Refueling Equipment Interlocks B 3.9.1 (continued) HATCH UNIT 1 B 3.9-2 REVISION 0BASES BACKGROUND control rod is withdrawn, or to prevent control rod withdrawal (continued) whenever fuel loaded refueling equipment is over the core (Ref. 2).

The hoist switches open at a load lighter than the weight of a single fuel assembly in water. APPLICABLE The refueling interlocks are explicitly assumed in the FSAR analyses SAFETY ANALYSES for the control rod removal error during refueling (Ref. 3) and the fuel assembly insertion error during refueling (Ref. 4). These analyses evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Criticality and, therefore, subsequent prompt reactivity excursions are prevented during the insertion of fuel, provided all control rods are fully inserted during the fuel insertion. The refueling interlocks accomplish this by preventing loading of fuel into the core with any control rod withdrawn or by preventing withdrawal of a rod from the core during fuel loading. The refueling platform location switches activate at a point outside of the reactor core such that, with a fuel assembly loaded and a control rod withdrawn, the fuel is not over the core. Refueling equipment interlocks satisfy Criterion 3 of the NRC Policy Statement (Ref. 5). LCO To prevent criticality during refueling, the refueling interlocks ensure that fuel assemblies are not loaded with any control rod withdrawn. To prevent these conditions from developing, the all-rods-in, the refueling platform position, the refueling platform fuel grapple fuel loaded, the refueling platform trolley-mounted hoist fuel loaded, the refueling platform frame-mounted hoist fuel loaded, the refueling platform fuel grapple full-up position, and the service platform hoist fuel loaded inputs are required to be OPERABLE. These inputs are combined in logic circuits, which provide refueling equipment or control rod blocks to prevent operations that could result in criticality during refueling operations. Refueling Equipment Interlocks B 3.9.1 (continued) HATCH UNIT 1 B 3.9-3 REVISION 57 BASES (continued) APPLICABILITY In MODE 5, a prompt reactivity excursion could cause fuel damage and subsequent release of radioactive material to the environment. The refueling equipment interlocks protect against prompt reactivity excursions during MODE 5. The interlocks are required to be OPERABLE during in-vessel fuel movement with refueling equipment associated with the interlocks. In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and CORE ALTERATIONS are not possible. Therefore, the refueling interlocks are not required to be OPERABLE in these MODES. ACTIONS A.1, A.2.1, and A.2.2 With one or more of the required refueling equipment interlocks inoperable, the unit must be placed in a condition in which the LCO does not apply. Therefore, Required Action A.1 requires that in-vessel fuel movement with the affected refueling equipment must be immediately suspended. This action ensures that operations are not performed with equipment that would potentially not be blocked from unacceptable operations (e.g., loading fuel into a cell with a control rod withdrawn). Suspension of in-vessel fuel movement shall not preclude completion of movement of a component to a safe position. Alternatively, Required Actions A.2.1 and A.2.2 require a control rod withdrawal block to be inserted, and all control rods to be subsequently verified to be fully inserted. Required Action A.2.1 ensures no control rods can be withdrawn, because a block to control rod withdrawal is in place. The withdrawal block utilized must ensure that if rod withdrawal is requested, the rod will not respond (i.e., it will remain inserted). Required Action A.2.2 is performed after placing the rod withdrawal block in effect, and provides a verification that all control rods are fully inserted. This verification that all control rods are fully inserted is in addition to the periodic verification required by SR 3.9.3.1. Like Required Action A.1, Required Actions A.2.1 and A.2.2 ensure unacceptable operations are blocked (e.g., loading fuel into a cell with the control rod withdrawn).

Refuel Position One-Rod-Out Interlock B 3.9.2 (continued) HATCH UNIT 1 B 3.9-5 REVISION 0B 3.9 REFUELING OPERATIONS B 3.9.2 Refuel Position One-Rod-Out Interlock

BASES BACKGROUND The refuel position one-rod-out interlock restricts the movement of control rods to reinforce unit procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn. GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions. The refuel position one-rod-out interlock prevents the selection of a second control rod for movement when any other control rod is not fully inserted (Ref. 2). It is a logic circuit that has redundant channels. It uses the all-rods-in signal (from the control rod full-in position indicators discussed in LCO 3.9.4, "Control Rod Position Indication") and a rod selection signal (from the Reactor Manual Control System). This Specification ensures that the performance of the refuel position one-rod-out interlock in the event of a Design Basis Accident meets the assumptions used in the safety analysis of Reference 3. APPLICABLE The refueling position one-rod-out interlock is explicitly assumed SAFETY ANALYSES in the FSAR analysis for the control rod withdrawal error during refueling (Ref. 3). This analysis evaluates the consequences of control rod withdrawal during refueling. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. The refuel position one-rod-out interlock and adequate SDM (LCO 3.1.1, "Shutdown Margin (SDM)") prevent criticality by preventing withdrawal of more than one control rod. With one control rod withdrawn, the core will remain subcritical, thereby preventing any prompt critical excursion. The refuel position one-rod-out interlock satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). Refuel Position One-Rod-Out Interlock B 3.9.2 (continued) HATCH UNIT 1 B 3.9-6 REVISION 0BASES (continued) LCO To prevent criticality during MODE 5, the refuel position one-rod-out interlock ensures no more than one control rod may be withdrawn. Both channels of the refuel position one-rod-out interlock are required to be OPERABLE and the reactor mode switch must be locked in the refuel position to support the OPERABILITY of these channels. APPLICABILITY In MODE 5, with the reactor mode switch in the refuel position, the OPERABLE refuel position one-rod-out interlock provides protection against prompt reactivity excursions. In MODES 1, 2, 3, and 4, the refuel position one-rod-out interlock is not required to be OPERABLE and is bypassed. In MODES 1 and 2, the Reactor Protection System (LCO 3.3.1.1) and the control rods (LCO 3.1.3) provide mitigation of potential reactivity excursions. In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions. ACTIONS A.1 and A.2 With one or both channels of the refueling position one-rod-out interlock inoperable, the refueling interlocks may not be capable of preventing more than one control rod from being withdrawn. This condition may lead to criticality. Control rod withdrawal must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all such control rods are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted. SURVEILLANCE SR 3.9.2.1 REQUIREMENTS Proper functioning of the refueling position one-rod-out interlock requires the reactor mode switch to be in Refuel. During control rod withdrawal in MODE 5, improper positioning of the reactor mode switch could, in some instances, allow improper bypassing of required interlocks. Therefore, this Surveillance imposes an additional level of assurance that the refueling position one-rod-out interlock will be Refuel Position One-Rod-Out Interlock B 3.9.2 HATCH UNIT 1 B 3.9-7 REVISION 69BASES SURVEILLANCE SR 3.9.2.1 (continued) REQUIREMENTS OPERABLE when required. By "locking" the reactor mode switch in the proper position (i.e., removing the reactor mode switch key from the console while the reactor mode switch is positioned in refuel), an additional administrative control is in place to preclude operator errors from resulting in unanalyzed operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.9.2.2 Performance of a CHANNEL FUNCTIONAL TEST on each channel demonstrates the associated refuel position one-rod-out interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. To perform the required testing, the applicable condition must be entered (i.e., a control rod must be withdrawn from its full-in position). Alternatively, the control rod withdrawal, and the attempted withdrawal of the second control rod, may be simulated. In either case, SR 3.9.2.2 has been modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 1 hour after any control rod is withdrawn.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Section 7.6.3.

3. FSAR, Section 14.3.3.3. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Position B 3.9.3 (continued) HATCH UNIT 1 B 3.9-8 REVISION 0B 3.9 REFUELING OPERATIONS B 3.9.3 Control Rod Position

BASES BACKGROUND Control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the Control Rod Drive System. During refueling, movement of control rods is limited by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2) or the control rod block with the reactor mode switch in the shutdown position (LCO 3.3.2.1). GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions. The refueling interlocks allow a single control rod to be withdrawn at any time unless fuel is being loaded into the core. To preclude loading fuel assemblies into the core with a control rod withdrawn, all control rods must be fully inserted. This prevents the reactor from achieving criticality during refueling operations. APPLICABLE Prevention and mitigation of prompt reactivity excursions during SAFETY ANALYSES refueling are provided, when required, by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the intermediate range monitor neutron flux scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1). The safety analysis for the control rod withdrawal error during refueling in the FSAR (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. Thus, prior to fuel reload, all control rods must be fully inserted to minimize the probability of an inadvertent criticality. Control rod position satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO All control rods must be fully inserted during applicable refueling conditions to minimize the probability of an inadvertent criticality during refueling.

Control Rod Position B 3.9.3 HATCH UNIT 1 B 3.9-9 REVISION 69BASES (continued) APPLICABILITY During MODE 5, loading fuel into core cells with the control rods withdrawn may result in inadvertent criticality. Therefore, the control rods must be inserted before loading fuel into a core cell. All control rods must be inserted before loading fuel to ensure that a fuel loading error does not result in loading fuel into a core cell with the control rod withdrawn. In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, this Specification is not applicable in these MODES. ACTIONS A.1 With all control rods not fully inserted during the applicable conditions, an inadvertent criticality could occur that is not analyzed in the FSAR. All fuel loading operations must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.3.1 REQUIREMENTS During refueling, to ensure that the reactor remains subcritical, all control rods must be fully inserted prior to and during fuel loading. Periodic checks of the control rod position ensure this condition is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Section 14.3.3.3.

3. FSAR, Section 14.3.3.4. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Position IndicationB 3.9.4(continued)HATCH UNIT 1B 3.9-10REVISION 0B 3.9 REFUELING OPERATIONSB 3.9.4 Control Rod Position IndicationBASESBACKGROUNDThe full-in position indication channel for each control rod providesnecessary information to the refueling interlocks to prevent inadvertentcriticalities during refueling operations. During refueling, the refuelinginterlocks (LCO 3.9.1 and LCO 3.9.2) use the full-in position indicationchannel to limit the operation of the refueling equipment and themovement of the control rods. The absence of the full-in position channel signal for any control rod removes the all-rods-in permissivefor the refueling equipment interlocks and prevents fuel loading. Also,this condition causes the refuel position one-rod-out interlock to notallow the withdrawal of any other control rod.GDC 26 of 10 CFR 50, Appendix A, requires that one of the tworequired independent reactivity control systems be capable of holdingthe reactor core subcritical under cold conditions (Ref. 1). The controlrods serve as the system capable of maintaining the reactorsubcritical in cold conditions.APPLICABLEPrevention and mitigation of prompt reactivity excursions duringSAFETY ANALYSESrefueling are provided, when required, by the refueling interlocks(LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the intermediaterange monitor neutron flux scram (LCO 3.3.1.1), and the control rodblock instrumentation (LCO 3.3.2.1).The safety analysis for the control rod withdrawal error duringrefueling (Ref. 2) assumes the functioning of the refueling interlocksand adequate SDM. The analysis for the fuel assembly insertion error(Ref. 3) assumes all control rods are fully inserted. The full-in position indication channel is required to be OPERABLE so that the refuelinginterlocks can ensure that fuel cannot be loaded with any control rodwithdrawn and that no more than one control rod can be withdrawn ata time.Control rod position indication satisfies Criterion 3 of the NRC PolicyStatement (Ref. 4). Control Rod Position IndicationB 3.9.4(continued)HATCH UNIT 1B 3.9-11REVISION 0BASES (continued)LCOEach control rod full-in position indication channel must beOPERABLE to provide the required input to the refueling interlocks. Achannel is OPERABLE if it provides correct position indication to therefueling interlock logic.APPLICABILITYDuring MODE 5, the control rods must have OPERABLE full-inposition indication channels to ensure the applicable refueling interlocks will be OPERABLE.In MODES 1 and 2, requirements for control rod position are specifiedin LCO 3.1.3, "Control Rod OPERABILITY." In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block(LCO 3.3.2.1) ensures all control rods are inserted, thereby preventingcriticality during shutdown conditions.ACTIONSA Note has been provided to modify the ACTIONS related to controlrod position indication channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequentdivisions, subsystems, components, or variables expressed in theCondition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifiesthat Required Actions of the Condition continue to apply for eachadditional failure, with Completion Times based on initial entry into theCondition. However, the Required Actions for inoperable control rodposition indication channels provide appropriate compensatory measures for separate inoperable channels. As such, this Note hasbeen provided, which allows separate Condition entry for eachinoperable required control rod position indication channel.A.1.1, A.1.2, A.1.3, A.2.1, and A.2.2With one or more required full-in position indication channelsinoperable, compensating actions must be taken to protect againstpotential reactivity excursions from fuel assembly insertions orcontrol rod withdrawals. This may be accomplished by immediatelysuspending in-vessel fuel movement and control rod withdrawal, and immediately initiating action to fully insert all insertable control rods incore cells containing one or more fuel assemblies. Actions mustcontinue until all insertable control rods in core cells containing oneor more fuel assemblies are fully inserted. Suspension ofin-vessel fuel movements and control rod withdrawal shall not preclude moving a component to a safe position. Control Rod Position IndicationB 3.9.4HATCH UNIT 1B 3.9-12REVISION 0BASESACTIONSA.1.1, A.1.2, A.1.3, A.2.1, and A.2.2 (continued)Alternatively, actions must be immediately initiated to fully insert thecontrol rod(s) associated with the inoperable full-in positionindicator(s) and disarm (electrically or hydraulically) the drive(s) to ensure that the control rod is not withdrawn. A control rod can behydraulically disarmed by closing the drive water and exhaust waterisolation valves. A control rod can be electrically disarmed bydisconnecting power from all four direction control valve solenoids.Actions must continue until all associated control rods are fullyinserted and drives are disarmed. Under these conditions (control rodfully inserted and disarmed), an inoperable full-in channel may be bypassed to allow refueling operations to proceed. An alternatemethod must be used to ensure the control rod is fully inserted (e.g.,use the "00" notch position indication).SURVEILLANCESR 3.9.4.1REQUIREMENTSThe full-in position indication channels provide input to the one-rod-outinterlock and other refueling interlocks that require an all-rods-inpermissive. The interlocks are actuated when the full-in positionindication for any control rod is not present, since this indicates that allrods are not fully inserted. Therefore, testing of the full-in position indication channels is performed to ensure that when a control rod iswithdrawn, the full-in position indication is not present. The full-inposition indication channel is considered inoperable even with thecontrol rod fully inserted, if it would continue to indicate full-in with thecontrol rod withdrawn. Performing the SR each time a control rod iswithdrawn from the full-in position is considered adequate because ofthe procedural controls on control rod withdrawals and the visual and audible indications available in the control room to alert the operator tocontrol rods not fully inserted.REFERENCES1.10 CFR 50, Appendix A, GDC 26.2.FSAR, Section 14.3.3.3.3.FSAR, Section 14.3.3.4.4.NRC No. 93-102, "Final Policy Statement on TechnicalSpecification Improvements," July 23, 1993. Control Rod OPERABILITY - Refueling B 3.9.5 (continued) HATCH UNIT 1 B 3.9-13 REVISION 0B 3.9 REFUELING OPERATIONS B 3.9.5 Control Rod OPERABILITY - Refueling

BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes during refueling operation. In addition, the control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The CRD System is the system capable of maintaining the reactor subcritical in cold conditions.

APPLICABLE Prevention and mitigation of prompt reactivity excursions during SAFETY ANALYSES refueling are provided, when required, by refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the intermediate range monitor neutron flux scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1). The safety analyses for the control rod withdrawal error during refueling (Ref. 2) and the fuel assembly insertion error (Ref. 3) evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Control rod scram provides protection should a prompt reactivity excursion occur. Control rod OPERABILITY during refueling satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Each withdrawn control rod must be OPERABLE. The withdrawn control rod is considered OPERABLE if the scram accumulator pressure is 940 psig and the control rod is capable of being automatically inserted upon receipt of a scram signal. Inserted control Control Rod OPERABILITY - Refueling B 3.9.5 (continued) HATCH UNIT 1 B 3.9-14 REVISION 69BASES LCO rods have already completed their reactivity control function, and (continued) therefore, are not required to be OPERABLE. APPLICABILITY During MODE 5, withdrawn control rods must be OPERABLE to ensure that in a scram the control rods will insert and provide the required negative reactivity to maintain the reactor subcritical. For MODES 1 and 2, control rod requirements are found in LCO 3.1.2, "Reactivity Anomalies"; LCO 3.1.3, "Control Rod OPERABILITY"; LCO 3.1.4, "Control Rod Scram Times"; and LCO 3.1.5, "Control Rod Scram Accumulators." During MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions. ACTIONS A.1 With one or more withdrawn control rods inoperable, action must be immediately initiated to fully insert the inoperable control rod(s). Inserting the control rod(s) ensures the shutdown and scram capabilities are not adversely affected. Actions must continue until the inoperable control rod(s) is fully inserted.

SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 REQUIREMENTS During MODE 5, the OPERABILITY of control rods is primarily required to ensure a withdrawn control rod will automatically insert if a signal requiring a reactor shutdown occurs. Because no explicit analysis exists for automatic shutdown during refueling, the shutdown function is satisfied if the withdrawn control rod is capable of automatic insertion and the associated CRD scram accumulator pressure is 940 psig. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.9.5.1 is modified by a Note that allows 7 days after withdrawal of the control rod to perform the Surveillance. This acknowledges that Control Rod OPERABILITY - Refueling B 3.9.5 HATCH UNIT 1 B 3.9-15 REVISION 0BASES SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 (continued) REQUIREMENTS the control rod must first be withdrawn before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Section 14.3.3.3. 3. FSAR, Section 14.3.3.4.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RPV Water Level B 3.9.6 (continued) HATCH UNIT 1 B 3.9-16 REVISION 70B 3.9 REFUELING OPERATIONS B 3.9.6 Reactor Pressure Vessel (RPV) Water Level

BASES BACKGROUND The movement of fuel assemblies or handling of control rods within the RPV requires a minimum water level of 23 ft above the top of the irradiated fuel assemblies seated within the RPV. The point from which the water level is measured is shown in Figure B.5.2-1. During refueling, this maintains a sufficient water level in the reactor vessel cavity. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to well within the 10 CFR 50.67 limits, as provided by the guidance of Reference 1. APPLICABLE During movement of fuel assemblies or handling of control rods, the SAFETY ANALYSES water level in the RPV is an initial condition design parameter in the analysis of a fuel handling accident in containment postulated by Regulatory Guide 1.183 (Ref. 1). Analysis of the fuel handling accident inside containment is described in Reference 2. With a minimum water level of 23 ft and a minimum decay time of 24 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and that offsite doses are maintained within allowable limits (Ref. 4). The related assumptions include the worst case dropping of an irradiated fuel assembly onto the reactor core loaded with irradiated fuel assemblies. RPV water level satisfies Criterion 2 of the NRC Policy Statement (Ref. 5). LCO A minimum water level of 23 ft above the top of the irradiated fuel assemblies seated within the RPV is required to ensure that the radiological consequences of a postulated fuel handling accident are within acceptable limits, as provided by the guidance of Reference 1. The point from which the water level is measured is shown in Figure B 3.5.2-1.

RPV Water Level B 3.9.6 (continued) HATCH UNIT 1 B 3.9-17 REVISION 70BASES (continued) APPLICABILITY LCO 3.9.6 is applicable when moving fuel assemblies or handling control rods (i.e., movement with other than the normal control rod drive) within the RPV. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel storage pool are covered by LCO 3.7.8, "Spent Fuel Storage Pool Water Level." ACTIONS A.1 If the water level is < 23 ft above the top of the irradiated fuel assemblies seated within the RPV, all operations involving movement of fuel assemblies and handling of control rods within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement and control rod handling shall not preclude completion of movement of a component to a safe position. SURVEILLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the irradiated fuel assemblies seated within the RPV ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a fuel handling accident in containment (Ref. 2). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RPV Water Level B 3.9.6 HATCH UNIT 1 B 3.9-18 REVISION 70BASES (continued) REFERENCES 1. Regulatory Guide 1.183, July 2000.

2. Unit 2 FSAR, Section 15.3. 3. Deleted 4. 10 CFR 50.67.

5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 1 B 3.9-19 REVISION 22 B 3.9 REFUELING OPERATIONS B 3.9.7 Residual Heat Removal (RHR) - High Water Level

BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by GDC 34 (Ref. 1). Each of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled. In addition to the RHR subsystems, the volume of water above the reactor pressure vessel (RPV) flange provides a heat sink for decay heat removal. APPLICABLE With the unit in MODE 5, the RHR System is not required to mitigate SAFETY ANALYSES any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant. The RHR System satisfies Criterion 4 of the NRC Policy Statement (Ref. 3). LCO Only one RHR shutdown cooling subsystem is required to be OPERABLE and in operation in MODE 5 with irradiated fuel in the RPV and the water level 22 ft 1/8 inches above the RPV flange (equivalent to 21 ft of water above the top of irradiated fuel assemblies seated in the spent fuel storage pool racks; the point from which the water level is measured is shown in Figure B 3.5.2-1.) Only one subsystem is required because the volume of water above the RPV flange provides backup decay heat removal capability. An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump and the associated heat exchanger, an RHRSW pump providing cooling to the heat exchanger with sufficient flow to maintain RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 1 B 3.9-20 REVISION 1 BASES LCO reactor coolant temperature in the desired range, valves, piping, (continued) instruments, and controls to ensure an OPERABLE flow path. In MODE 5, the RHR cross tie valve is not required to be closed; thus, the valve may be opened to allow RHR pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. In addition, the RHRSW cross tie valves may be open to allow RHRSW pumps in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem. Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required (sufficient to maintain reactor coolant temperature in the desired range). However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the other associated Condition). For example, an operating RHR shutdown cooling subsystem can be removed from operation, yet remain OPERABLE for the decay heat removal function. (Manual alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2). APPLICABILITY One RHR shutdown cooling subsystem must be OPERABLE and in operation in MODE 5, with irradiated fuel in the RPV and the water level 22 ft 1/8 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR Shutdown Cooling subsystem requirements in MODE 5 with irradiated fuel in the RPV and the water level < 22 ft 1/8 inches above the RPV flange are given in LCO 3.9.8, "Residual Heat Removal (RHR) - Low Water Level." RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 1 B 3.9-21 REVISION 1 BASES (continued) ACTIONS A.1 With no RHR shutdown cooling subsystem OPERABLE, an alternate method of decay heat removal must be established within 1 hour. In this condition, the volume of water above the RPV flange provides adequate capability to remove decay heat from the reactor core. However, the overall reliability is reduced because loss of water level could result in reduced decay heat removal capability. The 1 hour Completion Time is based on decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability. Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Fuel Pool Cooling System, the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed, or any other subsystem that can remove heat from the coolant. The method used to remove the decay heat should be the most prudent choice based on unit conditions. B.1, B.2, B.3, and B.4 If no RHR shutdown cooling subsystem is OPERABLE and an alternate method of decay heat removal is not available in accordance with Required Action A.1, actions shall be taken immediately to suspend operations involving an increase in reactor decay heat load by suspending loading of irradiated fuel assemblies into the RPV. Additional actions are required to minimize any potential fission product release to the environment. This includes ensuring: 1) secondary containment (at least including the common refueling floor zone) is OPERABLE; 2) sufficient standby gas treatment subsystem(s) are OPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondary containment configuration, refer to Reference 2; single failure protection is not required while in this ACTION); and

3) secondary containment isolation capability is available in each secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability. The administrative controls can consist of RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 1 B 3.9-22 REVISION 69 BASES ACTIONS B.1, B.2, B.3, and B.4 (continued) stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, a Surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE. C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.9.7.1 REQUIREMENTS This Surveillance demonstrates that the required RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RHR - High Water Level B 3.9.7 HATCH UNIT 1 B 3.9-23 REVISION 40 BASES (continued) REFERENCES 1. 10 CFR 50, Appendix A, GDC 34.

2. Technical Requirements Manual, Section 8.0. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 1 B 3.9-24 REVISION 1B 3.9 REFUELING OPERATIONS B 3.9.8 Residual Heat Removal (RHR) - Low Water Level

BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by GDC 34 (Ref. 1). Each of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled. APPLICABLE With the unit in MODE 5, the RHR System is not required to SAFETY ANALYSES mitigate any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant. The RHR System satisfies Criterion 4 of the NRC Policy Statement (Ref. 3). LCO In MODE 5 with irradiated fuel in the reactor pressure vessel (RPV) and the water level < 22 ft 1/8 inches above the RPV flange, two RHR shutdown cooling subsystems must be OPERABLE. An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump and the associated heat exchanger, an RHRSW pump providing cooling to the heat exchanger with sufficient flow to maintain reactor coolant temperature in the desired range, valves, piping, instruments, and controls to ensure an OPERABLE flow path. The two required RHR shutdown cooling subsystems have a common suction source and are allowed to have a common heat exchanger and common discharge piping. Since the piping and heat exchangers are passive components that are assumed not to fail, they are allowed to be common to both subsystems. Thus, to meet the LCO, both RHR pumps in one loop or one RHR pump in each of the two loops must be OPERABLE. If the RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 1 B 3.9-25 REVISION 1BASES LCO two required subsystems consist of an RHR pump in each loop, both (continued) heat exchangers are required, since one heat exchanger will not be common to both subsystems. In MODE 5, the RHR cross tie valve is not required to be closed; thus, the valve may be opened to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. Similarly, to meet the LCO, the cooling supply for the heat exchanger(s) requires two RHRSW pumps (either one pump in each RHRSW loop or two pumps in one RHRSW loop). With one RHR heat exchanger common to both RHR shutdown cooling subsystems, each RHRSW pump is required to be capable of providing cooling to that heat exchanger (Note: the RHRSW cross tie valves may be open to allow RHRSW pump(s) in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem.), or with both heat exchangers required, each heat exchanger is required to have an RHRSW pump capable of providing coolant to that heat exchanger. Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required (sufficient to maintain reactor coolant temperature in the desired range). However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the other associated Condition). For example, an operating RHR shutdown cooling subsystem can be removed from operation, yet remain OPERABLE for the decay heat removal function. (Manual alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2). RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 1 B 3.9-26 REVISION 1BASES (continued) APPLICABILITY Two RHR shutdown cooling subsystems are required to be OPERABLE, and one must be in operation in MODE 5, with irradiated fuel in the RPV and the water level < 22 ft 1/8 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5 with irradiated fuel in the RPV and the water level 22 ft 1/8 inches above the RPV flange are given in LCO 3.9.7, "Residual Heat Removal (RHR) - High Water Level." ACTIONS A.1 With one of the two required RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of this alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability. Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed. The method used to remove decay heat should be the most prudent choice based on unit conditions. B.1, B.2, and B.3 With the required RHR shutdown cooling subsystem(s) inoperable and the required alternate method(s) of decay heat removal not available in accordance with Required Action A.1, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring: 1) secondary containment (at least including the common refueling floor zone) is OPERABLE; RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 1 B 3.9-27 REVISION 1BASES ACTIONS B.1, B.2, and B.3 (continued)

2) sufficient standby gas treatment subsystem(s) are OPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondary containment configuration, refer to Reference 2; single failure protection is not required while in this ACTION); and 3) secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability. The administrative controls can consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the Surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.

C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate.

RHR - Low Water Level B 3.9.8 HATCH UNIT 1 B 3.9-28 REVISION 69BASES (continued) SURVEILLANCE SR 3.9.8.1 REQUIREMENTS This Surveillance demonstrates that one required RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 34.

2. Technical Requirements Manual, Section 8.0.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

>

<

Reactor Mode Switch Interlock Testing B 3.10.2 (continued) HATCH UNIT 1 B 3.10-6 REVISION 56 B 3.10 SPECIAL OPERATIONS

B 3.10.2 Reactor Mode Switch Interlock Testing

BASES BACKGROUND The purpose of this Special Operations LCO is to permit operation of the reactor mode switch from one position to another to confirm certain aspects of associated interlocks during periodic tests and calibrations in MODES 3, 4, and 5. The reactor mode switch is a conveniently located, multiposition, keylock switch provided to select the necessary scram functions for various plant conditions (Ref. 1). The reactor mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses. The mode switch positions and related scram interlock functions are summarized as follows:

a. Shutdown - Initiates a reactor scram; bypasses main steam line isolation scram; b. Refuel - Selects Neutron Monitoring System (NMS) scram function for low neutron flux level operation (but does not disable the average power range monitor scram); bypasses main steam line isolation scram; c. Startup/Hot Standby - Selects NMS scram function for low neutron flux level operation (intermediate range monitors and average power range monitors); bypasses main steam line isolation; and

d. Run - Selects NMS scram function for power range operation.

The reactor mode switch also provides interlocks for such functions as control rod blocks, scram discharge volume trip bypass, refueling interlocks, and main steam isolation valve isolations.

APPLICABLE The acceptance criterion for reactor mode switch interlock SAFETY ANALYSES testing is to prevent fuel failure by precluding reactivity excursions or core criticality. The interlock functions of the shutdown and refuel positions normally maintained for the reactor mode switch in MODES 3, 4, and 5 are provided to preclude reactivity excursions that could potentially result in fuel failure. Interlock testing that requires moving the reactor mode switch to other positions (run, startup/hot standby, or refuel) while in MODE 3, 4, or 5 requires administratively Reactor Mode Switch Interlock Testing B 3.10.2 (continued) HATCH UNIT 1 B 3.10-7 REVISION 56 BASES APPLICABLE maintaining all control rods inserted and no other CORE SAFETY ANALYSES ALTERATIONS in progress. With all control rods inserted in core cells (continued) containing one or more fuel assemblies, and no CORE ALTERATIONS in progress, there are no credible mechanisms for unacceptable reactivity excursions during the planned interlock testing. For postulated accidents, such as control rod removal error during refueling or loading of fuel with a control rod withdrawn, the accident analysis demonstrates that fuel failure will not occur (Refs. 2 and 3). The withdrawal of a single control rod will not result in criticality when adequate SDM is maintained. Also, loading fuel assemblies into the core with a single control rod withdrawn will not result in criticality (provided adequate SDM is maintained), thereby preventing fuel failure. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. MODES 3, 4, and 5 operations not specified in Table 1.1-1 can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation"; LCO 3.10.3, "Single Control Rod Withdrawal - Hot Shutdown"; LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown"; and LCO 3.10.8, "SDM Test - Refueling") without meeting this LCO or its ACTIONS. If any testing is performed that involves the reactor mode switch interlocks and requires repositioning beyond that specified in Table 1.1-1 for the current MODE of operation, the testing can be performed, provided all interlock functions potentially defeated are administratively controlled. In MODES 3, 4, and 5 with the reactor mode switch in shutdown as specified in Table 1.1-1, all control rods are fully inserted and a control rod block is initiated. Therefore, all control rods in core cells that contain one or more fuel assemblies must be verified fully inserted while in MODES 3, 4, and 5, with the reactor mode switch in other than the shutdown position. The additional LCO requirement to preclude CORE ALTERATIONS is appropriate for MODE 5 operations, as discussed below, and is inherently met in MODES 3 and 4 by the definition of CORE ALTERATIONS, which cannot be performed with the vessel head in place. Reactor Mode Switch Interlock Testing B 3.10.2 (continued) HATCH UNIT 1 B 3.10-8 REVISION 56 BASES LCO In MODE 5, with the reactor mode switch in the refuel position, only (continued) one control rod can be withdrawn under the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"). The refueling equipment interlocks (LCO 3.9.1, "Refueling Equipment Interlocks") appropriately control other CORE ALTERATIONS. Due to the increased potential for error in controlling these multiple interlocks, and the limited duration of tests involving the reactor mode switch position, conservative controls are required, consistent with MODES 3 and 4. The additional controls of administratively not permitting other CORE ALTERATIONS will adequately ensure that the reactor does not become critical during these tests. APPLICABILITY Any required periodic interlock testing involving the reactor mode switch, while in MODES 1 and 2, can be performed without the need for Special Operations exceptions. Mode switch manipulations in these MODES would likely result in unit trips. In MODES 3, 4, and 5, this Special Operations LCO is only permitted to be used to allow reactor mode switch interlock testing that cannot conveniently be performed without this allowance or testing which must be performed prior to entering another MODE. Such interlock testing may consist of required Surveillances, or may be the result of maintenance, repair, or troubleshooting activities. In MODES 3, 4, and 5, the interlock functions provided by the reactor mode switch in shutdown (i.e., all control rods inserted and incapable of withdrawal) and refueling (i.e., refueling interlocks to prevent inadvertent criticality during CORE ALTERATIONS) positions can be administratively controlled adequately during the performance of certain tests. ACTIONS A.1, A.2, A.3.1, and A.3.2 These Required Actions are provided to restore compliance with the Technical Specifications overridden by this Special Operations LCO. Restoring compliance will also result in exiting the Applicability of this Special Operations LCO. All CORE ALTERATIONS except for control rod insertion, if in progress, are immediately suspended in accordance with Required Action A.1, and all insertable control rods in core cells that contain one or more fuel assemblies are fully inserted within 1 hour, in accordance with Required Action A.2. This will preclude potential mechanisms that could lead to criticality. Suspension of CORE Reactor Mode Switch Interlock Testing B 3.10.2 HATCH UNIT 1 B 3.10-9 REVISION 69 BASES ACTIONS A.1, A.2, A.3.1, and A.3.2 (continued) ALTERATIONS shall not preclude the completion of movement of a component to a safe condition. Placing the reactor mode switch in the shutdown position will ensure that all inserted control rods remain inserted and result in operating in accordance with Table 1.1-1. Alternatively, if in MODE 5, the reactor mode switch may be placed in the refuel position, which will also result in operating in accordance with Table 1.1-1. A Note is added to Required Action A.3.2 to indicate that this Required Action is not applicable in MODES 3 and 4, since only the shutdown position is allowed in these MODES. The allowed Completion Time of 1 hour for Required Action A.2, Required Action A.3.1, and Required Action A.3.2 provides sufficient time to normally insert the control rods and place the reactor mode switch in the required position, based on operating experience, and is acceptable given that all operations that could increase core reactivity have been suspended. SURVEILLANCE SR 3.10.2.1 and SR 3.10.2.2 REQUIREMENTS Meeting the requirements of this Special Operations LCO maintains operation consistent with or conservative to operating with the reactor mode switch in the shutdown position (or the refuel position for MODE 5). The functions of the reactor mode switch interlocks that are not in effect, due to the testing in progress, are adequately compensated for by the Special Operations LCO requirements. The administrative controls are to be periodically verified to ensure that the operational requirements continue to be met. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.2.3.7.

2. FSAR, Section 14.3.3.3.

3. FSAR, Section 14.3.3.4.

Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 (continued) HATCH UNIT 1 B 3.10-10 REVISION 56 B 3.10 SPECIAL OPERATIONS

B 3.10.3 Single Control Rod Withdrawal - Hot Shutdown

BASES BACKGROUND The purpose of this MODE 3 Special Operations LCO is to permit the withdrawal of a single control rod for testing while in hot shutdown, by imposing certain restrictions. In MODE 3, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the other installed interlocks that are actuated when the reactor mode switch is in the shutdown position. However, circumstances may arise while in MODE 3 that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram timing, and coupling integrity checks). These single control rod withdrawals are normally accomplished by selecting the refuel position for the reactor mode switch. This Special Operations LCO provides the appropriate additional controls to allow a single control rod withdrawal in MODE 3.

APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY ANALYSES control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 3, these analyses will bound the consequences of an accident. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal. Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 (continued) HATCH UNIT 1 B 3.10-11 REVISION 56 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special Operations LCOs SAFETY ANALYSES is optional, and therefore, no criteria of the NRC Policy Statement (continued) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 3 with the reactor mode switch in the refuel position can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. However, if a single control rod withdrawal is desired in MODE 3, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO, will ensure that only one control rod can be withdrawn. To back up the refueling interlocks (LCO 3.9.2), the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by this Special Operations LCO's requirements in Item d.1. Alternately, provided a sufficient number of control rods in the vicinity of the withdrawn control rod are known to be inserted and incapable of withdrawal (Item d.2), the possibility of criticality on withdrawal of this control rod is sufficiently precluded, so as not to require the scram capability of the withdrawn control rod. Also, once this alternate (Item d.2) is completed, the SDM requirement to account for both the withdrawn-untrippable control rod, and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.

APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with this Special Operations LCO or Special Operations LCO 3.10.4, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position. For these conditions, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4, "Control Rod Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 (continued) HATCH UNIT 1 B 3.10-12 REVISION 56 BASES APPLICABILITY Position Indication"), full insertion requirements for all other control (continued) rods and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, Control Rod OPERABILITY - Refueling"), or the added administrative controls in Item d.2 of this Special Operations LCO, minimize potential reactivity excursions. ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 3. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

A.1 If one or more of the requirements specified in this Special Operations LCO are not met, the ACTIONS applicable to the stated requirements of the affected LCOs are immediately entered as directed by Required Action A.1. Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Action to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added, which clarifies that this Required Action is only applicable if the requirements not met are for an affected LCO. A.2.1 and A.2.2 Required Actions A.2.1 and A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 3 requirements, thereby exiting this Special Operations LCO's Applicability. Actions must be initiated immediately to insert all insertable control rods. Actions must continue until all such control rods are fully inserted. Placing the reactor mode switch in the shutdown position will ensure all inserted rods remain inserted Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 HATCH UNIT 1 B 3.10-13 REVISION 69 BASES ACTIONS A.2.1 and A.2.2 (continued) and restore operation in accordance with Table 1.1-1. The allowed Completion Time of 1 hour to place the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods. SURVEILLANCE SR 3.10.3.1, SR 3.10.3.2, and SR 3.10.3.3 REQUIREMENTS The other LCOs made applicable in this Special Operations LCO are required to have their Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification in accordance with SR 3.10.3.2 is required to preclude the possibility of criticality. SR 3.10.3.2 has been modified by a Note, which clarifies that this SR is not required to be met if SR 3.10.3.1 is satisfied for LCO 3.10.3.d.1 requirements, since SR 3.10.3.2 demonstrates that the alternative LCO 3.10.3.d.2 requirements are satisfied. Also, SR 3.10.3.3 verifies that all control rods other than the control rod being withdrawn are fully inserted. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 14.3.3.3. Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 1 B 3.10-14 REVISION 56 B 3.10 SPECIAL OPERATIONS B 3.10.4 Single Control Rod Withdrawal - Cold Shutdown

BASES BACKGROUND The purpose of this MODE 4 Special Operations LCO is to permit the withdrawal of a single control rod for testing or maintenance, while in cold shutdown, by imposing certain restrictions. In MODE 4, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the installed interlocks associated with the reactor mode switch in the shutdown position. Circumstances may arise while in MODE 4, however, that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram time testing, and coupling integrity checks). Certain situations may also require the removal of the associated control rod drive (CRD). These single control rod withdrawals and possible subsequent removals are normally accomplished by selecting the refuel position for the reactor mode switch.

APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY ANALYSES control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 4, these analyses will bound the consequences of an accident. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks fail to prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal. This alternate backup protection is required when removing a CRD because this removal renders the withdrawn control rod incapable of being scrammed. Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 1 B 3.10-15 REVISION 56 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special Operations LCOs SAFETY ANALYSES is optional, and therefore, no criteria of the NRC Policy Statement (continued) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 4 with the reactor mode switch in the refuel position can be performed in accordance with other LCOs (i.e., Special Operations LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. If a single control rod withdrawal is desired in MODE 4, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal," in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO will ensure that only one control rod can be withdrawn. At the time CRD removal begins, the disconnection of the position indication probe will cause LCO 3.9.4, "Control Rod Position Indication," and therefore, LCO 3.9.2 to fail to be met. Therefore, prior to commencing CRD removal, a control rod withdrawal block is required to be inserted to ensure that no additional control rods can be withdrawn and that compliance with this Special Operations LCO is maintained. To back up the refueling interlocks (LCO 3.9.2) or the control rod withdrawal block, the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by the Special Operations LCO requirements in Item c.1. Alternatively, when the scram function is not OPERABLE, or when the CRD is to be removed, a sufficient number of rods in the vicinity of the withdrawn control rod are required to be inserted and made incapable of withdrawal (Item c.2). This precludes the possibility of criticality upon withdrawal of this control rod. Also, once this alternate (Item c.2) is completed, the SDM requirement to account for both the withdrawn-untrippable control rod, and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.

Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 1 B 3.10-16 REVISION 56 BASES (continued) APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, or this Special Operations LCO, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position. During these conditions, the full insertion requirements for all other control rods, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4), and scram functions [LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY - Refueling"], or the added administrative controls in Item b.2 and Item c.2 of this Special Operations LCO, provide mitigation of potential reactivity excursions. ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 4. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO. A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod insertable, these Required Actions restore operation consistent with normal MODE 4 conditions (i.e., all rods inserted) or with the exceptions allowed in this Special Operations LCO. Required Action A.1 has been modified by a Note that clarifies that the intent of any other LCO's Required Actions to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added to Required Action A.1 to clarify that this Required Action is only applicable if the requirements not met are for an affected LCO. Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 1 B 3.10-17 REVISION 69 BASES ACTIONS A.1, A.2.1, and A.2.2 (continued) Required Actions A.2.1 and A.2.2 are specified, based on the assumption that the control rod is being withdrawn. If the control rod is still insertable, actions must be immediately initiated to fully insert all insertable control rods and within 1 hour place the reactor mode switch in the shutdown position. Actions must continue until all such control rods are fully inserted. The allowed Completion Time of 1 hour for placing the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods. B.1, B.2.1, and B.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod not insertable, withdrawal of the control rod and removal of the associated CRD must be immediately suspended. If the CRD has been removed, such that the control rod is not insertable, the Required Actions require the most expeditious action be taken to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO. SURVEILLANCE SR 3.10.4.1, SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 REQUIREMENTS The other LCOs made applicable by this Special Operations LCO are required to have their associated surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification is required to ensure that the possibility of criticality remains precluded. Verification that all the other control rods are fully inserted is required to meet the SDM requirements. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the affected control rod. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.10.4.2 and SR 3.10.4.4 have been modified by Notes, which clarify that these SRs are not required to be met if the alternative requirements demonstrated by SR 3.10.4.1 are satisfied. Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 HATCH UNIT 1 B 3.10-18 REVISION 56 BASES (continued) REFERENCES 1. FSAR, Section 14.3.3.3.

Single CRD Removal - Refueling B 3.10.5 (continued) HATCH UNIT 1 B 3.10-19 REVISION 56 B 3.10 SPECIAL OPERATIONS

B 3.10.5 Single Control Rod Drive (CRD) Removal - Refueling

BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit the removal of a single CRD during refueling operations by imposing certain administrative controls. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. The refueling interlocks use the full-in position indicators to determine the position of all control rods. If the full-in position signal is not present for every control rod, then the all-rods-in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod. The control rod scram function provides backup protection in the event normal refueling procedures, and the refueling interlocks described above, fail to prevent inadvertent criticalities during refueling. The requirement for this function to be OPERABLE precludes the possibility of removing the CRD once a control rod is withdrawn from a core cell containing one or more fuel assemblies. This Special Operations LCO provides controls sufficient to ensure the possibility of an inadvertent criticality is precluded, while allowing a single CRD to be removed from a core cell containing one or more fuel assemblies. The removal of the CRD involves disconnecting the position indication probe, which causes noncompliance with LCO 3.9.4, "Control Rod Position Indication," and, therefore, LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refueling Position One-Rod-Out Interlock." The CRD removal also requires isolation of the CRD from the CRD Hydraulic System, thereby causing inoperability of the control rod (LCO 3.9.5, "Control Rod OPERABILITY - Refueling"). APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY ANALYSES control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied, these analyses will bound the consequences of accidents. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that proper operation of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Single CRD Removal - Refueling B 3.10.5 (continued) HATCH UNIT 1 B 3.10-20 REVISION 56 BASES APPLICABLE Refueling interlocks restrict the movement of control rods and the SAFETY ANALYSES operation of the refueling equipment to reinforce operational (continued) procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement to suspend all CORE ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling. Since the scram function and refueling interlocks may be suspended, alternate backup protection required by this Special Operations LCO is obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and are incapable of being withdrawn (by insertion of a control rod block). As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with any of the following LCOs, LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, or LCO 3.9.5 not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. However, if a single CRD removal from a core cell containing one or more fuel assemblies is desired in MODE 5, controls consistent with those required by LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 must be implemented, and this Special Operations LCO applied. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out Single CRD Removal - Refueling B 3.10.5 (continued) HATCH UNIT 1 B 3.10-21 REVISION 56 BASES LCO interlock (LCO 3.9.2) is adequately maintained. This Special (continued) Operations LCO requirement to suspend all CORE ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). Ensuring that the five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal adequately satisfies the backup protection that LCO 3.3.1.1 and LCO 3.9.2 would have otherwise provided. Also, once these requirements (Items a, b, and c) are completed, the SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod. APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The allowance to comply with this Special Operations LCO in lieu of the ACTIONS of LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 is appropriately controlled with the additional administrative controls required by this Special Operations LCO, which reduce the potential for reactivity excursions. ACTIONS A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for failure to meet LCO 3.3.1.1, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 (i.e., all control rods inserted) or with the allowances of this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2.1, and Required Action A.2.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO. Actions must continue until either Required Action A.2.1 or Required Action A.2.2 is satisfied.

Single CRD Removal - Refueling B 3.10.5 HATCH UNIT 1 B 3.10-22 REVISION 69 BASES (continued) SURVEILLANCE SR 3.10.5.1, SR 3.10.5.2, SR 3.10.5.3, SR 3.10.5.4, REQUIREMENTS and SR 3.10.5.5 Verification that all the control rods, other than the control rod withdrawn for the removal of the associated CRD, are fully inserted is required to ensure the SDM is within limits. Verification that the local five by five array of control rods, other than the control rod withdrawn for removal of the associated CRD, is inserted and disarmed, while the scram function for the withdrawn rod is not available, is required to ensure that the possibility of criticality remains precluded. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the withdrawn control rod. The Surveillance for LCO 3.1.1, which is made applicable by this Special Operations LCO, is required in order to establish that this Special Operations LCO is being met. Verification that no other CORE ALTERATIONS are being made is required to ensure the assumptions of the safety analysis are satisfied. While not required by this LCO, verification of the core loading may be prudent to ensure that a fuel loading error has not invalidated the assumptions of the safety analysis. Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 14.3.3.3.

Multiple Control Rod Withdrawal - Refueling B 3.10.6 (continued) HATCH UNIT 1 B 3.10-23 REVISION 56 B 3.10 SPECIAL OPERATIONS

B 3.10.6 Multiple Control Rod Withdrawal - Refueling

BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rod may be withdrawn with no restrictions. Any number of control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel. The refueling interlocks use the full-in position indicators to determine the position of all control rods. If the full-in position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod. To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypassing the full-in position indicators.

APPLICABLE Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the SAFETY ANALYSES functioning of the refueling interlocks and adequate SDM will prevent unacceptable reactivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the full-in position indication is allowed to be bypassed for each withdrawn control rod if all fuel has been removed from the cell. With no fuel assemblies in the core cell, the associated control rod has no reactivity control function and is not required to remain inserted. Prior to reloading fuel into the cell, however, the associated control rod must be inserted to ensure that an inadvertent criticality does not occur, as evaluated in the Reference 1 analysis. Multiple Control Rod Withdrawal - Refueling B 3.10.6 (continued) HATCH UNIT 1 B 3.10-24 REVISION 56 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special Operations LCOs SAFETY ANALYSES is optional, and therefore, no criteria of the NRC Policy Statement (continued) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with either LCO 3.9.3, "Control Rod Position," LCO 3.9.4, "Control Rod Position Indication," or LCO 3.9.5, "Control Rod OPERABILITY - Refueling," not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. If multiple control rod withdrawal or removal, or CRD removal is desired, all four fuel assemblies are required to be removed from the associated cells. Prior to entering this LCO, any fuel remaining in a cell whose CRD was previously removed under the provisions of another LCO must be removed. "Withdrawal", in this application, includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. When fuel is loaded into the core with multiple control rods withdrawn, special spiral reload sequences are used to ensure that reactivity additions are minimized. Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence). Otherwise, all control rods must be fully inserted before loading fuel.

APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The exceptions from other LCO requirements (e.g., the ACTIONS of LCO 3.9.3, LCO 3.9.4, or LCO 3.9.5) allowed by this Special Operations LCO are appropriately controlled by requiring all fuel to be removed from cells whose full-in indicators are allowed to be bypassed.

Multiple Control Rod Withdrawal - Refueling B 3.10.6 HATCH UNIT 1 B 3.10-25 REVISION 69 BASES (continued) ACTIONS A.1, A.2, A.3.1, and A.3.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for refueling (i.e., all control rods inserted in core cells containing one or more fuel assemblies) or with the exceptions granted by this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2, Required Action A.3.1, and Required Action A.3.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the affected CRDs and insert their control rods, or initiate action to restore compliance with this Special Operations LCO. SURVEILLANCE SR 3.10.6.1, SR 3.10.6.2, and SR 3.10.6.3 REQUIREMENTS Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 14.3.3.3.

SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 1 B 3.10-30 REVISION 56 B 3.10 SPECIAL OPERATIONS

B 3.10.8 SHUTDOWN MARGIN (SDM) Test - Refueling

BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit SDM testing to be performed for those plant configurations in which the reactor pressure vessel (RPV) head is either not in place or the head bolts are not fully tensioned. LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," requires that adequate SDM be demonstrated following fuel movements or control rod replacement within the RPV. The demonstration must be performed prior to or within 4 hours after criticality is reached. This SDM test may be performed prior to or during the first startup following the refueling. Performing the SDM test prior to startup requires the test to be performed while in MODE 5, with the vessel head bolts less than fully tensioned (and possibly with the vessel head removed). While in MODE 5, the reactor mode switch is required to be in the shutdown or refuel position, where the applicable control rod blocks ensure that the reactor will not become critical. The SDM test requires the reactor mode switch to be in the startup/hot standby position, since more than one control rod will be withdrawn for the purpose of demonstrating adequate SDM. This Special Operations LCO provides the appropriate additional controls to allow withdrawing more than one control rod from a core cell containing one or more fuel assemblies when the reactor vessel head bolts are less than fully tensioned. APPLICABLE Prevention and mitigation of unacceptable reactivity excursions SAFETY ANALYSES during control rod withdrawal, with the reactor mode switch in the startup/hot standby position while in MODE 5, is provided by the intermediate range monitor (IRM) neutron flux scram [LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"], and control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation"). The limiting reactivity excursion during startup conditions while in MODE 5 is the control rod drop accident (CRDA). CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. For SDM tests performed within these defined sequences, the analyses of References 1 and 2 are applicable. However, for some sequences developed for the SDM testing, the control rod patterns assumed in the safety analyses of References 1 and 2 may not be met. Therefore, special CRDA analyses, performed in accordance with an NRC approved methodology, may be required SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 1 B 3.10-31 REVISION 56 BASES APPLICABLE to demonstrate the SDM test sequence will not result in unacceptable SAFETY ANALYSES consequences should a CRDA occur during the testing. For the (continued) purpose of this test, the protection provided by the normally required MODE 5 applicable LCOs, in addition to the requirements of this LCO, will maintain normal test operations as well as postulated accidents within the bounds of the appropriate safety analyses (Refs. 1 and 2). In addition to the added requirements for the RWM, Average Power Range Monitors, and control rod coupling, the notch out mode is specified for out of sequence withdrawals. Requiring the notch out mode limits withdrawal steps to a single notch, which limits inserted reactivity, and allows adequate monitoring of changes in neutron flux, which may occur during the test. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. SDM tests may be performed while in MODE 2, in accordance with Table 1.1-1, without meeting this Special Operations LCO or its ACTIONS. For SDM tests performed while in MODE 5, additional requirements must be met to ensure that adequate protection against potential reactivity excursions is available. To provide additional scram protection beyond the normally required IRMs, the Average Power Range Monitors are also required to be OPERABLE (LCO 3.3.1.1, Functions 2.a, 2.d, and 2.e) as though the reactor were in MODE 2. Because multiple control rods will be withdrawn and the reactor will potentially become critical, the approved control rod withdrawal sequence must be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2), or must be verified by a second licensed operator or other qualified member of the technical staff. To provide additional protection against an inadvertent criticality, control rod withdrawals that do not conform to the banked position withdrawal sequence specified in LCO 3.1.6, "Rod Pattern Control," (i.e., out of sequence control rod withdrawals) must be made in the individual notched withdrawal mode to minimize the potential reactivity insertion associated with each movement. Coupling integrity of withdrawn control rods is required to minimize the probability of a CRDA and ensure proper functioning of the withdrawn control rods, if they are required to scram. Because the reactor vessel head may be removed during these tests, no other CORE ALTERATIONS may be in SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 1 B 3.10-32 REVISION 56 BASES LCO progress. Furthermore, since the control rod scram function with the (continued) RCS at atmospheric pressure relies solely on the CRD accumulator, it is essential that the CRD charging water header remain pressurized. This Special Operations LCO then allows changing the Table 1.1-1 reactor mode switch position requirements to include the startup/hot standby position, such that the SDM tests may be performed while in MODE 5. APPLICABILITY These SDM test Special Operations requirements are only applicable if the SDM tests are to be performed while in MODE 5 with the reactor vessel head removed or the head bolts not fully tensioned. Additional requirements during these tests to enforce control rod withdrawal sequences and restrict other CORE ALTERATIONS provide protection against potential reactivity excursions. Operations in all other MODES are unaffected by this LCO. ACTIONS A.1 With one or more control rods discovered uncoupled during this Special Operation, a controlled insertion of each uncoupled control rod is required; either to attempt recoupling, or to preclude a control rod drop. This controlled insertion is preferred since, if the control rod fails to follow the drive as it is withdrawn (i.e., is "stuck" in an inserted position), placing the reactor mode switch in the shutdown position per Required Action B.1 could cause substantial secondary damage. If recoupling is not accomplished, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. Required Action A.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1 "Control Rod Block Instrumentation," ACTIONS provide additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.

SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 1 B 3.10-33 REVISION 56 BASES ACTIONS A.1 (continued) The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems. Condition A is modified by a Note allowing separate Condition entry for each uncoupled control rod. This is acceptable since the Required Actions for this Condition provide appropriate compensatory actions for each uncoupled control rod. Complying with the Required Actions may allow for continued operation. Subsequent uncoupled control rods are governed by subsequent entry into the Condition and application of the Required Actions.

B.1 With one or more of the requirements of this LCO not met for reasons other than an uncoupled control rod, the testing should be immediately stopped by placing the reactor mode switch in the shutdown or refuel position. This results in a condition that is consistent with the requirements for MODE 5 where the provisions of this Special Operations LCO are no longer required.

SURVEILLANCE SR 3.10.8.1, SR 3.10.8.2, and SR 3.10.8.3 REQUIREMENTS LCO 3.3.1.1, Functions 2.a, 2.d, and 2.e, made applicable in this Special Operations LCO, are required to have their Surveillances met to establish that this Special Operations LCO is being met. However, the control rod withdrawal sequences during the SDM tests may be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2 requirements) or by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff (e.g., a qualified shift technical advisor or reactor engineer). As noted, either the applicable SRs for the RWM (LCO 3.3.2.1) must be satisfied according to the applicable Frequencies (SR 3.10.8.2), or the proper movement of control rods must be verified (SR 3.10.8.3). This latter verification (i.e., SR 3.10.8.3) must be performed during control rod movement to prevent deviations from the specified sequence. These Surveillances provide adequate assurance that the specified test sequence is being followed.

SDM Test - Refueling B 3.10.8 HATCH UNIT 1 B 3.10-34 REVISION 69 BASES SURVEILLANCE SR 3.10.8.4 REQUIREMENTS (continued) Periodic verification of the administrative controls established by this LCO will ensure that the reactor is operated within the bounds of the safety analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.10.8.5 Coupling verification is performed to ensure the control rod is connected to the control rod drive mechanism and will perform its intended function when necessary. The verification is required to be performed any time a control rod is withdrawn to the full-out notch position, or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved, as well as operating experience related to uncoupling events. SR 3.10.8.6 CRD charging water header pressure verification is performed to ensure the motive force is available to scram the control rods in the event of a scram signal. Since the reactor is depressurized in MODE 5, there is insufficient reactor pressure to scram the control rods. Verification of charging water header pressure ensures that if a scram were required, capability for rapid control rod insertion would exist. The minimum charging water header pressure of 940 psig, which is below the expected pressure of 1100 psig, still ensures sufficient pressure for rapid control rod insertion. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. NEDE-24011-P-A-US, "General Electric Standard Application for Reactor Fuel, Supplement for United States" (revision specified in the COLR).

2. Letter from T. Pickens (BWROG) to G. C. Lainas, NRC, "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," August 15, 1986.

(continued) HATCH UNIT 2 i REVISION 75 TABLE OF CONTENTS B 2.0 SAFETY LIMITS (SLs) ......................................................................... B 2.0-1 B 2.1.1 Reactor Core SLs .................................................................................. B 2.0-1 B 2.1.2 Reactor Coolant System (RCS) Pressure SL ........................................ B 2.0-5 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY ... B 3.0-1 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY .................. B 3.0-9 B 3.1 REACTIVITY CONTROL SYSTEMS .................................................... B 3.1-1 B 3.1.1 SHUTDOWN MARGIN (SDM) .............................................................. B 3.1-1 B 3.1.2 Reactivity Anomalies ............................................................................. B 3.1-7 B 3.1.3 Control Rod OPERABILITY ................................................................... B 3.1-11 B 3.1.4 Control Rod Scram Times ..................................................................... B 3.1-19 B 3.1.5 Control Rod Scram Accumulators ......................................................... B 3.1-25 B 3.1.6 Rod Pattern Control ............................................................................... B 3.1-30 B 3.1.7 Standby Liquid Control (SLC) System ................................................... B 3.1-35 B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves ...................... B 3.1-42 B 3.2 POWER DISTRIBUTION LIMITS .......................................................... B 3.2-1 B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) .................................................................................. B 3.2-1 B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR) ................................... B 3.2-5 B 3.2.3 LINEAR HEAT GENERATION RATE ................................................... B 3.2-9 (continued) HATCH UNIT 2 ii REVISION 79 TABLE OF CONTENTS (continued) B 3.3 INSTRUMENTATION ............................................................................ B 3.3-1 B 3.3.1.1 Reactor Protection System (RPS) Instrumentation ............................... B 3.3-1 B 3.3.1.2 Source Range Monitor (SRM) Instrumentation ..................................... B 3.3-33 B 3.3.2.1 Control Rod Block Instrumentation ........................................................ B 3.3-42 B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation ............................................................................ B 3.3-53 B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation .................................. B 3.3-59 B 3.3.3.2 Remote Shutdown System .................................................................... B 3.3-70 B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation ............................................................................ B 3.3-75 B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation ...................................................... B 3.3-84 B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation .................. B 3.3-92 B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation ........... B 3.3-125 B 3.3.6.1 Primary Containment Isolation Instrumentation..................................... B 3.3-135 B 3.3.6.2 Secondary Containment Isolation Instrumentation ................................ B 3.3-161 B 3.3.6.3 Low-Low Set (LLS) Instrumentation ...................................................... B 3.3-171 B 3.3.7.1 Main Control Room Environmental Control (MCREC) System Instrumentation ............................................................................ B 3.3-179 B 3.3.8.1 Loss of Power (LOP) Instrumentation ................................................... B 3.3-185 B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ............... B 3.3-193 (continued) HATCH UNIT 2 iii REVISION 79 TABLE OF CONTENTS (continued) B 3.4 REACTOR COOLANT SYSTEM (RCS) .............................................. B 3.4-1 B 3.4.1 Recirculation Loops Operating .............................................................. B 3.4-1 B 3.4.2 Jet Pumps ............................................................................................. B 3.4-6 B 3.4.3 Safety/Relief Valves (S/RVs) ................................................................ B 3.4-10 B 3.4.4 RCS Operational LEAKAGE.................................................................. B 3.4-14 B 3.4.5 RCS Leakage Detection Instrumentation .............................................. B 3.4-19 B 3.4.6 RCS Specific Activity ............................................................................. B 3.4-25 B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown .............................................................................. B 3.4-29 B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown ............................................................................ B 3.4-35 B 3.4.9 RCS Pressure and Temperature (P/T) Limits ........................................ B 3.4-40 B 3.4.10 Reactor Steam Dome Pressure............................................................. B 3.4-50

B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ............... B 3.5-1 B 3.5.1 ECCS - Operating ................................................................................. B 3.5-1 B 3.5.2 ECCS - Shutdown ................................................................................. B 3.5-15 B 3.5.3 RCIC System ......................................................................................... B 3.5-21 (continued) HATCH UNIT 2 iv REVISION 77 TABLE OF CONTENTS (continued) B 3.6 CONTAINMENT SYSTEMS .................................................................. B 3.6-1 B 3.6.1.1 Primary Containment ............................................................................. B 3.6-1 B 3.6.1.2 Primary Containment Air Lock ............................................................... B 3.6-6 B 3.6.1.3 Primary Containment Isolation Valves (PCIVs) .................................... B 3.6-13 B 3.6.1.4 Drywell Pressure ................................................................................... B 3.6-28 B 3.6.1.5 Drywell Air Temperature ........................................................................ B 3.6-30 B 3.6.1.6 Low-Low Set (LLS) Valves .................................................................... B 3.6-33 B 3.6.1.7 Reactor Building-to-Suppression Chamber Vacuum Breakers ............. B 3.6-37 B 3.6.1.8 Suppression Chamber-to-Drywell Vacuum Breakers ............................ B 3.6-42 B 3.6.2.1 Suppression Pool Average Temperature .............................................. B 3.6-48 B 3.6.2.2 Suppression Pool Water Level .............................................................. B 3.6-53 B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling ................... B 3.6-56 B 3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray ...................... B 3.6-60 B 3.6.2.5 Residual Heat Removal (RHR) Drywell Spray ...................................... B 3.6-64 B 3.6.3.2 Primary Containment Oxygen Concentration ........................................ B 3.6-68 B 3.6.3.3 Drywell Cooling System Fans................................................................ B 3.6-71 B 3.6.4.1 Secondary Containment ........................................................................ B 3.6-76 B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs) ............................... B 3.6-82 B 3.6.4.3 Standby Gas Treatment (SGT) System ................................................. B 3.6-89 (continued) HATCH UNIT 2 v REVISION 74 TABLE OF CONTENTS (continued) B 3.7 PLANT SYSTEMS ................................................................................ B 3.7-1 B 3.7.1 Residual Heat Removal Service Water (RHRSW) System ................... B 3.7-1 B 3.7.2 Plant Service Water (PSW) System and Ultimate Heat Sink (UHS) .......................................................................................... B 3.7-7 B 3.7.3 Diesel Generator (DG) 1B Standby Service Water (SSW) System ......................................................................................... B 3.7-14 B 3.7.4 Main Control Room Environmental Control (MCREC) System ............. B 3.7-17 B 3.7.5 Control Room Air Conditioning (AC) System ......................................... B 3.7-25 B 3.7.6 Main Condenser Offgas ........................................................................ B 3.7-31 B 3.7.7 Main Turbine Bypass System ................................................................ B 3.7-34 B 3.7.8 Spent Fuel Storage Pool Water Level ................................................... B 3.7-38 B 3.7.9 Turbine Building Ventilation (TB HVAC) Exhaust System Fans B 3.7-41

B 3.8 ELECTRICAL POWER SYSTEMS ....................................................... B 3.8-1 B 3.8.1 AC Sources - Operating ........................................................................ B 3.8-1 B 3.8.2 AC Sources - Shutdown ........................................................................ B 3.8-38 B 3.8.3 Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air ........................ B 3.8-44 B 3.8.4 DC Sources - Operating ........................................................................ B 3.8-52 B 3.8.5 DC Sources - Shutdown ........................................................................ B 3.8-63 B 3.8.6 Battery Cell Parameters ........................................................................ B 3.8-67 B 3.8.7 Distribution Systems - Operating ........................................................... B 3.8-73 B 3.8.8 Distribution Systems - Shutdown........................................................... B 3.8-82 HATCH UNIT 2 vi REVISION 79 TABLE OF CONTENTS (continued)

B 3.9 REFUELING OPERATIONS ................................................................. B 3.9-1 B 3.9.1 Refueling Equipment Interlocks ............................................................. B 3.9-1 B 3.9.2 Refuel Position One-Rod-Out Interlock ................................................. B 3.9-5 B 3.9.3 Control Rod Position ............................................................................. B 3.9-8 B 3.9.4 Control Rod Position Indication ............................................................. B 3.9-10 B 3.9.5 Control Rod OPERABILITY - Refueling ................................................ B 3.9-13 B 3.9.6 Reactor Pressure Vessel (RPV) Water Level ........................................ B 3.9-16 B 3.9.7 Residual Heat Removal (RHR) - High Water Level ............................... B 3.9-19 B 3.9.8 Residual Heat Removal (RHR) - Low Water Level ................................ B 3.9-24 B 3.10 SPECIAL OPERATIONS ...................................................................... B 3.10-1 B 3.10.1 Inservice Leak and Hydrostatic Testing Operation ................................ B 3.10-1 B 3.10.2 Reactor Mode Switch Interlock Testing ................................................. B 3.10-6 B 3.10.3 Single Control Rod Withdrawal - Hot Shutdown .................................... B 3.10-10 B 3.10.4 Single Control Rod Withdrawal - Cold Shutdown .................................. B 3.10-14 B 3.10.5 Single Control Rod Drive (CRD) Removal - Refueling .......................... B 3.10-19 B 3.10.6 Multiple Control Rod Withdrawal - Refueling ......................................... B 3.10-23 B 3.10.7 Control Rod Testing - Operating............................................................ B 3.10-26 B 3.10.8 SHUTDOWN MARGIN (SDM) Test - Refueling .................................... B 3.10-30

LIST OF FIGURES B 3.5.2-1 Top of Irradiated Fuel Assembly............................................................ B 3.5-20

Reactor Core SLs B 2.1.1 (continued) HATCH UNIT 2 B 2.0-2 REVISION 85 BASES BACKGROUND to a structurally weaker form. This weaker form may lose its integrity, (continued) resulting in an uncontrolled release of activity to the reactor coolant.

The reactor vessel water level SL ensures that adequate core cooling capability is maintained during all MODES of reactor operation. Establishment of Emergency Core Cooling System initiation setpoints higher than this safety limit provides margin such that the safety limit will not be reached or exceeded.

APPLICABLE The fuel cladding must not sustain damage as a result of normal SAFETY ANALYSES operation and AOOs. The reactor core SLs are established to preclude violation of the fuel design criterion that a MCPR limit is to be established, such that at least 99.9% of the fuel rods in the core would not be expected to experience the onset of transition boiling. The Reactor Protection System setpoints [LCO3.3.1.1, "Reactor Protection System (RPS) Instrumentation"], in combination with the other LCOs, are designed to prevent any anticipated combination of transient conditions for Reactor Coolant System water level, pressure, and THERMAL POWER level that would result in reaching the MCPR Safety Limit.

2.1.1.1 Fuel Cladding Integrity GE critical power correlations are applicable for all critical power calculations at pressures 685 psig and core flows 10% of rated flow. For operation at low pressures or low flows, another basis is used, as follows: Since the pressure drop in the bypass region is essentially all elevation head, the core pressure drop at low power and flows will always be > 4.5 psi. Analyses (Ref. 2) show that with a bundle flow of 28 x 103 lb/hr, bundle pressure drop is nearly independent of bundle power and has a value of 3.5 psi. Thus, the bundle flow with a 4.5 psi driving head will be > 28 x 103 lb/hr. Full scale ATLAS test data taken at pressures from 14.7 psia to 800 psia indicate that the fuel assembly critical power at this flow is approximately 3.35 MWt. With the design peaking factors, this corresponds to a THERMAL POWER > 50% RTP. Thus, a THERMAL POWER limit of 24% RTP for reactor pressure < 685 psig is conservative.

Reactor Core SLs B 2.1.1 HATCH UNIT 2 B 2.0-4 REVISION 75 BASES APPLICABLE 2.1.1.3 Reactor Vessel Water Level (continued) SAFETY ANALYSES active fuel must be adjusted for assemblies with a fuel length not 150 inches. For example, the top of the active fuel for GE13 fuel is 162.44 inches below instrument zero since the fuel length for this fuel type is 146 inches. The Core Operating Limits Report identifies fuel types and fuel lengths used in the current operating cycle.

SAFETY LIMITS The reactor core SLs are established to protect the integrity of the fuel clad barrier to the release of radioactive materials to the environs. SL 2.1.1.1 and SL 2.1.1.2 ensure that the core operates within the fuel design criteria. SL 2.1.1.3 ensures that the reactor vessel water level is greater than the top of the active irradiated fuel in order to prevent elevated clad temperatures and resultant clad perforations. APPLICABILITY SLs 2.1.1.1, 2.1.1.2, and 2.1.1.3 are applicable in all MODES.

SAFETY LIMIT Exceeding an SL may cause fuel damage and create a potential for VIOLATIONS radioactive doses in excess of 10 CFR 50.67 limits (Ref. 3). Therefore, it is required to insert all insertable control rods and restore compliance with the SLs within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action and also ensures that the probability of an accident occurring during this period is minimal. REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuels," (revision specified in the COLR).

3. 10 CFR 50.67.

RCS Pressure SL B 2.1.2 (continued) HATCH UNIT 2 B 2.0-5 REVISION 75 B 2.0 SAFETY LIMITS (SLs)

B 2.1.2 Reactor Coolant System (RCS) Pressure SL

BASES BACKGROUND The SL on reactor steam dome pressure protects the RCS against overpressurization. In the event of fuel cladding failure, fission products are released into the reactor coolant. The RCS then serves as the primary barrier in preventing the release of fission products into the atmosphere. Establishing an upper limit on reactor steam dome pressure ensures continued RCS integrity. Per 10 CFR 50, Appendix A, GDC 14, "Reactor Coolant Pressure Boundary," and GDC 15, "Reactor Coolant System Design" (Ref. 1), the reactor coolant pressure boundary (RCPB) shall be designed with sufficient margin to ensure that the design conditions are not exceeded during normal operation and anticipated operational occurrences (AOOs). During normal operation and AOOs, RCS pressure is limited from exceeding the design pressure by more than 10%, in accordance with Section III of the ASME Code (Ref. 2). To ensure system integrity, all RCS components are hydrostatically tested at 125% of design pressure, in accordance with ASME Code requirements, prior to initial operation when there is no fuel in the core. Any further hydrostatic testing with fuel in the core may be done under LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation." Following inception of unit operation, RCS components shall be pressure tested in accordance with the requirements of ASME Code, Section XI (Ref. 3). Overpressurization of the RCS could result in a breach of the RCPB, reducing the number of protective barriers designed to prevent radioactive doses from exceeding the limits specified in 10 CFR 50.67 (Ref. 4). If this occurred in conjunction with a fuel cladding failure, fission products could enter the containment atmosphere.

APPLICABLE The RCS safety/relief valves and the Reactor Protection System SAFETY ANALYSES Reactor Vessel Steam Dome Pressure - High Function have settings established to ensure that the RCS pressure SL will not be exceeded. The RCS pressure SL has been selected such that it is at a pressure below which it can be shown that the integrity of the system is not endangered. The reactor pressure vessel is designed to Section III of the ASME, Boiler and Pressure Vessel Code, 1968 Edition, including RCS Pressure SL B 2.1.2 HATCH UNIT 2 B 2.0-6 REVISION 75 BASES APPLICABLE Addenda through the Summer of 1970 (Ref. 5), which permits a SAFETY ANALYSES maximum pressure transient of 110%, 1375 psig, of design pressure (continued) 1250 psig. The SL of 1325 psig, as measured in the reactor steam dome, is equivalent to 1375 psig at the lowest elevation of the RCS. The RCS is designed to Section III of the ASME, Boiler and Pressure Vessel Code, 1980 Edition, including addenda through Winter 1981 (Ref. 6), for the reactor recirculation piping, which permits a maximum pressure transient of 110% of design pressures of 1250 psig for suction piping and 1450 psig for discharge piping. The RCS pressure SL is selected to be the lowest transient overpressure allowed by the applicable codes. SAFETY LIMITS The maximum transient pressure allowable in the RCS pressure vessel under the ASME Code, Section III, is 110% of design pressure. The maximum transient pressure allowable in the RCS piping, valves, and fittings is 110% of design pressures of 1250 psig for suction piping and 1450 psig for discharge piping. The most limiting of these two allowances is the 110% of the reactor vessel and recirculation suction piping design pressure; therefore, the SL on maximum allowable RCS pressure is established at 1325 psig as measured at the reactor steam dome. APPLICABILITY SL 2.1.2 applies in all MODES. SAFETY LIMIT Exceeding the RCS pressure SL may cause immediate RCS failure VIOLATIONS and create a potential for radioactive doses in excess of 10 CFR 50.67 limits (Ref. 4). Therefore, it is required to insert all insertable control rods and restore compliance with the SL within 2 hours. The 2 hour Completion Time ensures that the operators take prompt remedial action. (continued)

RCS Pressure SL B 2.1.2 HATCH UNIT 2 B 2.0-7 REVISION 75 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 14 and GDC 15.

2. ASME, Boiler and Pressure Vessel Code, Section III, Article NB-7000.

3. ASME, Boiler and Pressure Vessel Code, Section XI, Article IW-5000.

4. 10 CFR 50.67. 5. ASME, Boiler and Pressure Vessel Code, Section III, 1968 Edition, Addenda Summer of 1970. 6. ASME, Boiler and Pressure Vessel Code, Section III, 1980 Edition, Addenda Winter of 1981.

LCO Applicability B 3.0 (continued) HATCH UNIT 2 B 3.0-5 REVISION 55 BASES (continued) LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It allows placing the unit in a MODE or other specified condition stated in that Applicability (e.g., the Applicability desired to be entered) when unit conditions are such that the requirements of the LCO would not be met, in accordance with LCO 3.0.4.a, LCO 3.0.4.b, or LCO 3.0.4.c. LCO 3.0.4.a allows entry into a MODE or other specified condition in the Applicability with the LCO not met when the associated ACTIONS to be entered permit continued operation in the MODE or other specified condition in the Applicability for an unlimited period of time. Compliance with Required Actions that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change. Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made in accordance with the provisions in the Required Actions. LCO 3.0.4.b allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate. The risk assessment may use quantitative, qualitative, or blended approaches, and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities be assessed and managed. The risk assessment, for the purposes of LCO 3.0.4.b, must take into account all inoperable Technical Specification equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.182 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the LCO Applicability B 3.0 (continued) HATCH UNIT 2 B 3.0-6 REVISION 55 BASES LCO 3.0.4 condition, actions to minimize the magnitude of risk increases (continued) (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability. LCO 3.0.4.b may be used with single or multiple systems and components unavailable. NUMARC 93-01 provides guidance relative to consideration of simultaneous unavailability of multiple systems and components. The results of the risk assessment shall be considered in determining the acceptability of entering the MODE or other specified condition in the Applicability, and any corresponding risk management actions. The LCO 3.0.4.b risk assessments do not have to be documented. The Technical Specifications allow continued operation with equipment unavailable in MODE 1 for the duration of the Completion Time. Since this is allowable, and since in general the risk impact in that particular mode bounds the risk of transitioning into and through the applicable MODES or other specified conditions in the Applicability of the LCO, the use of the LCO 3.0.4.b allowance should be generally acceptable, as long as the risk is assessed and managed as stated above. However, there is a small subset of systems and components that have been determined to be more important to risk, and use of the LCO 3.0.4.b is prohibited. The LCOs governing these systems and components contain Notes prohibiting the use of LCO 3.0.4.b by stating that LCO 3.0.4.b is not applicable. LCO 3.0.4.c allows entry into a MODE or other specified condition of the Applicability with the LCO not met based on a Note in the Specification which states LCO 3.0.4.c is applicable. These specific allowances permit entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time and a risk assessment has not been performed. This allowance may apply to all the ACTIONS or to a specific Required Action of a Specification. The risk assessments performed to justify the use of LCO 3.0.4.b usually only consider systems and components. For this reason, LCO 3.0.4.c is typically applied to Specifications which describe values and parameters (e.g., Drywell Air Temperature, Drywell Pressure, MCRP) and may be applied to other Specifications based on NRC plant-specific approval. LCO Applicability B 3.0 (continued) HATCH UNIT 2 B 3.0-7 REVISION 55 BASES LCO 3.0.4 The provisions of this Specification should not be interpreted as (continued) endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability. The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown. In this context, a unit shutdown is defined as a change in MODE or other specified condition in the Applicability associated with transitioning from MODE 1 to MODE 2, MODE 2 to MODE 3, and MODE 3 to MODE 4. Upon entry into a MODE or other specified condition in the Applicability with the LCO not met, LCO 3.0.1 and LCO 3.0.2 require entry into the applicable Conditions and Required Actions until the Condition is resolved, until the LCO is met, or until the unit is not within the Applicability of the Technical Specification. Surveillances do not have to be performed on the associated inoperable equipment (or on variables outside the specified limits) as permitted by SR 3.0.1. Therefore, utilizing LCO 3.0.4 is not a violation of SR 3.0.1 or SR 3.0.4 for any Surveillances that have not been performed on inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO. LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 [e.g., to not comply with the applicable Required Action(s)] to allow the performance of SRs to demonstrate:

a. The OPERABILITY of the equipment being returned to service; or

b. The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the allowed SRs. This Specification does not provide time to perform any other preventive or corrective maintenance. LCO Applicability B 3.0 (continued) HATCH UNIT 2 B 3.0-8 REVISION 55 BASES LCO 3.0.5 An example of demonstrating the OPERABILITY of the equipment (continued) being returned to service is reopening a containment isolation valve that has been closed to comply with Required Actions and must be reopened to perform the SRs. An example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to prevent the trip function from occurring during the performance of an SR on another channel in the other trip system. A similar example of demonstrating the OPERABILITY of other equipment is taking an inoperable channel or trip system out of the tripped condition to permit the logic to function and indicate the appropriate response during the performance of an SR on another channel in the same trip system. LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the plant is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions. When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the plant is maintained in a safe condition in the support system's Required Actions. However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs LCO Applicability B 3.0 (continued) HATCH UNIT 2 B 3.0-9 REVISION 55 BASES LCO 3.0.6 entry into Conditions and Required Actions for a supported system, (continued) the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2. Specification 5.5.10, "Safety Function Determination Program (SFDP)," ensures loss of safety function is detected and appropriate actions are taken. Upon failure to meet two or more LCOs concurrently, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6. Cross division checks to identify a loss of safety function for those support systems that support safety systems are required. The cross division check verifies that the supported systems of the redundant OPERABLE support system are OPERABLE, thereby ensuring safety function is retained. If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered. LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions. Special Operations LCOs in Section 3.10 allow specified TS requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect. The Applicability of a Special Operations LCO represents a condition not necessarily in compliance with the normal requirements of the TS. Compliance with Special Operations LCOs is optional. A special operation may be performed either under the provisions of the appropriate Special Operations LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Special Operations LCO, the requirements of the LCO Applicability B 3.0 (continued) HATCH UNIT 2 B 3.0-10 REVISION 78 BASES LCO 3.0.7 Special Operations LCO shall be followed. When a Special (continued) Operations LCO requires another LCO to be met, only the requirements of the LCO statement are required to be met regardless of that LCO's Applicability (i.e., should the requirements of this other LCO not be met, the ACTIONS of the Special Operations LCO apply, not the ACTIONS of the other LCO). However, there are instances where the Special Operations LCO's ACTIONS may direct the other LCO's ACTIONS be met. The Surveillances of the other LCO are not required to be met, unless specified in the Special Operations LCO. If conditions exist such that the Applicability of any other LCO is met, all the other LCO's requirements (ACTIONS and SRs) are required to be met concurrent with the requirements of the Special Operations LCO. LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensed control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee. Every time the provisions of LCO 3.0.8 are used, it must be confirmed that at least one train (or subsystem) of systems supported by the inoperable snubbers would remain capable of performing their required safety or support functions for postulated design loads other than seismic loads. LCO 3.0.8 does not apply to snubbers with only non-seismic loads. If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported system's LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.

LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train or subsystem of a multiple train or subsystem supported system or to a single train or subsystem supported system. LCO 3.0.8.a allows 72 hours to restore the snubber(s) before declaring the supported system inoperable. The 72 hour Completion Time is reasonable

SDM B 3.1.1 (continued) HATCH UNIT 2 B 3.1-1 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.1 SHUTDOWN MARGIN (SDM) BASES BACKGROUND SDM requirements are specified to ensure:

a. The reactor can be made subcritical from all operating conditions and transients and Design Basis Events; b. The reactivity transients associated with postulated accident conditions are controllable within acceptable limits; and

c. The reactor will be maintained sufficiently subcritical to preclude inadvertent criticality in the shutdown condition. These requirements are satisfied by the control rods, as described in GDC 26 (Ref. 1), which can compensate for the reactivity effects of the fuel and water temperature changes experienced during all operating conditions.

APPLICABLE SHUTDOWN MARGIN is an explicit assumption in several of the SAFETY ANALYSES evaluations contained in FSAR Chapter 15. The control rod drop accident (CRDA) analysis (Refs. 2 and 3) assumes the core is subcritical with the highest worth control rod withdrawn. Typically, the first control rod withdrawn has a very high reactivity worth and, should the core be critical during the withdrawal of the first control rod, the consequences of a CRDA could exceed the fuel damage limits for a CRDA (see Bases for LCO 3.1.6, "Rod Pattern Control"). Also, SDM is assumed as an initial condition for the control rod removal error during refueling (Ref. 4) and fuel assembly insertion error during refueling (Ref. 5) accidents. The analysis of these reactivity insertion events assumes the refueling interlocks are OPERABLE when the reactor is in the refueling mode of operation. These interlocks prevent the withdrawal of more than one control rod from the core during refueling. (Special consideration and requirements for multiple control rod withdrawal during refueling are covered in Special Operations LCO 3.10.6, "Multiple Control Rod Withdrawal - Refueling.") The analysis assumes this condition is acceptable since the core will be shut down with the highest worth control rod withdrawn, if adequate SDM has been demonstrated.

SDM B 3.1.1 (continued) HATCH UNIT 2 B 3.1-2 REVISION 0 BASES APPLICABLE Prevention or mitigation of reactivity insertion events is necessary to SAFETY ANALYSES limit energy deposition in the fuel to prevent significant fuel damage, (continued) which could result in undue release of radioactivity. Adequate SDM ensures inadvertent criticalities and potential CRDAs involving high worth control rods (namely the first control rod withdrawn) will not cause significant fuel damage. SDM satisfies Criterion 2 of the NRC Policy Statement (Ref. 9). LCO The specified SDM limit accounts for the uncertainty in the demonstration of SDM by testing. Separate SDM limits are provided for testing where the highest worth control rod is determined analytically or by measurement. This is due to the reduced uncertainty in the SDM test when the highest worth control rod is determined by measurement. When SDM is evaluated by calculations not associated with a test (e.g., to confirm SDM during the fuel loading sequence), additional margin is included to account for uncertainties in the calculation. To ensure adequate SDM during the design process, a design margin is included to account for uncertainties in the design calculations (Ref. 6).

APPLICABILITY In MODES 1 and 2, SDM must be provided because subcriticality with the highest worth control rod withdrawn is assumed in the CRDA analysis (Ref. 2). In MODES 3 and 4, SDM is required to ensure the reactor will be held subcritical with margin for a single withdrawn control rod. SDM is required in MODE 5 to prevent an open vessel, inadvertent criticality during the withdrawal of a single control rod from a core cell containing one or more fuel assemblies (Ref. 4) or fuel assembly insertion error (Ref. 5).

ACTIONS A.1 With SDM not within the limits of the LCO in MODE 1 or 2, SDM must be restored within 6 hours. Failure to meet the specified SDM may be caused by a control rod that cannot be inserted. The allowed Completion Time of 6 hours is acceptable, considering that the reactor can still be shut down, assuming no failures of additional control rods to insert, and the low probability of an event occurring during this interval. SDMB 3.1.1(continued)HATCH UNIT 2B 3.1-3REVISION 1BASESACTIONSB.1(continued)If the SDM cannot be restored, the plant must be brought to MODE 3in 12 hours, to prevent the potential for further reductions in availableSDM (e.g., additional stuck control rods). The allowed Completion Time of 12 hours is reasonable, based on operating experience, toreach MODE 3 from full power conditions in an orderly manner andwithout challenging plant systems.C.1With SDM not within limits in MODE 3, the operator must immediatelyinitiate action to fully insert all insertable control rods. Action mustcontinue until all insertable control rods are fully inserted. This actionresults in the least reactive condition for the core.D.1, D.2, D.3, and D.4With SDM not within limits in MODE 4, the operator must immediatelyinitiate action to fully insert all insertable control rods. Action must continue until all insertable control rods are fully inserted. This actionresults in the least reactive condition for the core. Action must also beinitiated within 1 hour to provide means for control of potentialradioactive releases. This includes ensuring: 1) secondarycontainment (at least including the Unit 2 reactor building zone) is OPERABLE; 2) sufficient Standby Gas Treatment (SGT) subsystem(s)are OPERABLE to maintain the secondary containment at a negativepressure with respect to the environment (dependent on secondarycontainment configuration, refer to Reference 8; single failureprotection is not required while in this ACTION); and 3) secondary containment isolation capability is available in each associatedsecondary containment penetration flow path not isolated that isassumed to be isolated to mitigate radioactivity releases (i.e., at leastone secondary containment isolation valve and associatedinstrumentation are OPERABLE, or other acceptable administrativecontrols to assure isolation capability. The administrative controls canconsist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolationdevice. In this way, the penetration can be rapidly isolated when aneed for secondary containment isolation is indicated.). This may beperformed as an administrative check, by examining logs or otherinformation, to determine if the components are out of service for maintenance or other reasons. It is not necessary to perform theSurveillances needed to demonstrate the OPERABILITY of the SDMB 3.1.1(continued)HATCH UNIT 2B 3.1-4REVISION 1BASESACTIONSD.1, D.2, D.3, and D.4 (continued)components. If, however, any required component is inoperable, thenit must be restored to OPERABLE status. In this case, SRs may needto be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.E.1, E.2, E.3, E.4, and E.5With SDM not within limits in MODE 5, the operator must immediatelysuspend CORE ALTERATIONS that could reduce SDM, (e.g., insertion of fuel in the core or the withdrawal of control rods).Suspension of these activities shall not preclude completion ofmovement of a component to a safe condition. Inserting control rodswill reduce the total reactivity and therefore, is excluded from thesuspended actions. Removing fuel, while allowable under these Required Actions, should be evaluated for axial reactivity effectsbefore removal.Action must also be immediately initiated to fully insert all insertablecontrol rods in core cells containing one or more fuel assemblies. Action must continue until all insertable control rods in core cellscontaining one or more fuel assemblies have been fully inserted.Control rods in core cells containing no fuel assemblies do not affectthe reactivity of the core and therefore do not have to be inserted.Action must also be initiated within 1 hour to provide means for controlof potential radioactive releases. This includes ensuring:1) secondary containment (at least including the common refuelingfloor zone) is OPERABLE; 2) sufficient SGT subsystem(s) areOPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondarycontainment configuration, refer to Reference 8; single failureprotection is not required while in this ACTION); and 3) secondarycontainment isolation capability is available in each associatedsecondary containment penetration flow path not isolated that isassumed to be isolated to mitigate radioactivity releases (i.e., at leastone secondary containment isolation valve and associated instrumentation are OPERABLE, or other acceptable administrativecontrols to assure isolation capability. The administrative controls canconsist of stationing a dedicated operator, who is in continuouscommunication with the control room, at the controls of the isolationdevice. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.). This may beperformed as an administrative check, by examining logs or other SDMB 3.1.1(continued)HATCH UNIT 2B 3.1-5REVISION 1BASESACTIONSE.1, E.2, E.3, E.4, and E.5 (continued)information, to determine if the components are out of service formaintenance or other reasons. It is not necessary to perform theSurveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, thenit must be restored to OPERABLE status. In this case, SRs may need to be performed to restore the component to OPERABLE status.Action must continue until all required components are OPERABLE.SURVEILLANCESR 3.1.1.1REQUIREMENTSAdequate SDM must be verified to ensure that the reactor can bemade subcritical from any initial operating condition. This can beaccomplished via a test, an evaluation, or a combination of the two.Adequate SDM is demonstrated by testing before or during the first startup after fuel movement or shuffling within the reactor pressurevessel, or control rod replacement. Control rod replacement refers tothe decoupling and removal of a control rod from a core location, andsubsequent replacement with a new control rod or a control rod fromanother core location. Since core reactivity will vary during the cycle as a function of fuel depletion and poison burnup, the beginning ofcycle (BOC) test must also account for changes in core reactivityduring the cycle. Therefore, to obtain the SDM, the initial value mustbe changed by the value, "R", which is the difference between thecalculated value of minimum SDM during the operating cycle and the calculated BOC SDM. If the value of R is positive (that is, BOC is thepoint in the cycle with the minimum SDM), no correction to the BOCmeasured value is required (Ref. 7). For the SDM demonstrationswhere the highest worth rod is determined solely on calculation,additional margin (0.10% k/k) must be added to the SDM limit of0.28% k/k to account for uncertainties in the calculation of the highestworth control rod.The SDM may be demonstrated during an in-sequence control rodwithdrawal, in which the highest worth control rod is analyticallydetermined, or during local criticals, where the highest worth controlrod is determined by testing. Local critical tests require the withdrawal of out of sequence control rods. This testing would therefore requirebypassing of the Rod Worth Minimizer to allow the out of sequencewithdrawal, and therefore additional requirements must be met (seeLCO 3.10.7, "Control Rod Testing - Operating").

Reactivity Anomalies B 3.1.2 (continued) HATCH UNIT 2 B 3.1-7 REVISION 73 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.2 Reactivity Anomalies

BASES BACKGROUND In accordance with GDC 26, GDC 28, and GDC 29 (Ref. 1), reactivity shall be controllable such that subcriticality is maintained under cold conditions and specified acceptable fuel design limits are not exceeded during normal operation and anticipated operational occurrences. Therefore, reactivity anomaly is used as a measure of the predicted versus measured (i.e., monitored) core reactivity during power operation. The continual confirmation of core reactivity is necessary to ensure that the Design Basis Accident (DBA) and transient safety analyses remain valid. A large reactivity anomaly could be the result of unanticipated changes in fuel reactivity or control rod worth or operation at conditions not consistent with those assumed in the predictions of core reactivity, and could potentially result in a loss of SDM or violation of acceptable fuel design limits. Comparing predicted versus measured core reactivity validates the nuclear methods used in the safety analysis and supports the SDM demonstrations [LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"] in assuring the reactor can be brought safely to cold, subcritical conditions. When the reactor core is critical or in normal power operation, a reactivity balance exists and the net reactivity is zero. A comparison of predicted and measured reactivity is convenient under such a balance, since parameters are being maintained relatively stable under steady state power conditions. The positive reactivity inherent in the core design is balanced by the negative reactivity of the control components, thermal feedback, neutron leakage, and materials in the core that absorb neutrons, such as burnable poison, producing zero net reactivity. In order to achieve the required fuel cycle energy output, the uranium enrichment in the new fuel loading and the fuel loaded in the previous cycles provide excess positive reactivity beyond that required to sustain steady state operation at the beginning of cycle (BOC). When the reactor is critical at RTP and operating moderator temperature, the excess positive reactivity is compensated by burnable poisons (e.g., gadolinia), control rods, and whatever neutron poisons (mainly xenon and samarium) are present in the fuel. The predicted core reactivity, as represented by core keffective (keff), is calculated by a 3D core simulator code as a function of cycle exposure. This calculation is performed for projected operating states and conditions throughout the cycle. The monitored core keff is calculated by the core monitoring system for actual plant conditions and is then compared to the predicted value for the cycle exposure. Reactivity Anomalies B 3.1.2 (continued) HATCH UNIT 2 B 3.1-8 REVISION 73 BASES (continued) APPLICABLE Accurate prediction of core reactivity is either an explicit or implicit SAFETY ANALYSES assumption in the accident analysis evaluations (Ref. 2). In particular, SDM and reactivity transients, such as control rod withdrawal accidents or rod drop accidents, are very sensitive to accurate prediction of core reactivity. These accident analysis evaluations rely on computer codes that have been qualified against available test data, operating plant data, and analytical benchmarks. Monitoring reactivity anomaly provides additional assurance that the nuclear methods provide an accurate representation of the core reactivity. The comparison between measured and predicted initial core reactivity provides a normalization for the calculational models used to predict core reactivity. If the measured and predicted core keff(s) for identical core conditions at BOC do not reasonably agree, then the assumptions used in the reload cycle design analysis or the calculation models used to predict core keff may not be accurate. If reasonable agreement between measured and predicted core reactivity exists at BOC, then the prediction may be normalized to the measured value. Thereafter, any significant deviations in the measured core keff from the predicted core keff that develop during fuel depletion may be an indication that the assumptions of the DBA and transient analyses are no longer valid, or that an unexpected change in core conditions has occurred. Reactivity anomalies satisfy Criterion 2 of the NRC Policy Statement (Ref. 3). LCO The reactivity anomaly limit is established to ensure plant operation is maintained within the assumptions of the safety analyses. Large differences between monitored and predicted core reactivity may indicate that the assumptions of the DBA and transient analyses are no longer valid, or that the uncertainties in the "Nuclear Design Methodology" are larger than expected. A limit on the difference between the monitored core keff and the predicted core keff of +/- 1% k/k has been established based on engineering judgment. A > 1% deviation in reactivity from that predicted is larger than expected for normal operation and should therefore be evaluated. APPLICABILITY In MODE 1, most of the control rods are withdrawn and steady state operation is typically achieved. Under these conditions, the comparison between predicted and monitored core reactivity provides an effective measure of the reactivity anomaly. In MODE 2, control rods are typically being withdrawn during a startup. In MODES 3 and 4, all control rods are fully inserted and therefore the reactor is in the least reactive state, where monitoring core reactivity is not Reactivity Anomalies B 3.1.2 (continued) HATCH UNIT 2 B 3.1-9 REVISION 73 BASES APPLICABILITY necessary. In MODE 5, fuel loading results in a continually changing (continued) core reactivity. SDM requirements (LCO 3.1.1) ensure that fuel movements are performed within the bounds of the safety analysis, and an SDM demonstration is required during the first startup following operations that could have altered core reactivity (e.g., fuel movement, control rod replacement, shuffling). The SDM test, required by LCO 3.1.1, provides a direct comparison of the predicted and monitored core reactivity at cold conditions; therefore, reactivity anomaly is not required during these conditions.

ACTIONS A.1 Should an anomaly develop between measured and predicted core reactivity, the core reactivity difference must be restored to within the limit to ensure continued operation is within the core design assumptions. Restoration to within the limit could be performed by an evaluation of the core design and safety analysis to determine the reason for the anomaly. This evaluation normally reviews the core conditions to determine their consistency with input to design calculations. Measured core and process parameters are also normally evaluated to determine that they are within the bounds of the safety analysis, and safety analysis calculational models may be reviewed to verify that they are adequate for representation of the core conditions. The required Completion Time of 72 hours is based on the low probability of a DBA occurring during this period, and allows sufficient time to assess the physical condition of the reactor and complete the evaluation of the core design and safety analysis.

B.1 If the core reactivity cannot be restored to within the 1% k/k limit, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.2.1 REQUIREMENTS Verifying the reactivity difference between the monitored and predicted core keff(s) is within the limits of the LCO provides added assurance that plant operation is maintained within the assumptions Reactivity Anomalies B 3.1.2 HATCH UNIT 2 B 3.1-10 REVISION 73 BASES SURVEILLANCE SR 3.1.2.1 (continued) REQUIREMENTS of the DBA and transient analyses. The core monitoring system calculates the core keff for the reactor conditions obtained from plant instrumentation. A comparison of the monitored core keff to the predicted core keff at the same cycle exposure is used to calculate the reactivity difference. The comparison is required when the core reactivity has potentially changed by a significant amount. This may occur following a refueling in which new fuel assemblies are loaded, fuel assemblies are shuffled within the core, or control rods are replaced or shuffled. Control rod replacement refers to the decoupling and removal of a control rod from a core location, and subsequent replacement with a new control rod or a control rod from another core location. Also, core reactivity changes during the cycle. The 24 hour interval after reaching equilibrium conditions following a startup is based on the need for equilibrium xenon concentrations in the core, such that an accurate comparison between the monitored and predicted core keff(s) can be made. For the purposes of this SR, the reactor is assumed to be at equilibrium conditions when steady state operations (no control rod movement or core flow changes) at 75% RTP have been obtained. The 1000 MWD/T (short ton) Frequency was developed, considering the relatively slow change in core reactivity with exposure and operating experience related to variations in core reactivity. This comparison requires the core to be operating at power levels which minimize the uncertainties and measurement errors, in order to obtain meaningful results. Therefore, the comparison is only done when in MODE 1. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 28, and GDC 29.

2. FSAR, Chapter 15. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 2 B 3.1-11 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.3 Control Rod OPERABILITY

BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, which is the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes to ensure under conditions of normal operation, including anticipated operational occurrences, that specified acceptable fuel design limits are not exceeded. In addition, the control rods provide the capability to hold the reactor core subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. The CRD System is designed to satisfy the requirements of GDC 26, GDC 27, GDC 28, and GDC 29 (Ref. 1). The CRD System consists of 137 locking piston control rod drive mechanisms (CRDMs) and a hydraulic control unit for each drive mechanism. The locking piston type CRDM is a double acting hydraulic piston, which uses condensate water as the operating fluid. Accumulators provide additional energy for scram. An index tube and piston, coupled to the control rod, are locked at fixed increments by a collet mechanism. The collet fingers engage notches in the index tube to prevent unintentional withdrawal of the control rod, but without restricting insertion. This Specification, along with LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators," ensure that the performance of the control rods in the event of a Design Basis Accident (DBA) or transient meets the assumptions used in the safety analyses of References 2, 3, and 4. APPLICABLE The analytical methods and assumptions used in the evaluations SAFETY ANALYSES involving control rods are presented in References 2, 3, and 4. The control rods provide the primary means for rapid reactivity control (reactor scram), for maintaining the reactor subcritical and for limiting the potential effects of reactivity insertion events caused by malfunctions in the CRD System. The capability to insert the control rods provides assurance that the assumptions for scram reactivity in the DBA and transient analyses are not violated. Since the SDM ensures the reactor will be subcritical with the highest worth control rod withdrawn (assumed single failure), Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 2 B 3.1-12 REVISION 0 BASES APPLICABLE the additional failure of a second control rod to insert, if required, SAFETY ANALYSES could invalidate the demonstrated SDM and potentially limit the ability (continued) of the CRD System to hold the reactor subcritical. If the control rod is stuck at an inserted position and becomes decoupled from the CRD, a control rod drop accident (CRDA) can possibly occur. Therefore, the requirement that all control rods be OPERABLE ensures the CRD System can perform its intended function. The control rods also protect the fuel from damage which could result in release of radioactivity. The limits protected are the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core SLs" and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"), the 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), and the fuel damage limit (see Bases for LCO 3.1.6, "Rod Pattern Control") during reactivity insertion events. The negative reactivity insertion (scram) provided by the CRD System provides the analytical basis for determination of plant thermal limits and provides protection against fuel damage limits during a CRDA. The Bases for LCO 3.1.4, LCO 3.1.5, and LCO 3.1.6 discuss in more detail how the SLs are protected by the CRD System. Control rod OPERABILITY satisfies Criterion 3 of the NRC Policy Statement (Ref. 6). LCO The OPERABILITY of an individual control rod is based on a combination of factors, primarily, the scram insertion times, the control rod coupling integrity, and the ability to determine the control rod position. Accumulator OPERABILITY is addressed by LCO 3.1.5. The associated scram accumulator status for a control rod only affects the scram insertion times; therefore, an inoperable accumulator does not immediately require declaring a control rod inoperable. Although not all control rods are required to be OPERABLE to satisfy the intended reactivity control requirements, strict control over the number and distribution of inoperable control rods is required to satisfy the assumptions of the DBA and transient analyses. APPLICABILITY In MODES 1 and 2, the control rods are assumed to function during a DBA or transient and are therefore required to be OPERABLE in these MODES. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 2 B 3.1-13 REVISION 0 BASES APPLICABILITY provides adequate requirements for control rod OPERABILITY during (continued) these conditions. Control rod requirements in MODE 5 are located in LCO 3.9.5, "Control Rod OPERABILITY - Refueling."

ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable control rod. Complying with the Required Actions may allow for continued operation, and subsequent inoperable control rods are governed by subsequent Condition entry and application of associated Required Actions. A.1, A.2, and A.3 A control rod is considered stuck if it will not insert by either CRD drive water or scram pressure. With a fully inserted control rod stuck, no actions are required as long as the control rod remains fully inserted. The Required Actions are modified by a Note, which allows the rod worth minimizer (RWM) to be bypassed if required to allow continued operation. LCO 3.3.2.1, "Control Rod Block Instrumentation," provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. With one withdrawn control rod stuck, the associated control rod drive must be disarmed in 2 hours. The allowed Completion Time of 2 hours is acceptable, considering the reactor can still be shut down, assuming no additional control rods fail to insert, and provides a reasonable time to perform the Required Action in an orderly manner. The control rod must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod from scram and normal insert and withdraw pressure prevents damage to the CRDM. The control rod should be isolated from scram and normal insert and withdraw pressure, while maintaining cooling water to the CRD. Monitoring of the insertion capability of each withdrawn control rod must also be performed within 24 hours. SR 3.1.3.2 and SR 3.1.3.3 perform periodic tests of the control rod insertion capability of withdrawn control rods. Testing each withdrawn control rod ensures that a generic problem does not exist. The allowed Completion Time of 24 hours provides a reasonable time to test the control rods, considering the potential for a need to reduce power to perform the tests. Required Action A.2 is modified by a Note, which states that the requirement is not applicable when THERMAL POWER is less than or equal to the actual low power setpoint (LPSP) of the RWM Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 2 B 3.1-14 REVISION 0 BASES ACTIONS A.1, A.2, and A.3 (continued) since the notch insertions may not be compatible with the requirements of rod pattern control (LCO 3.1.6) and the RWM (LCO 3.3.2.1). To allow continued operation with a withdrawn control rod stuck, an evaluation of adequate SDM is also required within 72 hours. Should a DBA or transient require a shutdown, to preserve the single failure criterion, an additional control rod would have to be assumed to fail to insert when required. Therefore, the original SDM demonstration may not be valid. The SDM must therefore be evaluated (by measurement or analysis) with the stuck control rod at its stuck position and the highest worth OPERABLE control rod assumed to be fully withdrawn. The allowed Completion Time of 72 hours to verify SDM is adequate, considering that with a single control rod stuck in a withdrawn position, the remaining OPERABLE control rods are capable of providing the required scram and shutdown reactivity. Failure to reach MODE 4 is only likely if an additional control rod adjacent to the stuck control rod also fails to insert during a required scram. Even with the postulated additional single failure of an adjacent control rod to insert, sufficient reactivity control remains to reach and maintain MODE 3 conditions (Ref. 5). B.1 and B.2 With two or more withdrawn control rods stuck, the stuck control rods must be isolated from scram pressure within 2 hours and the plant brought to MODE 3 within 12 hours. The control rods must be isolated from both scram and normal insert and withdraw pressure. Isolating the control rod from scram and normal insert and withdraw pressure prevents damage to the CRDM. The control rod should be isolated from scram and normal insert and withdraw pressure, while maintaining cooling water to the CRD. The allowed Completion Time is acceptable, considering the low probability of a CRDA occurring during this interval. The occurrence of more than one control rod stuck at a withdrawn position increases the probability that the reactor cannot be shut down if required. Insertion of all insertable control rods eliminates the possibility of an additional failure of a control rod to insert. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 2 B 3.1-15 REVISION 0 BASES ACTIONS C.1 and C.2 (continued) With one or more control rods inoperable for reasons other than being stuck in the withdrawn position, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. The control rods can be electrically disarmed by disconnecting power from all four directional control valve solenoids. Required Action C.1 is modified by a Note, which allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1 provides additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis. The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems.

D.1 and D.2 Out of sequence control rods may increase the potential reactivity worth of a dropped control rod during a CRDA. At 10% RTP, the generic licensing basis banked position withdrawal sequence (BPWS) analysis (Ref. 5) assumes inserted control rods not in compliance with BPWS to be separated by at least two OPERABLE control rods in all directions, including the diagonal. Plant specific BPWS analysis may justify relaxed requirements on inoperable control rod separability. Therefore, if two or more inoperable control rods are not in compliance with BPWS (and not separated by at least two OPERABLE control rods, unless the plant specific analysis relaxes this requirement), action must be taken to restore compliance with BPWS or restore the control rod(s) to OPERABLE status. Condition D is modified by a Note indicating that the Condition is not applicable when > 10% RTP, since the BPWS is not required to be followed under these conditions, as described in the Bases for LCO 3.1.6. The allowed Completion Time of 4 hours is acceptable, considering the low probability of a CRDA occurring. Control Rod OPERABILITY B 3.1.3 (continued) HATCH UNIT 2 B 3.1-16 REVISION 79 BASES ACTIONS E.1 (continued) If any Required Action and associated Completion Time of Condition A, C, or D are not met, or there are nine or more inoperable control rods, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. This ensures all insertable control rods are inserted and places the reactor in a condition that does not require the active function (i.e., scram) of the control rods. The number of control rods permitted to be inoperable when operating above 10% RTP (e.g., no CRDA considerations) could be more than the value specified, but the occurrence of a large number of inoperable control rods could be indicative of a generic problem, and investigation and resolution of the potential problem should be undertaken. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.3.1 REQUIREMENTS The position of each control rod must be determined to ensure adequate information on control rod position is available to the operator for determining control rod OPERABILITY and controlling rod patterns. Control rod position may be determined by the use of OPERABLE position indicators, by moving control rods to a position with an OPERABLE indicator, or by the use of other appropriate methods. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.3.2 and SR 3.1.3.3 Control rod insertion capability is demonstrated by inserting each partially or fully withdrawn control rod at least one notch and observing that the control rod moves. The control rod may then be returned to its original position. This ensures the control rod is not stuck and is free to insert on a scram signal. These Surveillances are not required when THERMAL POWER is less than or equal to the actual LPSP of the RWM, since the notch insertions may not be compatible with the requirements of the Banked Position Withdrawal Sequence (BPWS) (LCO 3.1.6) and the RWM (LCO 3.3.2.1). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Control Rod OPERABILITY B 3.1.3 HATCH UNIT 2 B 3.1-17 REVISION 79 BASES SURVEILLANCE SR 3.1.3.2 and SR 3.1.3.3 (continued) REQUIREMENTS At any time, if a control rod is immovable, a determination of that control rod's trippability (capable of insertion by scram, i.e., OPERABILITY) must be made and appropriate action taken. These SRs are each modified by a Note that allows 7 days and 31 days, respectively, after withdrawal of the control rod and THERMAL POWER is greater than the LPSP to perform the Surveillance. This acknowledges that the control rod must first be withdrawn and THERMAL POWER must be greater than the LPSP before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4. SR 3.1.3.4 Verifying that the scram time for each control rod to notch position 06 is 7 seconds provides reasonable assurance that the control rod will insert when required during a DBA or transient, thereby completing its shutdown function. This SR is performed in conjunction with the control rod scram time testing of SR 3.1.4.1, SR 3.1.4.2, SR 3.1.4.3, and SR 3.1.4.4. The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and the functional testing of SDV vent and drain valves in LCO 3.1.8, "Scram Discharge Volume (SDV) Vent and Drain Valves," overlap this Surveillance to provide complete testing of the assumed safety function. The associated Frequencies are acceptable, considering the more frequent testing performed to demonstrate other aspects of control rod OPERABILITY and operating experience, which shows scram times do not significantly change over an operating cycle.

SR 3.1.3.5 Coupling verification is performed to ensure the control rod is connected to the CRDM and will perform its intended function when necessary. The Surveillance requires verifying a control rod does not go to the withdrawn overtravel position. The overtravel position Control Rod OPERABILITY B 3.1.3 HATCH UNIT 2 B 3.1-18 REVISION 1 BASES SURVEILLANCE SR 3.1.3.5 (continued) REQUIREMENTS feature provides a positive check on the coupling integrity since only an uncoupled CRD can reach the overtravel position. The verification is required to be performed any time a control rod is withdrawn to the full-out position (notch position 48) or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This includes control rods inserted one notch and then returned to the full-out position during the performance of SR 3.1.3.2. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved and operating experience related to uncoupling events. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26, GDC 27, GDC 28, and GDC 29. 2. FSAR, Section 4.2.3.2. 3. FSAR, Supplement 5A.4.3. 4. FSAR, Section 15.1. 5. NEDO-21231, "Banked Position Withdrawal Sequence," Section 7.2, January 1977. 6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 2 B 3.1-19 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.4 Control Rod Scram Times

BASES BACKGROUND The scram function of the Control Rod Drive (CRD) System controls reactivity changes during abnormal operational transients to ensure that specified acceptable fuel design limits are not exceeded (Ref. 1). The control rods are scrammed by positive means using hydraulic pressure exerted on the CRD piston. When a scram signal is initiated, control air is vented from the scram valves, allowing them to open by spring action. Opening the exhaust valve reduces the pressure above the main drive piston to atmospheric pressure, and opening the inlet valve applies the accumulator or reactor pressure to the bottom of the piston. Since the notches in the index tube are tapered on the lower edge, the collet fingers are forced open by cam action, allowing the index tube to move upward without restriction because of the high differential pressure across the piston. As the drive moves upward and the accumulator pressure reduces below the reactor pressure, a ball check valve opens, letting the reactor pressure complete the scram action. If the reactor pressure is low, such as during startup, the accumulator will fully insert the control rod in the required time without assistance from reactor pressure. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES control rod scram function are presented in References 2, 3, and 4. The Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. The resulting negative scram reactivity forms the basis for the determination of plant thermal limits (e.g., the MCPR). Other distributions of scram times (e.g., several control rods scramming slower than the average time with several control rods scramming faster than the average time) can also provide sufficient scram reactivity. Surveillance of each individual control rod's scram time ensures the scram reactivity assumed in the DBA and transient analyses can be met. The scram function of the CRD System protects the MCPR Safety Limit (SL) (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and the 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.1, Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 2 B 3.1-20 REVISION 0 BASES APPLICABLE "AVERAGE PLANAR LINEAR HEAT GENERATION RATE SAFETY ANALYSES (APLHGR)"), which ensure that no fuel damage will occur if these (continued) limits are not exceeded. Above 800 psig, the scram function is designed to insert negative reactivity at a rate fast enough to prevent the actual MCPR from becoming less than the MCPR SL, during the analyzed limiting power transient. Below 800 psig, the scram function is assumed to perform during the control rod drop accident (Ref. 5) and, therefore, also provides protection against violating fuel damage limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). For the reactor vessel overpressure protection analysis, the scram function, along with the safety/relief valves, ensures that the peak vessel pressure is maintained within the applicable ASME Code limits. Control rod scram times satisfy Criterion 3 of the NRC Policy Statement (Ref. 8). LCO The scram times specified in Table 3.1.4-1 (in the accompanying LCO) are required to ensure that the scram reactivity assumed in the DBA and transient analysis is met (Ref. 6). To account for single failures and "slow" scramming control rods, the scram times specified in Table 3.1.4-1 are faster than those assumed in the design basis analysis. The scram times have a margin that allows up to approximately 7% of the control rods (e.g., 137 x 7% 10) to have scram times exceeding the specified limits (i.e., "slow" control rods) assuming a single stuck control rod (as allowed by LCO 3.1.3, "Control Rod OPERABILITY") and an additional control rod failing to scram per the single failure criterion. The scram times are specified as a function of reactor steam dome pressure to account for the pressure dependence of the scram times. The scram times are specified relative to measurements based on reed switch positions, which provide the control rod position indication. The reed switch closes ("pickup") when the index tube passes a specific location and then opens ("dropout") as the index tube travels upward. Verification of the specified scram times in Table 3.1.4-1 is accomplished through measurement of the "dropout" times. To ensure that local scram reactivity rates are maintained within acceptable limits, no more than two of the allowed "slow" control rods may occupy adjacent locations. Table 3.1.4-1 is modified by two Notes, which state that control rods with scram times not within the limits of the Table are considered "slow" and that control rods with scram times > 7 seconds are considered inoperable as required by SR 3.1.3.4. Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 2 B 3.1-21 REVISION 0 BASES LCO This LCO applies only to OPERABLE control rods since inoperable (continued) control rods will be inserted and disarmed (LCO 3.1.3). Slow scramming control rods may be conservatively declared inoperable and not accounted for as "slow" control rods. APPLICABILITY In MODES 1 and 2, a scram is assumed to function during transients and accidents analyzed for these plant conditions. These events are assumed to occur during startup and power operation; therefore, the scram function of the control rods is required during these MODES. In MODES 3 and 4, with the mode switch in shutdown control rod block prevents withdrawal of control rods. This provides adequate requirements for control rod scram capability during these conditions. Scram requirements in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY - Refueling." ACTIONS A.1 When the requirements of this LCO are not met, the rate of negative reactivity insertion during a scram may not be within the assumptions of the safety analysis. Therefore, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The four SRs of this LCO are modified by a Note stating that during REQUIREMENTS a single control rod scram time Surveillance, the CRD pumps shall be isolated from the associated scram accumulator. With the CRD pump isolated, (i.e., charging valve closed) the influence of the CRD pump head does not affect the single control rod scram times. During a full core scram, the CRD pump head would be seen by all control rods and would have a negligible effect on the scram insertion times.

SR 3.1.4.1 The scram reactivity used in DBA and transient analyses is based on an assumed control rod scram time. Measurement of the scram times with reactor steam dome pressure 800 psig demonstrates Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 2 B 3.1-22 REVISION 79 BASES SURVEILLANCE SR 3.1.4.1 (continued) REQUIREMENTS acceptable scram times for the transients analyzed in References 3 and 4. Maximum scram insertion times occur at a reactor steam dome pressure of approximately 800 psig because of the competing effects of reactor steam dome pressure and stored accumulator energy. Therefore, demonstration of adequate scram times at reactor steam dome pressure 800 psig ensures that the measured scram times will be within the specified limits at higher pressures. Limits are specified as a function of reactor pressure to account for the sensitivity of the scram insertion times with pressure and to allow a range of pressures over which scram time testing can be performed. To ensure that scram time testing is performed within a reasonable time following fuel movement within the reactor pressure vessel or after a shutdown 120 days or longer, control rods are required to be tested before exceeding 40% RTP. In the event fuel movement is limited to selected core cells, it is the intent of this SR that only those CRDs associated with the core cells affected by the fuel movements are required to be scram time tested. This Frequency is acceptable considering the additional surveillances performed for control rod OPERABILITY, the frequent verification of adequate accumulator pressure, and the required testing of control rods affected by work on control rods or the CRD System. SR 3.1.4.2 Additional testing of a sample of control rods is required to verify the continued performance of the scram function during the cycle. A representative sample contains at least 10% of the control rods. The sample remains representative if no more than 7.5% of the control rods in the sample tested are determined to be "slow". With more than 7.5% of the sample declared to be "slow" per the criteria in Table 3.1.4-1, additional control rods are tested until this 7.5% criterion (i.e., 7.5% of the entire sample size) is satisfied, or until the total number of "slow" control rods (throughout the core, from all Surveillances) exceeds the LCO limit. For planned testing, the control rods selected for the sample should be different for each test. Data from inadvertent scrams should be used whenever possible to avoid unnecessary testing at power, even if the control rods with data may have been previously tested in a sample. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Control Rod Scram Times B 3.1.4 (continued) HATCH UNIT 2 B 3.1-23 REVISION 79 BASES SURVEILLANCE SR 3.1.4.3 REQUIREMENTS (continued) When work that could affect the scram insertion time is performed on a control rod or the CRD System, testing must be done to demonstrate that each affected control rod retains adequate scram performance over the range of applicable reactor pressures from zero to the maximum permissible pressure. The scram testing must be performed once before declaring the control rod OPERABLE. The required scram time testing must demonstrate the affected control rod is still within acceptable limits. The limits for reactor pressures < 800 psig, required by footnote (b), are included in the Technical Requirements Manual (Ref. 7) and are established based on a high probability of meeting the acceptance criteria at reactor pressures 800 psig. The limits for reactor pressures 800 psig are found in Table 3.1.4-1. If testing demonstrates the affected control rod does not meet these limits, but is within the 7 second limit of Table 3.1.4-1, Note 2, the control rod can be declared OPERABLE and "slow." Specific examples of work that could affect the scram times are (but are not limited to) the following: removal of any CRD for maintenance or modification; replacement of a control rod; and maintenance or modification of a scram solenoid pilot valve, scram valve, accumulator, isolation valve or check valve in the piping required for scram. The Frequency of once prior to declaring the affected control rod OPERABLE is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY. SR 3.1.4.4 When work that could affect the scram insertion time is performed on a control rod or CRD System, testing must be done to demonstrate each affected control rod is still within the limits of Table 3.1.4-1 with the reactor steam dome pressure 800 psig. Where work has been performed at high reactor pressure, the requirements of SR 3.1.4.3 and SR 3.1.4.4 can be satisfied with one test. However, for a control rod affected by work performed while shutdown, a zero pressure test and a high pressure test may be required. This testing ensures that, Control Rod Scram Times B 3.1.4 HATCH UNIT 2 B 3.1-24 REVISION 46 BASES SURVEILLANCE SR 3.1.4.4 (continued) REQUIREMENTS prior to withdrawing the control rod for continued operation, the control rod scram performance is acceptable for operating reactor pressure conditions. Alternatively, a control rod scram test during hydrostatic pressure testing could also satisfy both criteria. The Frequency of once prior to exceeding 40% RTP is acceptable because of the capability to test the control rod over a range of operating conditions and the more frequent surveillances on other aspects of control rod OPERABILITY. This test is also used to demonstrate control rod OPERABILITY when 40% RTP after work that could affect the scram insertion time is performed on the CRD System. REFERENCES 1. 10 CFR 50, Appendix A, GDC 10.

2. FSAR, Paragraph 4.2.3.2. 3. FSAR, Supplement 5A.4.3.

4. FSAR, Section 15.1.

5. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," (revision specified in the COLR).

6. Letter from R. F. Janecek (BWROG) to R. W. Starostecki (NRC), "BWR Owners' Group Revised Reactivity Control Systems Technical Specifications," BWROG-8754, September 17, 1987. 7. Technical Requirements Manual, Table T5.0-1. 8. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 2 B 3.1-25 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.5 Control Rod Scram Accumulators

BASES BACKGROUND The control rod scram accumulators are part of the Control Rod Drive (CRD) System and are provided to ensure that the control rods scram under varying reactor conditions. The control rod scram accumulators store sufficient energy to fully insert a control rod at any reactor vessel pressure. The accumulator is a hydraulic cylinder with a free floating piston. The piston separates the water used to scram the control rods from the nitrogen, which provides the required energy. The scram accumulators are necessary to scram the control rods within the required insertion times of LCO 3.1.4, "Control Rod Scram Times." APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES control rod scram function are presented in References 1, 2, and 3. The Design Basis Accident (DBA) and transient analyses assume that all of the control rods scram at a specified insertion rate. OPERABILITY of each individual control rod scram accumulator, along with LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.4, ensures that the scram reactivity assumed in the DBA and transient analyses can be met. The existence of an inoperable accumulator may invalidate prior scram time measurements for the associated control rod. The scram function of the CRD System, and therefore the OPERABILITY of the accumulators, protects the MCPR Safety Limit (see Bases for SL 2.1.1, "Reactor Core SLs," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and 1% cladding plastic strain fuel design limit (see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"), which ensure that no fuel damage will occur if these limits are not exceeded (see Bases for LCO 3.1.4). In addition, the scram function at low reactor vessel pressure (i.e., startup conditions) provides protection against violating fuel damage limits during reactivity insertion accidents (see Bases for LCO 3.1.6, "Rod Pattern Control"). Control rod scram accumulators satisfy Criterion 3 of the NRC Policy Statement (Ref. 4).

Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 2 B 3.1-26 REVISION 0 BASES (continued) LCO The OPERABILITY of the control rod scram accumulators is required to ensure that adequate scram insertion capability exists when needed over the entire range of reactor pressures. The OPERABILITY of the scram accumulators is based on maintaining adequate accumulator pressure. APPLICABILITY In MODES 1 and 2, the scram function is required for mitigation of DBAs and transients, and therefore the scram accumulators must be OPERABLE to support the scram function. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This provides adequate requirements for control rod scram accumulator OPERABILITY during these conditions. Requirements for scram accumulators in MODE 5 are contained in LCO 3.9.5, "Control Rod OPERABILITY - Refueling." ACTIONS The ACTIONS Table is modified by a Note indicating that a separate Condition entry is allowed for each control rod scram accumulator. This is acceptable since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable accumulator. Complying with the Required Actions may allow for continued operation and subsequent inoperable accumulators governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2 With one control rod scram accumulator inoperable and the reactor steam dome pressure 900 psig, the control rod may be declared "slow," since the control rod will still scram at the reactor operating pressure but may not satisfy the scram times in Table 3.1.4-1. Required Action A.1 is modified by a Note indicating that declaring the control rod "slow" only applies if the associated control scram time was within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action A.2) and LCO 3.1.3 is entered. This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function, in accordance with ACTIONS of LCO 3.1.3. Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 2 B 3.1-27 REVISION 0 BASES ACTIONS A.1 and A.2 (continued) The allowed Completion Time of 8 hours is reasonable, based on the large number of control rods available to provide the scram function and the ability of the affected control rod to scram only with reactor pressure at high reactor pressures. B.1, B.2.1, and B.2.2 With two or more control rod scram accumulators inoperable and reactor steam dome pressure 900 psig, adequate pressure must be supplied to the charging water header. With inadequate charging water pressure, all of the accumulators could become inoperable, resulting in a potentially severe degradation of the scram performance. Therefore, within 20 minutes from discovery of charging water header pressure < 940 psig concurrent with Condition B, adequate charging water header pressure must be restored. The allowed Completion Time of 20 minutes is reasonable to place a CRD pump into service to restore the charging water header pressure, if required. This Completion Time is based on the ability of the reactor pressure alone to fully insert all control rods. The control rod may be declared "slow," since the control rod will still scram using only reactor pressure, but may not satisfy the times in Table 3.1.4-1. Required Action B.2.1 is modified by a Note indicating that declaring the control rod "slow" only applies if the associated control scram time is within the limits of Table 3.1.4-1 during the last scram time test. Otherwise, the control rod would already be considered "slow" and the further degradation of scram performance with an inoperable accumulator could result in excessive scram times. In this event, the associated control rod is declared inoperable (Required Action B.2.2) and LCO 3.1.3 entered. This would result in requiring the affected control rod to be fully inserted and disarmed, thereby satisfying its intended function in accordance with ACTIONS of LCO 3.1.3. The allowed Completion Time of 1 hour is reasonable, based on the ability of only the reactor pressure to scram the control rods and the low probability of a DBA or transient occurring while the affected accumulators are inoperable.

Control Rod Scram Accumulators B 3.1.5 (continued) HATCH UNIT 2 B 3.1-28 REVISION 79 BASES ACTIONS C.1 and C.2 (continued) With one or more control rod scram accumulators inoperable and the reactor steam dome pressure < 900 psig, the pressure supplied to the charging water header must be adequate to ensure that accumulators remain charged. With the reactor steam dome pressure < 900 psig, the function of the accumulators in providing the scram force becomes much more important since the scram function could become severely degraded during a depressurization event or at low reactor pressures. Therefore, immediately upon discovery of charging water header pressure < 940 psig concurrent with Condition C, all control rods associated with inoperable accumulators must be verified to be fully inserted. Withdrawn control rods with inoperable accumulators may fail to scram under these low pressure conditions. The associated control rods must also be declared inoperable within 1 hour. The allowed Completion Time of 1 hour is reasonable for Required Action C.2, considering the low probability of a DBA or transient occurring during the time that the accumulator is inoperable. D.1 The reactor mode switch must be immediately placed in the shutdown position if either Required Action and associated Completion Time associated with the loss of the CRD charging pump (Required Actions B.1 and C.1) cannot be met. This ensures that all insertable control rods are inserted and that the reactor is in a condition that does not require the active function (i.e., scram) of the control rods. This Required Action is modified by a Note stating that the action is not applicable if all control rods associated with the inoperable scram accumulators are fully inserted, since the function of the control rods has been performed. SURVEILLANCE SR 3.1.5.1 REQUIREMENTS SR 3.1.5.1 requires that the accumulator pressure be checked periodically to ensure adequate accumulator pressure exists to provide sufficient scram force. The primary indicator of accumulator OPERABILITY is the accumulator pressure. A minimum accumulator pressure is specified, below which the capability of the accumulator to perform its intended function becomes degraded and the accumulator is considered inoperable. The minimum accumulator pressure of 940 psig is well below the expected pressure of 1100 psig (Ref. 1). Control Rod Scram Accumulators B 3.1.5 HATCH UNIT 2 B 3.1-29 REVISION 79 BASES SURVEILLANCE SR 3.1.5.1 (continued) REQUIREMENTS Declaring the accumulator inoperable when the minimum pressure is not maintained ensures that significant degradation in scram times does not occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 4.2.3.2. 2. FSAR, Supplement 5A.4.3.

3. FSAR, Section 15.1. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 2 B 3.1-30 REVISION 0 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.6 Rod Pattern Control

BASES BACKGROUND Control rod patterns during startup conditions are controlled by the operator and the rod worth minimizer (RWM) (LCO 3.3.2.1, "Control Rod Block Instrumentation"), so that only specified control rod sequences and relative positions are allowed over the operating range of all control rods inserted to 10% RTP. The sequences limit the potential amount of reactivity addition that could occur in the event of a Control Rod Drop Accident (CRDA). This Specification assures that the control rod patterns are consistent with the assumptions of the CRDA analyses of References 1 and 2. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES CRDA are summarized in References 1 and 2. CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. These sequences define the potential initial conditions for the CRDA analysis. The RWM (LCO 3.3.2.1) provides backup to operator control of the withdrawal sequences to ensure that the initial conditions of the CRDA analysis are not violated. Prevention or mitigation of positive reactivity insertion events is necessary to limit the energy deposition in the fuel, thereby preventing significant fuel damage which could result in the undue release of radioactivity. Since the failure consequences for UO2 have been shown to be insignificant below fuel energy depositions of 300 cal/gm (Ref. 3), the fuel damage limit of 280 cal/gm provides a margin of safety from significant core damage which would result in release of radioactivity (Refs. 4 and 5). Generic evaluations (Refs. 1 and 6) of a design basis CRDA (i.e., a CRDA resulting in a peak fuel energy deposition of 280 cal/gm) have shown that if the peak fuel enthalpy remains below 280 cal/gm, then the maximum reactor pressure will be less than the required ASME Code limits (Ref. 7) and the calculated offsite doses will be well within the required limits (Ref. 5). Control rod patterns analyzed in Reference 1 follow the banked position withdrawal sequence (BPWS). The BPWS is applicable from the condition of all control rods fully inserted to 10% RTP (Ref. 2). For the BPWS, the control rods are required to be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions (e.g., between notches 08 and 12). The Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 2 B 3.1-31 REVISION 66 BASES APPLICABLE banked positions are established to minimize the maximum SAFETY ANALYSES incremental control rod worth without being overly restrictive during (continued) normal plant operation. Generic analysis of the BPWS (Ref. 1) has demonstrated that the 280 cal/gm fuel damage limit will not be violated during a CRDA while following the BPWS mode of operation. The evaluation provided by the generic BPWS analysis (Ref. 8) allows a limited number (i.e., eight) and corresponding distribution of fully inserted, inoperable control rods that are not in compliance with the sequence. This analysis may be modified by plant specific evaluations. When performing a shutdown of the plant, an optional BPWS control rod sequence (Ref. 10) may be used provided that all withdrawn control rods have been confirmed to be coupled. The rods may be inserted without the need to stop at intermediate positions since the possibility of a CRDA is eliminated by the confirmation that withdrawn control rods are coupled. When using the Reference 10 control rod sequence for shutdown, the rod worth minimizer may be reprogrammed to enforce the requirements of the improved BPWS control rod insertion process, or bypassed in accordance with the allowance provided in the Applicability Note for the Rod Worth Minimizer in Table 3.3.2.1-1. In order to use the Reference 10 BPWS shutdown process, an extra check is required in order to consider a control rod to be "confirmed" to be coupled. This extra check ensures that no Single Operator Error can result in an incorrect coupling check. For purposes of this shutdown process, the method for confirming that control rods are coupled varies depending on the position of the control rod in the core. Details on this coupling confirmation requirement are provided in Reference 10. If the requirements for use of the BPWS control rod insertion process contained in Reference 10 are followed, the plant is considered to be in compliance with BPWS requirements, as required by LCO 3.1.6. Rod pattern control satisfies Criterion 3 of the NRC Policy Statement (Ref. 9). LCO Compliance with the prescribed control rod sequences minimizes the potential consequences of a CRDA by limiting the initial conditions to those consistent with the BPWS. This LCO only applies to OPERABLE control rods. For inoperable control rods required to be inserted, separate requirements are specified in LCO 3.1.3, "Control Rod OPERABILITY," consistent with the allowances for inoperable control rods in the BPWS. Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 2 B 3.1-32 REVISION 66 BASES (continued) APPLICABILITY In MODES 1 and 2, when THERMAL POWER is 10% RTP, the CRDA is a Design Basis Accident and, therefore, compliance with the assumptions of the safety analysis is required. When THERMAL POWER is > 10% RTP, there is no credible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Ref. 2). In MODES 3, 4, and 5, since the reactor is shut down and only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will remain subcritical with a single control rod withdrawn. ACTIONS A.1 and A.2 With one or more OPERABLE control rods not in compliance with the prescribed control rod sequence, actions may be taken to either correct the control rod pattern or declare the associated control rods inoperable within 8 hours. Noncompliance with the prescribed sequence may be the result of "double notching," drifting from a control rod drive cooling water transient, leaking scram valves, or a power reduction to 10% RTP before establishing the correct control rod pattern. The number of OPERABLE control rods not in compliance with the prescribed sequence is limited to eight, to prevent the operator from attempting to correct a control rod pattern that significantly deviates from the prescribed sequence. When the control rod pattern is not in compliance with the prescribed sequence, all control rod movement must be stopped except for moves needed to correct the rod pattern, or scram if warranted. Required Action A.1 is modified by a Note which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator or other qualified member of the technical staff. This ensures that the control rods will be moved to the correct position. A control rod not in compliance with the prescribed sequence is not considered inoperable except as required by Required Action A.2. The allowed Completion Time of 8 hours is reasonable, considering the restrictions on the number of allowed out of sequence control rods and the low probability of a CRDA occurring during the time the control rods are out of sequence. B.1 and B.2 If nine or more OPERABLE control rods are out of sequence, the control rod pattern significantly deviates from the prescribed sequence. Rod Pattern Control B 3.1.6 (continued) HATCH UNIT 2 B 3.1-33 REVISION 79 BASES ACTIONS B.1 and B.2 (continued) Control rod withdrawal should be suspended immediately to prevent the potential for further deviation from the prescribed sequence. Control rod insertion to correct control rods withdrawn beyond their allowed position is allowed since, in general, insertion of control rods has less impact on control rod worth than withdrawals have. Required Action B.1 is modified by a Note which allows the RWM to be bypassed to allow the affected control rods to be returned to their correct position. LCO 3.3.2.1 requires verification of control rod movement by a second licensed operator or other qualified member of the technical staff. When nine or more OPERABLE control rods are not in compliance with BPWS, the reactor mode switch must be placed in the shutdown position within 1 hour. With the mode switch in shutdown, the reactor is shut down, and as such, does not meet the applicability requirements of this LCO. The allowed Completion Time of 1 hour is reasonable to allow insertion of control rods to restore compliance, and is appropriate relative to the low probability of a CRDA occurring with the control rods out of sequence. SURVEILLANCE SR 3.1.6.1 REQUIREMENTS The control rod pattern is periodically verified to be in compliance with the BPWS to ensure the assumptions of the CRDA analyses are met. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RWM provides control rod blocks to enforce the required sequence and is required to be OPERABLE when operating at 10% RTP.

REFERENCES 1. NEDE-24011-P-A-US, "General Electric Standard Application for Reactor Fuel, Supplement for United States," (revision specified in the COLR). 2. Letter from T. A. Pickens (BWROG) to G. C. Lainas (NRC), "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," BWROG-8644, August 15, 1988.

3. NUREG-0979, Section 4.2.1.3.2, April 1983

4. NUREG-0800, Section 15.4.9, Revision 2, July 1981.

Rod Pattern Control B 3.1.6 HATCH UNIT 2 B 3.1-34 REVISION 74 BASES REFERENCES 5. 10 CFR 50.67. (continued)

6. NEDO-21778-A, "Transient Pressure Rises Affected Fracture Toughness Requirements for Boiling Water Reactors,"

December 1978. 7. ASME, Boiler and Pressure Vessel Code. 8. NEDO-21231, "Banked Position Withdrawal Sequence," January 1977. 9. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 10. NEDO-33091-A, Revision 2, "Improved BPWS Control Rod Insertion Process," July 2004. SLC System B 3.1.7 (continued) HATCH UNIT 2 B 3.1- REVISION 74 B 3.1 REACTIVITY CONTROL SYSTEMS

B 3.1.7 Standby Liquid Control (SLC) System

BASES BACKGROUND The SLC System provides the capability of bringing the reactor, at any time in a fuel cycle, from full power and minimum control rod inventory (which is at the peak of the xenon transient) to a subcritical condition with the reactor in the most reactive, xenon free state without taking credit for control rod movement. Additionally, the SLC system provides sufficient buffering agent to maintain the suppression pool pH at or above 7.0 following a Design Basis Accident (DBA) LOCA involving fuel damage. Maintaining the suppression pool pH at or above 7.0 will preclude the re-evolution of iodine from the suppression pool water following a DBA LOCA. The SLC System satisfies the requirements of 10 CFR 50.62 (Ref. 1) on anticipated transient without scram. The SLC System consists of a sodium pentaborate solution storage tank, two positive displacement pumps, two explosive valves that are provided in parallel for redundancy, and associated piping and valves used to transfer borated water from the storage tank to the reactor pressure vessel (RPV). The borated solution is discharged near the bottom of the core shroud, where it then mixes with the cooling water rising through the core. A smaller tank containing demineralized water is provided for testing purposes. APPLICABLE The SLC System is manually initiated from the main control room, SAFETY ANAYSES as directed by the emergency operating procedures, if the operator believes the reactor cannot be shut down, or kept shut down, with the control rods. The SLC System is used in the event that enough control rods cannot be inserted to accomplish shutdown and cooldown in the normal manner. The SLC System injects borated water into the reactor core to add negative reactivity to compensate for all of the various reactivity effects that could occur during plant operations. To meet this objective, it is necessary to inject a quantity of boron, which produces a concentration of 800 ppm of natural boron equivalent, in the reactor coolant at 70°F. To allow for potential leakage and imperfect mixing in the reactor system, an amount of boron equal to 25% of the amount cited above is added (Ref. 2). The Region A volume versus concentration limits in Figure 3.1.7-1 and the Region A temperature versus concentration limits in Figure 3.1.7-2 are calculated such that the required concentration is achieved accounting for dilution in the RPV with high water level and including the water volume in the residual heat removal shutdown cooling piping and in the recirculation loop piping. This quantity of borated solution is the SLC System B 3.1.7 (continued) HATCH UNIT 2 B 3.1-36 REVISION 74 BASES APPLICABLE amount that is above the pump suction shutoff level in the boron SAFETY ANALYSES solution storage tank. No credit is taken for the portion of the tank (continued) volume that cannot be injected. The SLC system is also used to control suppression pool pH in the event of a DBA LOCA by injecting sodium pentaborate into the reactor vessel. The sodium pentaborate is then transported to the suppression pool and mixed by ECCS flow recirculation through the reactor, out of the break, and into the suppression chamber. The amount of sodium pentaborate solution that must be available for injection following a DBA LOCA is determined as part of the DBA LOCA radiological analysis. This quantity is maintained in the storage tank as specified in the Technical Specifications. The SLC System satisfies Criterion 4 of the NRC Policy Statement (Ref. 3).

LCO The OPERABILITY of the SLC System provides backup capability for reactivity control independent of normal reactivity control provisions provided by the control rods and provides sufficient buffering agent to maintain the suppression pool pH at or above 7.0 following a DBA LOCA involving fuel damage. The OPERABILITY of the SLC System is based on the conditions of the borated solution in the storage tank and the availability of a flow path to the RPV, including the OPERABILITY of the pumps and valves. Two SLC subsystems are required to be OPERABLE; each contains an OPERABLE pump, an explosive valve, and associated piping, valves, and instruments and controls to ensure an OPERABLE flow path. APPLICABILITY In MODES 1 and 2, shutdown capability is required. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This provides adequate controls to ensure that the reactor remains subcritical. In MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Demonstration of adequate SDM [LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"] ensures that the reactor will not become critical. Therefore, the SLC System is not required to be OPERABLE when only a single control rod can be withdrawn. ACTIONS A.1 If the sodium pentaborate solution concentration is not within the 10 CFR 50.62 limits (not within Region A of Figure 3.1.7-1 or 3.1.7-2), but greater than original licensing basis limits (within Region B of SLC System B 3.1.7 (continued) HATCH UNIT 2 B 3.1-37 REVISION 74 BASES ACTIONS A.1 (continued) Figure 3.1.7-1 or 3.1.7-2), the solution must be restored to within Region A limits in 72 hours. It should be noted that the lowest acceptable concentration in Region is 5%. It is not necessary under these conditions to enter Condition C for both SLC subsystems inoperable, since the SLC subsystems are capable of performing their original design basis functions. Because of the low probability of an event and the fact that the SLC System capability still exists for vessel injection under these conditions, the allowed Completion Time of 72 hours is acceptable and provides adequate time to restore concentration to within limits. The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of concentration out of limits or inoperable SLC subsystems during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, an SLC subsystem is inoperable and that subsystem is subsequently returned to OPERABLE, the LCO may already have been not met for up to 7 days. This situation could lead to a total duration of 10 days (7 days in Condition B, followed by 3 days in Condition A), since initial failure of the LCO, to restore the SLC System. Then an SLC subsystem could be found inoperable again, and concentration could be restored to within limits. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock," resulting in establishing the "time zero" at the time the LCO was initially not met instead of at the time Condition A was entered. The 10 day Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely. B.1 If one SLC subsystem is inoperable for reasons other than Condition A, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystem is adequate to perform the shutdown function and provide adequate buffering agent to the suppression pool. However, the overall reliability is reduced because a single failure in the remaining OPERABLE subsystem could result in reduced SLC System capability. The 7 day Completion Time is based on the availability of an OPERABLE subsystem capable of performing the intended SLC System functions and the low probability of a DBA or severe transient occurring requiring SLC injection. The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of concentration out of SLC System B 3.1.7 (continued) HATCH UNIT 2 B 3.1-38 REVISION 79 BASES ACTIONS B.1 (continued) limits or inoperable SLC subsystems during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, concentration is out of limits, and is subsequently returned to within limits, the LCO may already have been not met for up to 3 days. This situation could lead to a total duration of 10 days (3 days in Condition A, followed by 7 days in Condition B), since initial failure of the LCO, to restore the SLC System. Then concentration could be found out of limits again, and the SLC subsystem could be restored to OPERABLE. This could continue indefinitely. This Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock," resulting in establishing the "time zero" at the time the LCO was initially not met instead of at the time Condition B was entered. The 10 day Completion Time is an acceptable limitation on this potential to fail to meet the LCO indefinitely. C.1 If both SLC subsystems are inoperable for reasons other than Condition A, at least one subsystem must be restored to OPERABLE status within 8 hours. The allowed Completion Time of 8 hours is considered acceptable given the low probability of a DBA or transient occurring requiring SLC injection.

D.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.7.1, SR 3.1.7.2, and SR 3.1.7.3 REQUIREMENTS SR 3.1.7.1 through SR 3.1.7.3 verify certain characteristics of the SLC System (e.g., the volume and temperature of the borated solution in the storage tank), thereby ensuring SLC System OPERABILITY without disturbing normal plant operation. These Surveillances SLC System B 3.1.7 (continued) HATCH UNIT 2 B 3.1-39 REVISION 79 BASES SURVEILLANCE SR 3.1.7.1, SR 3.1.7.2, and SR 3.1.7.3 (continued) REQUIREMENTS ensure that the proper borated solution volume and temperature, including the temperature of the pump suction piping, are maintained (within Region A limits of Figures 3.1.7-1 and 3.1.7-2). Maintaining a minimum specified borated solution temperature is important in ensuring that the boron remains in solution and does not precipitate out in the storage tank or in the pump suction piping. The temperature versus concentration curve of Figure 3.1.7-2 ensures that a 10°F margin will be maintained above the saturation temperature. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.7.4 and SR 3.1.7.6 SR 3.1.7.4 verifies the continuity of the explosive charges in the injection valves to ensure that proper operation will occur if required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.7.6 verifies that each valve in the system is in its correct position, but does not apply to the squib (i.e., explosive) valves. Verifying the correct alignment for manual and power operated valves in the SLC System flow path provides assurance that the proper flow paths will exist for system operation. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position from the control room, or locally by a dedicated operator at the valve control. This is acceptable since the SLC System is a manually initiated system. This Surveillance also does not apply to valves that are locked, sealed, or otherwise secured in position since they are verified to be in the correct position prior to locking, sealing, or securing. This verification of valve alignment does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.7.5 This Surveillance requires an examination of the sodium pentaborate solution by using chemical analysis to ensure that the proper SLC System B 3.1.7 (continued) HATCH UNIT 2 B 3.1-40 REVISION 79 BASES SURVEILLANCE SR 3.1.7.5 (continued) REQUIREMENTS concentration of boron exists in the storage tank (within Region A limits of Figures 3.1.7-1 and 3.1.7-2). SR 3.1.7.5 must be performed anytime sodium pentaborate or water is added to the storage tank solution to determine that the boron solution concentration is within the specified limits. SR 3.1.7.5 must also be performed any time the temperature is restored to within the Region A limits of Figure 3.1.7-2, to ensure that no significant boron precipitation occurred. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.7 Demonstrating that each SLC System pump develops a flow rate 41.2 gpm at a discharge pressure 1232 psig ensures that pump performance has not degraded during the fuel cycle. This minimum pump flow rate requirement ensures that, when combined with the sodium pentaborate solution concentration requirements, the rate of negative reactivity insertion from the SLC System will adequately compensate for the positive reactivity effects encountered during power reduction, cooldown of the moderator, and xenon decay. Additionally, the minimum pump flow rate requirement ensures that adequate buffering agent will reach the suppression pool to maintain pH at or above 7.0 post-LOCA. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this Surveillance is in accordance with the Inservice Testing Program.

SR 3.1.7.8 and SR 3.1.7.9 These Surveillances ensure that there is a functioning flow path from the sodium pentaborate solution storage tank to the RPV, including the firing of an explosive valve. The replacement charge for the explosive valve shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of that batch successfully fired. The Surveillance may be performed in separate steps to prevent injecting boron into the RPV. An acceptable method for verifying flow from the pump to the RPV is to pump demineralized water from a test tank through one SLC System B 3.1.7 HATCH UNIT 2 B 3.1-41 REVISION 79 BASES SURVEILLANCE SR 3.1.7.8 and SR 3.1.7.9 (continued) REQUIREMENTS SLC subsystem and into the RPV. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Demonstrating that all heat traced piping between the sodium pentaborate solution storage tank and the suction inlet to the injection pumps is unblocked ensures that there is a functioning flow path for injecting the sodium pentaborate solution. An acceptable method for verifying that the suction piping is unblocked is to pump from the storage tank to the test tank. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This is especially true in light of the temperature verification of this piping required by SR 3.1.7.3. However, if, in performing SR 3.1.7.3, it is determined that the temperature of this piping has fallen below the specified minimum, SR 3.1.7.9 must be performed once within 24 hours after the piping temperature is restored to within the Region A limits of Figure 3.1.7-2.

SR 3.1.7.10 Enriched sodium pentaborate solution is made by mixing granular, enriched sodium pentaborate with water. Isotopic tests on the granular sodium pentaborate to verify the actual B-10 enrichment must be performed prior to addition to the SLC tank in order to ensure that the proper B-10 atom percentage is being used. REFERENCES 1. 10 CFR 50.62.

2. FSAR, Section 4.2.3.4.3.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 2 B 3.1-42 REVISION 74 B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1.8 Scram Discharge Volume (SDV) Vent and Drain Valves

BASES BACKGROUND The SDV vent and drain valves are normally open and discharge any accumulated water in the SDV to ensure that sufficient volume is available at all times to allow a complete scram. During a scram, the SDV vent and drain valves close to contain reactor water. The SDV is a volume of header piping that connects to each hydraulic control unit (HCU) and drains into an instrument volume. There are two SDVs (headers) and two instrument volumes, each receiving approximately one half of the control rod drive (CRD) discharges. The two instrument volumes are connected to a common drain line with two valves in series. Each header is connected to a common vent line with two valves in series for a total of four vent valves. The header piping is sized to receive and contain all the water discharged by the CRDs during a scram. The design and functions of the SDV are described in Reference 1.

APPLICABLE The Design Basis Accident and transient analyses assume all of the SAFETY ANALYSES control rods are capable of scramming. The acceptance criteria for the SDV vent and drain valves are that they operate automatically to: a. Close during scram to limit the amount of reactor coolant discharged so that adequate core cooling is maintained and offsite doses remain within the limits of 10 CFR 50.67 (Ref. 2); and

b. Open on scram reset to maintain the SDV vent and drain path open so that there is sufficient volume to accept the reactor coolant discharged during a scram.

Isolation of the SDV can also be accomplished by manual closure of the SDV valves. Additionally, the discharge of reactor coolant to the SDV can be terminated by scram reset or closure of the HCU manual isolation valves. For a bounding leakage case, the offsite doses are well within the limits of 10 CFR 50.67 (Ref. 2), and adequate core cooling is maintained (Ref. 3). The SDV vent and drain valves allow continuous drainage of the SDV during normal plant operation to ensure that the SDV has sufficient capacity to contain the reactor coolant discharge during a full core scram. To automatically ensure this capacity, a reactor scram (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation") is initiated if the SDV water level in SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 2 B 3.1-43 REVISION 66 BASES APPLICABLE the instrument volume exceeds a specified setpoint. The setpoint is SAFETY ANALYSES chosen so that all control rods are inserted before the SDV has (continued) insufficient volume to accept a full scram. SDV vent and drain valves satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The OPERABILITY of all SDV vent and drain valves ensures that the SDV vent and drain valves will close during a scram to contain reactor water discharged to the SDV piping. Since the vent and drain lines are provided with two valves in series, the single failure of one valve in the open position will not impair the isolation function of the system. Additionally, the valves are required to open on scram reset to ensure that a path is available for the SDV piping to drain freely at other times. APPLICABILITY In MODES 1 and 2, scram may be required; therefore, the SDV vent and drain valves must be OPERABLE. In MODES 3 and 4, with the mode switch in shutdown, control rod block prevents withdrawal of control rods. This provides adequate controls to ensure that only a single control rod can be withdrawn. Also, during MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Therefore, the SDV vent and drain valves are not required to be OPERABLE in these MODES since the reactor is subcritical and only one rod may be withdrawn and subject to scram. ACTIONS The ACTIONS Table is modified by Note 1 indicating that a separate Condition entry is allowed for each SDV vent and drain line. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SDV line. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SDV lines are governed by subsequent Condition entry and application of associated Required Actions. When a line is isolated, the potential for an inadvertent scram due to high SDV level is increased. During these periods, the line may be unisolated under administrative control. This allows any accumulated water in the line to be drained, to preclude a reactor scram on SDV high level. This is acceptable since the administrative controls ensure the valve can be closed quickly, by a dedicated operator, if a scram occurs with the valve open. SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 2 B 3.1-44 REVISION 66 BASES ACTIONS A.1 (continued) When one SDV vent or drain valve is inoperable in one or more lines, the associated line must be isolated to contain the reactor coolant during a scram. The 7 day Completion Time is reasonable, given the level of redundancy in the lines and the low probability of a scram occurring during the time the valve(s) are inoperable and the line is not isolated. The SDV is still isolable since the redundant valve in the affected line is OPERABLE. During these periods, the single failure criterion may not be preserved, and a higher risk exists to allow reactor water out of the primary system during a scram.

B.1 If both valves in a line are inoperable, the line must be isolated to contain the reactor coolant during a scram. The 8 hour Completion Time to isolate the line is based on the low probability of a scram occurring while the line is not isolated and unlikelihood of significant CRD seal leakage. C.1 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.1.8.1 REQUIREMENTS During normal operation, the SDV vent and drain valves should be in the open position (except when performing SR 3.1.8.2) to allow for drainage of the SDV piping. Verifying that each valve is in the open SDV Vent and Drain Valves B 3.1.8 (continued) HATCH UNIT 2 B 3.1-45 REVISION 79 BASES SURVEILLANCE SR 3.1.8.1 (continued) REQUIREMENTS position ensures that the SDV vent and drain valves will perform their intended functions during normal operation. This SR does not require any testing or valve manipulation; rather, it involves verification that the valves are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.8.2 During a scram, the SDV vent and drain valves should close to contain the reactor water discharged to the SDV piping. Cycling each valve through its complete range of motion (closed and open) ensures that the valve will function properly during a scram. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.1.8.3 SR 3.1.8.3 is an integrated test of the SDV vent and drain valves to verify total system performance. After receipt of a simulated or actual scram signal, the closure of the SDV vent and drain valves is verified. The closure time of 60 seconds after receipt of a scram signal is based on the bounding leakage case evaluated in the accident analysis (Ref. 1). Similarly, after receipt of a simulated or actual scram reset signal, the opening of the SDV vent and drain valves is verified. Although not explicitly stated in the SR, the valves are required to open prior to receipt of a control rod block on high SDV level. This criterion ensures the valves can open in time to preclude a scram on SDV high level and maintain sufficient volume in the SDV to receive and contain the water discharged by the control rod drives during a scram per the requirements of the applicable safety analysis (Ref.1). The LOGIC SYSTEM FUNCTIONAL TEST in LCO 3.3.1.1 and the scram time testing of control rods in LCO 3.1.3 overlap this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SDV Vent and Drain Valves B 3.1.8 HATCH UNIT 2 B 3.1-46 REVISION 79 BASES (continued) REFERENCES 1. FSAR, Section 4.2.3.2.2.3.

2. 10 CFR 50.67.

3. NUREG-0803, "Generic Safety Evaluation Report Regarding Integrity of BWR Scram System Piping," August 1981. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

APLHGR B 3.2.1 (continued) HATCH UNIT 2 B 3.2-1 REVISION 43 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)

BASES BACKGROUND The APLHGR is a measure of the average LHGR of all the fuel rods in a fuel assembly at any axial location. Limits on the APLHGR are specified to ensure that the peak cladding temperature (PCT) during the postulated design basis loss of coolant accident (LOCA) does not exceed the limits specified in 10 CFR 50.46. APPLICABLE The analytical methods and assumptions used in evaluating LOCA SAFETY ANALYSES and normal operation that determine the APLHGR limits are presented in References 1, 3, 4, 6, 9, and 10. APLHGR limits are developed as a function of exposure and operating states to ensure adherence to 10 CFR 50.46 during the limiting LOCA (Refs. 6, 7, 9, and 10). LOCA analyses are performed to ensure that the above determined APLHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. The analysis is performed using calculational models that are consistent with the requirements of 10 CFR 50, Appendix K. A complete discussion of the analysis code is provided in Reference 10. The PCT following a postulated LOCA is a function of the average heat generation rate of all the rods of a fuel assembly at any axial location and is not strongly influenced by the rod to rod power distribution within an assembly. The APLHGR limits specified are equivalent to the LHGR of the highest powered fuel rod assumed in the LOCA analysis divided by an assumed conservatively small local peaking factor. Some off-rated operating states require the reduction or set down of the rated APLHGR limit through multiplier factors (MAPFACs). A flow dependent multiplier, MAPFACf , is necessary at core flows below 61% to provide protection for LOCA events (Ref. 12). For single recirculation loop operation, the MAPFACf multiplier is limited to a maximum value specified in the Core Operating Limits Report (COLR). This maximum limit is due to the conservative analysis assumption of an earlier departure from nucleate boiling with one recirculation loop available, resulting in a more severe cladding heatup during a LOCA. APLHGR B 3.2.1 (continued) HATCH UNIT 2 B 3.2-2 REVISION 43 BASES APPLICABLE The APLHGR satisfies Criterion 2 of the NRC Policy Statement SAFETY ANALYSES (Ref. 11).

(continued)    LCO The APLHGR limits specified in the COLR are the result of the LOCA analyses. The limit is determined by multiplying the MAPFACf factor times the exposure dependent APLHGR limits. For single recirculation loop operations, the MAPFACf multiplier is limited to a maximum value specified in the Core Operating Limits Report (COLR). APPLICABILITY The APLHGR limits are primarily derived from fuel design evaluations and LOCA analyses that are assumed to occur at high power levels.

Design calculations (Ref. 7) and operating experience have shown that as power is reduced, the margin to the required APLHGR limits increases. This trend continues down to the power range of 5% to 15% RTP when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor scram function provides prompt scram initiation during any significant transient, thereby effectively removing any APLHGR limit compliance concern in MODE 2. Therefore, at THERMAL POWER levels 24% RTP, the reactor is operating with substantial margin to the APLHGR limits; thus, this LCO is not required. ACTIONS A.1 If any APLHGR exceeds the required limits, an assumption regarding an initial condition of the LOCA may not be met. Therefore, prompt action should be taken to restore the APLHGR(s) to within the required limits such that the plant operates within analyzed conditions and within design limits of the fuel rods. The 2 hour Completion Time is sufficient to restore the APLHGR(s) to within its limits and is acceptable based on the low probability of a LOCA occurring simultaneously with the APLHGR out of specification. APLHGR B 3.2.1 (continued) HATCH UNIT 2 B 3.2-3 REVISION 79 BASES ACTIONS B.1 (continued) If the APLHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 24% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 24% RTP in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.2.1.1 REQUIREMENTS APLHGRs are required to be initially calculated within 12 hours after THERMAL POWER is 24% RTP and periodically thereafter. They are compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 12 hour allowance after THERMAL POWER 24% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. NEDE-24011-P-A "General Electric Standard Application for Reactor Fuel," (revision specified in the COLR). 2. (Not used) 3. FSAR, Chapter 6. 4. FSAR, Chapter 15. 5. (Not used) 6. NEDC-32749P, "Extended Power Uprate Safety Analysis Report for Edwin I. Hatch Units 1 and 2," July 1997. 7. NEDC-30474-P "Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvements (ARTS) Program for E.I. Hatch Nuclear Plant, Units 1 and 2," December 1983. 8. (Not used) APLHGR B 3.2.1 HATCH UNIT 2 B 3.2-4 REVISION 43 BASES REFERENCES 9. NEDC-32720P, "Hatch Units 1 and 2 SAFER/GESTR-LOCA (continued) Loss of Coolant Accident Analysis," March 1997.

10. GE-NE-0000-0000-9200-02P, "Hatch Units 1 and 2 ECCS-LOCA Evaluation for GE-14," March 2002.

11. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 12. Letter from Global Nuclear Fuel, M. E. Harding to E. B. Gibson, January 22, 2004, "Plant Hatch Technical Specification Modification to include LHGR."

MCPR B 3.2.2 (continued) HATCH UNIT 2 B 3.2-5 REVISION 0 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.2 MINIMUM CRITICAL POWER RATIO (MCPR)

BASES BACKGROUND MCPR is a ratio of the fuel assembly power that would result in the onset of boiling transition to the actual fuel assembly power. The MCPR Safety Limit (SL) is set such that 99.9% of the fuel rods are expected to avoid boiling transition if the limit is not violated (refer to the Bases for SL 2.1.1.2). The operating limit MCPR is established to ensure that no fuel damage results during anticipated operational occurrences (AOOs). Although fuel damage does not necessarily occur if a fuel rod actually experienced boiling transition (Ref. 1), the critical power at which boiling transition is calculated to occur has been adopted as a fuel design criterion. The onset of transition boiling is a phenomenon that is readily detected during the testing of various fuel bundle designs. Based on these experimental data, correlations have been developed to predict critical bundle power (i.e., the bundle power level at the onset of transition boiling) for a given set of plant parameters (e.g., reactor vessel pressure, flow, and subcooling). Because plant operating conditions and bundle power levels are monitored and determined relatively easily, monitoring the MCPR is a convenient way of ensuring that fuel failures due to inadequate cooling do not occur. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES the AOOs to establish the operating limit MCPR are presented in References 2, 3, 4, 5, 6, 7, and 8. To ensure that the MCPR SL is not exceeded during any transient event that occurs with moderate frequency, limiting transients have been analyzed to determine the largest reduction in critical power ratio (CPR). The types of transients evaluated are loss of flow, increase in pressure and power, positive reactivity insertion, and coolant temperature decrease. The limiting transient yields the largest change in CPR (CPR). When the largest CPR is added to the MCPR SL, the required operating limit MCPR is obtained. The MCPR operating limits derived from the transient analysis are dependent on the operating core flow and power state (MCPRf and MCPRp, respectively) to ensure adherence to fuel design limits during the worst transient that occurs with moderate frequency, (Refs. 6, 7, and 8). Flow dependent MCPR limits are determined by steady state thermal hydraulic methods with key physics response inputs MCPR B 3.2.2 (continued) HATCH UNIT 2 B 3.2-6 REVISION 42 BASES APPLICABLE benchmarked using the three dimensional BWR simulator code SAFETY ANALYSES (Ref. 9) to analyze slow flow runout transients. The operating limit is (continued) dependent on the maximum core flow limiter setting in the Recirculation Flow Control System. Power dependent MCPR limits (MCPRp) are determined mainly by the one dimensional transient code (Ref. 10). Due to the sensitivity of the transient response to initial core flow levels at power levels below those at which the turbine stop valve closure and turbine control valve fast closure scrams are bypassed, high and low flow MCPRp operating limits are provided for operating between 24% RTP and the previously mentioned bypass power level. The MCPR satisfies Criterion 2 of the NRC Policy Statement (Ref. 11). LCO The MCPR operating limits specified in the COLR are the result of the Design Basis Accident (DBA) and transient analysis. The operating limit MCPR is determined by the larger of the MCPRf and MCPRp limits. APPLICABILITY The MCPR operating limits are primarily derived from transient analyses that are assumed to occur at high power levels. Below 24% RTP, the reactor is operating at a minimum recirculation pump speed and the moderator void ratio is small. Surveillance of thermal limits below 24% RTP is unnecessary due to the large inherent margin that ensures that the MCPR SL is not exceeded even if a limiting transient occurs. Statistical analyses indicate that the nominal value of the initial MCPR expected at 24% RTP is > 3.5. Studies of the variation of limiting transient behavior have been performed over the range of power and flow conditions. These studies encompass the range of key actual plant parameter values important to typically limiting transients. The results of these studies demonstrate that a margin is expected between performance and the MCPR requirements, and that margins increase as power is reduced to 24% RTP. This trend is expected to continue to the 5% to 15% power range when entry into MODE 2 occurs. When in MODE 2, the intermediate range monitor provides rapid scram initiation for any significant power increase transient, which effectively eliminates any MCPR compliance concern. Therefore, at THERMAL POWER levels < 24% RTP, the reactor is operating with substantial margin to the MCPR limits and this LCO is not required. MCPR B 3.2.2 (continued) HATCH UNIT 2 B 3.2-7 REVISION 79 BASES (continued) ACTIONS A.1 If any MCPR is outside the required limits, an assumption regarding an initial condition of the design basis transient analyses may not be met. Therefore, prompt action should be taken to restore the MCPR(s) to within the required limits such that the plant remains operating within analyzed conditions. The 2 hour Completion Time is normally sufficient to restore the MCPR(s) to within its limits and is acceptable based on the low probability of a transient or DBA occurring simultaneously with the MCPR out of specification. B.1 If the MCPR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER must be reduced to < 24% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 24% RTP in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.2.2.1 REQUIREMENTS The MCPR is required to be initially calculated within 12 hours after THERMAL POWER is 24% RTP and periodically thereafter. It is compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 12 hour allowance after THERMAL POWER 24% RTP is achieved is acceptable given the large inherent margin to operating limits at low power levels. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.2.2.2 Because the transient analysis takes credit for conservatism in the scram speed performance, it must be demonstrated that the specific scram speed distribution is consistent with that used in the transient analysis. SR 3.2.2.2 determines the value of , which is a measure of the actual scram speed distribution compared with the assumed distribution. The MCPR operating limit is then determined based on an interpolation between the applicable limits for Option A (scram MCPR B 3.2.2 HATCH UNIT 2 B 3.2-8 REVISION 0 BASES SURVEILLANCE SR 3.2.2.2 (continued) REQUIREMENTS times of LCO 3.1.4, "Control Rod Scram Times") and Option B (realistic scram times) analyses. The parameter must be determined once within 72 hours after each set of scram time tests required by SR 3.1.4.1 and SR 3.1.4.2 because the effective scram speed distribution may change during the cycle. The 72 hour Completion Time is acceptable due to the relatively minor changes in expected during the fuel cycle. REFERENCES 1. NUREG-0562, June 1979. 2. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel," (revision specified in the COLR).

3. FSAR, Chapter 4. 4. FSAR, Chapter 6. 5. FSAR, Chapter 15. 6. NEDO-24205, "E.I. Hatch Nuclear Plant Units 1 and 2 Single-Loop Operation," August 1989. 7. NEDO-24395, "Load Line Limit Analysis," October 1980.

8. NEDC-30474-P, "Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvements (ARTS)

Program for E.I. Hatch Nuclear Plant, Units 1 and 2," December 1983.

9. NEDO-30130-A, "Steady State Nuclear Methods," May 1985. 10. NEDO-24154, "Qualification of the One-Dimensional Core Transient Model for Boiling Water Reactors," October 1978. 11. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

LHGR B 3.2.3 (continued) HATCH UNIT 2 B 3.2-9 REVISION 74 B 3.2 POWER DISTRIBUTION LIMITS B 3.2.3 LINEAR HEAT GENERATION RATE (LHGR)

BASES BACKGROUND The LHGR is a measure of the heat generation rate of a fuel rod in a fuel assembly at any axial location. Limits on LHGR are specified to ensure that fuel thermal-mechanical design limits are not exceeded anywhere in the core during normal operation, including anticipated operational occurrences (AOOs), and to ensure that the peak clad temperature (PCT) during postulated design basis loss of coolant accident (LOCA) does not exceed the limits specified in 10 CFR 50.46. Exceeding the LHGR limit could potentially result in fuel damage and subsequent release of radioactive materials into the reactor coolant. Fuel design limits are specified to ensure that fuel system damage, fuel rod failure, or inability to cool the fuel does not occur during the anticipated operating conditions identified in Reference 2. APPLICABLE The analytical methods and assumptions used in evaluating the SAFETY ANALYSES fuel system design limits are presented in References 1 and 2. The analytical methods and assumptions used in evaluating AOOs and normal operation that determine the LHGR limits are presented in Reference 2. The fuel assembly is designed to ensure (in conjunction with the core nuclear and thermal hydraulic design, plant equipment, instrumentation, and protection systems) that fuel damage will not result in the release of radioactive materials in excess of the guidelines of 10 CFR, Parts 20 and 50. The mechanisms that could cause fuel damage during operational transients and that are considered in fuel evaluations include: a. Rupture of the fuel rod cladding caused by strain from the relative expansion of the UO2 pellet and cladding. b. Severe overheating of the fuel rod cladding caused by inadequate cooling. A value of 1% plastic strain of the fuel cladding has been defined as the limit below which fuel damage caused by overstraining of the fuel cladding is not expected to occur (Ref. 3). Fuel design evaluations have been performed and demonstrate that the 1% fuel cladding plastic strain design limit and certain other fuel design limits described in reference 1 are not exceeded during LHGR B 3.2.3 (continued) HATCH UNIT 2 B 3.2-10 REVISION 43 BASES APPLICABLE continuous operation with LHGRs up to the operating limit specified in SAFETY ANALYSES the Core Operating Limits Report (COLR). The analysis also includes (continued) allowances for short-term transient operation above the operating limit to account for AOOs, plus an allowance for densification power spiking. LHGR limits are developed as a function of exposure and the various operating core flow and power states to ensure adherence to fuel design limits during the limiting AOOs (Refs. 4 and 5). Off-rated operating states require the reduction or set down of the rated LHGR limit through multiplier factors (LHGRFACs) (Ref. 9). Flow dependent multipliers, LHGRFACf, are determined (Ref. 5) using the three dimensional BWR simulator code (Ref. 6) to analyze slow flow runout transients. The flow dependent multiplier is dependent on the maximum core flow runout capability. The maximum runout flow is dependent on the existing setting of the core flow limiter in the Recirculation Flow Control System. Based on analyses of limiting plant transients (other than core flow increases) over a range of power and flow conditions, power dependent multipliers, LHGRFACp, also are generated. Due to the sensitivity of the transient response to initial core flow levels at power levels below those at which turbine stop valve closure and turbine control valve fast closure scram trips are bypassed, both high and low core flow LHGRFACp limits are provided for operation at power levels between 24% RTP and the previously mentioned bypass power level. The exposure dependent LHGR limits are reduced by LHGRFACp and LHGRFACf at various operating conditions to ensure that all fuel design criteria are met for normal operation and AOOs. A complete discussion of the analysis code is provided in Reference 7. LOCA analyses are performed to ensure that the above determined LHGR limits are adequate to meet the PCT and maximum oxidation limits of 10 CFR 50.46. See Section B 3.2.1 for more details. For single recirculation loop operation, the LHGR operating limit is as specified in the COLR, and the LHGRFAC multiplier is limited to a maximum as specified in the COLR. The maximum limit is due to the conservative analysis assumption of an earlier departure from nucleate boiling with one recirculation loop available, resulting in a more severe cladding heatup during a LOCA. The LHGR satisfies Criterion 2 of the NRC Policy Statement (Ref. 8). LHGR B 3.2.3 (continued) HATCH UNIT 2 B 3.2-11 REVISION 43 BASES (continued) LCO The LHGR is a basic assumption in the fuel design analysis. The fuel has been designed to operate at rated core power with sufficient design margin to the LHGR limit calculated to cause a 1% fuel cladding plastic strain as well as the other design limits described in Ref. 1. For two recirculation loops operating, the limit is determined by multiplying the smaller of the LHGRFACf and LHGRFACp factors times the exposure dependent LHGR limits. These values are specified in the COLR. With only one recirculation loop in operation, in conformance with the requirements of LCO 3.4.1, "Recirculation Loops Operating," the limit is determined by multiplying the exposure dependent LHGR limit by the smaller of either LHGRFACf, LHGRFACp, and a maximum value allowed during single loop operation as specified in the COLR.

APPLICABILITY The LHGR limits are derived from fuel design analysis that is limiting at high power level conditions. At core thermal power levels < 24% RTP, the reactor is operating with a substantial margin to the LHGR limits and, therefore, the specification is only required when the reactor is operating at 24% RTP. ACTIONS A.1 If any LHGR exceeds its required limit, an assumption regarding an initial condition of the fuel design analysis is not met. Therefore, prompt action should be taken to restore the LHGR(s) to within its required limits such that the plant is operating within analyzed conditions and within the design limits of the fuel rods. The 2 hour Completion Time is normally sufficient to restore the LHGR(s) to within its limits and is acceptable based on the low probability of a transient or LOCA occurring simultaneously with the LHGR out of specification. B.1 If the LHGR cannot be restored to within its required limits within the associated Completion Time, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, THERMAL POWER is reduced to < 24% RTP within 4 hours. The allowed Completion Time is reasonable, based on operating experience, to reduce THERMAL POWER to < 24% RTP in an orderly manner and without challenging plant systems. LHGR B 3.2.3 HATCH UNIT 2 B 3.2-12 REVISION 79 BASES (continued) SURVEILLANCE SR 3.2.3.1 REQUIREMENTS The LHGR is required to be initially calculated within 12 hours after THERMAL POWER is 24% RTP and periodically thereafter. It is compared to the specified limits in the COLR to ensure that the reactor is operating within the assumptions of the safety analysis. The 12 hour allowance after THERMAL POWER 24% RTP is achieved is acceptable given the large inherent margin to operating limits at lower power levels. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel."

2. FSAR, Chapter 15 (Unit 2).

3. NUREG-0800, Section II.A.2(g), Revision 2, July 1981.

4. NEDC-32749P, "Extended Power Uprate Safety Analysis Report for Edwin I. Hatch Units 1 and 2," July 1997.

5. NEDC-30474-P, "Average Power Range Monitor, Rod Block Monitor and Technical Specification Improvements (ARTS)

Program for E. I. Hatch Nuclear Plant, Units 1 and 2," December 1983. 6. NRC approval of "Amendment 26 to GE Licensing Topical Report NEDE-24011-P-A, "GESTAR II"-Implementing Improved GE Steady-State Methods (TAC No. MA6481)," November 10, 1999.

7. NEDO-24154-A, "Qualification of the One-Dimensional Core Transient Model (ODYN) for Boiling Water Reactors," August 1986, and NEDE-24154-P-A, Supplement 1, Volume 4, Revision 1, February 2000. 8. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 9. Letter from Global Nuclear Fuel, M. E. Harding to E. B. Gibson, January 22, 2004, "Plant Hatch Technical Specification Modification to include LHGR."

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-1 REVISION 0 B 3.3 INSTRUMENTATION B 3.3.1.1 Reactor Protection System (RPS) Instrumentation

BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limits, to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually. The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS are defined in this Specification as the Allowable Values, which, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits, including Safety Limits (SLs) during Design Basis Accidents (DBAs). The RPS, as shown in the FSAR, Section 7.2 (Ref. 1), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters. The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level; reactor vessel pressure; neutron flux; main steam line isolation valve position; turbine control valve (TCV) fast closure, trip oil pressure; turbine stop valve (TSV) position; drywell pressure; and scram discharge volume (SDV) water level; as well as reactor mode switch in shutdown position and manual scram signals. There are at least four redundant sensor input signals from each of these parameters (with the exception of the reactor mode switch in shutdown scram signal). Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an RPS trip signal to the trip logic. The RPS is comprised of two independent trip systems (A and B) with two logic channels in each trip system (logic channels A1 and A2, B1 and B2) as shown in Reference 1. The outputs of the logic channels in a trip system are combined in a one-out-of-two logic so that either channel can trip the associated trip system. The tripping of both trip systems will produce a reactor scram. This logic arrangement is RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-2 REVISION 0 BASES BACKGROUND referred to as a one-out-of-two taken twice logic. Each trip system (continued) can be reset by use of a reset switch. If a full scram occurs (both trip systems trip), a relay prevents reset of the trip systems for 10 seconds after the full scram signal is received. This 10 second delay on reset ensures that the scram function will be completed. Two scram pilot valves are located in the hydraulic control unit for each control rod drive (CRD). Each scram pilot valve is solenoid operated, with the solenoids normally energized. The scram pilot valves control the air supply to the scram inlet and outlet valves for the associated CRD. When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both scram pilot valve solenoids must be de-energized to cause a control rod to scram. The scram valves control the supply and discharge paths for the CRD water during a scram. One of the scram pilot valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B. Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram. The backup scram valves, which energize on a full scram signal to depressurize the scram air header, are also controlled by the RPS. Additionally, the RPS System controls the SDV vent and drain valves such that when both trip systems trip, the SDV vent and drain valves close to isolate the SDV. APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY ANALYSES, References 2, 3, and 4. The RPS initiates a reactor scram when LCO, and monitored parameter values exceed the Allowable Values, specified APPLICABILITY by the setpoint methodology and listed in Table 3.3.1.1-1 to preserve the integrity of the fuel cladding, the reactor coolant pressure boundary (RCPB), and the containment by minimizing the energy that must be absorbed following a LOCA. RPS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 11). Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1. Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints within RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-3 REVISION 42 BASES APPLICABLE the specified Allowable Value, where appropriate. The setpoint is SAFETY ANALYSES, calibrated consistent with applicable setpoint methodology LCO, and assumptions (nominal trip setpoint). Each channel must also respond APPLICABILITY within its assumed response time, where appropriate. (continued) Allowable Values are specified for each RPS Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the actual setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50 49) are accounted for. The OPERABILITY of scram pilot valves and associated solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO. The individual Functions are required to be OPERABLE in the MODES or other specified conditions specified in the Table, which may require an RPS trip to mitigate the consequences of a design basis accident or transient. To ensure a reliable scram function, a combination of Functions are required in each MODE to provide primary and diverse initiation signals. The only MODES specified in Table 3.3.1.1-1 are MODES 1 (which encompasses 27.6% RTP) and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. No RPS Function is required in MODES 3 and 4 since all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-4 REVISION 37 BASES APPLICABLE (LCO 3.3.2.1) does not allow any control rod to be withdrawn. In SAFETY ANALYSES MODE 5, control rods withdrawn from a core cell containing no fuel LCO, and assemblies do not affect the reactivity of the core and, therefore, are APPLICABILITY not required to have the capability to scram. Provided all other control (continued) rods remain inserted, no RPS Function is required. In this condition, the required SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur. The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

Intermediate Range Monitor (IRM) 1.a. Intermediate Range Monitor Neutron Flux - High The IRMs monitor neutron flux levels from the upper range of the source range monitor (SRM) to the lower range of the average power range monitors (APRMs). The IRMs are capable of generating trip signals that can be used to prevent fuel damage resulting from abnormal operating transients in the intermediate power range. In this power range, the most significant source of reactivity change is due to control rod withdrawal. The IRM mitigates control rod withdrawal error events and is diverse from the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during startup that could result in an unacceptable neutron flux excursion (Ref. 5). The IRM provides mitigation of the neutron flux excursion. To demonstrate the capability of the IRM System to mitigate control rod withdrawal events, generic analyses have been performed (Ref. 6) to evaluate the consequences of control rod withdrawal events during startup that are mitigated only by the IRM. This analysis, which assumes that one IRM channel in each trip system is bypassed, demonstrates that the IRMs provide protection against local control rod withdrawal errors and results in peak fuel energy depositions below the 170 cal/gm fuel failure threshold criterion. Reference 21 provides a more recent analysis which shows that even with reduced IRM OPERABILITY requirements, the 170 cal/gm criterion is still satisfied. The IRMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed. The IRM System is divided into two groups of IRM channels, with four IRM channels inputting to each trip system. The analysis of RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-5 REVISION 41 BASES APPLICABLE 1.a. Intermediate Range Monitor Neutron Flux - High (continued) SAFETY ANALYSES, LCO, and Reference 6 assumes that one channel in each trip system is APPLICABILITY bypassed. However, as previously described, Reference 21 provides more recent analysis which shows that, even with two IRMs operable per trip system, adequate protection is provided for reactivity events in the intermediate range. This trip is active in each of the 10 ranges of the IRM, which must be selected by the operator to maintain the neutron flux within the monitored level of an IRM range. The analysis of Reference 6 has adequate conservatism to permit an IRM Allowable Value of 120 divisions of a 125 division scale. The Intermediate Range Monitor Neutron Flux - High Function must be OPERABLE during MODE 2 when control rods may be withdrawn and the potential for criticality exists. In MODE 5, when a cell with fuel has its control rod withdrawn, the IRMs provide monitoring for and protection against unexpected reactivity excursions. In MODE 1, the APRM System and the RWM provide protection against control rod withdrawal error events and the IRMs are not required.

1.b. Intermediate Range Monitor - Inop This trip signal provides assurance that a minimum number of IRMs are OPERABLE. Any time an IRM mode switch is moved to any position other than "Operate," the detector voltage drops below a preset level, or when a module is not plugged in, an inoperative trip signal will be received by the RPS unless the IRM is bypassed. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. Four channels of Intermediate Range Monitor - Inop with two channels in each trip system are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function. This Function is required to be OPERABLE when the Intermediate Range Monitor Neutron Flux - High Function is required. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-6 REVISION 21 BASES APPLICABLE 2. Average Power Range Monitor (APRM) SAFETY ANALYSES, LCO, and The APRM channels provide the primary indication of neutron flux APPLICABILITY within the core and respond almost instantaneously to neutron flux (continued) increases. The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than RTP. Each APRM also includes an Oscillation Power Range Monitor (OPRM) Upscale Function which monitors small groups of LPRM signals to detect thermal-hydraulic instabilities. The APRM System is divided into 4 APRM channels and 4 two-out-of-four voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each, with each group of two providing inputs to one RPS trip system. The APRM System is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result in a "half-trip" in all four voter channels, but no trip inputs to either RPS trip system. APRM trip Functions 2.a, 2.b, 2.c, and 2.d are voted independently of OPRM Upscale Function 2.f. Therefore, any Function 2.a, 2.b, 2.c, or 2.d trip from any two unbypassed APRM channels will result in a full-trip in each of the four voter channels, which in turn results in two trip inputs into each RPS trip logic channel (A1, A2, B1, and B2). Similarly, a Function 2.f trip from any two unbypassed APRM channels will result in a full-trip from each of the four voter channels. Three of the four APRM channels and all four of the voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal. In addition, to provide adequate coverage of the entire core, consistent with the design bases for APRM Functions 2.a, 2.b, and 2.c, at least 17 LPRM inputs, with at least three LPRM inputs from each of the four axial levels at which the LPRMs are located, are required for each APRM channel. For APRM Function 2.F, OPRM Upscale, LPRMs are assigned to "cells" of three detectors with a minimum of one detector per cell. The minimum number of LPRM inputs for APRM Functions 2a, 2b, and 2c must be met for OPRM Upscale Function 2.f to be OPERABLE. 2.a. Average Power Range Monitor Neutron Flux - High (Setdown) For operation at low power (i.e., MODE 2), the Average Power Range Monitor Neutron Flux - High (Setdown) Function is capable of generating a trip signal that prevents fuel damage resulting from RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-7 REVISION 42 BASES APPLICABLE 2.a. Average Power Range Monitor Neutron Flux - High (Setdown) SAFETY ANALYSES, (continued) LCO, and APPLICABILITY abnormal operating transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux - High (Setdown) Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux - High Function because of the relative setpoints. With the IRMs at Range 9 or 10, it is possible that the Average Power Range Monitor Neutron Flux - High (Setdown) Function will provide the primary trip signal for a corewide increase in power. No specific safety analyses take direct credit for the Average Power Range Monitor Neutron Flux - High (Setdown) Function. However, this Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 24% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow. Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER < 24% RTP. The Allowable Value is based on preventing significant increases in power when THERMAL POWER is < 24% RTP. The Average Power Range Monitor Neutron Flux - High (Setdown) Function must be OPERABLE during MODE 2 when control rods may be withdrawn since the potential for criticality exists. In MODE 1, the Average Power Range Monitor Neutron Flux - High Function provides protection against reactivity transients and the RWM and rod block monitor protect against control rod withdrawal error events.

2.b. Average Power Range Monitor Simulated Thermal Power - High The Average Power Range Monitor Simulated Thermal Power - High Function monitors neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant. The APRM neutron flux is electronically filtered with a time constant representative of the fuel heat transfer dynamics to generate a signal proportional to the THERMAL POWER in the reactor. The trip level is varied as a function of recirculation drive flow (i.e., at lower core flows, the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod pattern) but is clamped at an upper limit that is always lower than the Average Power Range Monitor Neutron Flux - High Function Allowable Value. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-8 REVISION 21 BASES APPLICABLE 2.b. Average Power Range Monitor Simulated Thermal Power - High SAFETY ANALYSES, (continued) LCO, and APPLICABILITY The Average Power Range Monitor Simulated Thermal Power - High Function provides protection against transients where THERMAL POWER increases slowly (such as the loss of feedwater heating event) and protects the fuel cladding integrity by ensuring that the MINIMUM CRITICAL POWER RATIO (MCPR) Safety Limit (SL) is not exceeded. During these events, the THERMAL POWER increase does not significantly lag the neutron flux response and, because of a lower trip setpoint, will initiate a scram before the high neutron flux scram. For rapid neutron flux increase events, the THERMAL POWER lags the neutron flux and the Average Power Range Monitor Neutron Flux - High Function will provide a scram signal before the Average Power Range Monitor Simulated Thermal Power - High Function setpoint and associated time delay are exceeded. Each APRM channel uses one total drive flow signal representative of total core flow. The total drive flow signal is generated by the flow processing logic, which is part of the APRM channel. The flow is calculated by summing two flow transmitter signals, one from each of the two recirculation loop flows. The flow processing logic OPERABILITY is part of the APRM channel OPERABILITY requirements for this Function. The clamped Allowable Value is based on analyses that take credit for the Average Power Range Monitor Simulated Thermal Power - High Function for the mitigation of the loss of feedwater heating event. The time constant is based on the fuel heat transfer dynamics and provides a signal proportional to the THERMAL POWER. The Average Power Range Monitor Simulated Thermal Power - High Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding integrity. 2.c. Average Power Range Monitor Neutron Flux - High The Average Power Range Monitor Neutron Flux - High Function is capable of generating a trip signal to prevent fuel damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Neutron RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-9 REVISION 21 BASES APPLICABLE 2.c. Average Power Range Monitor Neutron Flux - High (continued) SAFETY ANALYSES, LCO, and Flux - High Function is assumed to terminate the main steam isolation APPLICABILITY valve (MSIV) closure event and, along with the safety/relief valves (S/RVs), limits the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 7) takes credit for the Average Power Range Monitor Neutron Flux - High Function to terminate the CRDA. The Allowable Value is based on the Analytical Limit assumed in the CRDA analyses. The Average Power Range Monitor Neutron Flux - High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded. Although the Average Power Range Monitor Neutron Flux - High Function is assumed in the CRDA analysis, which is applicable in MODE 2, the Average Power Range Monitor Neutron Flux - High (Setdown) Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection. Therefore, the Average Power Range Monitor Neutron Flux - High Function is not required in MODE 2. 2.d. Average Power Range Monitor - Inop This Function (Inop) provides assurance that the minimum number of APRM channels is OPERABLE. For any APRM channel, any time: 1) its mode switch is in any position other than "Operate," 2) an APRM module is unplugged, or 3) the automatic self-test system detects a critical fault with the APRM channel, an Inop trip signal is sent to all four voter channels. Inop trips from two or more unbypassed APRM channels result in a trip output from all four voter channels to their associated trip system. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. There is no Allowable Value for this Function. This Function is required to be OPERABLE in the MODES where the APRM Functions are required. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-10 REVISION 21 BASES APPLICABLE 2.e. Two-out-of-Four Voter SAFETY ANALYSES, LCO, and The Two-out-of-Four Voter Function provides the interface between APPLICABILITY the APRM Functions, including the OPRM Upscale Function, and the (continued) final RPS trip system logic. As such, it is required to be OPERABLE in the MODES where the APRM Functions are required and is necessary to support the safety analysis applicable to each of those Functions. Therefore, the Two-out-of-Four Voter Function is required to be OPERABLE in MODES 1 and 2. All four voter channels are required to be OPERABLE. Each voter channel also includes self-diagnostic functions. If any voter channel detects a critical fault in its own processing, an Inop trip is issued from that voter channel to the associated trip system. The Two-out-of-Four Voter Function votes APRM Functions 2.a, 2.b, 2.c, and 2.d independently of Function 2.f. The voter also includes separate outputs to the RPS for the two independently voted sets of Functions, each of which is redundant (four total inputs). Voter Function 2.e must be declared inoperable if any of its functionality is inoperable. However, due to the independent voting of APRM trips and the redundancy of outputs, there may be conditions where Voter Function 2.e is inoperable, but trip capability for one or more of the other APRM Functions through that voter is still maintained. This may be considered when determining the condition of other APRM Functions resulting from partial inoperability of Voter Function 2.e. There is no Allowable Value for this Function.

2.f Oscillation Power Range Monitor (OPRM) Upscale The OPRM Upscale Function provides compliance with GDC 10 and GDC 12, thereby providing protection from exceeding the fuel MCPR SL due to anticipated thermal-hydraulic power oscillations. References 14, 15, and 16 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm, the amplitude based algorithm, and the growth rate algorithm. All three are implemented in the OPRM Upscale Function, but the safety analysis takes credit only for the period based detection algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations. OPRM Upscale Function OPERABILITY for Technical Specifications purposes is based only on the period based detection algorithm. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-11 REVISION 21 BASES APPLICABLE 2.f Oscillation Power Range Monitor (OPRM) Upscale (continued) SAFETY ANALYSES, LCO, and The OPRM Upscale Function receives input signals from the LPRMs APPLICABILITY within the reactor core, which are combined into "cells" for evaluation by the OPRM algorithms. The OPRM Upscale Function is required to be OPERABLE when the plant is in MODE 1. Within the region of power-flow operation where anticipated events could lead to thermal-hydraulic instability and related neutron flux oscillations, the automatic trip is enabled when THERMAL POWER, as indicated by APRM Simulated Thermal Power, is 25% RTP and reactor core flow, as indicated by recirculation drive flow, is < 60% of rated flow. An OPRM Upscale trip is issued from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals of the LPRM detectors in a cell, with period confirmations and relative cell amplitude exceeding specified setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel trip. An OPRM Upscale trip is also issued from the channel if either the growth rate or amplitude based algorithm detects growing oscillatory changes in the neutron flux for one or more cells in that channel. Three of the four channels are required to be OPERABLE. Each channel is capable of detecting thermal-hydraulic instabilities by detecting the related neutron flux oscillations and issuing a trip signal before the MCPR SL is exceeded. There is no Allowable Value for this Function. 3. Reactor Vessel Steam Dome Pressure - High An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the fuel cladding and the RCPB. No specific safety analysis takes direct credit for this Function. However, the Reactor Vessel Steam Dome Pressure - High Function initiates a scram for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power. For the overpressurization protection analysis of Reference 4, reactor scram (the analyses conservatively assume scram on the Average Power Range Monitor Neutron Flux - High signal, not the Reactor Vessel Steam Dome Pressure - High signal), RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-12 REVISION 21 BASES APPLICABLE 3. Reactor Vessel Steam Dome Pressure - High (continued) SAFETY ANALYSES, LCO, and along with the S/RVs, limits the peak RPV pressure to less than the APPLICABILITY ASME Section III Code limits. High reactor pressure signals are initiated from four pressure transmitters that sense reactor pressure. The Reactor Vessel Steam Dome Pressure - High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event. Four channels of Reactor Vessel Steam Dome Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.

4. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat generated in the fuel from fission. The Reactor Vessel Water Level - Low, Level 3 Function is assumed in the analysis of the recirculation line break (Ref. 3). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS),

ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low, Level 3 Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Reactor Vessel Water Level - Low, Level 3 Allowable Value is selected to ensure that: (a) during normal operation the steam dryer skirt is not uncovered (this protects available recirculation pump net RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-13 REVISION 14 BASES APPLICABLE 4. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and positive suction head (NPSH) from significant carryunder) and, APPLICABILITY (b) for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water - Low Low Low, Level 1 will not be required. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor Vessel Water Level - Low Low, Level 2 and Low Low Low, Level 1 provide sufficient protection for level transients in all other MODES.

5. Main Steam Isolation Valve - Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the nuclear steam supply system and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve - Closure signal before the MSIVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient. However, for the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Neutron Flux - High Function, along with the S/RVs, limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis. Additionally, MSIV closure is assumed in the transients analyzed in Reference 2 (e.g., low steam line pressure, manual closure of MSIVs, high steam line flow). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. MSIV closure signals are initiated from position switches located on each of the eight MSIVs. Each MSIV has two position switches; one inputs to RPS trip system A while the other inputs to RPS trip system B. Thus, each RPS trip system receives an input from eight Main Steam Isolation Valve - Closure channels, each consisting of one position switch. The logic for the Main Steam Isolation Valve - Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur. In addition, certain combinations of valves closed in two lines will result in a half-scram.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-14 REVISION 14 BASES APPLICABLE 5. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and The Main Steam Isolation Valve - Closure Allowable Value is specified APPLICABILITY to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient. Sixteen channels of the Main Steam Isolation Valve - Closure Function, with eight channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.

6. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. A reactor scram is initiated to minimize the possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell. The Drywell Pressure - High Function is a secondary scram signal to Reactor Vessel Water Level - Low, Level 3 for LOCA events inside the drywell. However, no credit is taken for a scram initiated from this Function for any of the DBAs analyzed in the FSAR. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and indicative of a LOCA inside primary containment. Four channels of Drywell Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resulting in the limiting transients and accidents.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-15 REVISION 14 BASES APPLICABLE 7.a. and 7.b. Scram Discharge Volume Water Level - High SAFETY ANALYSES LCO, and The SDV receives the water displaced by the motion of the CRD APPLICABILITY pistons during a reactor scram. Should this volume fill to a point (continued) where there is insufficient volume to accept the displaced water, control rod insertion would be hindered. Therefore, a reactor scram is initiated while the remaining free volume is still sufficient to accommodate the water from a full core scram. The two types of Scram Discharge Volume Water Level - High Functions are an input to the RPS logic. No credit is taken for a scram initiated from these Functions for any of the design basis accidents or transients analyzed in the FSAR. However, they are retained to ensure the RPS remains OPERABLE. SDV water level is measured by two diverse methods. The level in each of the two SDVs is measured by two float type level switches and two thermal probes for a total of eight level signals. The outputs of these devices are arranged so that there is a signal from a level switch and a thermal probe to each RPS logic channel. The level measurement instrumentation satisfies the recommendations of Reference 8. The Allowable Value is chosen low enough to ensure that there is sufficient volume in the SDV to accommodate the water from a full scram. Four channels of each type of Scram Discharge Volume Water Level - High Function, with two channels of each type in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from these Functions on a valid signal. These Functions are required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed. 8. Turbine Stop Valve - Closure Closure of the TSVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on a TSV - Closure signal before the TSVs are completely closed in anticipation of the transients that would result from the closure of these valves. The Turbine Stop Valve - Closure Function is the primary scram signal for the turbine trip event analyzed in Reference 2. For this event, the RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-16 REVISION 42 BASES APPLICABLE 8. Turbine Stop Valve - Closure (continued) SAFETY ANALYSES, LCO, and reactor scram reduces the amount of energy required to be absorbed APPLICABILITY and, along with the actions of the End of Cycle Recirculation Pump Trip (EOC-RPT) System, ensures that the MCPR SL is not exceeded. Turbine Stop Valve - Closure signals are initiated from position switches located on each of the four TSVs. Two independent position switches are associated with each stop valve. One of the two switches provides input to RPS trip system A; the other, to RPS trip system B. Thus, each RPS trip system receives an input from four Turbine Stop Valve - Closure channels, each consisting of one position switch. The logic for the Turbine Stop Valve - Closure Function is such that three or more TSVs must be closed to produce a scram. In addition, certain combinations of two valves closed will result in a half-scram. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. The Turbine Stop Valve - Closure Allowable Value is selected to be high enough to detect imminent TSV closure, thereby reducing the severity of the subsequent pressure transient. Eight channels of Turbine Stop Valve - Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function if the TSVs should close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is 27.6% RTP. This Function is not required when THERMAL POWER is < 27.6% RTP since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins.

9. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Fast closure of the TCVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, a reactor scram is initiated on TCV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Function is the primary scram signal for the generator load rejection event analyzed in Reference 2. For this event, the reactor scram reduces the amount of energy required to be RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-17 REVISION 42 BASES APPLICABLE 9. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low SAFETY ANALYSES, (continued)

LCO, and APPLICABILITY absorbed and, along with the actions of the EOC-RPT System, ensures that the MCPR SL is not exceeded. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low signals are initiated by the electrohydraulic control (EHC) fluid pressure at each control valve. One pressure switch is associated with each control valve, and the signal from each switch is assigned to a separate RPS logic channel. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. The Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TCV fast closure. Four channels of Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Function with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is 27.6% RTP. This Function is not required when THERMAL POWER is < 27.6% RTP, since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins.

10. Reactor Mode Switch - Shutdown Position The Reactor Mode Switch - Shutdown Position Function provides signals, via the manual scram logic channels, to each of the four RPS logic channels, which are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability.

This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis. The reactor mode switch is a single switch with four channels, each of which provides input into one of the RPS logic channels. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-18 REVISION 14 BASES APPLICABLE 10. Reactor Mode Switch - Shutdown Position (continued) SAFETY ANALYSES, LCO and There is no Allowable Value for this Function, since the channels are APPLICABILITY mechanically actuated based solely on reactor mode switch position. Four channels of Reactor Mode Switch - Shutdown Position Function, with two channels in each trip system, are available and required to be OPERABLE. The Reactor Mode Switch - Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

11. Manual Scram The Manual Scram push button channels provide signals, via the manual scram logic channels, to each of the four RPS logic channels, which are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

There is one Manual Scram push button channel for each of the four RPS logic channels. In order to cause a scram it is necessary that at least one channel in each trip system be actuated. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons. Four channels of Manual Scram with two channels in each trip system arranged in a one-out-of-two logic are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition,

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-19 REVISION 21 BASES ACTIONS discovered to be inoperable or not within limits, will not result in (continued) separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel.

A.1 and A.2 Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours has been shown to be acceptable (Refs. 9, 13, and

17) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions B.1, B.2, and C.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternatively, if it is not desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram), Condition D must be entered and its Required Action taken. As noted, Required Action A.2 is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, and 2.f. Inoperability of one required APRM channel affects both trip systems; thus, Required Action A.1 must be satisfied. This is the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. Inoperability of more than one required APRM channel of the same trip function results in loss of trip capability and entry into Condition C, as well as entry into Condition A for each channel. B.1 and B.2 Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-20 REVISION 21 BASES ACTIONS B.1 and B.2 (continued) provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip system. Required Actions B.1 and B.2 limit the time the RPS scram logic, for any Function, would not accommodate single failure in both trip systems (e.g., one-out-of-one and one-out-of-one arrangement for a typical four channel Function). The reduced reliability of this logic arrangement was not evaluated in References 9, 13, and 17 for the 12 hour Completion Time. Within the 6 hour allowance, the associated Function will have all required channels OPERABLE or in trip (or any combination) in one trip system. Completing one of these Required Actions restores RPS to a reliability level equivalent to that evaluated in References 9, 13, and 17 which justified a 12 hour allowable out of service time as presented in Condition A. The trip system in the more degraded state should be placed in trip or, alternatively, all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in a more degraded state than a trip system with four inoperable channels if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions). The decision of which trip system is in the more degraded state should be based on prudent judgment and take into account current plant conditions (i.e., what MODE the plant is in). If this action would result in a scram or RPT, it is permissible to place the other trip system or its inoperable channels in trip. The 6 hour Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram. Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram or RPT), Condition D must be entered and its Required Action taken. As noted, Condition B is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, and 2.f. Inoperability of an APRM channel affects both trip systems and is not associated with a specific trip system, as are the APRM two-out-of-four voter and other non-APRM channels for which Condition B applies. For an inoperable APRM channel, Required RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-21 REVISION 21 BASES ACTIONS B.1 and B.2 (continued) Action A.1 must be satisfied, and is the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. Inoperability of a Function in more than one required APRM channel results in loss of trip capability for that Function and entry into Condition C, as well as entry into Condition A for each channel. Because Conditions A and C provide Required Actions that are appropriate for the inoperability of APRM Functions 2.a, 2.b, 2.c, 2.d, and 2.f, and these Functions are not associated with specific trip systems as are the APRM two-out-of-four voter and other non-APRM channels, Condition B does not apply. C.1 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip system for the same Function result in the Function not maintaining RPS trip capability. A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

D.1 Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-22 REVISION 21 BASES ACTIONS E.1, F.1, G.1, and J.1 (continued) If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Actions E.1 and J.1 are consistent with the Completion Time provided in LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)." H.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. I.1 If OPRM Upscale trip capability is not maintained, Condition I exists. Reference 13 justifies use of an alternate method to detect and suppress oscillations for a limited period of time. The alternate method is procedurally established consistent with the guidelines identified in Reference 18 requiring manual operator action to scram the plant if certain predefined events occur. The 12 hour Completion Time is based on engineering judgment to allow orderly transition to the alternate method while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring, the 12 hour Completion Time is judged to be reasonable.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-23 REVISION 79 BASES ACTIONS I.2 (continued) The alternate method to detect and suppress oscillations implemented in accordance with Required Action I.1 was evaluated based on use up to 120 days (Ref. 13). The evaluation, based on engineering judgment, concluded that the likelihood of an instability event that could not be adequately handled by the alternate method during this 120 day period is negligibly small. The 120 day period is intended to be an outside limit to allow for the case where design changes or extensive analysis may be required to understand or correct some unanticipated characteristic of the instability detection algorithms or equipment. This action is not intended to be, and was not evaluated as, a routine alternative to returning failed or inoperable equipment to OPERABLE status. Correction of routine equipment failure or inoperability is expected to normally be accomplished within the Completion Times allowed for Required Actions for Conditions A and B. SURVILLANCE As noted at the beginning of the SRs, the SRs for each RPS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 9) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RPS will trip when necessary. SR 3.3.1.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-24 REVISION 79 BASES SURVILLANCE SR 3.3.1.1.1 (continued) REQUIREMENTS between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.1.1.2 To ensure that the APRMs are accurately indicating the true core average power, the APRMs are calibrated to the reactor power calculated from a heat balance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A restriction to satisfying this SR when < 24% RTP is provided that requires the SR to be met only at 24% RTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent with a heat balance when < 24% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large, inherent margin to thermal limits (MCPR and APLHGR). At 24% RTP, the Surveillance is required to have been satisfactorily performed in accordance with SR 3.0.2. A Note is provided which allows an increase in THERMAL POWER above 24% if the Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours after reaching or exceeding 24% RTP. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-25 REVISION 79 BASES SURVEILLANCE SR 3.3.1.1.3 REQUIREMENTS (continued) (Not used.) SR 3.3.1.1.4 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. As noted, SR 3.3.1.1.4 is not required to be performed when entering MODE 2 from MODE 1, since testing of the MODE 2 required IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This allows entry into MODE 2 if the 7 day Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours after entering MODE 2 from MODE 1. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.5 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.6 and SR 3.3.1.1.7 These Surveillances are established to ensure that no gaps in neutron flux indication exist from subcritical to power operation for monitoring core reactivity status. The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be increased into a neutron flux region without adequate indication. This is required prior to RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-26 REVISION 79 BASES SURVEILLANCE SR 3.3.1.1.6 and SR 3.3.1.1.7 (continued) REQUIREMENTS withdrawing SRMs from the fully inserted position since indication is being transitioned from the SRMs to the IRMs. The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (by initiating a rod block) if adequate overlap is not maintained. Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. Overlap between the SRMs and IRMs similarly exists when, prior to withdrawing an SRM from its fully inserted position, its associated IRMs have cleared their downscale rod block Allowable Values, prior to the SRM having reached its upscale rod block Allowable Value. Plant procedures should be consulted to determine the associated detectors. As noted, SR 3.3.1.1.7 is only required to be met during entry into MODE 2 from MODE 1. That is, after the overlap requirement has been met and indication has transitioned to the IRMs, maintaining overlap is not required (APRMs may be reading downscale once in MODE 2). If overlap for a group of channels is not demonstrated (e.g., IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel(s) declared inoperable. Only those appropriate channels that are required in the current MODE or condition should be declared inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.8 LPRM gain settings are determined from the local flux profiles measured by the Traversing Incore Probe (TIP) System. This establishes the relative local flux profile for appropriate representative input to the APRM System. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-27 REVISION 79 BASES SURVEILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.12 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.10 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. For the APRM Functions, this test supplements the automatic self-test functions that operate continuously in the APRM and voter channels. The APRM CHANNEL FUNCTIONAL TEST covers the APRM channels (including recirculation flow processing applicable to Function 2.b only), the two-out-of-four voter channels, and the interface connections to the RPS trip systems from the voter channels. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. For Function 2.a, a Note that requires this SR to be performed within 12 hours of entering MODE 2 from MODE 1 is provided. Testing of the MODE 2 APRM Function cannot be performed in MODE 1 without utilizing jumpers or lifted leads. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2.

SR 3.3.1.1.11 This SR ensures that scrams initiated from the Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-28 REVISION 79 BASES SURVEILLANCE SR 3.3.1.1.11 (continued) REQUIREMENTS POWER is 27.6% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from turbine first stage pressure), the main turbine bypass valves must remain closed during the calibration at THERMAL POWER 27.6% RTP to ensure that the calibration is valid. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at 27.6% RTP, either due to open main turbine bypass valve(s) or other reasons), then the affected Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition (Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are enabled), this SR is met and the channel is considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.13 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. For MSIV - Closure, SDV Water Level - High (Float Switch), and TSV - Closure Functions, this SR also includes a physical inspection and actuation of the switches. For the APRM Simulated Thermal Power - High Function, this SR also includes calibrating the associated recirculation loop flow channel. Note 1 states that neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Changes in neutron detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.1.2) and the LPRM calibration against the TIPs (SR 3.3.1.1.8). A second Note is provided that requires the IRM SRs RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-29 REVISION 79 BASES SURVEILLANCE SR 3.3.1.1.13 (continued) REQUIREMENTS to be performed within 12 hours of entering MODE 2 from MODE 1. Testing of the MODE 2 IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.1.14 (Not used.) SR 3.3.1.1.15 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8), overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The LOGIC SYSTEM FUNCTIONAL TEST for APRM Function 2.e simulates APRM and OPRM trip conditions at the two-out-of-four voter channel inputs to check all combinations of two tripped inputs to the two-out-of-four logic in the voter channels and APRM related redundant RPS relays.

SR 3.3.1.1.16 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-30 REVISION 79 BASES SURVEILLANCE SR 3.3.1.1.16 (continued) REQUIREMENTS analysis. This test may be performed in one measurement or in overlapping segments, with verification that all components are tested. The RPS RESPONSE TIME acceptance criteria are included in Reference 10. RPS RESPONSE TIME for APRM two-out-of-four Voter Function 2.e includes the output relays of the voter and the associated RPS relays and contactors. (The digital portions of the APRM and two-out-of-four voter channels are excluded from RPS RESPONSE TIME testing because self-testing and calibration check the time base of the digital electronics.) Confirmation of the time base is adequate to assure required response times are met. Neutron detectors are excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time. The Note allows neutron detectors to be excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Note: SR 3.3.1.1.16 for Function 2.e confirms the response time of that function, and also confirms the response time of loop components common to APRM - Two Out of Four Voter logic and other RPS loops. SR 3.3.1.1.17 This SR ensures that scrams initiated from OPRM Upscale Function 2.f will not be inadvertently bypassed when THERMAL POWER, as indicated by APRM Simulated Thermal Power, is 25% RTP and core flow, as indicated by recirculation drive flow, is < 60% rated core flow. This normally involves confirming the bypass setpoints. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. The actual Surveillance ensures that the OPRM Upscale Function is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other Surveillances ensure that the APRM Simulated Thermal Power and recirculation flow properly correlate with THERMAL POWER and core flow, respectively. If any bypass setpoint is nonconservative (i.e., the OPRM Upscale Function is bypassed when APRM Simulated Thermal Power is 25% and recirculation drive flow is < 60% rated), then the affected channel is considered inoperable for the OPRM Upscale Function. RPS Instrumentation B 3.3.1.1 (continued) HATCH UNIT 2 B 3.3-31 REVISION 79 BASES SURVEILLANCE SR 3.3.1.1.17 (continued) REQUIREMENTS Alternatively, the bypass setpoint may be adjusted to place the channel in a conservative condition (unbypass). If placed in the unbypass condition, this SR is met and the channel is considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.2.

2. FSAR, Chapter 15. 3. FSAR, Subsection 6.3.3.

4. FSAR, Supplement 5A.

5. FSAR, Subsection 15.1.12.

6. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978.

7. FSAR, Subsection 15.1.38.

8. P. Check (NRC) letter to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.

9. NEDO-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System," March 1988.

10. Technical Requirements Manual, Table T5.0-1.

11. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

12. NEDO-32291, "System Analyses for Elimination of Selected Response Time Testing Requirements," January 1994.

13. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," October 1995.

RPS Instrumentation B 3.3.1.1 HATCH UNIT 2 B 3.3-32 REVISION 79 BASES REFERENCES 14. NEDO-31960-A, "BWR Owners' Group Long-Term Stability (continued) Solutions Licensing Methodology," November 1995.

15. NEDO-31960-A, Supplement 1, "BWR Owners' Group Long-Term Stability Solutions Licensing Methodology,"

November 1995.

16. NEDO-32465-A, "BWR Owners' Group Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications," March 1996. 17. NEDO-32410P-A, Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," November 1997. 18. Letter, L.A. England (BWROG) to M.J. Virgilio, "BWR Owners' Group Guidelines for Stability Interim Corrective Action," June 6, 1994. 19. NEDO-32291-A, Supplement 1, "System Analyses for the Elimination of Selected Response Time Testing Requirements," October 1999.

20. Not used.

21. GE Letter NSA 02-250, "Plant Hatch IRM Technical Specifications," April 19, 2002. 22. Not used.

SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-33 REVISION 14 B 3.3 INSTRUMENTATION B 3.3.1.2 Source Range Monitor (SRM) Instrumentation

BASES BACKGROUND The SRMs provide the operator with information relative to the neutron flux level at very low flux levels in the core. As such, the SRM indication is used by the operator to monitor the approach to criticality and determine when criticality is achieved. The SRMs are maintained fully inserted until the count rate is greater than a minimum allowed count rate (a control rod block is set at this condition). After SRM to intermediate range monitor (IRM) overlap is demonstrated (as required by SR 3.3.1.1.6), the SRMs are normally fully withdrawn from the core. The SRM subsystem of the Neutron Monitoring System (NMS) consists of four channels. Each of the SRM channels can be bypassed, but only one at any given time, by the operation of a bypass switch. Each channel includes one detector that can be physically positioned in the core. Each detector assembly consists of a miniature fission chamber with associated cabling, signal conditioning equipment, and electronics associated with the various SRM functions. The signal conditioning equipment converts the current pulses from the fission chamber to analog DC currents that correspond to the count rate. Each channel also includes indication, alarm, and control rod blocks. However, this LCO specifies OPERABILITY requirements only for the monitoring and indication functions of the SRMs. During refueling, shutdown, and low power operations, the primary indication of neutron flux levels is provided by the SRMs or special movable detectors connected to the normal SRM circuits. The SRMs provide monitoring of reactivity changes during fuel or control rod movement and give the control room operator early indication of subcritical multiplication that could be indicative of an approach to criticality. APPLICABLE Prevention and mitigation of prompt reactivity excursions during SAFETY ANALYSES refueling and low power operation is provided by LCO 3.9.1, "Refueling Equipment Interlocks"; LCO 3.1.1, "SHUTDOWN MARGIN (SDM)"; LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"; IRM Neutron Flux - High and Average Power Range Monitor (APRM) Neutron Flux - High(Setdown) Functions; and LCO 3.3.2.1, "Control Rod Block Instrumentation." SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-34 REVISION 0 BASES APPLICABLE The SRMs have no safety function and are not assumed to function SAFETY ANALYSES during any FSAR design basis accident or transient analysis. (continued) However, the SRMs provide the only on scale monitoring of neutron flux levels during startup and refueling. Therefore, they are being retained in Technical Specifications. LCO During startup in MODE 2, three of the four SRM channels are required to be OPERABLE to monitor the reactor flux level prior to and during control rod withdrawal, subcritical multiplication and reactor criticality, and neutron flux level and reactor period until the flux level is sufficient to maintain the IRMs on Range 3 or above. All but one of the channels are required in order to provide a representation of the overall core response during those periods when reactivity changes are occurring throughout the core. In MODES 3 and 4, with the reactor shut down, two SRM channels provide redundant monitoring of flux levels in the core. In MODE 5, during a spiral offload or reload, an SRM outside the fueled region will no longer be required to be OPERABLE, since it is not capable of monitoring neutron flux in the fueled region of the core. Thus, CORE ALTERATIONS are allowed in a quadrant with no OPERABLE SRM in an adjacent quadrant provided the Table 3.3.1.2-1, footnote (b), requirement that the bundles being spiral reloaded or spiral offloaded are all in a single fueled region containing at least one OPERABLE SRM is met. Spiral reloading and offloading encompass reloading or offloading a cell on the edge of a continuous fueled region (the cell can be reloaded or offloaded in any sequence). In nonspiral routine operations, two SRMs are required to be OPERABLE to provide redundant monitoring of reactivity changes occurring in the reactor core. Because of the local nature of reactivity changes during refueling, adequate coverage is provided by requiring one SRM to be OPERABLE in the quadrant of the reactor core where CORE ALTERATIONS are being performed, and the other SRM to be OPERABLE in an adjacent quadrant containing fuel. These requirements ensure that the reactivity of the core will be continuously monitored during CORE ALTERATIONS. Special movable detectors, according to footnote (c) of Table 3.3.1.2-1, may be used in place of the normal SRM nuclear detectors. These special detectors must be connected to the normal SRM circuits in the NMS, such that the applicable neutron flux

SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-35 REVISION 0 BASES LCO indication can be generated. These special detectors provide more (continued) flexibility in monitoring reactivity changes during fuel loading, since they can be positioned anywhere within the core during refueling. They must still meet the location requirements of SR 3.3.1.2.2 and all other required SRs for SRMs. For an SRM channel to be considered OPERABLE, it must be providing neutron flux monitoring indication.

APPLICABILITY The SRMs are required to be OPERABLE in MODES 2, 3, 4, and 5 prior to the IRMs being on scale on Range 3 to provide for neutron monitoring. In MODE 1, the APRMs provide adequate monitoring of reactivity changes in the core; therefore, the SRMs are not required. In MODE 2, with IRMs on Range 3 or above, the IRMs provide adequate monitoring and the SRMs are not required. ACTIONS A.1 and B.1 In MODE 2, with the IRMs on Range 2 or below, SRMs provide the means of monitoring core reactivity and criticality. With any number of the required SRMs inoperable, the ability to monitor neutron flux is degraded. Therefore, a limited time is allowed to restore the inoperable channels to OPERABLE status. Provided at least one SRM remains OPERABLE, Required Action A.1 allows 4 hours to restore the required SRMs to OPERABLE status. This time is reasonable because there is adequate capability remaining to monitor the core, there is limited risk of an event during this time, and there is sufficient time to take corrective actions to restore the required SRMs to OPERABLE status or to establish alternate IRM monitoring capability. During this time, control rod withdrawal and power increase is not precluded by this Required Action. Having the ability to monitor the core with at least one SRM, proceeding to IRM Range 3 or greater (with overlap required by SR 3.3.1.1.6), and thereby exiting the Applicability of this LCO, is acceptable for ensuring adequate core monitoring and allowing continued operation. With three required SRMs inoperable, Required Action B.1 allows no positive changes in reactivity (control rod withdrawal must be immediately suspended) due to inability to monitor the changes. Required Action A.1 still applies and allows 4 hours to restore SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-36 REVISION 0 BASES ACTIONS A.1 and B.1 (continued) monitoring capability prior to requiring control rod insertion. This allowance is based on the limited risk of an event during this time, provided that no control rod withdrawals are allowed, and the desire to concentrate efforts on repair, rather than to immediately shut down, with no SRMs OPERABLE. C.1 In MODE 2, if the required number of SRMs is not restored to OPERABLE status within the allowed Completion Time, the reactor shall be placed in MODE 3. With all control rods fully inserted, the core is in its least reactive state with the most margin to criticality. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. D.1 and D.2 With one or more required SRMs inoperable in MODE 3 or 4, the neutron flux monitoring capability is degraded or nonexistent. The requirement to fully insert all insertable control rods ensures that the reactor will be at its minimum reactivity level while no neutron monitoring capability is available. Placing the reactor mode switch in the shutdown position prevents subsequent control rod withdrawal by maintaining a control rod block. The allowed Completion Time of 1 hour is sufficient to accomplish the Required Action, and takes into account the low probability of an event requiring the SRM occurring during this interval. E.1 and E.2 With one or more required SRMs inoperable in MODE 5, the ability to detect local reactivity changes in the core during refueling is degraded. CORE ALTERATIONS must be immediately suspended and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Suspending CORE ALTERATIONS prevents the two most probable causes of reactivity changes, fuel loading and control rod withdrawal, from occurring. Inserting all insertable control rods ensures that the reactor will be at its minimum reactivity given that fuel is present in the

SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-37 REVISION 0 BASES ACTIONS E.1 and E.2 (continued) core. Suspension of CORE ALTERATIONS shall not preclude completion of the movement of a component to a safe, conservative position. Action (once required to be initiated) to insert control rods must continue until all insertable rods in core cells containing one or more fuel assemblies are inserted. SURVEILLANCE As Noted at the beginning of the SRs, the SRs for each SRM REQUIREMENTS Applicable MODE or other specified conditions are found in the SRs column of Table 3.3.1.2-1. The Surveillances are modified by a second Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required channel (or channels when 3 channels are required) is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The Note is based upon a NRC Safety Evaluation Report (Ref.1) which concluded that the 6 hour testing allowance does not significantly reduce the probability of detecting power changes, when necessary.

SR 3.3.1.2.1 and SR 3.3.1.2.3 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-38 REVISION 79 BASES SURVEILLANCE SR 3.3.1.2.1 and SR 3.3.1.2.3 (continued) REQUIREMENTS indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.1.2.2 To provide adequate coverage of potential reactivity changes in the core when the fueled region encompasses more than one SRM, one SRM is required to be OPERABLE in the quadrant where CORE ALTERATIONS are being performed, and the other OPERABLE SRM must be in an adjacent quadrant containing fuel. Note 1 states that the SR is required to be met only during CORE ALTERATIONS. It is not required to be met at other times in MODE 5 since core reactivity changes are not occurring. This Surveillance consists of a review of plant logs to ensure that SRMs required to be OPERABLE for given CORE ALTERATIONS are, in fact, OPERABLE. In the event that only one SRM is required to be OPERABLE (when the fueled region encompasses only one SRM), per Table 3.3.1.2-1, footnote (b), only the a. portion of this SR is required. Note 2 clarifies that more than one of the three requirements can be met by the same OPERABLE SRM. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.2.4 This Surveillance consists of a verification of the SRM instrument readout to ensure that the SRM reading is greater than a specified minimum count rate, which ensures that the detectors are indicating count rates indicative of neutron flux levels within the core. This surveillance also requires the signal to noise ratio to be verified to be 2:1. A signal to noise ratio that meets this requirement ensures the detectors are inserted to an acceptable operating level. Therefore, to meet this portion of the surveillance, it is necessary only to verify the SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-39 REVISION 79 BASES SURVEILLANCE SR 3.3.1.2.4 (continued) REQUIREMENTS detectors are inserted to the same operating level as they were when SR 3.3.1.2.5 and SR 3.3.1.2.6 were performed satisfactorily. SR 3.3.1.2.5 and SR 3.3.1.2.6 require the actual ratio (and hence, an acceptable operating level) to be determined periodically while the detectors are required to be OPERABLE. With few fuel assemblies loaded, the SRMs will not have a high enough count rate to satisfy the SR. Therefore, allowances are made for loading sufficient "source" material, in the form of irradiated fuel assemblies, to establish the minimum count rate. To accomplish this, the SR is modified by a Note (Note 1) that states that the count rate is not required to be met on an SRM that has less than or equal to four fuel assemblies adjacent to the SRM and no other fuel assemblies are in the associated core quadrant. With four or fewer fuel assemblies loaded around each SRM and no other fuel assemblies in the associated core quadrant, even with a control rod withdrawn, the configuration will not be critical. In addition, Note 2 states that this requirement does not have to be met during spiral unloading. If the core is being unloaded in this manner, the various core configurations encountered will not be critical. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.1.2.5 and SR 3.3.1.2.6 Performance of a CHANNEL FUNCTIONAL TEST demonstrates the associated channel will function properly. SR 3.3.1.2.5 is required in MODE 5, and the 7 day Frequency ensures that the channels are OPERABLE while core reactivity changes could be in progress. This Frequency is reasonable, based on operating experience and on other Surveillances (such as a CHANNEL CHECK), that ensure proper functioning between CHANNEL FUNCTIONAL TESTS. SR 3.3.1.2.6 is required in MODE 2 with IRMs on Range 2 or below, and in MODES 3 and 4. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Determination of the signal to noise ratio also ensures that the detectors are inserted to an acceptable operating level. In a fully withdrawn condition, the detectors are sufficiently removed from the fueled region of the core to essentially eliminate neutrons from reaching the detector. Any count rate obtained while the detectors are fully withdrawn is assumed to be "noise" only. SRM Instrumentation B 3.3.1.2 (continued) HATCH UNIT 2 B 3.3-40 REVISION 79 BASES SURVEILLANCE SR 3.3.1.2.5 and SR 3.3.1.2.6 (continued) REQUIREMENTS The Note to the SR 3.3.1.2.6 allows the Surveillance to be delayed until entry into the specified condition of the Applicability (THERMAL POWER decreased to IRM Range 2 or below). The SR must be performed within 12 hours after IRMs are on Range 2 or below. The allowance to enter the Applicability with the Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances.

SR 3.3.1.2.7 Performance of a CHANNEL CALIBRATION verifies the performance of the SRM detectors and associated circuitry. The Frequency considers the plant conditions required to perform the test, the ease of performing the test, and the likelihood of a change in the system or component status. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The neutron detectors are excluded from the CHANNEL CALIBRATION (Note 1) because they cannot readily be adjusted. The detectors are fission chambers that are designed to have a relatively constant sensitivity over the range and with an accuracy specified for a fixed useful life. Note 2 to the Surveillance allows the Surveillance to be delayed until entry into the specified condition of the Applicability. The SR must be performed in MODE 2 within 12 hours of entering MODE 2 with IRMs on Range 2 or below. The allowance to enter the Applicability with the Frequency not met is reasonable, based on the limited time of 12 hours allowed after entering the Applicability and the inability to perform the Surveillance while at higher power levels. Although the Surveillance could be performed while on IRM Range 3, the plant would not be expected to maintain steady state operation at this power level. In this event, the 12 hour Frequency is reasonable, based on the SRMs being otherwise verified to be OPERABLE (i.e., satisfactorily performing the CHANNEL CHECK) and the time required to perform the Surveillances. SRM Instrumentation B 3.3.1.2 HATCH UNIT 2 B 3.3-41 REVISION 79 BASES REFERENCES 1. NRC Safety Evaluation Report for Amendment 125, April 30, 1993.

Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-42 REVISION 16 B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation

BASES BACKGROUND Control rods provide the primary means for control of reactivity changes. Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that the fuel cladding integrity safety limit (SL), and the specified fuel design limits are not violated during postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch - Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities. The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations. It is assumed to function to block further control rod withdrawal to preclude a violation of the MCPR SL or a specified acceptable fuel design limit (SAFDL). The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn. A signal from one of the four redundant average power range monitor (APRM) channels supplies a reference signal for one of the RBM channels, and a signal from another of the APRM channels supplies the reference signal to the second RBM channel. This reference signal is used to determine which RBM range setpoint (low, intermediate, or high) is enabled. If the APRM is indicating less than the low power range setpoint, the RBM is automatically bypassed. The RBM is also automatically bypassed if a peripheral control rod is selected (Ref. 1). A rod block signal is also generated if an RBM Downscale trip or an Inoperable trip occurs. The Downscale trip will occur if the RBM channel signal decreases below the Downscale trip setpoint after the RBM signal has Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-43 REVISION 35 BASES BACKGROUND been normalized. The Inoperable trip will occur during the nulling (continued) (normalization) sequence, if: the RBM channel fails to null, too few LPRM inputs are available, a module is not plugged in, or the function switch is moved to any position other than "Operate." The purpose of the RWM is to control rod patterns during startup and shutdown, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP. The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence. The RWM determines the actual sequence based position indication for each control rod. The RWM also uses APRM power signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 2). The RWM is a single channel system that provides input into both RMCS rod block circuits. With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods.

1. Rod Block Monitor The RBM is designed to prevent violation of the MCPR SL and the cladding 1% plastic strain fuel design limit that may result from a single control rod withdrawal error (RWE) event. The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 3. A statistical analysis of RWE events was performed to determine the RBM response for both channels for each event. From these responses, the fuel thermal performance as a function of RBM Allowable Value was determined. The Allowable Values are chosen as a function of power level. Based on the specified Allowable Values, operating limits are established.

The RBM Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10). Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-44 REVISION 66 BASES APPLICABLE 1. Rod Block Monitor (continued) SAFETY ANALYSES, LCO, and Two channels of the RBM are required to be OPERABLE, with their APPLICABILITY setpoints within the appropriate Allowable Values, to ensure that no single instrument failure can preclude a rod block from this Function. The setpoints are calibrated consistent with applicable setpoint methodology (nominal trip setpoint). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Values between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor power), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50 49) are accounted for. The RBM is assumed to mitigate the consequences of an RWE event when operating 29% RTP. Below this power level, the consequences of an RWE event will not violate the MCPR SL or the 1% plastic strain design limit; therefore, the RBM is not required to be OPERABLE (Ref. 3). 2. Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated. The analytical methods and assumptions used in evaluating the CRDA are summarized in References 4, 5, 6, 7, and 14. In addition, the Reference 6 analysis (Generic BPWS analysis) may be modified by plant specific evaluations. The standard BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group required to be within specified banked positions. Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-45 REVISION 66 BASES APPLICABLE 2. Rod Worth Minimizer (continued) SAFETY ANALYSES, LCO, and Requirements that the control rod sequence is in compliance with the APPLICABILITY BPWS are specified in LCO 3.1.6, "Rod Pattern Control." When performing a shutdown of the plant, an optional BPWS control rod sequence (Ref. 14) may be used if the coupling of each withdrawn control rod has been confirmed. The rods may be inserted without the need to stop at intermediate positions. When using the Reference 14 control rod insertion sequence for shutdown, the rod worth minimizer may be reprogrammed to enforce the requirements of the improved BPWS control rod insertion process, or it can be bypassed if it is not programmed to reflect the optional BPWS shutdown sequence, as permitted by the Applicability Note for the RWM in Table 3.3.2.1-1. The RWM Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10). Since the RWM is a system designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to be OPERABLE (Ref. 7). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed. Compliance with the BPWS, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is < 10% RTP. When THERMAL POWER is > 10% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Refs. 5 and 7). In MODES 3 and 4, all control rods are required to be inserted into the core; therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SDM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical. 3. Reactor Mode Switch - Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the core is assumed Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-46 REVISION 66 BASES APPLICABLE 3. Reactor Mode Switch - Shutdown Position (continued) SAFETY ANALYSES, LCO, and to be subcritical; therefore, no positive reactivity insertion events are APPLICABILITY analyzed. The Reactor Mode Switch - Shutdown Position control rod withdrawal block ensures that the reactor remains subcritical by blocking control rod withdrawal, thereby preserving the assumptions of the safety analysis. The Reactor Mode Switch - Shutdown Position Function satisfies Criterion 3 of the NRC Policy Statement (Ref. 10). Two channels are required to be OPERABLE to ensure that no single channel failure will preclude a rod block when required. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position. During shutdown conditions (MODE 3, 4, or 5), no positive reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock") provides the required control rod withdrawal blocks.

ACTIONS A.1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours is based on the low probability of the event occurring coincident with a failure in the remaining OPERABLE channel. B.1 If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour. If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met. Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-47 REVISION 66 BASES ACTIONS B.1 (continued) The 1 hour Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels.

C.1, C.2.1.1, C.2.1.2, and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence. However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram. Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM during withdrawal of one or more of the first 12 rods was not performed in the last calendar year (i.e., in the last 12 months). These requirements minimize the number of reactor startups initiated with RWM inoperable. Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications. Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2. Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff (e.g., a qualified shift technical advisor or reactor engineer). The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken. D.1 With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescribed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow the reactor shutdown to continue. Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-48 REVISION 66 BASES ACTIONS E.1 and E.2 (continued) With one Reactor Mode Switch - Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function. However, since the Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch - Shutdown Position Function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable. In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SDM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Control REQUIREMENTS Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1. The Surveillances are modified by a second Note to indicate that when an RBM channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 9) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary. SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the entire channel will perform the intended function. It includes the Reactor Manual Control System input. Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-49 REVISION 79 BASES SURVEILLANCE SR 3.3.2.1.1 (continued) REQUIREMENTS Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.2 and SR 3.3.2.1.3 A CHANNEL FUNCTIONAL TEST is performed for the RWM to ensure that the entire system will perform the intended function. The CHANNEL FUNCTIONAL TEST for the RWM is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs. This test is performed as soon as possible after the applicable conditions are entered. As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour after any control rod is withdrawn at < 10% RTP in MODE 2, and SR 3.3.2.1.3 is not required to be performed until 1 hour after THERMAL POWER is < 10% RTP in MODE 1. This allows entry into MODE 2 (and if entered during a shutdown, concurrent power reduction to < 10% RTP) for SR 3.3.2.1.2 and THERMAL POWER reduction to < 10% RTP in MODE 1 for SR 3.3.2.1.3 to perform the required Surveillances if the Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.4 The RBM setpoints are automatically varied as a function of power. Three Allowable Values are specified in Table 3.3.2.1-1, each within a specific power range. The power at which the control rod block Allowable Values automatically change are based on the APRM signal's input to each RBM channel. Below the minimum power setpoint, the RBM is automatically bypassed. These power Allowable Values must be verified periodically to be less than or equal to the specified values. If any power range setpoint is nonconservative, then the affected RBM channel is considered inoperable. Alternatively, the power range channel can be placed in the conservative condition (i.e., enabling the proper RBM setpoint). If placed in this condition, the SR is met and the RBM channel is not considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-50 REVISION 79 BASES SURVEILLANCE SR 3.3.2.1.4 (continued) REQUIREMENTS tested in SR 3.3.1.1.2 and SR 3.3.1.1.8. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.5 The RWM is automatically bypassed when power is above a specified value. The power level is determined from APRM power signals. The automatic bypass setpoint must be verified periodically to be 10% RTP. If the RWM low power setpoint is nonconservative, then the RWM is considered inoperable. Alternately, the low power setpoint channel can be placed in the conservative condition (nonbypass). If placed in the nonbypassed condition, the SR is met and the RWM is not considered inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.6 A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch - Shutdown Position Function to ensure that the entire channel will perform the intended function. The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch - Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs. As noted in the SR, the Surveillance is not required to be performed until 1 hour after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links. This allows entry into MODES 3 and 4 if the Frequency is not met per SR 3.0.2. The 1 hour allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.1.7 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the Control Rod Block Instrumentation B 3.3.2.1 (continued) HATCH UNIT 2 B 3.3-51 REVISION 79 BASES SURVEILLANCE SR 3.3.2.1.7 (continued) REQUIREMENTS measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. As noted, neutron detectors are excluded from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.8. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.1.8 The RWM will only enforce the proper control rod sequence if the rod sequence is properly input into the RWM computer. This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible.

REFERENCES 1. FSAR, Section 7.6.2.2.5.

2. FSAR, Section 7.6.8.2.6.

3. NEDC-30474-P, "Average Power Range Monitor, Rod Block Monitor, and Technical Specification Improvements (ARTS)

Program for Edwin I. Hatch Nuclear Plants," December 1983.

4. NEDE-24011-P-A-US, "General Electrical Standard Application for Reload Fuel," Supplement for United States, (revision specified in the COLR). 5. Letter from T.A. Pickens (BWROG) to G.C. Lainas (NRC), "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," BWROG-8644, August 15, 1986.

6. NEDO-21231, "Banked Position Withdrawal Sequence," January 1977.

Control Rod Block Instrumentation B 3.3.2.1 HATCH UNIT 2 B 3.3-52 REVISION 79 BASES REFERENCES 7. NRC SER, "Acceptance of Referencing of Licensing Topical (continued) Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 1987. 8. NEDC-30851-P-A, "Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation," October 1988.

9. GENE-770-06-1, "Bases for Changes To Surveillance Test Intervals And Allowed Out-Of-Service Times For Selected Instrumentation Technical Specifications," February 1991. 10. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

11. Not used.

12. Not used. 13. Not used.

14. NEDO-33091-A, Revision 2, "Improved BPWS Control Rod Insertion Process," July 2004.

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 2 B 3.3-53 REVISION 42 B 3.3 INSTRUMENTATION

B 3.3.2.2 Feedwater and Main Turbine High Water Level Trip Instrumentation

BASES BACKGROUND The feedwater and main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow. With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level setpoint, causing the trip of the two feedwater pump turbines and the main turbine. Reactor Vessel Water Level - High signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor Vessel Water Level - High instrumentation are provided as input to a two-out-of-three initiation logic that trips the two feedwater pump turbines and the main turbine. The channels include electronic equipment (e.g., trip relays) that compare measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a main feedwater and turbine trip signal to the trip logic. A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine.

APPLICABLE The feedwater and main turbine high water level trip instrumentation SAFETY ANALYSES is assumed to be capable of providing a turbine trip in the design basis transient analysis for a feedwater controller failure, maximum demand event (Ref. 1). The high level trip indirectly initiates a reactor scram from the main turbine trip (above 27.6% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR. Feedwater and main turbine high water level trip instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 3).

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 2 B 3.3-54 REVISION 42 BASES (continued) LCO The LCO requires three channels of the Reactor Vessel Water Level - High instrumentation to be OPERABLE to ensure that no single instrument failure will prevent the feedwater pump turbines and main turbine trip on a valid Reactor Vessel Water Level - High signal. Two of the three channels are needed to provide trip signals in order for the feedwater and main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.2. The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions (nominal trip setpoint). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. APPLICABILITY The feedwater and main turbine high water level trip instrumentation is required to be OPERABLE at 24% RTP to ensure that the specified acceptable fuel design limits are not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases for LCO 3.2.1, "Average Planar Linear Heat Generation Rate (APLHGR)," and LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 24% RTP; therefore, these requirements are only necessary when operating at or above this power level. Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 2 B 3.3-55 REVISION 0 BASES (continued) ACTIONS A Note has been provided to modify the ACTIONS related to feedwater and main turbine high water level trip instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable feedwater and main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater and main turbine high water level trip instrumentation channel. A.1 With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function. Therefore, continued operation is only allowed for a limited time with one channel inoperable. If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in a feedwater or main turbine trip), Condition C must be entered and its Required Action taken. The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel. B.1 With two or more channels inoperable, the feedwater and main turbine high water level trip instrumentation cannot perform its design function (feedwater and main turbine high water level trip capability is Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 2 B 3.3-56 REVISION 42 BASES ACTIONS B.1 (continued) not maintained). Therefore, continued operation is only permitted for a 2 hour period, during which feedwater and main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater and main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken. The 2 hour Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater and main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation. C.1 With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to < 24% RTP within 4 hours. As discussed in the Applicability section of the Bases, operation below 24% RTP results in sufficient margin to the required limits, and the feedwater and main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours is based on operating experience to reduce THERMAL POWER to < 24% RTP from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains feedwater and main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance. That analysis Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 (continued) HATCH UNIT 2 B 3.3-57 REVISION 79 BASES SURVEILLANCE demonstrated that the 6 hour testing allowance does not significantly REQUIREMENTS reduce the probability that the feedwater pump turbines and main (continued) turbine will trip when necessary. SR 3.3.2.2.1 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. Due to the high turbine trip and reactor scram potential incurred when valving reactor water level differential pressure transmitters into and out of service, it is acceptable to perform the CHANNEL FUNCTIONAL TEST for this logic from the input of the alarm unit. This is consistent with the CHANNEL FUNCTIONAL TEST definition requiring the signal to be injected "as close to the sensor as practicable." Additionally, due to the physical location of the turbine trip relays and their close proximity to other sensitive equipment, accessibility is extremely limited. Verification of relay actuation and associated relay contact status by accessing the relay introduces a high potential for turbine trip and reactor scram. One contact from each turbine trip relay energizes an amber light indicating relay actuation. Therefore, it is acceptable to terminate the test at the turbine trip relay, utilizing light indication for relay status. These allowances are only acceptable if the CHANNEL CALIBRATION and the LOGIC SYSTEM FUNCTIONAL TEST overlap both the initiation and termination point of this CHANNEL FUNCTIONAL TEST such that the entire trip logic is tested. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.2.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.

Feedwater and Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 HATCH UNIT 2 B 3.3-58 REVISION 79 BASES SURVEILLANCE SR 3.3.2.2.2 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater and main turbine valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a valve is incapable of operating, the associated instrumentation channels would also be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 15.1.7. 2. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-Of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 4. Not used.

5. Not used.

PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-59 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.3.1 Post Accident Monitoring (PAM) Instrumentation

BASES BACKGROUND The primary purpose of the PAM instrumentation is to display plant variables that provide information required by the control room operators during accident situations. This information provides the necessary support for the operator to take the manual actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for Design Basis Events. The instruments that monitor these variables are designated as Type A, Category I, and non-Type A, Category I, in accordance with Regulatory Guide 1.97 (Ref. 1). The OPERABILITY of the accident monitoring instrumentation ensures that there is sufficient information available on selected plant parameters to monitor and assess plant status and behavior following an accident. This capability is consistent with the recommendations of Reference 1.

APPLICABLE The PAM instrumentation LCO ensures the OPERABILITY of SAFETY ANALYSES Regulatory Guide 1.97, Type A variables so that the control room operating staff can: a. Perform the diagnosis specified in the Emergency Operating Procedures (EOPs). These variables are restricted to preplanned actions for the primary success path of Design Basis Accidents (DBAs), (e.g., loss of coolant accident (LOCA)), and b. Take the specified, preplanned, manually controlled actions for which no automatic control is provided, which are required for safety systems to accomplish their safety function. The PAM instrumentation LCO also ensures OPERABILITY of Category I, non-Type A, variables so that the control room operating staff can:

a. Determine whether systems important to safety are performing their intended functions;

b. Determine the potential for causing a gross breach of the barriers to radioactivity release;

PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-60 REVISION 1 BASES APPLICABLE c. Determine whether a gross breach of a barrier has occurred; SAFETY ANALYSES and (continued)

d. Initiate action necessary to protect the public and for an estimate of the magnitude of any impending threat.

The plant specific Regulatory Guide 1.97 Analysis (Ref. 2) documents the process that identified Type A and Category I, non-Type A, variables. Accident monitoring instrumentation that satisfies the definition of Type A in Regulatory Guide 1.97 meets Criterion 3 of the NRC Policy Statement (Ref. 3). Category I, non-Type A, instrumentation is retained in Technical Specifications (TS) because they are intended to assist operators in minimizing the consequences of accidents. Therefore, these Category I variables are important for reducing public risk. LCO LCO 3.3.3.1 requires two OPERABLE channels for most of the Functions to ensure that no single failure prevents the operators from being presented with the information necessary to determine the status of the plant and to bring the plant to, and maintain it in, a safe condition following that accident. Furthermore, provision of two channels allows a CHANNEL CHECK during the post accident phase to confirm the validity of displayed information. The exceptions to the two channel requirement are the primary containment isolation valve (PCIV) position, Reactor Vessel Water Level (0 to +400 inches), Suppression Pool Water Temperature, Drywell Temperature in Vicinity of Reactor Level Instrument Reference Leg, and Diesel Generator (DG) Parameters. For the PCIV position, the important information is the status of the primary containment penetrations. The LCO requires one position indicator for each active (e.g., automatic) PCIV. This is sufficient to redundantly verify the isolation status of each isolable penetration either via indicated status of the active valve and prior knowledge of passive valve or via system boundary status. If a normally active PCIV is known to be closed and deactivated, position indication is not needed to determine status. Therefore, the position indication for closed and deactivated valves is not required to be OPERABLE. For the Reactor Vessel Water Level (0 to +400 inches), there is only one installed indicator covering this range. For the Suppression Pool Water Temperature, there are two required instruments per quadrant, since two instruments alone cannot provide adequate indication of PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-61 REVISION 41 BASES LCO bulk average temperature. For the Drywell Temperature, indications (continued) are required near all reactor vessel water level reference legs whose indicators are affected by post accident temperature changes in the drywell. For the DG parameters, there are three DGs, thus, one instrument per DG is required. The following list is a discussion of the specified instrument Functions listed in Table 3.3.3.1-1.

1. Reactor Steam Dome Pressure Reactor steam dome pressure is a Type A variable provided to support monitoring of Reactor Coolant System (RCS) integrity and to verify operation of the Emergency Core Cooling Systems (ECCS). Two independent pressure transmitters with a range of 0 psig to 1500 psig monitor pressure. Wide range recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel. 2. Reactor Vessel Water Level Reactor vessel water level is a Category I variable for all ranges and is also a Type A variable for the -150 inches to +60 inches range. They are provided to support monitoring of core cooling and to verify operation of the ECCS. Four different range channels provide the PAM Reactor Vessel Water Level Function. The water level channels measure from 400 inches above the steam dryer skirt down to a point just below the bottom of the active fuel. Water level is measured by independent differential pressure transmitters for each required channel. The output from these channels is recorded on independent recorders or read on indicators, which is the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel. The reactor vessel water level instruments are compensated, where appropriate, for variation in reactor water density and are calibrated to be most accurate at operational pressure and temperature.

Temperature corrections are made, where appropriate, based on drywell temperature (see Function 10 discussion). PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-62 REVISION 1 BASES LCO 3. Suppression Pool Water Level (continued) Suppression pool water level is a Category 1 variable provided to detect a breach in the reactor coolant pressure boundary (RCPB). This variable is also used to verify and provide long term surveillance of ECCS function. The wide range and narrow range suppression pool water level measurement provides the operator with sufficient information to assess the status of both the RCPB and the water supply to the ECCS. The wide range water level indicators monitor the suppression pool water level from the center line of the ECCS suction lines to the top of the pool, while the narrow range water level indicators monitor the water level around its normal level. Two wide range and two narrow range suppression pool water level signals are transmitted from separate differential pressure transmitters and are continuously recorded on recorders (for the narrow range signals) and read on indicators (for the wide range signals) in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel.

4. Drywell Pressure Drywell pressure is a Category I variable provided to detect breach of the RCPB and to verify ECCS functions that operate to maintain RCS integrity. Three different range drywell pressure channels receive signals that are transmitted from separate pressure transmitters and are continuously recorded and displayed on six control room recorders. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channel. 5. Drywell Area Radiation (High Range)

Drywell area radiation (high range) is a Category I variable provided to monitor the potential of significant radiation releases and to provide release assessment for use by operators in determining the need to invoke site emergency plans. Two radiation signals are transmitted from separate monitors and are continuously recorded on two recorders in the control room. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM specification deals specifically with this portion of the instrument channel. PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-63 REVISION 51 BASES LCO 6. Primary Containment Isolation Valve (PCIV) Position (continued) PCIV position is provided for verification of containment integrity. In the case of PCIV position, the important information is the isolation status of the containment penetration. The LCO requires one channel of valve position indication in the control room to be OPERABLE for each active PCIV in a containment penetration flow path, i.e., two total channels of PCIV position indication for a penetration flow path with two active valves. For containment penetrations with only one active PCIV having control room indication, Note (b) requires a single channel of valve position indication to be OPERABLE. This is sufficient to redundantly verify the isolation status of each isolable penetration via indicated status of the active valve, as applicable, and prior knowledge of passive valve or system boundary status. If a penetration flow path is isolated, position indication for the PCIV(s) in the associated penetration flow path is not needed to determine status. Therefore, the position indication for valves in an isolated penetration flow path is not required to be OPERABLE. The indication for each PCIV consists of green and red indicator lights that illuminate to indicate whether the PCIV is fully open, fully closed, or in a mid-position. Therefore, the PAM specification deals specifically with this portion of the instrumentation channel.

7., 8. (Deleted)

9. Suppression Pool Water Temperature Suppression pool water temperature is a Type A variable provided to detect a condition that could potentially lead to containment breach and to verify the effectiveness of ECCS actions taken to prevent containment breach. The suppression pool water temperature PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-64 REVISION 72 BASES LCO 9. Suppression Pool Water Tempterature (continued) instrumentation allows operators to detect trends in suppression pool water temperature in sufficient time to take action to prevent steam quenching vibrations in the suppression pool. Fifteen active RTD elements are used for RG 1.97 compliance. Eleven of these devices are grouped together to provide an average measure of the upper region of the suppression pool. These input to a single recorder. The other four RTDs are used to measure the lower region of the suppression pool and are spaced almost equilaterally. They input to two recorders. However, to ensure the average temperature of the suppression pool is monitored, only two of these RTDs per quadrant are needed, since other means are available to ensure the average bulk suppression pool temperature is known if a few of the RTDs are inoperable. These recorders are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channels.

10. Drywell Temperature in the Vicinity of Reactor Vessel Level Instrument Reference Leg Drywell temperature in the vicinity of reactor vessel level instrument reference legs is a Type A variable provided to measure drywell temperature so that proper compensation of reactor water level instruments can be accomplished. The drywell temperature is measured by six RTDs in the vicinity of the associated reference legs with the output being recorded on recorders in the control room. This is the primary indication used by the operator during an accident. Therefore, the PAM specification deals specifically with this portion of the instrumentation channel. 11. Diesel Generator Parameters Diesel generator (DG) parameters are Type A variables provided to allow the operator to ensure proper operation of the DGs and to control the DGs post accident. Each of the four parameters (output voltage, output current, output power, and battery voltage) is monitored for each of the two unit specific DGs and the swing DG and is read on indicators in the control room. These are the primary indication used by the operator during an accident. Therefore, the PAM Specification deals specifically with this portion of the instrument channels.

PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-65 REVISION 55 BASES LCO 12. RHR Service Water Flow (continued) RHR service water flow is a Type A variable provided to support the containment cooling function. The RHR Service Water flow signals are transmitted from separate flow transmitters (one per subsystem) and are continuously read on two control room indicators. These indicators are the primary indication used by the operator during an accident. Therefore, the PAM specification deals specifically with this portion of the instrument channel.

APPLICABILITY The PAM instrumentation LCO is applicable in MODES 1 and 2. These variables are related to the diagnosis and preplanned actions required to mitigate DBAs. The applicable DBAs are assumed to occur in MODES 1 and 2. In MODES 3, 4, and 5, plant conditions are such that the likelihood of an event that would require PAM instrumentation is extremely low; therefore, PAM instrumentation is not required to be OPERABLE in these MODES. ACTIONS A Note has been provided to modify the ACTIONS related to PAM instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable PAM instrumentation channels provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable PAM Function. PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-66 REVISION 1 BASES ACTIONS A.1 (continued) When one or more Functions have one required channel that is inoperable, the required inoperable channel must be restored to OPERABLE status within 30 days. The 30 day Completion Time is based on operating experience and takes into account the remaining OPERABLE channels (or, in the case of a Function that has only one required channel, other non-Regulatory Guide 1.97 instrument channels to monitor the Function), the passive nature of the instrument (no critical automatic action is assumed to occur from these instruments), and the low probability of an event requiring PAM instrumentation during this interval.

B.1 If a channel has not been restored to OPERABLE status in 30 days, this Required Action specifies initiation of action in accordance with Specification 5.6.6, which requires a written report to be submitted to the NRC. This report discusses the results of the root cause evaluation of the inoperability and identifies proposed restorative actions. This action is appropriate in lieu of a shutdown requirement, since alternative actions are identified before loss of functional capability, and given the likelihood of plant conditions that would require information provided by this instrumentation. C.1 When one or more Functions have two or more required channels that are inoperable (i.e., two channels inoperable in the same Function), all but one channel in the Function should be restored to OPERABLE status within 7 days. The Completion Time of 7 days is based on the relatively low probability of an event requiring PAM instrument operation and the availability of alternate means to obtain the required information. Continuous operation with two required channels inoperable in a Function is not acceptable because the alternate indications may not fully meet all performance qualification requirements applied to the PAM instrumentation. Therefore, requiring restoration of one inoperable channel of the Function limits the risk that the PAM Function will be in a degraded condition should an accident occur. PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-67 REVISION 1 BASES ACTIONS D.1 (continued) This Required Action directs entry into the appropriate Condition referenced in Table 3.3.3.1-1. The applicable Condition referenced in the Table is Function dependent. Each time an inoperable channel has not met the Required Action of Condition C, and the associated Completion Time has expired, Condition D is entered for that channel and provides for transfer to the appropriate subsequent Condition. E.1 For the majority of Functions in Table 3.3.3.1-1, if any Required Action and associated Completion Time of Condition C is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. F.1 Since alternate means of monitoring drywell area radiation have been developed and tested, the Required Action is not to shut down the plant, but rather to follow the directions of Specification 5.6.6. These alternate means may be temporarily installed if the normal PAM channel cannot be restored to OPERABLE status within the allotted time. The report provided to the NRC should discuss the alternate means used, describe the degree to which the alternate means are equivalent to the installed PAM channels, justify the areas in which they are not equivalent, and provide a schedule for restoring the normal PAM channels. SURVEILLANCE As noted at the beginning of the SRs, the following SRs apply to REQUIREMENTS each PAM instrumentation Function in Table 3.3.3.1-1.

The Surveillances are modified by a second Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required channel(s) in the associated Function are OPERABLE. Upon completion of the Surveillance, or expiration of the PAM Instrumentation B 3.3.3.1 (continued) HATCH UNIT 2 B 3.3-68 REVISION 79 BASES SURVEILLANCE 6 hour allowance, the channel must be returned to OPERABLE status REQUIREMENTS or the applicable Condition entered and Required Actions taken. The (continued) Note is based upon a NRC Safety Evaluation Report (Ref. 2) which concluded that the 6 hour testing allowance does not significantly reduce the probability of properly monitoring post accident parameters, when necessary. SR 3.3.3.1.1 Performance of the CHANNEL CHECK once every 31 days ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel against a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.3.1.2 CHANNEL CALIBRATION is a complete check of the instrument loop, including the sensor. The test verifies the channel responds to measured parameter with the necessary range and accuracy. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. PAM Instrumentation B 3.3.3.1 HATCH UNIT 2 B 3.3-69 REVISION 79 BASES (continued) REFERENCES 1. Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 2, December 1980. 2. NRC Safety Evaluation Report, "Edwin I. Hatch Nuclear Plant, Unit Nos. 1 and 2, Conformance to Regulatory Guide 1.97," dated July 30, 1985.

3. NRC No.93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 2 B 3.3-70 REVISION 1 B 3.3 INSTRUMENTATION

B 3.3.3.2 Remote Shutdown System

BASES BACKGROUND The Remote Shutdown System provides the control room operator with sufficient instrumentation and controls to place and maintain the plant in a safe shutdown condition from a location other than the control room. This capability is necessary to protect against the possibility of the control room becoming inaccessible. A safe shutdown condition is defined as MODE 3. With the plant in MODE 3, the Reactor Core Isolation Cooling (RCIC) System, the safety/relief valves, and the Residual Heat Removal Shutdown Cooling System can be used to remove core decay heat and meet all safety requirements. The long term supply of water for the RCIC and the ability to operate shutdown cooling from outside the control room allow extended operation in MODE 3. In the event that the control room becomes inaccessible, the operators can establish control at the remote shutdown panel and place and maintain the plant in MODE 3. Not all controls and necessary transfer switches are located at the remote shutdown panel. Some controls and transfer switches will have to be operated locally at the switchgear, motor control panels, or other local stations. The plant automatically reaches MODE 3 following a plant shutdown and can be maintained safely in MODE 3 for an extended period of time. The OPERABILITY of the Remote Shutdown System control and instrumentation Functions ensures that there is sufficient information available on selected plant parameters to place and maintain the plant in MODE 3 should the control room become inaccessible. APPLICABLE The Remote Shutdown System is required to provide equipment SAFETY ANALYSES at appropriate locations outside the control room with a design capability to promptly shut down the reactor to MODE 3, including the necessary instrumentation and controls, to maintain the plant in a safe condition in MODE 3. The criteria governing the design and the specific system requirements of the Remote Shutdown System are located in 10 CFR 50, Appendix A, GDC 19 (Ref. 1).

Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 2 B 3.3-71 REVISION 1 BASES APPLICABLE The Remote Shutdown System is considered an important contributor SAFETY ANALYSES to reducing the risk of accidents; as such, it meets Criterion 4 of the (continued) NRC Policy Statement (Ref. 3).

LCO The Remote Shutdown System LCO provides the requirements for the OPERABILITY of the instrumentation and controls necessary to place and maintain the plant in MODE 3 from a location other than the control room. The instrumentation and controls required are listed in Reference 2. The controls, instrumentation, and transfer switches are those required for: a. Reactor pressure vessel (RPV) pressure control; b. Decay heat removal;

c. RPV inventory control; and d. Safety support systems for the above functions, including Plant Service Water System, Residual Heat Removal Service Water System, and onsite power, including the diesel generators (DGs). The Remote Shutdown System is OPERABLE if all instrument and control channels needed to support the remote shutdown function are OPERABLE. In some cases, the required information or control capability may be available from several alternate sources. In these cases, the Remote Shutdown System is OPERABLE as long as one channel of any of the alternate information or control sources for each Function is OPERABLE. The Remote Shutdown System instruments and control circuits covered by this LCO do not need to be energized to be considered OPERABLE. This LCO is intended to ensure that the instruments and control circuits will be OPERABLE if plant conditions require that the Remote Shutdown System be placed in operation. APPLICABILITY The Remote Shutdown System LCO is applicable in MODES 1 and 2. This is required so that the plant can be placed and maintained in MODE 3 for an extended period of time from a location other than the control room.

Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 2 B 3.3-72 REVISION 55 BASES APPLICABILITY This LCO is not applicable in MODES 3, 4, and 5. In these MODES, (continued) the plant is already subcritical and in a condition of reduced Reactor Coolant System energy. Under these conditions, considerable time is available to restore necessary instrument control Functions if control room instruments or control becomes unavailable. Consequently, the TS do not require OPERABILITY in MODES 3, 4, and 5. ACTIONS A Note has been provided to modify the ACTIONS related to Remote Shutdown System Functions. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable Remote Shutdown System Functions provide appropriate compensatory measures for separate Functions. As such, a Note has been provided that allows separate Condition entry for each inoperable Remote Shutdown System Function. A.1 Condition A addresses the situation where one or more required Functions of the Remote Shutdown System is inoperable. This includes any Function listed in Reference 2, as well as the control and transfer switches. The Required Action is to restore the Function to OPERABLE status within 30 days. The Completion Time is based on operating experience and the low probability of an event that would require evacuation of the control room.

Remote Shutdown System B 3.3.3.2 (continued) HATCH UNIT 2 B 3.3-73 REVISION 79 BASES ACTIONS B.1 (continued) If the Required Action and associated Completion Time of Condition A are not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time is reasonable, based on operating experience, to reach the required MODE from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that when an REQUIREMENTS instrument channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The Note is based upon a NRC Safety Evaluation Report (Reference 1) which concluded that the 6 hour testing allowance does not significantly reduce the probability of monitoring required parameters, when necessary.

SR 3.3.3.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. As specified in the Surveillance, a CHANNEL CHECK is only required for those channels that are normally energized. Remote Shutdown System B 3.3.3.2 HATCH UNIT 2 B 3.3-74 REVISION 79 BASES SURVEILLANCE SR 3.3.3.2.1 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.2.2 SR 3.3.3.2.2 verifies each required Remote Shutdown System transfer switch and control circuit performs the intended function. This verification is performed from the remote shutdown panel and locally, as appropriate. Operation of equipment from the remote shutdown panel is not necessary. The Surveillance can be satisfied by performance of a continuity check, or in the case of the DG controls, the routine Surveillances of LCO 3.8.1 (since local control is utilized during the performance of some of the Surveillances of LCO 3.8.1). This will ensure that if the control room becomes inaccessible, the plant can be placed and maintained in MODE 3 from the remote shutdown panel and the local control stations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.3.2.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. The test verifies the channel responds to measured parameter values with the necessary range and accuracy. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 19.

2. Technical Requirements Manual, Table T6.0-1. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-75 REVISION 68 B 3.3 INSTRUMENTATION B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation

BASES BACKGROUND The EOC-RPT instrumentation initiates a recirculation pump trip (RPT) to reduce the peak reactor pressure and power resulting from turbine trip or generator load rejection transients to provide additional margin to core thermal MCPR Safety Limits (SLs). The need for the additional negative reactivity in excess of that normally inserted on a scram reflects end of cycle reactivity considerations. Depending on the MCPR operating limit, flux shapes at the end of cycle could be such that the control rods would not be able to ensure that thermal limits are maintained by inserting sufficient negative reactivity during the first few feet of rod travel upon a scram caused by Turbine Stop Valve (TSV) - Closure or Turbine Control Valve (TCV) Fast Closure, Trip Oil Pressure - Low. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity. EOC-RPT allows a margin improvement which in turn allows a reduction in the MCPR operating limit. The EOC-RPT instrumentation, as discussed in Reference 1, is composed of sensors that detect initiation of closure of the TSVs or fast closure of the TCVs, combined with relays, logic circuits, and fast acting circuit breakers that interrupt power from the recirculation pump adjustable speed drives (ASD) to each of the recirculation pump motors. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an EOC-RPT signal to the trip logic. When the RPT breakers trip open, the recirculation pumps coast down under their own inertia. The EOC-RPT has two identical trip systems, either of which can actuate an RPT. Each EOC-RPT trip system is a two-out-of-two logic for each Function; thus, either two TSV - Closure or two TCV Fast Closure, Trip Oil Pressure - Low signals are required for a trip system to actuate. If either trip system actuates, both recirculation pumps will trip. There are two EOC-RPT breakers in series per recirculation pump. One trip system trips one of the two EOC-RPT breakers for each recirculation pump, and the second trip system trips the other EOC-RPT breaker for each recirculation pump. EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-76 REVISION 42 BASES (continued) APPLICABLE The TSV - Closure and the TCV Fast Closure, Trip Oil SAFETY ANALYSES, Pressure - Low Functions are designed to trip the recirculation LCO, and pumps in the event of a turbine trip or generator load rejection to APPLICABILITY mitigate the increase in neutron flux, heat flux, and reactor pressure, and to increase the margin to the MCPR SL. The analytical methods and assumptions used in evaluating the turbine trip and generator load rejection are summarized in References 2 and 3. To mitigate pressurization transient effects, the EOC-RPT must trip the recirculation pumps after initiation of closure movement of either the TSVs or the TCVs. The combined effects of this trip and a scram reduce fuel bundle power more rapidly than a scram alone, resulting in an increased margin to the MCPR SL. Alternatively, MCPR limits for an inoperable EOC-RPT, as specified in the COLR, are sufficient to prevent violation of the MCPR Safety Limit. The EOC-RPT function is automatically disabled when turbine first stage pressure is < 27.6% RTP. EOC-RPT instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 6). The OPERABILITY of the EOC-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.1.3. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Channel OPERABILITY also includes the associated EOC-RPT breakers. Each channel (including the associated EOC-RPT breakers) must also respond within its assumed response time. Allowable Values are specified for each EOC-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The nomial setspoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the Function. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., TSV position), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-77 REVISION 42 BASES APPLICABLE relay) changes state. The analytic limits are derived from the limiting SAFETY ANALYSES, values of the process parameters obtained from the safety analysis. LCO, and The Allowable Values are derived from the analytic limits, corrected APPLICABILITY for calibration, process, and some of the instrument errors. The trip (continued) setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The specific Applicable Safety Analysis, LCO, and Applicability discussions are listed below on a Function by Function basis. Alternatively, since this instrumentation protects against a MCPR SL violation, with the instrumentation inoperable, modifications to the MCPR limits (LCO 3.2.2) may be applied to allow this LCO to be met. The MCPR penalty for the EOC-RPT inoperable condition is specified in the COLR. Turbine Stop Valve - Closure Closure of the TSVs and a main turbine trip result in the loss of a heat sink and increases reactor pressure, neutron flux, and heat flux that must be limited. Therefore, an RPT is initiated on a TSV - Closure signal before the TSVs are completely closed in anticipation of the effects that would result from closure of these valves. EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient. Closure of the TSVs is determined by measuring the position of each valve. While there are two separate position switches associated with each stop valve, only the signal from one switch for each TSV is used, with each of the four channels being assigned to a separate trip channel. The logic for the TSV - Closure Function is such that two or more TSVs must be closed to produce an EOC-RPT. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TSV - Closure, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TSV - Closure Allowable Value is selected to detect imminent TSV closure.

EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-78 REVISION 42 BASES APPLICABLE Turbine Stop Valve - Closure (continued) SAFETY ANALYSES, LCO, and This protection is required, consistent with the safety analysis APPLICABILITY assumptions, whenever THERMAL POWER is 27.6% RTP. Below 27.6% RTP, the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor (APRM) Neutron Flux - High Functions of the Reactor Protection System (RPS) are adequate to maintain the necessary margin to the MCPR Safety Limit. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Fast closure of the TCVs during a generator load rejection results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TCV Fast Closure, Trip Oil Pressure - Low in anticipation of the transients that would result from the closure of these valves. The EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient. Fast closure of the TCVs is determined by measuring the electrohydraulic control fluid pressure at each control valve. There is one pressure switch associated with each control valve, and the signal from each switch is assigned to a separate trip channel. The logic for the TCV Fast Closure, Trip Oil Pressure - Low Function is such that two or more TCVs must be closed (pressure transmitter trips) to produce an EOC-RPT. This Function must be enabled at THERMAL POWER 27.6% RTP. This is normally accomplished automatically by pressure switches sensing turbine first stage pressure; therefore, opening of the turbine bypass valves may affect this Function. Four channels of TCV Fast Closure, Trip Oil Pressure - Low, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TCV Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TCV fast closure. This protection is required consistent with the safety analysis whenever THERMAL POWER is 27.6% RTP. Below 27.6% RTP, the Reactor Vessel Steam Dome Pressure - High and the APRM Neutron Flux - High Functions of the RPS are adequate to maintain the necessary margin to the MCPR SL. EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-79 REVISION 1 BASES (continued) ACTIONS A Note has been provided to modify the ACTIONS related to EOC-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable EOC-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable EOC-RPT instrumentation channel. A.1 and A.2 With one or more channels inoperable, but with EOC-RPT trip capability maintained (refer to Required Actions B.1 and B.2 Bases), the EOC-RPT System is capable of performing the intended function. However, the reliability and redundancy of the EOC-RPT instrumentation is reduced such that a single failure in the remaining trip system could result in the inability of the EOC-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore compliance with the LCO. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of an EOC-RPT, 72 hours is provided to restore the inoperable channels (Required Action A.1) or apply the EOC-RPT inoperable MCPR limit. Alternately, the inoperable channels may be placed in trip (Required Action A.2) since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT, or if the inoperable channel is the result of an inoperable breaker), Condition C must be entered and its Required Actions taken.

EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-80 REVISION 42 BASES ACTIONS B.1 and B.2 (continued) Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining EOC-RPT trip capability. A Function is considered to be maintaining EOC-RPT trip capability when sufficient channels are OPERABLE or in trip, such that the EOC-RPT System will generate a trip signal from the given Function on a valid signal and both recirculation pumps can be tripped. Alternately, Required Action B.2 requires the MCPR limit for inoperable EOC-RPT, as specified in the COLR, to be applied. This also restores the margin to MCPR assumed in the safety analysis. The 2 hour Completion Time is sufficient time for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of the EOC-RPT instrumentation during this period. It is also consistent with the 2 hour Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation. C.1 and C.2 With any Required Action and associated Completion Time not met, THERMAL POWER must be reduced to < 27.6% RTP within 4 hours. Alternately, the associated recirculation pump may be removed from service, since this performs the intended function of the instrumentation. The allowed Completion Time of 4 hours is reasonable, based on operating experience, to reduce THERMAL POWER to < 27.6% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains EOC-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary. EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-81 REVISION 79 BASES SUREVILLANCE SR 3.3.4.1.1 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.1.2 This SR ensures that an EOC-RPT initiated from the TSV - Closure and TCV Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL POWER is 27.6% RTP. This involves calibration of the bypass channels. Adequate margins for the instrument setpoint methodologies are incorporated into the actual setpoint. Because main turbine bypass flow can affect this setpoint nonconservatively (THERMAL POWER is derived from first stage pressure) the main turbine bypass valves must remain closed during the calibration at THERMAL POWER 27.6% RTP to ensure that the calibration is valid. If any bypass channel's setpoint is nonconservative (i.e., the Functions are bypassed at 27.6% RTP, either due to open main turbine bypass valves or other reasons), the affected TSV - Closure and TCV Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition (Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are enabled), this SR is met with the channel considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.1.3 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. For the TSV - Closure Function, this SR also includes a physical inspection and actuation of the switches. EOC-RPT Instrumentation B 3.3.4.1 (continued) HATCH UNIT 2 B 3.3-82 REVISION 79 BASES SURVEILLANCE SR 3.3.4.1.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the associated safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would also be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.5 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The EOC-RPT SYSTEM RESPONSE TIME acceptance criteria are included in Reference 5. A Note to the Surveillance states that breaker interruption (i.e., trip) time may be assumed from the most recent performance of SR 3.3.4.1.6. This is allowed since the time to open the contacts after energization of the trip coil and the arc suppression time are short and do not appreciably change, due to the design of the breaker opening device and the fact that the breaker is not routinely cycled. Response times cannot be determined at power because operation of final actuated devices is required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.1.6 This SR ensures that the RPT breaker interruption time is provided to the EOC-RPT SYSTEM RESPONSE TIME test. Breaker interruption (i.e., trip) time is defined as a breaker response time plus arc suppression time. Breaker response time is the time from application of voltage to the trip coil until the main contacts separate. Arc

EOC-RPT Instrumentation B 3.3.4.1 HATCH UNIT 2 B 3.3-83 REVISION 79 BASES SURVEILLANCE SR 3.3.4.1.6 REQUIREMENTS suppression time is the time from main contact separation until the complete suppression of the electrical arc across the open contacts. Breaker response shall be verified by testing and added to the manufacturer's design arc suppression time to determine breaker interruption time. The breaker arc suppression time shall be validated by the performance of periodic contact gap measurements in accordance with plant procedures. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Subsection 7.6.10. 2. FSAR, Subsections 15.1.1, 15.1.2, and 15.1.3.

3. FSAR, Paragraph 5.5.16.1 and Subsection 7.6.10. 4. GENE-770-06-1, "Bases For Changes To Surveillance Test Intervals And Allowed Out-Of-Service Times For Selected Instrumentation Technical Specifications," February 1991.

5. Technical Requirements Manual, Table T5.0-1. 6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 2 B 3.3-84 REVISION 3 B 3.3 INSTRUMENTATION

B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT) Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event. Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level - ATWS-RPT Level or Reactor Steam Dome Pressure - High setpoint is reached, the recirculation pump drive motor breakers trip. The ATWS-RPT System (Ref. 1) includes sensors, relays, bypass capability, circuit breakers, and switches that are necessary to cause initiation of an RPT. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs an ATWS-RPT signal to the trip logic. The ATWS-RPT consists of two independent trip systems, with two channels of Reactor Steam Dome Pressure - High and two channels of Reactor Vessel Water Level - ATWS-RPT Level in each trip system. Each ATWS-RPT trip system is a two-out-of-two logic for each Function. Thus, either two Reactor Water Level - ATWS-RPT Level or two Reactor Pressure - High signals are needed to trip a trip system. The outputs of the channels in a trip system are combined in a logic so that either trip system will trip both recirculation pumps (by tripping the respective drive motor breakers). There is one drive motor breaker provided for each of the two recirculation pumps for a total of two breakers. The output of each trip system is provided to both recirculation pump breakers. APPLICABLE The ATWS-RPT is not assumed in the safety analysis. The SAFETY ANALYSES ATWS-RPT initiates an RPT to aid in preserving the integrity of the LCO, and fuel cladding following events in which a scram does not, but should, APPLICABILITY occur. Based on its contribution to the reduction of overall plant risk, however, the instrumentation meets Criterion 4 of the NRC Policy Statement (Ref. 3).

ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 2 B 3.3-85 REVISION 1 BASES APPLICABLE The OPERABILITY of the ATWS-RPT is dependent on the SAFETY ANALYSES OPERABILITY of the individual instrumentation channel Functions. LCO, and Each Function must have a required number of OPERABLE channels APPLICABILITY in each trip system, with their setpoints within the specified Allowable (continued) Value of SR 3.3.4.2.3. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Channel OPERABILITY also includes the associated recirculation pump drive motor breakers. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Allowable Values are specified for each ATWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Steam Dome Pressure - High and Reactor Vessel Water Level - ATWS-RPT Level Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event. In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an ATWS event. Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control rods inserted; thus, an ATWS event is not significant and the possibility of ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 2 B 3.3-86 REVISION 28 BASES APPLICABLE a significant pressure increase or low water level is negligible. In SAFETY ANALYSES MODE 5, the one rod out interlock ensures that the reactor remains LCO, and subcritical; thus, an ATWS event is not significant. In addition, the APPLICABILITY reactor pressure vessel (RPV) head is not fully tensioned and no (continued) pressure transient threat to the reactor coolant pressure boundary (RCPB) exists. The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.

a. Reactor Vessel Water Level - ATWS-RPT Level Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the ATWS-RPT System is initiated at a low level to aid in maintaining level above the top of the active fuel. The reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs."

Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - ATWS-RPT Level with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level - ATWS-RPT Level Allowable Value is chosen so that the system will not be initiated after a Level 3 scram until feedwater, HPCI, and RCIC have failed to stop the level excursion.

b. Reactor Steam Dome Pressure - High Excessively high RPV pressure may rupture the RCPB. An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 2 B 3.3-87 REVISION 9 BASES APPLICABLE b. Reactor Steam Dome Pressure - High (continued) SAFETY ANALYSES, LCO, and which could potentially result in fuel failure and APPLICABILITY overpressurization. The Reactor Steam Dome Pressure - High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves, limits the peak RPV pressure to less than the ASME Section III Code limits.

The Reactor Steam Dome Pressure - High signals are initiated from four pressure transmitters that monitor reactor steam dome pressure. Four channels of Reactor Steam Dome Pressure - High, with two channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an ATWS-RPT from this Function on a valid signal. The Reactor Steam Dome Pressure - High Allowable Value is chosen to provide an adequate margin to the ASME Section III Code limits. ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ATWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable ATWS-RPT instrumentation channel. A.1 and A.2 With one or more channels inoperable, but with ATWS-RPT capability for each Function maintained (refer to Required Actions B.1 and C.1 Bases), the ATWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 2 B 3.3-88 REVISION 1 BASES ACTIONS A.1 and A.2 (continued) trip system could result in the inability of the ATWS-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel would result in an RPT), or if the inoperable channel is the result of an inoperable breaker, Condition D must be entered and its Required Actions taken. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS-RPT trip capability. A Function is considered to be maintaining ATWS-RPT trip capability when sufficient channels are OPERABLE or in trip such that the ATWS-RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. The 72 hour Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability. C.1 Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 2 B 3.3-89 REVISION 79 BASES ACTIONS C.1 (continued) The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action B.1 above. The 1 hour Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period.

D.1 and D.2 With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours (Required Action D.2). Alternately, the associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary. SR 3.3.4.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally ATWS-RPT Instrumentation B 3.3.4.2 (continued) HATCH UNIT 2 B 3.3-90 REVISION 79 BASES SURVEILLANCE SR 3.3.4.2.1 (continued) REQUIREMENTS a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.4.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.4.2.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.

ATWS-RPT Instrumentation B 3.3.4.2 HATCH UNIT 2 B 3.3-91 REVISION 79 BASES SURVEILLANCE SR 3.3.4.2.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.2.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.6.10.7.

2. GENE-770-06-1, "Bases for Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," February 1991.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-92 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation

BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient. For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored. The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), and the diesel generators (DGs). The equipment involved with each of these systems is described in the Bases for LCO 3.5.1, "ECCS - Operating." Core Spray System The CS System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units for each Function are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate both core spray pumps. Upon receipt of an automatic initiation signal, the CS pumps are started immediately after power is available. The high drywell pressure and low water level initiation signals automatically reset once the conditions clear. The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated in the event CS is not operating. The CS pump discharge flow is monitored by a flow transmitter. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-93 REVISION 1 BASES BACKGROUND Core Spray System (continued) minimum flow setpoint to allow the full system flow assumed in the accident analysis. The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR) System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by four redundant transmitters, which, in turn, are connected to four trip units. The outputs of the trip units for each Function are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate all four LPCI pumps. Upon receipt of an automatic initiation signal, all LPCI pumps will start immediately if power is provided by the 2D Startup Auxiliary Transformer (SAT). If power is provided by the 2C SAT or the DGs, the LPCI C pump starts within 1 second when power is available, and the LPCI A, B, and D pumps are started after a 10 second delay. This limits the loading of the 2C SAT and the standby power sources. Once an initiation signal is received, the signal is sealed in and must be manually reset when the signal clears. Each LPCI subsystem's discharge flow is monitored by a flow transmitter. When a pump is running and discharge flow is low enough so that pump overheating may occur, the respective minimum flow return line valve is opened. If flow is above the minimum flow setpoint, the valve is automatically closed to allow the full system flow assumed in the analyses. The RHR test line suppression pool cooling isolation valve, suppression pool spray isolation valves, and containment spray ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-94 REVISION 1 BASES BACKGROUND Low Pressure Coolant Injection System (continued) isolation valves (which are also PCIVs) are also closed on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and maintain primary containment isolated in the event LPCI is not operating. The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Additionally, instruments are provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The variable is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic. Low reactor water level in the shroud is detected by two additional instruments to automatically isolate other modes of RHR (e.g., suppression pool cooling) when LPCI is required. Manual overrides for these isolations are provided.

High Pressure Coolant Injection System The HPCI System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Level 2 or Drywell Pressure - High. Each of these variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function. Once an initiation signal is received, the signal is sealed in and must be manually reset when the signal clears. The HPCI pump discharge flow is monitored by a flow transmitter. When the pump is running and discharge flow is low enough so that pump overheating may occur, the minimum flow return line valve is opened. The valve is automatically closed if flow is above the minimum flow setpoint to allow the full system flow assumed in the accident analysis. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-95 REVISION 1 BASES BACKGROUND High Pressure Coolant Injection System (continued) The HPCI test line isolation valves are closed upon receipt of a HPCI initiation signal to allow the full system flow assumed in the accident analysis. The HPCI System also monitors the water levels in the condensate storage tank (CST) and the suppression pool because these are the two sources of water for HPCI operation. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless both suppression pool suction valves are open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool (one-out-of-two logic similar to the CST water level logic). To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes. The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level - High, Level 8 trip, at which time the HPCI turbine trips, which causes the turbine's stop valve and the injection valves to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level - Low Low, Level 2 signal is subsequently received. If HPCI restart is desired prior to a level 2 signal being received, the level 8 trip must be manually reset (once the signal clears).

Automatic Depressurization System The ADS may be initiated by automatic means. Automatic initiation occurs when signals indicating Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High or ADS Bypass Low Water Level Actuation Timer; confirmed Reactor Vessel Water Level - Low, Level 3; and CS or LPCI Pump Discharge Pressure - High are all present and the ADS Initiation Timer has timed out. There are two transmitters each for Reactor Vessel Water Level - Low Low Low, Level 1 and Drywell Pressure - High, and one transmitter for confirmed Reactor Vessel Water Level - Low, Level 3 in each of the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-96 REVISION 1 BASES BACKGROUND Automatic Depressurization System (continued) two ADS trip systems. Each of these transmitters connects to a trip unit, which then drives a relay whose contacts form the initiation logic. Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint chosen is long enough that the HPCI has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers. The ADS also monitors the discharge pressures of the four LPCI pumps and the two CS pumps. Each ADS trip system includes two discharge pressure permissive transmitters from both CS and from two LPCI pumps (i.e., LPCI pumps A and D input to ADS trip system A, and LPCI pumps B and C input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. Any one of the six low pressure pumps is sufficient to permit automatic depressurization. The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High; and Low Water Level Actuation Timer. One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level - Low, Level 3. The Reactor Vessel Water Level - Low Low Low, Level 1 and Drywell Pressure - High or Low Water Level Actuation Timer contacts in both logic strings must close, the Reactor Vessel Water Level - Low, Level 3 contact in the one logic string must close, the ADS initiation timer must time out, and a CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure - High signal, the ADS Low Water Level Actuation Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset. Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-97 REVISION 1 BASES BACKGROUND Diesel Generators (continued) The DGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of the DG LOP initiation signals. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays which send signals to two trip systems, with each trip system arranged in a one-out-of-two taken twice logic (each trip unit sends a signal to both trip systems). Each trip system can initiate all three DGs (2A, 1B, and 2C). The DGs receive their initiation signals from the CS System initiation logic. The DGs can also be started manually from the control room and locally from the associated DG room. Upon receipt of an initiation signal, each DG is automatically started, is ready to load in approximately 12 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). Each DG will only energize its respective Engineered Safety Feature bus if a loss of offsite power occurs on its associated bus. (Refer to Bases for LCO 3.3.8.1.) The DG initiation signal is automatically reset once the condition clears.

Plant Service Water (PSW) Turbine Building (T/B) Isolation Valves The PSW T/B isolation may be initiated by either automatic or manual means. Automatic isolation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. Each of these diverse variables is monitored by four redundant transmitters, which are, in turn, connected to four trip units. The outputs of the trip units are connected to relays whose contacts are connected to a one-out-of-two taken twice logic to close all four PSW T/B isolation valves. The PSW T/B isolation valves receive their isolation signal from the CS System initiation logic. The PSW T/B isolation valves can also be closed manually from the control room. Upon receipt of an initiation signal, each PSW T/B isolation valve is automatically closed. The signal is automatically reset once the condition clears (allowing the valves to be manually reopened). APPLICABLE The actions of the ECCS are explicitly assumed in the safety analyses SAFETY ANALYSES, of References 1, 2, 3, and 4. The ECCS is initiated to preserve the LCO, and integrity of the fuel cladding by limiting the post LOCA peak cladding APPLICABILITY temperature to less than the 10 CFR 50.46 limits.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-98 REVISION 4 BASES APPLICABLE ECCS instrumentation satisfies Criterion 3 of the NRC Policy SAFETY ANALYSES, Statement (Ref. 6). Certain instrumentation Functions are retained for LCO, and other reasons and are described below in the individual Functions APPLICABILITY discussion. (continued) The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Table 3.3.5.1-1, footnote (b), is added to show that certain ECCS instrumentation Functions are also required to be OPERABLE to perform DG initiation and actuation of the PSW T/B isolation. Allowable Values are specified for each ECCS Function specified in the table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis, where applicable. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-99 REVISION 1 BASES APPLICABLE The specific Applicable Safety Analyses, LCO, and Applicability SAFETY ANALYSES, discussions are listed below on a Function by Function basis. LCO, and APPLICABILITY (continued) 1. Core Spray and Low Pressure Coolant Injection Systems 1.a., 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS, associated DGs, and PSW T/B isolation are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Vessel Water Level - Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure injection/spray subsystems to activate and provide adequate cooling. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are only required to be OPERABLE when the ECCS, DG(s), or PSW System are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS and DG initiation and PSW T/B isolation. Refer to LCO 3.5.1 and LCO 3.5.2, "ECCS - Shutdown," for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1, "AC Sources - Operating" and LCO 3.8.2, "AC Sources - Shutdown," for Applicability Bases for the DGs; and LCO 3.7.2, "Plant Service Water (PSW) System," for Applicability Bases for the PSW System. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-100 REVISION 1 BASES APPLICABLE 1.b., 2.b. Drywell Pressure - High SAFETY ANALYSES, LCO, and High pressure in the drywell could indicate a break in the reactor APPLICABILITY coolant pressure boundary (RCPB). The low pressure ECCS, (continued) associated DGs, and PSW T/B isolation are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Water Level - Low Low Low, Level 1 Function, is directly assumed in the analysis of the recirculation line break (Ref. 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment. The Drywell Pressure - High Function is required to be OPERABLE when the ECCS, DG(s), or PSW Systems are required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation and PSW T/B isolation. In MODES 4 and 5, the Drywell Pressure - High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to the Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems; LCO 3.8.1 for Applicability Bases for the DGs; and LCO 3.7.2 for Applicability Bases for the PSW System.

1.c., 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive) Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. This ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in Reference 3. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Refs. 2 and 4). The core cooling function of the ECCS, along ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-101 REVISION 1 BASES APPLICABLE 1.c., 2.c. Reactor Steam Dome Pressure - Low (Injection Permissive) SAFETY ANALYSES, (continued) LCO, and APPLICABILITY with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS, but high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46. Four channels of Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems. 1.d., 2.g. Core Spray and Low Pressure Coolant Injection Pump Discharge Flow - Low (Bypass) The minimum flow instruments are provided to protect the associated low pressure ECCS pump from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. The LPCI and CS Pump Discharge Flow - Low Functions are assumed to be OPERABLE and capable of closing the minimum flow valves to ensure that the low pressure ECCS flows assumed during the transients and accidents analyzed in References 1, 2, 3, and 4 are met. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. One flow transmitter per ECCS subsystem is used to detect the associated subsystems' flow rates. The logic is arranged such that each transmitter causes its associated minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The LPCI minimum flow valves are time delayed such that the valves will not open for 10 seconds after the switches detect low flow. The time delay is provided to limit reactor vessel inventory loss during the startup of the RHR shutdown cooling mode. The Pump Discharge Flow - Low Allowable Values are high enough to ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-102 REVISION 1 BASES APPLICABLE 1.d., 2.g. Core Spray and Low Pressure Coolant Injection Pump SAFETY ANALYSES, Discharge Flow - Low (Bypass) (continued) LCO, and APPLICABILITY ensure that the pump flow rate is sufficient to protect the pump, yet low enough (based on engineering judgment) to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. Each channel of Pump Discharge Flow - Low Function (two CS channels and two LPCI channels) is only required to be OPERABLE when the associated ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude the ECCS function. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the low pressure ECCS subsystems.

2.d. Reactor Steam Dome Pressure - Low (Recirculation Discharge Valve Permissive) Low reactor steam dome pressure signals are used as permissives for recirculation discharge valve closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of closing the valve during the transients analyzed in Reference 3. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Refs. 2 and 4). The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis. Four channels of the Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function of the instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure). ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-103 REVISION 1 BASES APPLICABLE 2.e. Reactor Vessel Shroud Level - Level 0 SAFETY ANALYSES, LCO, and The Level 0 Function is provided as a permissive to allow the RHR APPLICABILITY System to be manually aligned from the LPCI mode to the (continued) suppression pool cooling/spray or drywell spray modes. The permissive ensures that water in the vessel is approximately two thirds core height before the manual transfer is allowed. This ensures that LPCI is available to prevent or minimize fuel damage. This function may be overridden during accident conditions as allowed by plant procedures. Reactor Vessel Shroud Level - Level 0 Function is implicitly assumed in the analysis of the recirculation line break (Refs. 2 and 4) since the analysis assumes that no LPCI flow diversion occurs when reactor water level is below level 0. Reactor Vessel Shroud Level - Level 0 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Shroud Level - Level 0 Allowable Value is chosen to allow the low pressure core flooding systems to activate and provide adequate cooling before allowing a manual transfer. Two channels of the Reactor Vessel Shroud Level - Level 0 Function are only required to be OPERABLE in MODES 1, 2, and 3. In MODES 4 and 5, the specified initiation time of the LPCI subsystems is not assumed, and other administrative controls are adequate to control the valves that this Function isolates (since the systems that the valves are opened for are not required to be OPERABLE in MODES 4 and 5 and are normally not used). 2.f. Low Pressure Coolant Injection Pump Start - Time Delay Relay The purpose of this time delay is to stagger the start of the LPCI pumps that are in each of Divisions 1 and 2, thus limiting the starting transients on the 4.16 kV emergency buses. This Function is only necessary when power is being supplied from the standby power source (DG). The LPCI Pump Start - Time Delay Relays are assumed to be OPERABLE in the accident and transient analyses requiring ECCS initiation. That is, the analyses assume that the pumps will initiate when required and excess loading will not cause failure of the power sources. There are seven LPCI Pump Start - Time Delay Relays, two in each of the RHR pump start logic circuits with the exception of the C pump, which has only one. The one time delay for the LPCI C pump is ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-104 REVISION 28 BASES APPLICABLE 2.f. Low Pressure Coolant Injection Pump Start - Time Delay Relay SAFETY ANALYSES, (continued) LCO, and APPLICABILITY associated with trip (pump start) logic B, starting LPCI C pump within 1 second upon an initiation signal. Trip logic A has no associated time delay relay for the LPCI C pump, starting the pump immediately upon an initiation signal. Therefore, to satisfy the required channels per Function for LPCI C pump, either the time delay relay associated with trip logic B must be OPERABLE or trip logic A must be OPERABLE. The intent of SR 3.3.5.1.4 for Function 2.f, LPCI C pump start--trip logic A, is captured by SR 3.3.5.1.5. Therefore, a satisfactory performance of SR 3.3.5.1.5 for LPCI C pump start--trip logic A also satisfies the requirements of SR 3.3.5.1.4 for that Function. While each time delay relay is dedicated to a single pump start logic, a single failure of a LPCI Pump Start - Time Delay Relay could result in the failure of the two low pressure ECCS pumps, powered from the same Engineered Safety Feature (ESF) bus, to perform their intended function within the assumed ECCS RESPONSE TIME (e.g., as in the case where both ECCS pumps on one ESF bus start simultaneously due to an inoperable time delay relay). This still leaves four of the six low pressure ECCS pumps OPERABLE; thus, the single failure criterion is met (i.e., loss of one instrument does not preclude ECCS initiation). The Allowable Value for the LPCI Pump Start - Time Delay Relays is chosen to be long enough so that most of the starting transient of the first pump is complete before starting the second pump on the same 4.16 kV emergency bus and short enough so that ECCS operation is not degraded. Each LPCI Pump Start - Time Delay Relay Function is required to be OPERABLE only when the associated LPCI subsystem is required to be OPERABLE. Refer to LCO 3.5.1 and LCO 3.5.2 for Applicability Bases for the LPCI subsystems.

3. HPCI System 3.a. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs." While HPCI is not assumed to be ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-105 REVISION 28 BASES APPLICABLE 3.a. Reactor Vessel Water Level - Low Low, Level 2 (continued) SAFETY ANALYSES, LCO, and OPERABLE in any DBA or transient analysis, the Reactor Vessel APPLICABILITY Water Level - Low Low, Level 2 is one of the Functions capable of initiating HPCI during the transients analyzed in References 1 and 3 and during a LOCA (Refs. 2 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Therefore, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 7). Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is selected at the Reactor Core Isolation Cooling (RCIC) System Level 2 Allowable Value for convenience. Refer to LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System Instrumentation," for the Bases discussion of this Function. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the Drywell Pressure - High Function is capable of initiating HPCI during a LOCA (Refs. 2 and 4). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Therefore, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 7). High drywell pressure signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-106 REVISION 1 BASES APPLICABLE 3.b. Drywell Pressure - High (continued) SAFETY ANALYSES, LCO, and Four channels of the Drywell Pressure - High Function are required to APPLICABILITY be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk, thus it meets Criterion 4 of the NRC Policy Statement (Ref. 7). Reactor Vessel Water Level - High, Level 8 signals for HPCI are initiated from two level transmitters from the narrow range water level measurement instrumentation. This ensures that no single instrument failure can preclude HPCI initiation. The Reactor Vessel Water Level - High, Level 8 Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs. Two channels of Reactor Vessel Water Level - High, Level 8 Function are required to be OPERABLE only when HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases. 3.d. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the HPCI pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the Function is implicitly assumed if HPCI is to be ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-107 REVISION 35 BASES APPLICABLE 3.d. Condensate Storage Tank Level - Low (continued) SAFETY ANALYSES, LCO, and utilized, since the long term use of HPCI during a DBA requires the APPLICABILITY HPCI suction source to be the suppression pool. As such, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 7). Condensate Storage Tank Level - Low signals are initiated from two level switches. The Condensate Storage Tank Level - Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST. Two channels of the Condensate Storage Tank Level - Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Suppression Pool Water Level - High Excessively high suppression pool water could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of HPCI from the CST to the suppression pool to eliminate the possibility of HPCI continuing to provide additional water from a source outside containment. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, this Function is implicitly assumed if HPCI is to be utilized, since the long term use of HPCI during a DBA requires the HPCI suction source to be the suppression pool. As such, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 7). Suppression Pool Water Level - High signals are initiated from two level transmitters. The Allowable Value for the Suppression Pool Water Level - High Function is chosen to ensure that HPCI will be aligned for suction from the suppression pool before the water level reaches the point at which suppression pool design loads would be exceeded. Two channels of Suppression Pool Water Level - High Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-108 REVISION 1 BASES APPLICABLE 3.f. High Pressure Coolant Injection Pump Discharge Flow - Low SAFETY ANALYSES, (Bypass) LCO, and APPLICABILITY The minimum flow instruments are provided to protect the HPCI pump (continued) from overheating when the pump is operating and the associated injection valve is not fully open. The minimum flow line valve is opened when low flow is sensed, and the valve is automatically closed when the flow rate is adequate to protect the pump. While HPCI is not assumed to be OPERABLE in any DBA or transient analysis, the High Pressure Coolant Injection Pump Discharge Flow - Low Function is capable of closing the minimum flow valve to ensure that the HPCI flow provided, if HPCI is utilized during the transients and accidents analyzed in References 1, 2, and 3, is adequate. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Therefore, this Function meets Criterion 4 of the NRC Policy Statement (Ref. 7). One flow transmitter is used to detect the HPCI System's flow rate. The logic is arranged such that the transmitter causes the minimum flow valve to open. The logic will close the minimum flow valve once the closure setpoint is exceeded. The High Pressure Coolant Injection Pump Discharge Flow - Low Allowable Value is high enough to ensure that pump flow rate is sufficient to protect the pump, yet low enough (based on engineering judgment) to ensure that the closure of the minimum flow valve is initiated to allow full flow into the core. One channel is required to be OPERABLE when the HPCI is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

4., 5. Automatic Depressurization System 4.a., 5.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in References 2 and 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-109 REVISION 1 BASES APPLICABLE 4.a., 5.a. Reactor Vessel Water Level - Low Low Low, Level 1 SAFETY ANALYSES, (continued) LCO, and APPLICABILITY Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b., 5.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. Therefore, ADS receives one of the signals necessary for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in References 2 and 4. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Drywell Pressure - High signals are initiated from four pressure transmitters that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment. Four channels of Drywell Pressure - High Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.c., 5.c. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-110 REVISION 1 BASES APPLICABLE 4.c., 5.c. Automatic Depressurization System Initiation Timer SAFETY ANALYSES, (continued) LCO, and APPLICABILITY HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of References 2 and 4 that require ECCS initiation and assume failure of the HPCI System. There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling. Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d., 5.d. Reactor Vessel Water Level - Low, Level 3 The Reactor Vessel Water Level - Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level - Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences. Reactor Vessel Water Level - Low, Level 3 signals are initiated from two level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level - Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-111 REVISION 22 BASES APPLICABLE 4.d., 5.d. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and Two channels of Reactor Vessel Water Level - Low, Level 3 Function APPLICABILITY are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases. 4.e., 4.f., 5.e., 5.f. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High The Pump Discharge Pressure - High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in References 2 and 4 with an assumed HPCI failure. For these events, the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Pump discharge pressure signals are initiated from twelve pressure transmitters, two on the discharge side of each of the six low pressure ECCS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one pump (one channel for each LPCI pump, 2 channels for each CS pump, or 1 channel from one CS pump and the opposite channel for the other pump) indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a minimum flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accident analysis. Twelve channels of Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure - High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pump A and four LPCI channels associated with LPCI pumps A and D are required for trip system A. Two CS channels associated with CS pump B and four LPCI channels ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-112 REVISION 1 BASES APPLICABLE 4.e., 4.f., 5.e., 5.f. Core Spray and Low Pressure Coolant Injection SAFETY ANALYSES, Pump Discharge Pressure - High (continued) LCO, and APPLICABILITY associated with LPCI pumps B and C are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.g., 5.g. Automatic Depressurization System Low Water Level Actuation Timer One of the signals required for ADS initiation is Drywell Pressure - High. However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Low Water Level Actuation Timer is used to bypass the Drywell Pressure - High Function after a certain time period has elapsed. Operation of the Automatic Depressurization System Low Water Level Actuation Timer Function is not assumed in any accident analysis. The instrumentation is retained in the TS because ADS is part of the primary success path for mitigation of a DBA. There are four Automatic Depressurization System Low Water Level Actuation Timer relays, two in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling. Four channels of the Automatic Depressurization System Low Water Level Actuation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases. ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-113 REVISION 9 BASES ACTIONS instrumentation channels provide appropriate compensatory (continued) measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel. A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition. B.1, B.2, and B.3 Required Actions B.1 and B.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic initiation capability being lost for the same feature(s) in both divisions. Required Action B.1 features would be those that are initiated by Functions 1.a, 1.b, 2.a, and 2.b (e.g., low pressure ECCS). The Required Action B.2 system would be HPCI. For low pressure ECCS, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated low pressure ECCS, DGs, and PSW System to be declared inoperable. However, since channels in both associated low pressure ECCS subsystems (e.g., both CS subsystems) are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS, DGs, and PSW System being concurrently declared inoperable. In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action B.3 is not appropriate and the feature(s) associated with theinoperable, untripped channels must be declared inoperable within 1 hour. As noted (Note 1 to Required Action B.1), Required Action B.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the low pressure ECCS is not assumed and the probability of a LOCA is lower. However, as stated on page 95 of the Safety Evaluation by the Office of Nuclear Reactor Regulation for Unit 1 Amendment 195 and Unit 2 Amendment 135, Georgia Power Company committed to not use the 24 hour allowance of Required Action B.3 for Function 1.a (for CS ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-114 REVISION 9 BASES ACTIONS B.1, B.2, and B.3 (continued) Level 1 initiation) and Function 2.a (for LPCI Level 1 initiation) when in MODE 4 or 5. Instead, the ACTIONS of TS 3.5.2, ECCS - Shutdown, will be entered immediately for the inoperable ECCS subsystems. This commitment does not apply to the Function 1.a and Function 2.a initiation of the associated DG and the isolation of the associated PSW turbine building isolation valves. There is no similar Note provided for Required Action B.2 since HPCI instrumentation is not required in MODES 4 and 5; thus, a Note is not necessary. Notes are also provided (Note 2 to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed. Required Action B.1 (the Required Action for certain inoperable channels in the low pressure ECCS subsystems) is not applicable to Function 2.e, since this Function provides backup to administrative controls ensuring that operators do not divert LPCI flow from injecting into the core when needed. Thus, a total loss of Function 2.e capability for 24 hours is allowed, since the LPCI subsystems remain capable of performing their intended function. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that features in the same system (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above. For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to inoperable, untripped channels for the associated Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-115 REVISION 1 BASES ACTIONS B.1, B.2, and B.3 (continued) the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken. C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in automatic initiation capability being lost for the same feature(s) in both divisions. Required Action C.1 features would be those that are initiated by Functions 1.c, 2.c, 2.d, and 2.f (i.e., low pressure ECCS). In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour. Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.c, 2.c, and 2.d, the affected portions are the associated low pressure ECCS pumps. Two failure modes exist for Function 2.f. If the time delay fails such that the pump start is delayed in excess of the specified time, the inoperable supported features are the associated pump and the associated DG. However, if the time delay fails such that the pump start is quicker than the specified time, the inoperable supported feature is the associated DG. The associated DG can be restored to OPERABLE status by preventing the affected pump from starting on an initiation signal.

ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-116 REVISION 1 BASES ACTIONS C.1 and C.2 (continued) As noted (Note 1), Required Action C.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of automatic initiation capability for 24 hours (as allowed by Required Action C.2) is allowed during MODES 4 and 5. Note 2 states that Required Action C.1 is only applicable for Functions 1.c, 2.c, 2.d, and 2.f. Required Action C.1 is not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours allowed by Required Action C.2. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. In this situation (loss of automatic ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-117 REVISION 1 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued) suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour after discovery of loss of HPCI initiation capability. As noted, Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to inoperable, untripped channels in the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the HPCI System piping remains filled with water. Alternately, if it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the HPCI suction piping), Condition H must be entered and its Required Action taken. E.1 and E.2 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the Core Spray and Low Pressure Coolant Injection Pump Discharge Flow - Low Bypass Functions result in automatic initiation capability being lost for the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-118 REVISION 1 BASES ACTIONS E.1 and E.2 (continued) same feature(s) in both divisions. For Required Action E.1, the features would be those that are initiated by Functions 1.d and 2.g (e.g., low pressure ECCS). Since each inoperable channel would have Required Action E.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected low pressure ECCS pump(s) to be declared inoperable. However, since channels for more than one low pressure ECCS pump are inoperable, and the Completion Times started concurrently for the channels of the low pressure ECCS pumps, this results in the affected low pressure ECCS pumps being concurrently declared inoperable. In this situation (loss of minimum flow capability), the 7 day allowance of Required Action E.2 is not appropriate and the subsystem associated with each inoperable channel must be declared inoperable within 1 hour. As noted (Note 1 to Required Action E.1), Required Action E.1 is only applicable in MODES 1, 2, and 3. In MODES 4 and 5, the specific initiation time of the ECCS is not assumed and the probability of a LOCA is lower. Thus, a total loss of initiation capability for 7 days (as allowed by Required Action E.2) is allowed during MODES 4 and 5. A Note is also provided (Note 2 to Required Action E.1) to delineate that Required Action E.1 is only applicable to low pressure ECCS Functions. Required Action E.1 is not applicable to HPCI Function 3.f since the loss of one channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 7 days allowed by Required Action E.2. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels. If the instrumentation that controls the pump minimum flow valve is inoperable, such that the valve will not automatically open, extended pump operation with no injection path available could lead to pump overheating and failure. If there were a failure of the instrumentation, such that the valve would not automatically close, a portion of the ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-119 REVISION 1 BASES ACTIONS E.1 and E.2 (continued) pump flow could be diverted from the reactor vessel injection path, causing insufficient core cooling. These consequences can be averted by the operator's manual control of the valve, which would be adequate to maintain ECCS pump protection and required flow. Furthermore, other ECCS pumps would be sufficient to complete the assumed safety function if no additional single failure were to occur. The 7 day Completion Time of Required Action E.2 to restore the inoperable channel to OPERABLE status is reasonable based on the remaining capability of the associated ECCS subsystems, the redundancy available in the ECCS design, and the low probability of a DBA occurring during the allowed out of service time. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events. F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in automatic initiation capability being lost for the ADS. In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action F.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-120 REVISION 1 BASES ACTIONS F.1 and F.2 (continued) service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action F.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition H must be entered and its Required Action taken.

G.1 and G.2 Required Action G.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. In this situation (loss of automatic initiation capability), the 96 hour or 8 day allowance, as applicable, of Required Action G.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour after discovery of loss of ADS initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action G.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-121 REVISION 1 BASES ACTIONS G.1 and G.2 (continued) Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 5) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action G.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours, the 96 hours begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition H must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

H.1 With any Required Action and associated Completion Time not met, the associated feature(s) may be incapable of performing the intended function, and the supported feature(s) associated with inoperable untripped channels must be declared inoperable immediately. Two failure modes exist for Function 2.f. If the time delay fails such that the pump start is delayed in excess of the specified time, the inoperable supported features are the associated pump and the associated DG. However, if the time delay fails such that the pump start is quicker than the specified time, the inoperable supported feature is the associated DG. The associated DG can be restored to OPERABLE status by preventing the affected pump from starting on an initiation signal. SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-122 REVISION 79 BASES SURVEILLANCE required Surveillances, entry into associated Conditions and Required REQUIREMENTS Actions may be delayed for up to 6 hours as follows: (a) for (continued) Functions 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or the redundant Function maintains initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 5) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary. SR 3.3.5.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2 and SR 3.3.5.1.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. ECCS Instrumentation B 3.3.5.1 (continued) HATCH UNIT 2 B 3.3-123 REVISION 79 BASES SURVEILLANCE SR 3.3.5.1.2 and SR 3.3.5.1.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.7.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 5.2.

2. FSAR, Section 6.3. 3. FSAR, Chapter 15. 4. NEDC-31376-P, "Edwin I. Hatch Nuclear Power Plant, SAFER/GESTR-LOCA, Loss-of-Coolant Accident Analysis,"

December 1986. ECCS Instrumentation B 3.3.5.1 HATCH UNIT 2 B 3.3-124 REVISION 79 BASES REFERENCES 5. NEDC-30936-P-A, "BWR Owners' Group Technical (continued) Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2," December 1988. 6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-125 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Core Isolation Cooling (RCIC) System Instrumentation

BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is unavailable, such that RCIC System initiation occurs and maintains sufficient reactor water level such that initiation of the low pressure Emergency Core Cooling System (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System." The RCIC System may be initiated by automatic means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low, Level 2. The variable is monitored by four transmitters that are connected to four trip units. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared. The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow. The RCIC System also monitors the water levels in the condensate storage tank (CST) and the suppression pool since these are the two sources of water for RCIC operation. Reactor grade water in the CST is the normal source. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction valves from the suppression pool are open. If the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valves to open and the CST suction valve to close. The suppression pool suction valves also automatically open and the CST suction valve closes if high water level is detected in the suppression pool (one-out-of-two logic similar to the CST water level logic). To prevent losing suction to the pump, the suction valves are interlocked so that one suction path must be open before the other automatically closes.

RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-126 REVISION 6 BASES BACKGROUND The RCIC System provides makeup water to the reactor until the (continued) reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam supply, and cooling water supply valves close (the injection valve also closes due to the closure of the steam supply valves). The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2). APPLICABLE The function of the RCIC System to provide makeup coolant to the SAFETY ANALYSES, reactor is used to respond to transient events. The RCIC System LCO, and is not an Engineered Safety Feature System and no credit is taken APPLICABILITY in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system, and therefore its instrumentation, meets Criterion 4 of the NRC Policy Statement (Ref. 2). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion. The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.2-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology. The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System.) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-127 REVISION 28 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Low, Level 2 SAFETY ANALYSES, LCO, and Low reactor pressure vessel (RPV) water level indicates that normal APPLICABILITY feedwater flow is insufficient to maintain reactor vessel water level (continued) and that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs." Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. (Refer to LCO 3.5.3 for RCIC Applicability Bases.)

2. Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply and cooling water supply valves to prevent overflow into the main steam lines (MSLs). (The injection valve also closes due to the closure of the steam supply valve.) Reactor Vessel Water Level - High, Level 8 signals for RCIC are initiated from two level transmitters from the narrow range water level measurement instrumentation, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - High, Level 8 Allowable Value is high enough to preclude isolating the injection valve of the RCIC RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-128 REVISION 1 BASES APPLICABLE 2. Reactor Vessel Water Level - High, Level 8 (continued) SAFETY ANALYSES LCO, and during normal operation, yet low enough to trip the RCIC System prior APPLICABILITY to water overflowing into the MSLs. Two channels of Reactor Vessel Water Level - High, Level 8 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. (Refer to LCO 3.5.3 for RCIC Applicability Bases.)

3. Condensate Storage Tank Level - Low Low level in the CST indicates the unavailability of an adequate supply of makeup water from this normal source. Normally, the suction valve between the RCIC pump and the CST is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valves automatically open, and then the CST suction valve automatically closes. This ensures that an adequate supply of makeup water is available to the RCIC pump. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. The Condensate Storage Tank Level - Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of Condensate Storage Tank Level - Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. (Refer to LCO 3.5.3 for RCIC Applicability Bases.)

4. Suppression Pool Water Level - High Excessively high suppression pool water level could result in the loads on the suppression pool exceeding design values should there be a blowdown of the reactor vessel pressure through the safety/relief valves. Therefore, signals indicating high suppression pool water level are used to transfer the suction source of RCIC from the CST to RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-129 REVISION 1 BASES APPLICABLE 4. Suppression Pool Water Level - High (continued) SAFETY ANALYSES, LCO, and the suppression pool to eliminate the possibility of RCIC continuing to APPLICABILITY provide additional water from a source outside primary containment. This Function satisfies Criterion 3 of the NRC Policy Statement. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes. Suppression Pool Water Level - High signals are initiated from two level switches. The Allowable Value for the Suppression Pool Water Level - High Function is set low enough to ensure that RCIC will be aligned to take suction from the suppression pool before the water level reaches the point at which suppression design loads would be exceeded. Two channels of Suppression Pool Water Level - High Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases. ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition. RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-130 REVISION 1 BASES ACTIONS B.1 and B.2 (continued) Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this situation (loss of automatic initiation capability), the 24 hour allowance of Required Action B.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour after discovery of loss of RCIC initiation capability. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to inoperable, untripped Reactor Vessel Water Level - Low Low, Level 2 channels as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

C.1 A risk based analysis was performed and determined that an allowable out of service time of 24 hours (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required. This RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-131 REVISION 1 BASES ACTIONS C.1 (continued) Condition applies to the Reactor Vessel Water Level - High, Level 8 Function whose logic is arranged such that any inoperable channel will result ina loss of automatic RCIC initiation capability (loss of high water level trip capability). As stated above, this loss of automatic RCIC initiation capability was analyzed and determined to be acceptable. The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events. D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this situation (loss of automatic suction swap), the 24 hour allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour from discovery of loss of RCIC initiation capability. As noted, Required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to inoperable, untripped channels in the same Function as described in the paragraph above. The 1 hour Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel (shifting the suction source to the RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-132 REVISION 79 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued) suppression pool). Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If Required Action D.2.1 or D.2.2 is performed, measures should be taken to ensure that the RCIC System piping remains filled with water. If it is not desired to perform Required Actions D.2.1 and D.2.2 (e.g., as in the case where shifting the suction source could drain down the RCIC suction piping), Condition E must be entered and its Required Action taken. E.1 With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately. SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC System REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.2-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours for Function 2; and (b) for up to 6 hours for Functions 1, 3, and 4, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary. SR 3.3.5.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that RCIC System Instrumentation B 3.3.5.2 (continued) HATCH UNIT 2 B 3.3-133 REVISION 79 BASES SURVEILLANCE SR 3.3.5.2.1 (continued) REQUIREMENTS instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.2.2 and SR 3.3.5.2.3 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2.4 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology.

RCIC System Instrumentation B 3.3.5.2 HATCH UNIT 2 B 3.3-134 REVISION 79 BASES SURVEILLANCE SR 3.3.5.2.4 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. GENE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. Primary Containment Isolation Instrumentation B 3.3.6.1 (continue HATCH UNIT 2 B 3.3-135 REVISION 1 B 3.3 INSTRUMENTATION B 3.3.6.1 Primary Containment Isolation Instrumentation

BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a primary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a) reactor vessel water level, (b) area ambient and differential temperatures, (c) main steam line (MSL) flow measurement, (d) Standby Liquid Control (SLC) System initiation, (e) condenser vacuum, (f) main steam line pressure, (g) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line flow, (h) drywell radiation and pressure, (i) HPCI and RCIC steam line pressure, (j) HPCI and RCIC turbine exhaust diaphragm pressure, and (k) reactor steam dome pressure. Redundant sensor input signals from each parameter are provided for initiation of isolation. The only exception is SLC System initiation. Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.

1. Main Steam Line Isolation Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of all main steam isolation valves (MSIVs). The outputs from the same channels are arranged into two two-out-of-two logic trip systems to isolate all MSL drain valves and Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-136 REVISION 1 BASES BACKGROUND 1. Main Steam Line Isolation (continued) reactor water sample valves. The MSL drain line has two isolation valves with one two-out-of-two logic system associated with each valve. The reactor water sample line also has two isolation valves with similar logic.

The exceptions to this arrangement are the Main Steam Line Flow - High Function and Area Temperature Functions. The Main Steam Line Flow - High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic. This is effectively a one-out-of-eight taken twice logic arrangement to initiate isolation of the MSIVs. Similarly, the 16 flow channels are connected into two two-out-of-two logic trip systems (effectively, two one-out-of-four twice logic), with each trip system isolating one of the two MSL drain valves and one of the two reactor water sample valves. The Main Steam Tunnel Temperature - High Function receives input from 16 channels. The logic is arranged similar to the Main Steam Line Flow - High Function. The Turbine Building Area Temperature - High Function receives input from 64 channels. Four channels from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has 16 inputs (4 per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic. This is effectively a one-out-of-thirty-two taken twice logic trip system to isolate all MSIVs. Similarly, the inputs are arranged in two one-out-of-sixteen twice logic trip systems, with each trip system isolating one of the two MSL drain valves and one of the two reactor water sample valves. MSL Isolation Functions isolate the Group 1 valves.

2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged into two two-out-of-two logic trip systems. One trip system initiates isolation of all inboard primary containment isolation valves, while the other trip system initiates isolation of all outboard primary containment isolation valves. Each logic closes one of the two valves on each

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-139 REVISION 1 BASES APPLICABLE are retained for other reasons and are described below in the SAFETY ANALYSES, individual Functions discussion. LCO, and APPLICABILITY The OPERABILITY of the primary containment instrumentation is (continued) dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Each channel must also respond within its assumed response time, where appropriate. Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. Certain Emergency Core Cooling Systems (ECCS) and RCIC valves (e.g., minimum flow) also serve the dual function of automatic PCIVs. The signals that isolate these valves are also associated with the automatic initiation of the ECCS and RCIC. The instrumentation requirements and ACTIONS associated with these signals are addressed in LCO 3.3.5.1, "Emergency Core Cooling Systems (ECCS) Instrumentation," and LCO 3.3.5.2, "Reactor Core Isolation Cooling (RCIC) System Instrumentation," and are not included in this LCO. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-140 REVISION 74 BASES APPLICABLE In general, the individual Functions are required to be OPERABLE in SAFETY ANALYSES, MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, LCO, and "Primary Containment." Functions that have different Applicabilities APPLICABILITY are discussed below in the individual Functions discussion. (continued) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Main Steam Line Isolation 1.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result.

Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level - Low Low Low, Level 1 Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level - Low Low Low, Level 1 Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MSLs on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a DBA. Reactor vessel water level signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite doses from exceeding 10 CFR 50.67 limits. This Function isolates the Group 1 valves.

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-141 REVISION 85 BASES APPLICABLE 1.b. Main Steam Line Pressure - Low SAFETY ANALYSES, LCO, and Low MSL pressure with the reactor at power indicates that there may APPLICABILITY be a problem with the turbine pressure regulation, which could result (continued) in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure - Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 2). For this event, the closure of the MSIVs ensures that the RPV temperature change limit (100°F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below 685 psig, which results in a scram due to MSIV closure, thus reducing reactor power to < 24% RTP.) The MSL low pressure signals are initiated from four switches that are connected to the MSL header. The switches are arranged such that, even though physically separated from each other, each switch is able to detect low MSL pressure. Four channels of Main Steam Line Pressure - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value was selected to be high enough to prevent excessive RPV depressurization. The Main Steam Line Pressure - Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 2). This Function isolates the Group 1 valves.

1.c. Main Steam Line Flow - High Main Steam Line Flow - High is provided to detect a break of the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow - High Function is directly assumed in the analysis of the main steam line break (MSLB) (Ref. 2). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite doses do not exceed the 10 CFR 50.67 limits. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-142 REVISION 48 BASES APPLICABLE 1.c. Main Steam Line Flow - High (continued) SAFETY ANALYSES, LCO, and The MSL flow signals are initiated from 16 transmitters that are APPLICABILITY connected to the four MSLs. The transmitters are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow - High Function for each unisolated MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL. The Allowable Value is chosen to ensure that offsite dose limits are not exceeded due to the break. The Allowable Value corresponds to 173 psid, which is the parameter monitored on control room instruments. This Function isolates the Group 1 valves. 1.d. Condenser Vacuum - Low The Condenser Vacuum-Low Function is provided to prevent overpressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum - Low Function is assumed to be OPERABLE and capable of initiating closure of the MSIVs. The closure of the MSIVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident. Condenser vacuum pressure signals are derived from four pressure switches that sense the pressure in the condenser. Four channels of Condenser Vacuum - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis. As noted (footnote (a) to Table 3.3.6.1-1), the channels are not required to be OPERABLE in MODES 2 and 3 when all turbine stop valves (TSVs) are closed, since the potential for condenser overpressurization is minimized. Switches are provided to manually bypass the channels when all TSVs are closed. This Function isolates the Group 1 valves. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-143 REVISION 74 BASES APPLICABLE 1.e., 1.f. Area Temperature - High SAFETY ANALYSES, LCO, and Area temperature is provided to detect a leak in the RCPB and APPLICABILITY provides diversity to the high flow instrumentation. The isolation (continued) occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. However, credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks, such as MSLBs. Area temperature signals are initiated from RTDs (for the Main Steam Tunnel Temperature - High Function) or a thermocouple/temperature switch combination (for the Turbine Building Area Temperature - High Function) located in the area being monitored. While 16 channels of Main Steam Tunnel Temperature - High Function are available, only 12 channels (6 per trip system) are required to be OPERABLE. This will ensure that no single instrument failure can preclude the isolation function, assuming a line break on any line (the instruments assigned to monitor one line can still detect a leak on another line due to their close proximity to one another and the small confines of the area). While 64 channels of Turbine Building Area Temperature - High Function are available, only 32 channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. Each channel has one temperature element. The 32 channel requirement is further divided up, as noted in footnote (b), into 16 channels per trip system with 8 per trip string. Each trip string shall have 2 channels per main steam line, with no more than 40 feet separating any two OPERABLE channels. In addition, no unmonitored area should exceed 40 feet in length. The ambient temperature monitoring Allowable Value is chosen to detect a leak equivalent to between 1% and 10% rated steam flow. These Functions isolate the Group 1 valves.

2. Primary Containment Isolation 2.a. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Reactor Vessel Water Level - Low, Level 3 Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-144 REVISION 74 BASES APPLICABLE 2.a. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and Function associated with isolation is implicitly assumed in the FSAR APPLICABILITY analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1), since isolation of these valves is not critical to orderly plant shutdown. This Function isolates the Group 2, 6, 7, 10, 11, and 12 valves.

2.b. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite dose limits of 10 CFR 50.67 are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment. This Function isolates the Group 2, 7, 10, 11, and 12 valves.

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-145 REVISION 1 BASES APPLICABLE 2.c. Drywell Radiation - High SAFETY ANALYSES, LCO, and High drywell radiation indicates possible gross failure of the fuel APPLICABILITY cladding. Therefore, when Drywell Radiation - High is detected, an (continued) isolation is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the FSAR because other leakage paths (e.g., MSIVs) are more limiting. The drywell radiation signals are initiated from radiation detectors that are located in the drywell. Two channels of Drywell Radiation - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value is low enough to promptly detect gross failures in the fuel cladding. This Function isolates the Group 2, 18 inch containment vent and purge valves. 2.d., 2.e. Reactor Building and Refueling Floor Exhaust Radiation - High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB. When Exhaust Radiation - High is detected, valves whose penetrations communicate with the primary containment atmosphere are isolated to limit the release of fission products. The Exhaust Radiation - High signals are initiated from radiation detectors that are located near the ventilation exhaust ductwork coming from the reactor building and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Exhaust - High Function and four channels of Refueling Floor Exhaust - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to ensure radioactive releases do not exceed offsite dose limits.

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-146 REVISION 5 BASES APPLICABLE 2.d., 2.e. Reactor Building and Refueling Floor Exhaust SAFETY ANALYSES, Radiation - High (continued) LCO, and APPLICABILITY These Functions isolate the Group 2 (18 inch containment purge and vent), 7, 10, 11, and 12 valves. 3., 4. High Pressure Coolant Injection and Reactor Core Isolation Cooling Systems Isolation 3.a., 4.a. HPCI and RCIC Steam Line Flow - High Steam Line Flow - High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding. The HPCI and RCIC Steam Line Flow - High signals are initiated from transmitters (two for HPCI and two for RCIC) that are connected to the system steam lines. Two channels of both HPCI and RCIC Steam Line Flow - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event. The Allowable Values correspond to 212 inches water column for HPCI and 153 inches water column for RCIC, which are the parameters monitored on control room instruments. These Functions isolate the Group 3 (and 2E41-F041) and 4 valves, as appropriate.

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-147 REVISION 1 BASES APPLICABLE 3.b., 4.b. HPCI and RCIC Steam Supply Line Pressure - Low SAFETY ANALYSES, LCO, and Low MSL pressure indicates that the pressure of the steam in the APPLICABILITY HPCI or RCIC turbine may be too low to continue operation of the (continued) associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. However, they also provide a diverse signal to indicate a possible system break. These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations. Therefore, they meet Criterion 4 of the NRC Policy Statement (Ref. 7). The HPCI and RCIC Steam Supply Line Pressure - Low signals are initiated from transmitters (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure - Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are selected to be high enough to prevent damage to the system's turbine. These Functions isolate the Group 3 (and 2E41-F041) and 4 valves, as appropriate. These Functions serve as permissives for the Drywell Pressure - High isolation of the Group 8 and 9 valves, as appropriate.

3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High High turbine exhaust diaphragm pressure indicates that the pressure may be too high to continue operation of the associated system's turbine. That is, one of two exhaust diaphragms has ruptured and pressure is reaching turbine casing pressure limits. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. These instruments are included in the TS because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations. Therefore, they meet Criterion 4 of the NRC Policy Statement (Ref. 7). The HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High signals are initiated from transmitters (four for HPCI and four for RCIC) that are connected to the area between the rupture diaphragms on each system's turbine exhaust line. Four channels of both HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High Functions are Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-148 REVISION 1 BASES APPLICABLE 3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphragm SAFETY ANALYSES, Pressure - High (continued) LCO, and APPLICABILITY available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are low enough to prevent damage to the system's turbine. These Functions isolate the Group 3 (and 2E41-F041) and 4 valves, as appropriate. 3.d., 4.d. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB. The HPCI and RCIC isolation of the turbine exhaust vacuum breakers is provided to prevent communication with the drywell when high drywell pressure exists. A potential leakage path exists via the turbine exhaust. The isolation is delayed until the system becomes unavailable for injection (i.e., low steam line pressure). The isolation of the HPCI and RCIC turbine exhaust by Drywell Pressure - High is indirectly assumed in the FSAR accident analysis because the turbine exhaust leakage path is not assumed to contribute to offsite doses. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Two channels of both HPCI and RCIC Drywell Pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this is indicative of a LOCA inside primary containment. This Function isolates the Group 8 and 9 valves.

3.e., 3.f., 3.h., 3.i., 4.e., 4.g., 4.h. Area and Differential Temperature - High Area and differential temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a very small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-149 REVISION 1 BASES APPLICABLE 3.e., 3.f., 3.h., 3.i., 4.e., 4.g., 4.h. Area and Differential SAFETY ANALYSES, Temperature - High (continued) LCO, and APPLICABILITY assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks. Area and Differential Temperature - High signals are initiated from RTDs that are appropriately located to protect the system that is being monitored. Two instruments monitor each area. Two channels for each HPCI and RCIC Area and Differential Temperature - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Suppression Pool Area Ambient Temperature and Differential Temperature - High Functions are delayed by the Suppression Pool Area Temperature - Time Delay Relays. The Allowable Values are set low enough to detect a leak equivalent to 25 gpm. These Functions isolate the Group 3 (and 2E41-F041) and 4 valves, as appropriate. 3.g., 4.f. Suppression Pool Area Temperature - Time Delay Relay The Suppression Pool Area Temperature - Time Delay Relays are provided to allow all the other systems that may be leaking into the pool area (as indicated by the high temperature) to be isolated before HPCI and/or RCIC are automatically isolated. This ensures maximum HPCI and RCIC System operation by preventing isolations due to leaks in other systems. These Functions are not assumed in any FSAR transient or accident analysis. There are four time delay relays (two for HPCI and two for RCIC). The time delay relays delay the Suppression Pool Area Ambient Temperature and Differential Temperature - High Functions. Two channels each for both HPCI and RCIC Suppression Pool Area Temperature - Time Delay Relay Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are based on maximizing the availability of the HPCI and RCIC systems. That is, they provide sufficient time to isolate all other potential leakage sources in the suppression pool area before HPCI and RCIC are isolated. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-150 REVISION 1 BASES APPLICABLE 3.g., 4.f. Suppression Pool Area Temperature - Time Delay Relay SAFETY ANALYSES, (continued) LCO, and APPLICABILITY These Functions isolate the Group 3 (and 1E41-F041) and 4 valves, as appropriate.

5. Reactor Water Cleanup System Isolation 5.a., 5.b. Area and Area Ventilation Differential Temperature - High RWCU area and area ventilation differential temperatures are provided to detect a leak from the RWCU System. The isolation occurs even when very small leaks have occurred. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area and area ventilation differential temperature signals are initiated from temperature elements that are located in the area that is being monitored. Six RTDs provide input to the Area Temperature - High Function (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. Twelve RTDs provide input to the Area Ventilation Differential Temperature - High Function. The output of these RTDs is used to determine the differential temperature. Each channel consists of a differential temperature instrument that receives inputs from RTDs that are located in the inlet and outlet of the area cooling system and for a total of six available channels (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Area and Area Ventilation Differential Temperature - High Allowable Values are set low enough to detect a leak equivalent to 25 gpm. These Functions isolate the Group 5 valves. 5.c. SLC System Initiation The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-151 REVISION 1 BASES APPLICABLE 5.c. SLC System Initiation (continued) SAFETY ANALYSES, LCO, and solution by the RWCU System (Ref. 3). SLC System initiation signal APPLICABILITY is initiated from the SLC pump start signal. There is no Allowable Value associated with this Function since the channel is mechanically actuated based solely on the position of the SLC System initiation switch. One channel of the SLC System Initiation Function is available and is required to be OPERABLE only in MODES 1 and 2, since these are the only MODES where the reactor can be critical, and these MODES are consistent with the Applicability for the SLC System (LCO 3.1.7). As noted (footnote (c) to Table 3.3.6.1-1), this Function is only required to close one of the Group 5 RWCU isolation valves since the signal only provides input into one of the two trip systems.

5.d. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 2 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with RWCU isolation is not directly assumed in the FSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting). Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-152 REVISION 1 BASES APPLICABLE 5.d. Reactor Vessel Water Level - Low Low, Level 2 (continued) SAFETY ANALYSES, LCO, and The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value APPLICABILITY was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened. This Function isolates the Group 5 valves. 6. RHR Shutdown Cooling System Isolation 6.a. Reactor Steam Dome Pressure - High The Reactor Steam Dome Pressure - High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System. This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the FSAR. The Reactor Steam Dome Pressure - High signals are initiated from two transmitters that are connected to different taps on the RPV. Two channels of Reactor Steam Dome Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from overpressurization. This Function isolates the Group 6 valves (and 2E11-F009).

6.b. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level - Low, Level 3 Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-153 REVISION 28 BASES APPLICABLE 6.b. Reactor Vessel Water Level - Low, Level 3 (continued) SAFETY ANALYSES, LCO, and System is bounded by breaks of the recirculation and MSL. The APPLICABILITY RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System. The top of active fuel is defined in "Applicable Safety Analyses" for Safety Limit 2.1.1.3, "Reactor Vessel Water Level," found in the Bases for Safety Limit 2.1.1, "Reactor Core SLs." Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of the Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. As noted (footnote (d) to Table 3.3.6.1-1), only two channels of the Reactor Vessel Water Level - Low, Level 3 Function are required to be OPERABLE in MODES 4 and 5 (and must input into the same trip system), provided the RHR Shutdown Cooling System integrity is maintained. System integrity is maintained provided the piping is intact and no maintenance is being performed that has the potential for draining the reactor vessel through the system. The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened. The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE in MODES 3, 4, and 5 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel. In MODES 1 and 2, another isolation (i.e., Reactor Steam Dome Pressure - High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path. This Function isolates the Group 6 valves (and 2E11-F009).

ACTIONS A Note has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-154 REVISION 1 BASES ACTIONS subsequent divisions, subsystems, components, or variables (continued) expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Functions 2.a, 2.b, and 6.b and 24 hours for Functions other than Functions 2.a, 2.b, and 6.b has been shown to be acceptable (Refs. 4 and 5) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken. B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic isolation capability being lost for the associated penetration flow path(s). The MSL Isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that both trip systems will generate a trip signal from the given Function on a valid signal. The other isolation functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-155 REVISION 1 BASES ACTIONS B.1 (continued) on a valid signal. This ensures that one of the two PCIVs in the associated penetration flow path can receive an isolation signal from the given Function. As noted, this Condition is not applicable for Function 5.c (SLC System Initiation), since the loss of the single channel results in a loss of the Function (one-out-of-one logic). This loss was considered during the development of Reference 5 and considered acceptable for the 24 hours allowed by Required Action A.1. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition. D.1, D.2.1, and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated MSLs may be isolated (Required Action D.1), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel. This Required Action will generally only be used if a Function 1.c channel is inoperable and untripped. The associated MSL(s) to be isolated are those whose Main Steam Line Flow - High Function channel(s) are inoperable. Alternately, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-156 REVISION 1 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued) 36 hours (Required Actions D.2.1 and D.2.2). The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours. The allowed Completion Time of 6 hours is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems. F.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels. For the RWCU Area and Area Ventilation Differential Temperature -High Functions, the affected penetration flow path(s) may be considered isolated by isolating only that portion of the system in the associated room monitored by the inoperable channel. That is, if the RWCU pump room A area channel is inoperable, the pump room A area can be isolated while allowing continued RWCU operation utilizing the B RWCU pump. Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition G must be entered and its Required Actions taken. The 1 hour Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the affected penetration flow path(s). Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-157 REVISION 1 BASES ACTIONS G.1 and G.2 (continued) If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or any Required Action of Condition F is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the SLC System is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the SLC System inoperable or isolating the RWCU System. The 1 hour Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System. I.1 and I.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status or to isolate the RHR Shutdown Cooling System (i.e., provide alternate decay heat removal capabilities so the penetration flow path can be isolated). Actions must continue until the channel is restored to OPERABLE status or the RHR Shutdown Cooling System is isolated.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Primary REQUIREMENTS Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1. Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-158 REVISION 79 BASES SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of (continued) required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 4 and 5) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary. SR 3.3.6.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO. SR 3.3.6.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended

Primary Containment Isolation Instrumentation B 3.3.6.1 (continued) HATCH UNIT 2 B 3.3-159 REVISION 79 BASES SURVEILLANCE SR 3.3.6.1.2 (continued) REQUIREMENTS function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.1.3, SR 3.3.6.1.4, and SR 3.3.6.1.5 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.1.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.1.7 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The instrument response times must be added to the PCIV closure times to obtain the ISOLATION SYSTEM RESPONSE TIME.ISOLATION SYSTEM RESPONSE TIME acceptance criteria are included in Reference 6. This test may be performed in one measurement, or in overlapping segments, with verification that all components are tested.

Primary Containment Isolation Instrumentation B 3.3.6.1 HATCH UNIT 2 B 3.3-160 REVISION 79 BASES SURVEILLANCE SR 3.3.6.1.7 (continued) REQUIREMENTS A Note to the Surveillance states that channel sensors are excluded from ISOLATION SYSTEM RESPONSE TIME testing. The exclusion of the channel sensors is supported by Reference 8 which indicates that the sensors' response times are a small fraction of the total response time. Even if the sensors experienced response time degradation, they would be expected to respond in the microsecond to millisecond range until complete failure. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15.

3. FSAR, Paragraph 4.2.3.4.2. 4. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990. 5. NEDC-30851P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

6. Technical Requirements Manual, Table T5.0-1.

7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

8. NEDO-32291, "System Analyses for Elimination of Selected Response Time Testing Requirements," January 1994.

Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-161 REVISION 79 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation

BASES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Refs. 1 and 2). Secondary containment isolation and establishment of vacuum with the SGT System within the assumed time limits ensures that fission products that leak from primary containment following a DBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits. The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation. Most channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logic are (1) reactor vessel water level, (2) drywell pressure, (3) reactor building exhaust high radiation, and (4) refueling floor exhaust high radiation. Redundant sensor input signals from each parameter are provided for initiation of isolation. The outputs of the logic channels in a trip system are arranged into two two-out-of-two trip system logics. Any trip system initiates all SGT subsystems and isolates the automatic isolation valves (dampers) in each secondary containment penetration. Each logic closes at least one of the two valves in each secondary containment penetration and starts the required SGT subsystems, so that operation of either logic isolates the secondary containment and provides for the necessary filtration of fission products. APPLICABLE The isolation signals generated by the secondary containment SAFETY ANALYSES, isolation instrumentation are implicitly assumed in the safety analyses LCO, and of References 1 and 2 to initiate closure of valves and start the SGT APPLICABILITY System to limit offsite doses.

Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-162 REVISION 79 BASES APPLICABLE Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves SAFETY ANALYSES, (SCIVs), " and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," LCO, and Applicable Safety Analyses Bases for more detail of the safety APPLICABILITY analyses. (continued) The secondary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion. The OPERABILITY of the secondary containment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each channel must also respond within its assumed response time, where appropriate. Allowable Values are specified for each Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-163 REVISION 79 BASES APPLICABLE In general, the individual Functions are required to be OPERABLE in SAFETY ANALYSES the MODES or other specified conditions when SCIVs and the SGT LCO, and System are required. APPLICABILITY (continued) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level - Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level - Low Low, Level 2 Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation systems on Reactor Vessel Water Level - Low Low, Level 2 support actions to ensure that any offsite releases are within the limits calculated in the safety analysis (Refs. 3 and 4). Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the High Pressure Coolant Injection/Reactor Core Isolation Cooling (HPCI/RCIC) Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1 and LCO 3.3.5.2), since this could indicate that the capability to cool the fuel is being threatened. The Reactor Vessel Water Level - Low Low, Level 2 Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the Reactor Coolant System (RCS); thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required. In addition, the Function is also required to be OPERABLE during operations with a potential for draining the reactor vessel Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-164 REVISION 79 BASES APPLICABLE 1. Reactor Vessel Water Level - Low Low, Level 2 (continued) SAFETY ANALYSES, LCO, and (OPDRVs) because the capability of isolating potential sources of APPLICABILITY leakage must be provided to ensure that offsite dose limits are not exceeded if core damage occurs.

2. Drywell Pressure - High High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. However, the Drywell Pressure - High Function associated with isolation is not assumed in any FSAR accident or transient analyses.

It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis. High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Four channels of Drywell Pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function. The Allowable Value was chosen to be the same as the ECCS Drywell Pressure - High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA). The Drywell Pressure - High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.

3., 4. Reactor Building and Refueling Floor Exhaust Radiation - High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding. The release may have originated from the primary containment due to a break in the RCPB or the refueling floor due to a fuel handling accident. When Exhaust Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-165 REVISION 79 BASES APPLICABLE 3., 4. Reactor Building and Refueling Floor Exhaust SAFETY ANALYSES, Radiation - High (continued) LCO, and APPLICABILITY Radiation - High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the FSAR safety analyses (Ref. 4). The Exhaust Radiation - High signals are initiated from radiation detectors that are located near the ventilation exhaust ductwork coming from the reactor building and the refueling floor zones, respectively. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Four channels of Reactor Building Exhaust Radiation - High Function and four channels of Refueling Floor Exhaust Radiation - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Allowable Values are chosen to ensure radioactive releases do not exceed offsite dose limits. The Reactor Building and Refueling Floor Exhaust Radiation - High Functions are required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, these Functions are not required. The Reactor Building Exhaust Radiation - High Function is also required to be OPERABLE during OPDRVs (in MODE 4 and MODE 5) because the capability of detecting radiation releases due to fuel failures (due to fuel uncovery) must be provided to ensure that offsite dose limits are not exceeded. The Refueling Floor Exhaust Radiation - High Function is also required to be OPERABLE during CORE ALTERATIONS, MODE 5 OPDRVs, and movement of irradiated fuel assemblies in the secondary containment because the capability of detecting radiation releases due to fuel failures (e.g., due to a dropped fuel assembly) must be provided to ensure that offsite dose limits are not exceeded. ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-166 REVISION 79 BASES ACTIONS Section 1.3 also specifies that Required Actions of the Condition (continued) continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel. A.1 Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours for Function 2, and 24 hours for Functions other than Function 2, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an undesired isolation), Condition C must be entered and its Required Actions taken.

B.1 Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic isolation capability for the associated secondary containment penetration flow path(s) or a complete loss of automatic initiation capability for the Unit 1 and Unit 2 SGT Systems. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two SCIVs in each penetration flow path, and the required Unit 1 and Unit 2 SGT subsystems can be initiated on an isolation signal from the given Function.

Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-167 REVISION 79 BASES ACTIONS B.1 (continued) The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

C.1.1, C.1.2, C.2.1, and C.2.2 If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the required Unit 1 and Unit 2 SGT Systems cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function. Isolating the associated flow paths (closing the ventilation supply and exhaust automatic isolation dampers) and starting the associated SGT subsystem(s) (Required Actions C.1.1 and C.2.1) performs the intended function of the instrumentation and allows operation to continue. Alternately, declaring the associated SCIVs or SGT subsystem(s) inoperable (Required Actions C.1.2 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components. Since each trip system affects multiple SGT subsystems, Required Actions C.2.1 and C.2.2 can be performed independently on each SGT subsystem. That is, one SGT subsystem can be started (Required Action C.2.1) while another SGT subsystem can be declared inoperable (Required Action C.2.2). One hour is sufficient for personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems. SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Secondary REQUIREMENTS Containment Isolation instrumentation Function are located in the SRs column of Table 3.3.6.2-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains isolation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-168 REVISION 79 BASES SURVEILLANCE be returned to OPERABLE status or the applicable Condition entered REQUIREMENTS and Required Actions taken. This Note is based on the reliability (continued) analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated the 6 hour testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary. SR 3.3.6.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO. SR 3.3.6.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Secondary Containment Isolation Instrumentation B 3.3.6.2 (continued) HATCH UNIT 2 B 3.3-169 REVISION 79 BASES SURVEILLANCE SR 3.3.6.2.3 and SR 3.3.6.2.4 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Section 15.

3. FSAR, Section 15.1.40. 4. FSAR, Sections 15.1.39 and 15.1.41.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

Secondary Containment Isolation Instrumentation B 3.3.6.2 HATCH UNIT 2 B 3.3-170 REVISION 79 BASES REFERENCES 6. NEDC-30851P-A Supplement 2, "Technical Specifications (continued) Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989. 7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 2 B 3.3-171 REVISION 79 B 3.3 INSTRUMENTATION

B 3.3.6.3 Low-Low Set (LLS) Instrumentation

BASES BACKGROUND The LLS logic and instrumentation is designed to mitigate the effects of postulated thrust loads on the safety/relief valve (S/RV) discharge lines by preventing subsequent actuations with an elevated water leg in the S/RV discharge line. It also mitigates the effects of postulated pressure loads on the torus shell or suppression pool by preventing multiple actuations in rapid succession of the S/RVs subsequent to their initial actuation. Upon initiation, the LLS logic will assign preset opening and closing setpoints to four preselected S/RVs. These setpoints are selected such that the LLS S/RVs will stay open longer; thus, releasing more steam (energy) to the suppression pool, and hence more energy (and time) will be required for repressurization and subsequent S/RV openings. The LLS logic increases the time between (or prevents) subsequent actuations to allow the high water leg created from the initial S/RV opening to return to (or fall below) its normal water level; thus, reducing thrust loads from subsequent actuations to within their design limits. In addition, the LLS is designed to limit S/RV subsequent actuations to one valve, so torus loads will also be reduced. The LLS instrumentation logic is arranged in two divisions with Logic channels A and C in one division and Logic channels B and D in the other division (Ref. 1). Each LLS logic channel (e.g., Logic A channel) controls one LLS valve. The LLS logic channels will not actuate their associated LLS valves at their LLS setpoints until the arming portion of the associated LLS logic is satisfied. Arming occurs when any one of the 11 S/RVs opens, as indicated by a signal from one of the redundant pressure switches located on its tailpipe, coincident with a high reactor pressure signal. Each division receives tailpipe arming signals from dedicated tailpipe pressure switches on each of the 11 S/RVs, 6 in one LLS logic (e.g., Logic C) and 5 in the other LLS logic (e.g., Logic A). Each LLS logic (e.g., Logic A) receives the reactor pressure arming signal from a different reactor pressure transmitter and trip unit. These arming signals seal in until reset. The arming signal from one logic is sent to the other logic within the same division and performs the same function as the tailpipe arming signal (i.e., Logic A will arm if it has received a high reactor pressure signal and Logic C has armed).

LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 2 B 3.3-172 REVISION 79 BASES BACKGROUND After arming, opening of each LLS valve is by a two-out-of-two logic (continued) from two reactor pressure transmitters and two trip units set to trip at the required LLS opening setpoint. The LLS valve recloses when reactor pressure has decreased to the reclose setpoint of one of the two trip units used to open the valve one (one-out-of-two logic). This logic arrangement prevents single instrument failures from precluding the LLS S/RV function. The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a LLS initiation signal to the initiation logic. APPLICABLE The LLS instrumentation and logic function ensures that the SAFETY ANALYSES containment loads remain within the primary containment design basis (Ref. 2). The LLS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The LCO requires OPERABILITY of sufficient LLS instrumentation channels to ensure successfully accomplishing the LLS function assuming any single instrumentation channel failure within the LLS logic. Therefore, the OPERABILITY of the LLS instrumentation is dependent on the OPERABILITY of the instrumentation channel Function specified in Table 3.3.6.3-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Value. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable setpoint methodology assumptions (nominal trip setpoint). Allowable Values are specified for each LLS actuation Function in Table 3.3.6.3-1. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 2 B 3.3-173 REVISION 79 BASES LCO setpoint, the associated device (e.g., trip unit) changes state. The (continued) analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The Tailpipe Pressure Switch Allowable Value is based on ensuring that a proper arming signal is sent to the LLS logic. That is, the pressure switch is initiated only when an S/RV has opened. The Reactor Steam Dome Pressure - High was chosen to be the same as the Reactor Protection System (RPS) Reactor Steam Dome Pressure Allowable Value (LCO 3.3.1.1) because it would be expected that LLS would be needed for pressurization events. Providing LLS after a scram has been initiated would prevent false initiations of LLS at 100% power. The LLS valve open and close Allowable Values are based on the safety analysis performed in Reference 2.

APPLICABILITY The LLS instrumentation is required to be OPERABLE in MODES 1, 2, and 3 since considerable energy is in the nuclear system and the S/RVs may be needed to provide pressure relief. If the S/RVs are needed, then the LLS function is required to ensure that the primary containment design basis is maintained. In MODES 4 and 5, the reactor pressure is low enough that the overpressure limit cannot be approached by assumed operational transients or accidents. Thus, LLS instrumentation and associated pressure relief is not required. ACTIONS A.1 The failure of any reactor steam dome pressure instrument channel to provide the arming, S/RV opening pressure, and S/RV closing pressure signals for an individual LLS valve does not affect the ability of the other LLS S/RVs to perform their LLS function. Therefore, 24 hours is provided to restore the inoperable channel(s) to LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 2 B 3.3-174 REVISION 79 BASES ACTIONS A.1 (continued) OPERABLE status (i.e., restore the LLS valve's initiation capability). If the inoperable channel(s) cannot be restored to OPERABLE status within the allowable out of service time, Condition D must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action could result in an instrumented LLS valve actuation. The 24 hour Completion Time is considered appropriate because of the redundancy in the design (4 LLS valves are provided and any 1 LLS valve can perform the LLS function) and the very low probability of multiple LLS instrumentation channel failures, which render the remaining LLS S/RVs inoperable, occurring together with an event requiring the LLS function during the 24 hour Completion Time. The 24 hour Completion Time is also based on the reliability analysis of Reference 3. B.1 Although the LLS circuitry is designed so that operation of a single tailpipe pressure switch will result in arming both LLS logics in its associated division, each tailpipe pressure switch provides a direct input to only one LLS logic (e.g., Logic A). Since each LLS logic normally receives at least five S/RV pressure switch inputs (and also receives the other S/RV signals from the other logic in the same division by an arming signal), the LLS logic and instrumentation remains capable of performing its safety function if any S/RV tailpipe pressure switch instrument channel becomes inoperable. Therefore, it is acceptable for plant operation to continue with only one tailpipe pressure switch OPERABLE on each S/RV. However, this is only acceptable provided each LLS valve is maintaining initiation capability. (Refer to Required Actions A.1 and D.1 Bases.) Required Action B.1 requires restoration of the tailpipe pressure switches to OPERABLE status prior to entering MODE 2 or 3 from MODE 4 to ensure that all switches are OPERABLE at the beginning of a reactor startup (this is because the switches are not accessible during plant operation). The Required Actions do not allow placing the channel in trip since this action could result in a LLS valve actuation. LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 2 B 3.3-175 REVISION 79 BASES ACTIONS C.1 (continued) A failure of two pressure switch channels associated with one S/RV tailpipe could result in the loss of the LLS function (i.e., multiple actuations of the S/RV would go undetected by the LLS logic). However, there is a total of 11 S/RVs. Therefore, it would be very unlikely that a single S/RV would be required to arm all the LLS logic. Therefore, it is acceptable to allow 14 days to restore one pressure switch of the associated S/RV to OPERABLE status (Required Action C.1). However, this allowable out of service time is only acceptable provided each LLS is maintaining initiation capability (Refer to Required Action A.1 and D.1 Bases). If one inoperable tailpipe pressure switch cannot be restored to OPERABLE status within the allowable out of service time, Condition D must be entered and its Required Action taken. The Required Actions do not allow placing the channels in trip since this action could result in a LLS valve actuation. A Note has been provided in the Condition to modify the Required Actions and Completion Times conventions related to LLS Function 3 channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LLS Function 3 channels provide appropriate compensatory measures for separate inoperable Condition entry for each S/RV with inoperable tailpipe pressure switches.

D.1 If any Required Action and associated Completion Time of Conditions A, B, or C are not met, or two or more LLS valves with initiation capability not maintained, the LLS valves may be incapable of performing their intended function. Therefore, the associated LLS valve(s) must be declared inoperable immediately.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each LLS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.6.3-1. LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 2 B 3.3-176 REVISION 79 BASES SURVEILLANCE The Surveillances are also modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of (continued) required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains LLS initiation capability. LLS initiation capability is maintained provided three LLS valves are maintaining initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the LLS valves will initiate when necessary. SR 3.3.6.3.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on another channel. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with channels required by the LCO. SR 3.3.6.3.2, SR 3.3.6.3.3, and SR 3.3.6.3.4 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended LLS Instrumentation B 3.3.6.3 (continued) HATCH UNIT 2 B 3.3-177 REVISION 79 BASES SURVEILLANCE SR 3.3.6.3.2, SR 3.3.6.3.3, and SR 3.3.6.3.4 (continued) REQUIREMENTS function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A portion of the S/RV tailpipe pressure switch instrument channels are located inside the primary containment. The Note for SR 3.3.6.3.3, "Only required to be performed prior to entering MODE 2 during each scheduled outage > 72 hours when entry is made into primary containment," is based on the location of these instruments, ALARA considerations, and compatibility with the Completion Time of the associated Required Action (Required Action B.1). For this Note, a scheduled outage is a refueling outage or an outage for which at least a 72 hour period exists between discovery of an off-normal condition and a corresponding change in power level. Outage duration is measured from the time the generator is removed from the grid to the time the generator is tied to the grid, i.e., "breaker-to-breaker." SR 3.3.6.3.5 CHANNEL CALIBRATION is a complete check of the instrument loop and sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.6.3.6 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specified channel. The system functional testing performed in LCO 3.4.3, "Safety/Relief Valves(S/RVs) and LCO 3.6.1.8, "Low-Low Set (LLS) Safety/Relief Valves (S/RVs)," for S/RVs overlaps this test to provide complete testing of the assumed safety function. LLS Instrumentation B 3.3.6.3 HATCH UNIT 2 B 3.3-178 REVISION 79 BASES SURVEILLANCE SR 3.3.6.3.6 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.4.4.

2. FSAR, Section 5.5.17. 3. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 2 B 3.3-179 REVISION 79 B 3.3 INSTRUMENTATION

B 3.3.7.1 Main Control Room Environmental Control (MCREC) System Instrumentation

BASES BACKGROUND The MCREC System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent MCREC subsystems are each capable of fulfilling the stated safety function. The instrumentation and controls for the MCREC System automatically initiate action to pressurize the main control room (MCR) to minimize the consequences of radioactive material in the control room environment. In the event of a Control Room Air Inlet Radiation - High signal, the MCREC System is automatically started in the pressurization mode. The air is then recirculated through the charcoal filter, and sufficient outside air is drawn in through the normal intake to maintain the MCR slightly pressurized with respect to the turbine building. The MCREC System instrumentation has two trip systems, either of which can initiate both MCREC subsystems (Ref. 1). Each of the two trip systems for the Control Room Air Inlet Radiation - High is arranged in a one-out-of-one logic. The channels include electronic equipment (e.g., trip relays) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a MCREC System initiation signal to the initiation logic. APPLICABLE The ability of the MCREC System to maintain the habitability of the SAFETY ANALYSES, MCR is explicitly assumed for certain accidents as discussed in the LCO, and FSAR safety analyses (Refs. 2, 3, 4, and 5). MCREC System APPLICABILITY operation ensures that the radiation exposure of control room personnel, through the duration of any one of the postulated accidents, does not exceed the limits set by GDC 19 of 10 CFR 50, Appendix A. MCREC System instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). The OPERABILITY of the MCREC System instrumentation is dependent upon the OPERABILITY of the Control Room Air Inlet Radiation - High instrumentation channel Function. The Function must have a required number of OPERABLE channels, with their MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 2 B 3.3-180 REVISION 79 BASES APPLICABLE setpoints within the specified Allowable Value of SR 3.3.7.1.3. A SAFETY ANALYSES, channel is inoperable if its actual trip setpoint is not within its required LCO, and Allowable Value. The setpoint is calibrated consistent with applicable APPLICABILITY setpoint methodology assumptions (nominal trip setpoint). (continued) Allowable Values are specified for the MCREC System Control Room Air Inlet Radiation - High Function. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip relay) changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environmental effects (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for. The control room air inlet radiation monitors measure radiation levels exterior to the inlet ducting of the MCR. A high radiation level may pose a threat to MCR personnel; thus, automatically initiating the MCREC System. The Control Room Air Inlet Radiation - High Function consists of two independent monitors. Two channels of Control Room Air Inlet Radiation - High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude MCREC System initiation. The Allowable Value was selected to ensure protection of the control room personnel. The Control Room Air Inlet Radiation - High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS, OPDRVs, and movement of irradiated fuel assemblies in the secondary containment, to ensure that control room personnel are protected during a LOCA, fuel handling event, or MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 2 B 3.3-181 REVISION 79 BASES APPLICABLE vessel draindown event. During MODES 4 and 5, when these SAFETY ANALYSES, specified conditions are not in progress (e.g., CORE ALTERATIONS) , LCO, and the probability of a LOCA or fuel damage is low; thus, the Function APPLICABILITY is not required. (continued) ACTIONS A Note has been provided to modify the ACTIONS related to MCREC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable MCREC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable MCREC System instrumentation channel.

A.1 and A.2 Because of the diversity of sensors available to provide initiation signals and the redundancy of the MCREC System design, an allowable out of service time of 6 hours is provided to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the Control Room Air Inlet Radiation - High Function is still maintaining MCREC System initiation capability. The Function is considered to be maintaining MCREC System initiation capability when sufficient channels are OPERABLE or in trip such that one trip system will generate an initiation signal from the given Function on a valid signal. In this situation (loss of MCREC System initiation capability), the 6 hour allowance of Required Action A.2 is not appropriate. If the Function is not maintaining MCREC System initiation capability, the MCREC System must be declared inoperable within 1 hour of discovery of the loss of MCREC System initiation capability as described above. The 1 hour Completion Time (A.1) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels. MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 2 B 3.3-182 REVISION 79 BASES ACTIONS A.1 and A.2 (continued) If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.2. Placing the inoperable channel in trip performs the intended function of the channel (starts both MCREC subsystems in the pressurization mode). Alternately, if it is not desired to place the channel in trip (e.g., as in the case where it is not desired to start the subsystem), Condition B must be entered and its Required Action taken. The 6 hour Completion Time is based on the consideration that this Function provides the primary signal to start the MCREC System; thus, ensuring that the design basis of the MCREC System is met.

B.1 and B.2 With any Required Action and associated Completion Time not met, the associated MCREC subsystem(s) must be placed in the pressurization mode of operation per Required Action B.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident. The method used to place the MCREC subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the MCREC subsystem(s). Alternately, if it is not desired to start the subsystem(s), the MCREC subsystem(s) associated with inoperable, untripped channels must be declared inoperable within 1 hour. Since each trip system can affect both MCREC subsystems, Required Actions B.1 and B.2 can be performed independently on each MCREC subsystem. That is, one MCREC subsystem can be placed in the pressurization Mode (Required Action B.1) while the other MCREC subsystem can be declared inoperable (Required Action B.2). The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoring or tripping of channels. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS Control Room Air Inlet Radiation - High channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other channel is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour MCREC System Instrumentation B 3.3.7.1 (continued) HATCH UNIT 2 B 3.3-183 REVISION 79 BASES SURVEILLANCE allowance, the channel must be returned to OPERABLE status or the REQUIREMENTS applicable Condition entered and Required Actions taken. This Note (continued) is based on the reliability analysis (Ref. 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour testing allowance does not significantly reduce the probability that the MCREC System will initiate when necessary. SR 3.3.7.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION. Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channel status during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.7.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. MCREC System Instrumentation B 3.3.7.1 HATCH UNIT 2 B 3.3-184 REVISION 79 BASES SURVEILLANCE SR 3.3.7.1.3 REQUIREMENTS (continued) A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.7.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.4, "Main Control Room Environmental Control (MCREC) System," overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 7.3.5 2. FSAR, Chapter 6. 3. FSAR, Section 6.4.1.2.2. 4. FSAR, Chapter 15. 5. FSAR, Table 15.1-28. 6. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991. 7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 2 B 3.3-185 REVISION 79 B 3.3 INSTRUMENTATION

B 3.3.8.1 Loss of Power (LOP) Instrumentation

BASES BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power sources for energizing the various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation monitors the 4.16 kV emergency buses. Offsite power is the preferred source of power for the 4.16 kV emergency buses. If the monitors determine that insufficient power is available, the buses are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources. Each 4.16 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for each bus is monitored at two levels: 4.16 kV Emergency Bus Undervoltage Loss of Voltage and Degraded Voltage, however, only the Loss of Voltage Function is part of this LCO. The Loss of Voltage Function causes various bus transfers and disconnects and is monitored by two undervoltage relays for each emergency bus, whose outputs are arranged in a two-out-of-two logic configuration for all affected components except the DGs. The DG start logic configuration is one-out-of-two (Ref. 1). The channels include electronic equipment (e.g., trip units) that compares measured input signals with pre-established setpoints. When the setpoint is exceeded, the channel output relay actuates, which then outputs a LOP trip signal to the trip logic. Each 4.16 kV emergency bus has its own independent LOP alarm instrumentation to provide an anticipatory alarm and the initiation of corrective measures to restore emergency bus voltages. The alarms are set higher than the LOP trip relays. The alarm setpoints are approximately midway between the calculated minimum expected voltage and the calculated minimum required voltage, based on the maximum expected operating (i.e., non-LOCA) load conditions. The alarm setpoints signify that adequate voltage is available for normal operations. The LOP anticipatory alarms provide a total time delay of 65 seconds to reduce the possibility of nuisance alarms, while permitting prompt detection of potential low voltage conditions. Each 4.16 kV emergency bus has a dedicated low voltage annunciator fed by two relays and their associated time delays. The logic for the annunciation function is arranged in a one-out-of-two configuration. LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 2 B 3.3-186 REVISION 79 BASES (continued) APPLICABLE The LOP instrumentation is required for Engineered Safety Features SAFETY ANALYSES, to function in any accident with a loss of offsite power. The required LCO, and channels of LOP instrumentation ensure that the ECCS and other APPLICABILITY assumed systems powered from the DGs, provide plant protection in the event of any of the Reference 2, 3, and 4 analyzed accidents in which a loss of offsite power is assumed. The initiation of the DGs on loss of offsite power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Accident analyses credit the loading of the DG based on the concurrent loss of offsite power during a loss of coolant accident. The diesel starting and loading times have been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power. The LOP alarm instrumentation is required to initiate manual actions to restore the 4.16 kV emergency bus voltages or to initiate a plant shutdown. The required channels of LOP alarm instrumentation ensure the initiation of manual actions to protect the ECCS and other assumed systems from degraded voltage without initiating an unnecessary automatic disconnect from the preferred offsite power source. The occurrence of an undervoltage degraded voltage condition credits the manual actions to mitigate the condition and ensure plant safety is maintained. The LOP instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 5), except that credit is taken for manual actions. The OPERABILITY of the LOP instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.8.1-1. Each Function must have a required number of OPERABLE channels per 4.16 kV emergency bus, with their setpoints within the specified Allowable Values. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The setpoint is calibrated consistent with applicable procedures (nominal trip setpoint). The Allowable Values are specified for the 4.16 kV Emergency Bus Undervoltage Function. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected, based on engineering judgment, to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable. Trip setpoints are those predetermined values of output and time delay at which an action LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 2 B 3.3-187 REVISION 79 BASES APPLICABLE should take place. The setpoints are compared to the actual process SAFETY ANALYSES, parameter (e.g., degraded voltage), and when the measured output LCO, and value of the process parameter exceeds the setpoint and time delay, APPLICABILITY the associated device (e.g., trip relay) changes state. (continued) The 4.16 kV undervoltage degraded voltage trip setpoints were determined in accordance with the NRC staff positions contained in an NRC letter dated June 2, 1977, except that manual actions are credited for restoring bus voltages or initiating a plant shutdown in the range of 78.8 to 92% of 4.16 kV. The undervoltage degraded voltage setpoint represents a point on the inverse time characteristic curve for the relay. The anticipatory alarm setpoints are approximately midway between the calculated minimum expected voltage and the calculated minimum required voltage, based on maximum expected operating; i.e., non-LOCA, conditions. The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Loss of voltage on a 4.16 kV emergency bus indicates that offsite power may be completely lost to the respective emergency bus and is unable to supply sufficient power for proper operation of the applicable equipment. Therefore, the power supply to the bus is transferred from offsite power to DG power when the voltage on the bus drops below the Loss of Voltage Function Allowable Values (loss of voltage with a short time delay). This ensures that adequate power will be available to the required equipment. The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that power is available to the required equipment. Two channels of 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) Function per associated emergency bus are only required to be OPERABLE when the associated DG is required to be OPERABLE to ensure that no single instrument failure can preclude the DG function. (Two channels input to each of the three DGs.) Refer to LCO 3.8.1, "AC Sources - Operating," and 3.8.2, "AC Sources -

Shutdown," for Applicability Bases for the DGs. LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 2 B 3.3-188 REVISION 79 BASES APPLICABLE 2. 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) SAFETY ANALYSES, LCO, and A reduced voltage condition on a 4.16 kV emergency bus indicates APPLICABILITY that, while offsite power may not be completely lost to the respective (continued) emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function. Therefore, power supply to the bus is transferred from offsite power to onsite DG power when the voltage on the bus drops below the Degraded Voltage Function Allowable Values (degraded voltage with a time delay). This ensures that adequate power will be available to the required equipment. The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the large ECCS motors. The Time Delay Allowable Values are long enough for the offsite power supply to usually recover. This minimizes the potential that short duration disturbances will adversely impact the availability of the offsite power supply. Manual actions are credited in the range of 78.8 to 92% of 4.16 kV to restore bus voltages or to initiate a plant shutdown. The range specified for manual actions indicates that sufficient power is available to the large ECCS motors; however, sufficient voltage for equipment at lower voltages required for LOCA conditions may not be available. Two channels of 4.16 kV Emergency Bus Undervoltage (Degraded Voltage) Function per associated bus are only required to be OPERABLE when the associated DG is required to be OPERABLE to ensure that no single instrument failure can preclude the DG function. (Two channels input to each of the three emergency buses and DGs.) Refer to LCO 3.8.1 and LCO 3.8.2 for Applicability Bases for the DGs.

3. 4.16 kV Emergency Bus Undervoltage (Anticipatory Alarm) A reduced voltage condition on a 4.16 kV emergency bus indicates that, while offsite power is adequate for normal operating conditions, available power may be marginal for some equipment required for LOCA conditions. Therefore, the anticipatory alarms actuate when the 4.16 kV bus voltages approach the minimum required voltage for normal; i.e., non-LOCA conditions. This ensures that manual actions will be initiated to restore the bus voltages or to initiate a plant shutdown.

LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 2 B 3.3-189 REVISION 79 BASES APPLICABLE 3. 4.16 kV Emergency Bus Undervoltage (Anticipatory Alarm) SAFETY ANALYSES, (continued) LCO, and APPLICABILITY One channel of the 4.16 kV Emergency Bus Undervoltage (Anticipatory Alarm) Function per the associated bus is only required to be OPERABLE when the associated DG is required to be OPERABLE. (Two channels input to each of the three emergency buses.) ACTIONS A Note has been provided to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.

A.1 With one or more channels of Function 1 or 2 inoperable, the Function does not maintain initiation capability for the associated emergency bus. Therefore, only 1 hour is allowed to restore the inoperable channel to OPERABLE status. The Required Action does not allow placing a channel in trip since this action will result in a DG initiation. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

B.1 Each 4.16 kV bus has a dedicated annunciator fed by two relays and their associated time delays in a one-out-of-two logic configuration. Only one relay and its associated time delay is required to be OPERABLE. Therefore, the loss of the required relay or time delay renders Function 3 incapable of performing the intended function. LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 2 B 3.3-190 REVISION 79 BASES ACTIONS B.1 (continued) Since the intended function is to alert personnel to a lowering voltage condition and the voltage reading is available for each bus on the control room front panels, the Required Action is verification of the voltage to be above the annunciator setpoint (nominal) hourly.

C.1 If any Required Action and associated Completion Time are not met, the associated Function does not maintain initiation capability for the associated emergency bus. Therefore, the associated DG(s) is declared inoperable immediately. This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 and LCO 3.8.2, which provide appropriate actions for the inoperable DG(s). SURVEILLANCE As noted at the beginning of the SRs, the SRs for each LOP REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.8.1-1. The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the associated Function maintains initiation capability (for Functions 1 and 2) and annunciation capability (for Function 3). Functions 1 and 2 maintain initiation capability provided that, for 2 of the 3 emergency buses, the following can be initiated by the Function: DG start, disconnect from the offsite power source, DG output breaker closure, load shed, and activation of the ECCS pump power permissive. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

SR 3.3.8.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation or a failure of annunciation has not occurred. A CHANNEL CHECK is defined for Function 3 to be a comparison of the annunciator status to the bus voltage and an annunciator test confirming the annunciator is capable of lighting and sounding. A CHANNEL CHECK will detect gross channel failure or an annunciator failure; thus, it is key to verifying the instrumentation continues to LOP Instrumentation B 3.3.8.1 (continued) HATCH UNIT 2 B 3.3-191 REVISION 79 BASES ACTIONS SR 3.3.8.1.1 (continued) operate properly between each CHANNEL CALIBRATION. If a channel is outside the match criteria, it may be an indication that the instrument has drifted outside its limit. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with channels required by the LCO. SR 3.3.8.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.8.1.3 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. LOP Instrumentation B 3.3.8.1 HATCH UNIT 2 B 3.3-192 REVISION 79 BASES SURVEILLANCE SR 3.3.8.1.4 (continued) REQUIREMENTS The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 8.3.1.

2. FSAR, Section 5.2.

3. FSAR, Section 6.3. 4. FSAR, Chapter 15.

5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 2 B 3.3-193 REVISION 79 B 3.3 INSTRUMENTATION

B 3.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring

BASES BACKGROUND RPS Electric Power Monitoring System is provided to isolate the RPS bus from the motor generator (MG) set or an alternate power supply in the event of overvoltage, undervoltage, or underfrequency. This system protects the loads connected to the RPS bus against unacceptable voltage and frequency conditions (Ref. 1) and forms an important part of the primary success path of the essential safety circuits. Some of the essential equipment powered from the RPS buses includes the RPS logic, scram solenoids, and various valve isolation logic (e.g., residual heat removal shutdown cooling). RPS electric power monitoring assembly will detect any abnormal high or low voltage or low frequency condition in the outputs of the two MG sets or the alternate power supply and will de-energize its respective RPS bus, thereby causing all safety functions normally powered by this bus to de-energize. In the event of failure of an RPS Electric Power Monitoring System (e.g., both inseries electric power monitoring assemblies), the RPS loads may experience significant effects from the unregulated power supply. Deviation from the nominal conditions can potentially cause damage to the scram solenoids and other Class 1E devices. In the event of a low voltage condition for an extended period of time, the scram solenoids can chatter and potentially lose their pneumatic control capability, resulting in a loss of primary scram action. In the event of an overvoltage condition, the RPS logic relays and scram solenoids, as well as the main steam isolation valve (MSIV) solenoids, may experience a voltage higher than their design voltage. If the overvoltage condition persists for an extended time period, it may cause equipment degradation and the loss of plant safety function. Two redundant Class 1E circuit breakers are connected in series between each RPS bus and its MG set, and between each RPS bus and its alternate power supply. Each of these circuit breakers has an associated independent set of Class 1E overvoltage, undervoltage, and underfrequency sensing logic. Together, a circuit breaker and its sensing logic constitute an electric power monitoring assembly. If the output of the MG set or the alternate power supply exceeds predetermined limits of overvoltage, undervoltage, or underfrequency, RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 2 B 3.3-194 REVISION 79 BASES BACKGROUND a trip coil driven by this logic circuitry opens the circuit breaker, which (continued) removes the associated power supply from service. APPLICABLE The RPS electric power monitoring is necessary to meet the SAFETY ANALYSES assumptions of the safety analyses by ensuring that the equipment powered from the RPS buses can perform its intended function. RPS electric power monitoring provides protection to the RPS and other systems that receive power from the RPS buses, by acting to disconnect the RPS from the power supply under specified conditions that could damage the RPS bus powered equipment. RPS electric power monitoring satisfies Criterion 3 of the NRC Policy Statement (Ref. 3). LCO The OPERABILITY of each RPS electric power monitoring assembly is dependent on the OPERABILITY of the overvoltage, undervoltage, and underfrequency logic, as well as the OPERABILITY of the associated circuit breaker. Two electric power monitoring assemblies are required to be OPERABLE for each inservice power supply. This provides redundant protection against any abnormal voltage or frequency conditions to ensure that no single RPS electric power monitoring assembly failure can preclude the function of RPS bus powered components. Each inservice electric power monitoring assembly's trip logic setpoints are required to be within the specified Allowable Value. The setpoint is calibrated consistent with applicable procedures (nominal trip setpoint). Allowable Values are specified for each RPS electric power monitoring assembly trip logic (refer to SR 3.3.8.2.2). Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected, based on engineering judgment and operational experience, to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., overvoltage), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 2 B 3.3-195 REVISION 79 BASES LCO The Allowable Values for the instrument settings are based on the (continued) RPS continuously providing 57 Hz, 120 V +/- 10% (to all equipment), and 115 V +/- 10 V (to scram and MSIV solenoids). The most limiting voltage requirement and associated line losses determine the settings of the electric power monitoring instrument channels. The settings are calculated based on the loads on the buses and RPS MG set or alternate power supply being 120 VAC and 60 Hz. APPLICABILITY The operation of the RPS electric power monitoring assemblies is essential to disconnect the RPS bus powered components from the MG set or alternate power supply during abnormal voltage or frequency conditions. Since the degradation of a nonclass 1E source supplying power to the RPS bus can occur as a result of any random single failure, the OPERABILITY of the RPS electric power monitoring assemblies is required when the RPS bus powered components are required to be OPERABLE. This results in the RPS Electric Power Monitoring System OPERABILITY being required in MODES 1, 2, and 3; and in MODES 4 and 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies or with both residual heat removal (RHR) shutdown cooling isolation valves open. ACTIONS A.1 If one RPS electric power monitoring assembly for an inservice power supply (MG set or alternate) is inoperable, or one RPS electric power monitoring assembly on each inservice power supply is inoperable, the OPERABLE assembly will still provide protection to the RPS bus powered components under degraded voltage or frequency conditions. However, the reliability and redundancy of the RPS Electric Power Monitoring System is reduced, and only a limited time (72 hours) is allowed to restore the inoperable assembly to OPERABLE status. If the inoperable assembly cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service (Required Action A.1). This places the RPS bus in a safe condition. An alternate power supply with OPERABLE power monitoring assemblies may then be used to power the RPS bus. The 72 hour Completion Time takes into account the remaining OPERABLE electric power monitoring assembly and the low probability of an event requiring RPS electric power monitoring protection occurring during this period. It allows time for plant RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 2 B 3.3-196 REVISION 79 BASES ACTIONS A.1 (continued) operations personnel to take corrective actions or to place the plant in the required condition in an orderly manner and without challenging plant systems. Alternately, if it is not desired to remove the power supply from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken. B.1 If both power monitoring assemblies for an inservice power supply (MG set or alternate) are inoperable or both power monitoring assemblies in each inservice power supply are inoperable, the system protective function is lost. In this condition, 1 hour is allowed to restore one assembly to OPERABLE status for each inservice power supply. If one inoperable assembly for each inservice power supply cannot be restored to OPERABLE status, the associated power supply(s) must be removed from service within 1 hour (Required Action B.1). An alternate power supply with OPERABLE assemblies may then be used to power one RPS bus. The 1 hour Completion Time is sufficient for the plant operations personnel to take corrective actions and is acceptable because it minimizes risk while allowing time for restoration or removal from service of the electric power monitoring assemblies. Alternately, if it is not desired to remove the power supply(s) from service (e.g., as in the case where removing the power supply(s) from service would result in a scram or isolation), Condition C or D, as applicable, must be entered and its Required Actions taken.

C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 1, 2, or 3, a plant shutdown must be performed. This places the plant in a condition where minimal equipment, powered through the inoperable RPS electric power monitoring assembly(s), is required and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. The plant shutdown is accomplished by placing the plant in MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 2 B 3.3-197 REVISION 79 BASES ACTIONS C.1 and C.2 (continued) required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1, D.2.1, and D.2.2 If any Required Action and associated Completion Time of Condition A or B are not met in MODE 4 or 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies or with both RHR shutdown cooling valves open, the operator must immediately initiate action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Required Action D.1 results in the least reactive condition for the reactor core and ensures that the safety function of the RPS (e.g., scram of control rods) is not required. In addition, action must be immediately initiated to either restore one electric power monitoring assembly to OPERABLE status for the inservice power source supplying the required instrumentation powered from the RPS bus (Required Action D.2.1) or to isolate the RHR Shutdown Cooling System (Required Action D.2.2). Required Action D.2.1 is provided because the RHR Shutdown Cooling System may be needed to provide core cooling. All actions must continue until the applicable Required Actions are completed. SURVEILLANCE The Surveillances are modified by a Note to indicate that when an REQUIREMENTS RPS electric power monitoring assembly is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided the other RPS electric power monitoring assembly for the associated power supply maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the assembly must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. SR 3.3.8.2.1 A CHANNEL FUNCTIONAL TEST is performed on each overvoltage, undervoltage, and underfrequency channel to ensure that the entire channel will perform the intended function. Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. RPS Electric Power Monitoring B 3.3.8.2 (continued) HATCH UNIT 2 B 3.3-198 REVISION 79 BASES SURVEILLANCE SR 3.3.8.2.1 (continued) REQUIREMENTS As noted in the Surveillance, the CHANNEL FUNCTIONAL TEST is only required to be performed while the plant is in a condition in which the loss of the RPS bus will not jeopardize steady state power operation (the design of the system is such that the power source must be removed from service to conduct the Surveillance). The 24 hours is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance. The Note in the Surveillance is based on guidance provided in Generic Letter 91-09 (Ref. 2). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.8.2.2 CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations, consistent with the plant specific setpoint methodology. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.3.8.2.3 Performance of a system functional test demonstrates that, with a required system actuation (simulated or actual) signal, the logic of the system will automatically trip open the associated power monitoring assembly. Only one signal per power monitoring assembly is required to be tested. This Surveillance overlaps with the CHANNEL CALIBRATION to provide complete testing of the safety function. The system functional test of the Class 1E circuit breakers is included as part of this test to provide complete testing of the safety function. If the breakers are incapable of operating, the associated electric power monitoring assembly would be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RPS Electric Power Monitoring B 3.3.8.2 HATCH UNIT 2 B 3.3-199 REVISION 79 BASES (continued) REFERENCES 1. FSAR, Section 8.3.1.1.4.B.

2. NRC Generic Letter 91-09, "Modification of Surveillance Interval for the Electrical Protective Assemblies in Power Supplies for the Reactor Protection System." 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 2 B 3.4-1 REVISION 68 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.1 Recirculation Loops Operating BASES BACKGROUND The Reactor Coolant Recirculation System is designed to provide a forced coolant flow through the core to remove heat from the fuel. The forced coolant flow removes more heat from the fuel than would be possible with just natural circulation. The forced flow, therefore, allows operation at significantly higher power than would otherwise be possible. The recirculation system also controls reactivity over a wide span of reactor power by varying the recirculation flow rate to control the void content of the moderator. The Reactor Coolant Recirculation System consists of two recirculation pump loops external to the reactor vessel. These loops provide the piping path for the driving flow of water to the reactor vessel jet pumps. Each external loop contains one variable speed motor driven recirculation pump, an adjustable speed drive (ASD) to control pump speed and associated piping, jet pumps, valves, and instrumentation. The recirculation loops are part of the reactor coolant pressure boundary and are located inside the drywell structure. The jet pumps are reactor vessel internals. The recirculated coolant consists of saturated water from the steam separators and dryers that has been subcooled by incoming feedwater. This water passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow into an external manifold, from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the jet pumps. This flow enters the jet pump at suction inlets and is accelerated by the driving flow. The drive flow and suction flow are mixed in the jet pump throat section. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core. The subcooled water enters the bottom of the fuel channels and contacts the fuel cladding, where heat is transferred to the coolant. As it rises, the coolant begins to boil, creating steam voids within the fuel channel that continue until the coolant exits the core. Because of reduced moderation, the steam voiding introduces negative reactivity that must be compensated for to maintain or to increase reactor power. The recirculation flow control allows operators to increase recirculation flow and sweep some of the voids from the fuel channel, overcoming the negative reactivity void Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 2 B 3.4-2 REVISION 68 BASES BACKGROUND effect. Thus, the reason for having variable recirculation flow is to (continued) compensate for reactivity effects of boiling over a wide range of power generation (i.e., 55 to 100% of RTP) without having to move control rods and disturb desirable flux patterns. In addition, core flow as a function of core thermal power, is usually maintained such that core thermal-hydraulic oscillations do not occur. These oscillations can occur during two-loop operation, as well as single-loop and no-loop operation. Plant procedures include requirements of this LCO as well as other vendor and NRC recommended requirements and actions to minimize the potential of core thermal-hydraulic oscillations. Each recirculation loop is manually started from the control room. The ASD provides regulation of individual recirculation loop drive flows. The flow in each loop is manually controlled. APPLICABLE The operation of the Reactor Coolant Recirculation System is an SAFETY ANALYSES initial condition assumed in the design basis loss of coolant accident (LOCA) (Ref. 1). During a LOCA caused by a recirculation loop pipe break, the intact loop is assumed to provide coolant flow during the first few seconds of the accident. The initial core flow decrease is rapid because the recirculation pump in the broken loop ceases to pump reactor coolant to the vessel almost immediately. The pump in the intact loop coasts down relatively slowly. This pump coastdown governs the core flow response for the next several seconds until the jet pump suction is uncovered (Ref. 1). The analyses assume that both loops are operating at the same flow prior to the accident. However, the LOCA analysis was reviewed for the case with a flow mismatch between the two loops, with the pipe break assumed to be in the loop with the higher flow. While the flow coastdown and core response are potentially more severe in this assumed case (since the intact loop starts at a lower flow rate and the core response is the same as if both loops were operating at a lower flow rate), a small mismatch has been determined to be acceptable based on engineering judgment. The recirculation system is also assumed to have sufficient flow coastdown characteristics to maintain fuel thermal margins during abnormal operational occurrences (AOOs) (Ref. 2), which are analyzed in Chapter 15 of the FSAR. A plant specific LOCA analysis has been performed assuming only one operating recirculation loop. This analysis has demonstrated that, in the event of a LOCA caused by a pipe break in the operating recirculation loop, the Emergency Core Cooling System response will provide adequate core cooling, provided the LHGR and APLHGR requirements are modified accordingly (Refs. 1 and 3). Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 2 B 3.4-3 REVISION 43 BASES APPLICABLE The transient analyses of Chapter 15 of the FSAR have also been SAFETY ANALYSES performed for single recirculation loop operation (Ref. 3) and (continued) demonstrate sufficient flow coastdown characteristics to maintain fuel thermal margins during the abnormal operational transients analyzed provided the MCPR requirements are modified. During single recirculation loop operation, modification to the Reactor Protection System (RPS) average power range monitor (APRM) instrument setpoints is also required to account for the different relationships between recirculation drive flow and reactor core flow. The MCPR setpoints for single loop operation are specified in the COLR. The APRM Simulated Thermal Power - High setpoint is in LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation." Recirculation loops operating satisfies Criterion 2 of the NRC Policy Statement (Ref. 4). LCO Two recirculation loops are normally required to be in operation with their flows matched within the limits specified in SR 3.4.1.1 to ensure that during a LOCA caused by a break of the piping of one recirculation loop the assumptions of the LOCA analysis are satisfied. With only one recirculation loop in operation, modifications to the required APLHGR limits [(LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"], MCPR limits [LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"], LHGR limits [LCO 3.2.3, "LINEAR HEAT GENERATION RATE (LHGR)"], and APRM Simulated Thermal Power - High setpoint (LCO 3.3.1.1) must be applied to allow continued operation consistent with the assumptions of References 1 and 3. APPLICABILITY In MODES 1 and 2, requirements for operation of the Reactor Coolant Recirculation System are necessary since there is considerable energy in the reactor core and the limiting design basis transients and accidents are assumed to occur. In MODES 3, 4, and 5, the consequences of an accident are reduced and the coastdown characteristics of the recirculation loops are not important.

Recirculation Loops Operating B 3.4.1 (continued) HATCH UNIT 2 B 3.4-4 REVISION 43 BASES (continued) ACTIONS A.1 With the requirements of the LCO not met, the recirculation loops must be restored to operation with matched flows within 24 hours. A recirculation loop is considered not in operation when the pump in that loop is idle or when the mismatch between total jet pump flows of the two loops is greater than required limits. The loop with the lower flow must be considered not in operation. Should a LOCA or AOO occur with one recirculation loop not in operation, the core flow coastdown and resultant core response may not be bounded by the LOCA analyses or the AOO analyses. Therefore, only a limited time is allowed to restore the inoperable loop to operating status. Alternatively, if the single loop requirements of the LCO are applied to operating limits and RPS setpoints, operation with only one recirculation loop would satisfy the requirements of the LCO and the initial conditions of the accident or AOO sequence. The 24 hour Completion Time is based on the low probability of an accident or AOO occurring during this time period, on a reasonable time to complete the Required Action, and on frequent core monitoring by operators allowing abrupt changes in core flow conditions to be quickly detected. This Required Action does not require tripping the recirculation pump in the lowest flow loop when the mismatch between total jet pump flows of the two loops is greater than the required limits. However, in cases where large flow mismatches occur, low flow or reverse flow can occur in the low flow loop jet pumps, causing vibration of the jet pumps. If zero or reverse flow is detected, the condition should be alleviated by changing pump speeds to re-establish forward flow or by tripping the pump. B.1 With any Required Action and associated Completion Time of Condition A not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. In this condition, the recirculation loops are not required to be operating because of the reduced severity of Design Basis Accidents and minimal dependence on the recirculation loop coastdown characteristics. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. Recirculation Loops Operating B 3.4.1 HATCH UNIT 2 B 3.4-5 REVISION 79 BASES (continued) SURVEILLANCE SR 3.4.1.1 REQUIREMENTS This SR ensures the recirculation loops are within the allowable limits for mismatch. At low core flow (i.e., < 70% of rated core flow), the MCPR requirements provide larger margins to the fuel cladding integrity Safety Limit such that the potential adverse effect of early boiling transition during a LOCA is reduced. A larger flow mismatch can therefore be allowed when core flow is < 70% of rated core flow. The recirculation loop jet pump flow, as used in this Surveillance, is the summation of the flows from all of the jet pumps associated with a single recirculation loop. The mismatch is measured in terms of percent of rated core flow. If the flow mismatch exceeds the specified limits, the loop with the lower flow is considered not in operation. The SR is not required when both loops are not in operation since the mismatch limits are meaningless during single loop or natural circulation operation. The Surveillance must be performed within 24 hours after both loops are in operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.1.2 (Not used.) REFERENCES 1. NEDC-32720P, "E. I. Hatch Nuclear Plant Units 1 and 2 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," March 1997. 2. FSAR, Section 5.5.1.4. 3. NEDO-24205, "E. I. Hatch Nuclear Plant Units 1 and 2 Single-Loop Operation," August 1979. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. Jet Pumps B 3.4.2 (continued) HATCH UNIT 2 B 3.4-6 REVISION 0 B 3.4 REACTOR COOLANT SYSTEM (RCS) B 3.4.2 Jet Pumps

BASES BACKGROUND The Reactor Coolant Recirculation System is described in the Background section of the Bases for LCO 3.4.1, "Recirculation Loops Operating," which discusses the operating characteristics of the system and how these characteristics affect the Design Basis Accident (DBA) analyses. The jet pumps are part of the Reactor Coolant Recirculation System and are designed to provide forced circulation through the core to remove heat from the fuel. The jet pumps are located in the annular region between the core shroud and the vessel inner wall. Because the jet pump suction elevation is at two-thirds core height, the vessel can be reflooded and coolant level maintained at two-thirds core height even with the complete break of the recirculation loop pipe that is located below the jet pump suction elevation. Each reactor coolant recirculation loop contains 10 jet pumps. Recirculated coolant passes down the annulus between the reactor vessel wall and the core shroud. A portion of the coolant flows from the vessel, through the two external recirculation loops, and becomes the driving flow for the jet pumps. Each of the two external recirculation loops discharges high pressure flow into an external manifold from which individual recirculation inlet lines are routed to the jet pump risers within the reactor vessel. The remaining portion of the coolant mixture in the annulus becomes the suction flow for the jet pumps. This flow enters the jet pump at suction inlets and is accelerated by the drive flow. The drive flow and suction flow are mixed in the jet pump throat section. The total flow then passes through the jet pump diffuser section into the area below the core (lower plenum), gaining sufficient head in the process to drive the required flow upward through the core.

APPLICABLE Jet pump OPERABILITY is an explicit assumption in the design SAFETY ANALYSES basis loss of coolant accident (LOCA) analysis evaluated in Reference 1. The capability of reflooding the core to two-thirds core height is dependent upon the structural integrity of the jet pumps. If the structural system, including the beam holding a jet pump inlet mixer in Jet Pumps B 3.4.2 (continued) HATCH UNIT 2 B 3.4-7 REVISION 0 BASES APPLICABLE place, fails, jet pump displacement and performance degradation SAFETY ANALYSES could occur, resulting in an increased flow area through the jet pump (continued) and a lower core flooding elevation. This could adversely affect the water level in the core during the reflood phase of a LOCA as well as the assumed blowdown flow during a LOCA. Jet pumps satisfy Criterion 2 of the NRC Policy Statement (Ref. 4). LCO The structural failure of any of the jet pumps could cause significant degradation in the ability of the jet pumps to allow reflooding to two-thirds core height during a LOCA. OPERABILITY of all jet pumps is required to ensure that operation of the Reactor Coolant Recirculation System will be consistent with the assumptions used in the licensing basis analysis (Ref. 1). APPLICABILITY In MODES 1 and 2, the jet pumps are required to be OPERABLE since there is a large amount of energy in the reactor core and since the limiting DBAs are assumed to occur in these MODES. This is consistent with the requirements for operation of the Reactor Coolant Recirculation System (LCO 3.4.1). In MODES 3, 4, and 5, the Reactor Coolant Recirculation System is not required to be in operation, and when not in operation, sufficient flow is not available to evaluate jet pump OPERABILITY. ACTIONS A.1 An inoperable jet pump can increase the blowdown area and reduce the capability of reflooding during a design basis LOCA. If one or more of the jet pumps are inoperable, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours. The Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems.

Jet Pumps B 3.4.2 (continued) HATCH UNIT 2 B 3.4-8 REVISION 0 BASES (continued) SURVEILLANCE SR 3.4.2.1 REQUIREMENTS This SR is designed to detect significant degradation in jet pump performance that precedes jet pump failure (Ref. 2). This SR is required to be performed only when the loop has forced recirculation flow since surveillance checks and measurements can only be performed during jet pump operation. The jet pump failure of concern is a complete mixer displacement due to jet pump beam failure. Jet pump plugging is also of concern since it adds flow resistance to the recirculation loop. Significant degradation is indicated if the specified criteria confirm unacceptable deviations from established patterns or relationships. The allowable deviations from the established patterns have been developed based on the variations experienced at plants during normal operation and with jet pump assembly failures (Refs. 2 and 3). Each recirculation loop must satisfy one of the performance criteria provided. Since refueling activities (fuel assembly replacement or shuffle, as well as any modifications to fuel support orifice size or core plate bypass flow) can affect the relationship between core flow, jet pump flow, and recirculation loop flow, these relationships may need to be re-established each cycle. Similarly, initial entry into extended single loop operation may also require establishment of these relationships. During the initial weeks of operation under such conditions, while base-lining new "established patterns", engineering judgement of the daily surveillance results is used to detect significant abnormalities which could indicate a jet pump failure. The recirculation pump speed operating characteristics (pump flow and loop flow versus pump speed) are determined by the flow resistance from the loop suction through the jet pump nozzles. A change in the relationship indicates a plug, flow restriction, loss in pump hydraulic performance, leakage, or new flow path between the recirculation pump discharge and jet pump nozzle. For this criterion, the pump flow and loop flow versus pump speed relationship must be verified. Individual jet pumps in a recirculation loop normally do not have the same flow. The unequal flow is due to the drive flow manifold, which does not distribute flow equally to all risers. The flow (or jet pump diffuser to lower plenum differential pressure) pattern or relationship of one jet pump to the loop average is repeatable. An appreciable change in this relationship is an indication that increased (or reduced) resistance has occurred in one of the jet pumps.

Jet Pumps B 3.4.2 HATCH UNIT 2 B 3.4-9 REVISION 79 BASES SURVEILLANCE SR 3.4.2.1 (continued) REQUIREMENTS The deviations from normal are considered indicative of a potential problem in the recirculation drive flow or jet pump system (Ref. 2). Normal flow ranges and established jet pump flow and differential pressure patterns are established by plotting historical data as discussed in Reference 2. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. Note 1 allows this Surveillance not to be performed until 4 hours after the associated recirculation loop is in operation, since these checks can only be performed during jet pump operation. The 4 hours is an acceptable time to establish conditions appropriate for data collection and evaluation. Note 2 allows this SR not to be performed when THERMAL POWER is 25% of RTP and not until 24 hours after exceeding 25% RTP. During low flow conditions, jet pump noise approaches the threshold response of the associated flow instrumentation and precludes the collection of repeatable and meaningful data. The 24 hours is an acceptable time to establish conditions appropriate to perform this SR. REFERENCES 1. NEDC-31376P, "E.I. Hatch Nuclear Plant Units 1 and 2 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," December 1986.

2. GE Service Information Letter No. 330, "Jet Pump Beam Cracks," June 9, 1990.

3. NUREG/CR-3052, "Closeout of IE Bulletin 80-07: BWR Jet Pump Assembly Failure," November 1984.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

S/RVs B 3.4.3 (continued) HATCH UNIT 2 B 3.4-11 REVISION 77 BASES APPLICABLE flux (i.e., failure of the direct scram associated with MSIV position) SAFETY ANALYSES (Ref. 1). For the purpose of the analyses, 10 of 11 S/RVs are (continued) assumed to operate in the safety mode. The analysis results demonstrate that the design S/RV capacity is capable of maintaining reactor pressure below the ASME Code limit of 110% of vessel design pressure (110% x 1250 psig = 1375 psig). This LCO helps to ensure that the acceptance limit of 1375 psig is met during the Design Basis Event. From an overpressure standpoint, the design basis events are bounded by the MSIV closure with flux scram event described above. Reference 2 discusses additional events that are expected to actuate the S/RVs. S/RVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 3). LCO The S/RV safety function requires 10 of 11 S/RVs to be OPERABLE to satisfy the assumptions of the safety analysis (Refs. 1, 2, and 4), although margins to the ASME Vessel Overpressure Limit are substantial. The requirements of this LCO are applicable only to the capability of the S/RVs to mechanically open to relieve excess pressure when the lift setpoint is exceeded (safety function). The S/RV setpoints are established to ensure that the ASME Code limit on peak reactor pressure is satisfied. The ASME Code specifications require the lowest safety valve setpoint to be at or below vessel design pressure (1250 psig) and the highest safety valve to be set so that the total accumulated pressure does not exceed 110% of the design pressure for overpressurization conditions. The transient evaluations in the FSAR are based on these setpoints, but also include the additional uncertainties of +/- 3% of the nominal setpoint drift to provide an added degree of conservatism. Operation with fewer valves OPERABLE than specified, or with setpoints outside the ASME limits, could result in a more severe reactor response to a transient than predicted, possibly resulting in the ASME Code limit on reactor pressure being exceeded. APPLICABILITY In MODES 1, 2, and 3, 10 of 11 S/RVs must be OPERABLE, since considerable energy may be in the reactor core and the limiting design basis transients are assumed to occur in these MODES. The S/RVs may be required to provide pressure relief to discharge energy S/RVs B 3.4.3 (continued) HATCH UNIT 2 B 3.4-12 REVISION 77 BASES APPLICABILITY from the core until such time that the Residual Heat Removal (RHR)

(continued) System is capable of dissipating the core heat. 

In MODE 4, decay heat is low enough for the RHR System to provide adequate cooling, and reactor pressure is low enough that the overpressure limit is unlikely to be approached by assumed operational transients or accidents. In MODE 5, the reactor vessel head is unbolted or removed and the reactor is at atmospheric pressure. The S/RV function is not needed during these conditions. ACTIONS A.1 and A.2 With 1 S/RV inoperable, no action is required, because an analysis demonstrated that the remaining 10 SR/Vs are capable of providing the necessary overpressure protection. (See Reference 4.) With two or more S/RVs inoperable, a transient may result in the violation of the ASME Code limit on reactor pressure. The plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.4.3.1 REQUIREMENTS This Surveillance requires that the S/RVs will open at the pressures assumed in the safety analysis of Reference 1. The demonstration of the S/RV safety lift settings must be performed during shutdown, since this is a bench test, to be done in accordance with the Inservice Testing Program. The lift setting pressure shall correspond to ambient conditions of the valves at nominal operating temperatures and pressures. The S/RV setpoint is +/- 3% for OPERABILITY; however, the valves are reset to +/- 1% during the Surveillance to allow for drift. The Frequency of this SR is in accordance with the Inservice Testing Program.

S/RVs B 3.4.3 HATCH UNIT 2 B 3.4-13 REVISION 77 BASES (continued) REFERENCES 1. FSAR, Supplement 5A.

2. FSAR, Section 15.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

4. NEDC-32041P, "Safety Review for Edwin I. Hatch Nuclear Power Plant Units 1 and 2 Updated Safety/Relief Valve Performance Requirements," April 1996.

RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 2 B 3.4-14 REVISION 77 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.4 RCS Operational LEAKAGE

BASES BACKGROUND The RCS includes systems and components that contain or transport the coolant to or from the reactor core. The pressure containing components of the RCS and the portions of connecting systems out to and including the isolation valves define the reactor coolant pressure boundary (RCPB). The joints of the RCPB components are welded or bolted. During plant life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. Limits on RCS operational LEAKAGE are required to ensure appropriate action is taken before the integrity of the RCPB is impaired. This LCO specifies the types and limits of LEAKAGE. This protects the RCS pressure boundary described in 10 CFR 50.2, 10 CFR 50.55a(c), and GDC 55 of 10 CFR 50, Appendix A (References 1, 2, and 3). The safety significance of RCS LEAKAGE from the RCPB varies widely depending on the source, rate, and duration. Therefore, detection of LEAKAGE in the primary containment is necessary. Methods for quickly separating the identified LEAKAGE from the unidentified LEAKAGE are necessary to provide the operators quantitative information to permit them to take corrective action should a leak occur that is detrimental to the safety of the facility or the public. A limited amount of leakage inside primary containment is expected from auxiliary systems that cannot be made 100% leaktight. Leakage from these systems should be detected and isolated from the primary containment atmosphere, if possible, so as not to mask RCS operational LEAKAGE detection. This LCO deals with protection of the RCPB from degradation and the core from inadequate cooling, in addition to preventing the accident analyses radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident.

APPLICABLE The allowable RCS operational LEAKAGE limits are based on the SAFETY ANALYSES predicted and experimentally observed behavior of pipe cracks. The normally expected background LEAKAGE due to equipment design RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 2 B 3.4-15 REVISION 77 BASES APPLICABLE and the detection capability of the instrumentation for determining SAFETY ANALYSES system LEAKAGE were also considered. The evidence from (continued) experiments suggests that, for LEAKAGE even greater than the specified unidentified LEAKAGE limits, the probability is small that the imperfection or crack associated with such LEAKAGE would grow rapidly. The unidentified LEAKAGE flow limit allows time for corrective action before the RCPB could be significantly compromised. The 5 gpm limit is a small fraction of the calculated flow from a critical crack in the primary system piping. Crack behavior from experimental programs (Refs. 4 and 5) shows that leakage rates of hundreds of gallons per minute will precede crack instability (Ref. 6). The low limit on increase in unidentified LEAKAGE assumes a failure mechanism of intergranular stress corrosion cracking (IGSCC) that produces tight cracks. This flow increase limit is capable of providing an early warning of such deterioration. No applicable safety analysis assumes the total LEAKAGE limit. The total LEAKAGE limit considers RCS inventory makeup capability and drywell floor sump capacity. RCS operational LEAKAGE satisfies Criterion 2 of the NRC Policy Statement (Ref. 9). LCO RCS operational LEAKAGE shall be limited to:

a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material degradation. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals and gaskets is not pressure boundary LEAKAGE.

b. Unidentified LEAKAGE The 5 gpm of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and drywell sump level monitoring equipment can RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 2 B 3.4-16 REVISION 77 BASES LCO b. Unidentified LEAKAGE (continued) detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB.

c. Total LEAKAGE The total LEAKAGE limit is based on a reasonable minimum detectable amount. The limit also accounts for LEAKAGE from known sources (identified LEAKAGE). Violation of this LCO indicates an unexpected amount of LEAKAGE and, therefore, could indicate new or additional degradation in an RCPB component or system. d. Unidentified LEAKAGE Increase An unidentified LEAKAGE increase of > 2 gpm within the previous 24 hour period indicates a potential flaw in the RCPB and must be quickly evaluated to determine the source and extent of the LEAKAGE. The increase is measured relative to the steady state value; temporary changes in LEAKAGE rate as a result of transient conditions (e.g., startup) are not considered. As such, the 2 gpm increase limit is only applicable in MODE 1 when operating pressures and temperatures are established. Violation of this LCO could result in continued degradation of the RCPB. APPLICABILITY In MODES 1, 2, and 3, the RCS operational LEAKAGE LCO applies, because the potential for RCPB LEAKAGE is greatest when the reactor is pressurized.

In MODES 4 and 5, RCS operational LEAKAGE limits are not required since the reactor is not pressurized and stresses in the RCPB materials and potential for LEAKAGE are reduced.

ACTIONS A.1 With RCS unidentified or total LEAKAGE greater than the limits, actions must be taken to reduce the leak. Because the LEAKAGE limits are conservatively below the LEAKAGE that would constitute a critical crack size, 4 hours is allowed to reduce the LEAKAGE rates before the reactor must be shut down. If an unidentified LEAKAGE RCS Operational LEAKAGE B 3.4.4 (continued) HATCH UNIT 2 B 3.4-17 REVISION 79 BASES ACTIONS A.1 (continued) has been identified and quantified, it may be reclassified and considered as identified LEAKAGE; however, the total LEAKAGE would remain unchanged. The total LEAKAGE must be averaged over the previous 24 hours for comparison to the limit.

B.1 An unidentified LEAKAGE increase of > 2 gpm within a 24 hour period is an indication of a potential flaw in the RCPB and must be quickly evaluated. Although the increase does not necessarily violate the absolute unidentified LEAKAGE limit, certain susceptible components must be determined not to be the source of the LEAKAGE increase within the required Completion Time. The 4 hour Completion Time is reasonable to properly reduce the LEAKAGE increase before the reactor must be shut down without unduly jeopardizing plant safety.

C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B is not met or if pressure boundary LEAKAGE exists, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant safety systems. SURVEILLANCE SR 3.4.4.1 REQUIREMENTS The RCS LEAKAGE is monitored by a variety of instruments designed to provide alarms when LEAKAGE is indicated and to quantify the various types of LEAKAGE. Leakage detection instrumentation is discussed in more detail in the Bases for LCO 3.4.5, "RCS Leakage Detection Instrumentation." Sump level and flow rate are typically monitored to determine actual LEAKAGE rates; however, any method may be used to quantify LEAKAGE within the guidelines of Reference 7. The Surveillance Frequency is controlled under the RCS Operational LEAKAGE B 3.4.4 HATCH UNIT 2 B 3.4-18 REVISION 79 BASES SURVEILLANCE SR 3.4.4.1 (continued) REQUIREMENTS Surveillance Frequency Control Program. The identified portion of the total LEAKAGE is usually determined by the drywell equipment drain sump monitoring system which collects expected leakage, not indicative of a degraded RCS boundary. The system equipment and operation is identical to that of the drywell floor drain monitoring system described in the Bases for LCO 3.4.5, "RCS Leakage Detection Instrumentation." If a contributor to the unidentified LEAKAGE has been identified and quantified, it may be reclassified and considered as identified LEAKAGE. REFERENCES 1. 10 CFR 50.2.

2. 10 CFR 50.55a(c).

3. 10 CFR 50, Appendix A, GDC 55. 4. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968. 5. NUREG-75/067, "Investigation and Evaluation of Cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors," October 1975. 6. FSAR, Section 5.2.7.5.2.

7. Regulatory Guide 1.45, May 1973. 8. Not used 9. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 2 B 3.4-19 REVISION 77 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.5 RCS Leakage Detection Instrumentation

BASES BACKGROUND GDC 30 of 10 CFR 50, Appendix A (Ref. 1), requires means for detecting and, to the extent practical, identifying the location of the source of RCS LEAKAGE. Limits on LEAKAGE from the reactor coolant pressure boundary (RCPB) are required so that appropriate action can be taken before the integrity of the RCPB is impaired. Leakage detection systems for the RCS are provided to alert the operators when leakage rates above normal background levels are detected and also to supply quantitative measurement of leakage rates. The Bases for LCO 3.4.4, "RCS Operational LEAKAGE," discuss the limits on RCS LEAKAGE rates. Systems for separating the LEAKAGE of an identified source from an unidentified source are necessary to provide prompt and quantitative information to the operators to permit them to take immediate corrective action. LEAKAGE from the RCPB inside the drywell is detected by at least one of two or three independently monitored variables, such as sump level changes and drywell gaseous and particulate radioactivity levels. The primary means of quantifying LEAKAGE in the drywell is the drywell floor drain sump monitoring system. The drywell floor drain sump monitoring system monitors the LEAKAGE collected in the floor drain sump. This unidentified LEAKAGE consists of LEAKAGE from control rod drives, valve flanges or packings, floor drains, closed cooling water, and drywell air cooling unit condensate drains, and any LEAKAGE not collected in the drywell equipment drain sump. The floor drain sump level indicators have switches that start and stop the sump pumps when required. (The level indicators also provide a floor drain sump high level alarm in the control room.) One timer starts when a sump pump starts on high level, and another timer starts each time the sump is pumped down to the low level setpoint. If the pump does not stop on low level before the first timer ends or the sump fills to the high level setpoint before the second timer ends, an alarm sounds in the control room, indicating a LEAKAGE rate into the sump in excess of a preset limit.

RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 2 B 3.4-20 REVISION 77 BASES BACKGROUND A flow indicator in the discharge line of the drywell floor drain sump (continued) pumps provides flow indication in the control room, thereby allowing the LEAKAGE rate to be quantified. Alternate means for quantifying the LEAKAGE rate may be used. The pumps can also be started from the control room. The primary containment air monitoring systems (particulate, noble gas, and iodine) continuously monitor the primary containment atmosphere for airborne particulate and gaseous radioactivity. A sudden increase of radioactivity, which may be attributed to RCPB steam or reactor water LEAKAGE, is annunciated in the control room. The primary containment atmosphere particulate and gaseous radioactivity monitoring systems are not capable of quantifying LEAKAGE rates, but are sensitive enough to indicate increased LEAKAGE rates. Larger changes in LEAKAGE rates are detected in shorter times (Ref. 2). APPLICABLE A threat of significant compromise to the RCPB exists if the barrier SAFETY ANALYSES contains a crack that is large enough to propagate rapidly. LEAKAGE rate limits are set low enough to detect the LEAKAGE emitted from a single crack in the RCPB (Refs. 3 and 4). Each of the leakage detection systems inside the drywell is designed with the capability of detecting LEAKAGE less than the established LEAKAGE rate limits and providing appropriate alarm of excess LEAKAGE in the control room. A control room alarm allows the operators to evaluate the significance of the indicated LEAKAGE and, if necessary, shut down the reactor for further investigation and corrective action. The allowed LEAKAGE rates are well below the rates predicted for critical crack sizes (Ref. 5). Therefore, these actions provide adequate response before a significant break in the RCPB can occur. RCS leakage detection instrumentation satisfies Criterion 1 of the NRC Policy Statement (Ref. 7). LCO The drywell floor drain sump monitoring system is required to alarm in the control room, as well as quantify the unidentified LEAKAGE from the RCS. For the system to be considered OPERABLE, one of the two sump level monitoring portions of the system must be OPERABLE. Upon receipt of an alarm from the sump level monitoring instrumentation, the unidentified LEAKAGE rate can be RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 2 B 3.4-21 REVISION 77 BASES LCO quantified by either the normal flow monitoring instrumentation or (continued) alternate means. Therefore, the normal flow monitoring portion of the system need not be OPERABLE for the drywell floor drain sump monitoring system to be considered OPERABLE. The other monitoring systems (particulate, noble gas, or iodine air monitoring systems) provide early alarms to the operators so closer examination of other detection systems will be made to determine the extent of any corrective action that may be required. With the leakage detection systems inoperable, monitoring for LEAKAGE in the RCPB is degraded. APPLICABILITY In MODES 1, 2, and 3, leakage detection systems are required to be OPERABLE to support LCO 3.4.4. This Applicability is consistent with that for LCO 3.4.4. ACTIONS A.1 With the drywell floor drain sump monitoring system inoperable, no other form of sampling can provide the equivalent information to quantify leakage. However, the primary containment atmospheric activity monitor will provide indication of changes in leakage. With the drywell floor drain sump monitoring system inoperable, but with RCS unidentified and total LEAKAGE being determined every 12 hours (SR 3.4.4.1), operation may continue for 30 days. The 30 day Completion Time of Required Action A.1 is acceptable, based on operating experience, considering the multiple forms of leakage detection that are still available.

Acceptable methods for quantifying both identified and unidentified LEAKAGE include but are not limited to the following: 1) With a drifting sump monitoring system integrator, the sump can be manually pumped down with integrator readings taken before and after pumpdown. The difference in readings determines total gallons pumped. Using time elapsed since last pumpdown, sump inleakage rate can be calculated; and RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 2 B 3.4-22 REVISION 77 BASES ACTIONS A.1 (continued)

2) With an inoperable sump monitoring system integrator, the sump can be manually pumped down and the time for pumpdown recorded. Utilizing pump flow rate, total gallons pumped is determined. Using time elapsed since last pumpdown, sump inleakage rate can be calculated.

B.1 and B.2 With both gaseous and particulate primary containment atmospheric monitoring channels inoperable (i.e., the required containment atmospheric monitoring system), grab samples of the primary containment atmosphere must be taken and an isotopic analysis performed to provide periodic leakage information. Provided a sample is obtained and analyzed once every 12 hours, the plant may be operated for up to 30 days to allow restoration of at least one of the required monitors. The 12 hour interval provides periodic information that is adequate to detect LEAKAGE. The 30 day Completion Time for restoration recognizes that at least one other form of leakage detection is available. C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to perform the actions in an orderly manner and without challenging plant systems. RCS Leakage Detection Instrumentation B 3.4.5 (continued) HATCH UNIT 2 B 3.4-23 REVISION 79 BASES ACTIONS D.1 (continued) With all required monitors inoperable, no required automatic means of monitoring LEAKAGE are available, and immediate plant shutdown in accordance with LCO 3.0.3 is required. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours, provided the other required instrumentation (either the drywell floor drain sump monitoring system or the primary containment atmospheric monitoring channel, as applicable) is OPERABLE. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. The Note is based upon a NRC Safety Evaluation Report (Ref. 6) which concluded that the 6 hour testing allowance does not significantly reduce the probability of detecting an unidentified LEAKAGE when necessary.

SR 3.4.5.1 This SR is for the performance of a CHANNEL CHECK of the required primary containment atmospheric monitoring system. The check gives reasonable confidence that the channel is operating properly. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.4.5.2 This SR is for the performance of a CHANNEL FUNCTIONAL TEST of the required RCS leakage detection instrumentation. The test ensures that the monitors can perform their function in the desired manner. The test also verifies the alarm setpoint and relative accuracy of the instrument string. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

RCS Leakage Detection Instrumentation B 3.4.5 HATCH UNIT 2 B 3.4-24 REVISION 79 BASES SURVEILLANCE SR 3.4.5.3 REQUIREMENTS (continued) This SR is for the performance of a CHANNEL CALIBRATION of required leakage detection instrumentation channels. The calibration verifies the accuracy of the instrument string, including the instruments located inside containment. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 30.

2. FSAR, Section 5.2.7.2.1.

3. GEAP-5620, "Failure Behavior in ASTM A106B Pipes Containing Axial Through-Wall Flaws," April 1968. 4. NUREG-75/067, "Investigation and Evaluation of cracking in Austenitic Stainless Steel Piping of Boiling Water Reactors,"

October 1975.

5. FSAR, Section 5.2.7.5.2.

6. NRC Safety Evaluation Report for Amendment 125, April 30, 1993.

7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RCS Specific Activity B 3.4.6 (continued) HATCH UNIT 2 B 3.4-25 REVISION 77 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.6 RCS Specific Activity

BASES BACKGROUND During circulation, the reactor coolant acquires radioactive materials due to release of fission products from fuel leaks into the reactor coolant and activation of corrosion products in the reactor coolant. These radioactive materials in the reactor coolant can plate out in the RCS, and, at times, an accumulation will break away to spike the normal level of radioactivity. The release of coolant during a Design Basis Accident (DBA) could send radioactive materials into the environment. Limits on the maximum allowable level of radioactivity in the reactor coolant are established to ensure that in the event of a release of any radioactive material to the environment during a DBA, radiation doses are maintained within the limits of 10 CFR 50.67 (Ref. 1). This LCO contains the iodine specific activity limit. The iodine isotopic activities per gram of reactor coolant are expressed in terms of a DOSE EQUIVALENT I-131. The allowable level is intended to limit offsite doses to a small fraction of the 10 CFR 50.67 limits. APPLICABLE Analytical methods and assumptions involving radioactive material in SAFETY ANALYSES the primary coolant are presented in References 2 and 3. The specific activity in the reactor coolant (the source term) is an initial condition for evaluation of the consequences of an accident due to a main steam line break (MSLB) outside containment. No fuel damage is postulated in the MSLB accident, and the release of radioactive material to the environment is assumed to end when the main steam isolation valves (MSIVs) close completely. This MSLB release forms the basis for determining offsite doses (Refs. 2 and 3). The limits on the specific activity of the primary coolant ensure that offsite doses, resulting from an MSLB outside containment during steady state operation, will be a small fraction of the dose guidelines of 10 CFR 50.67. The limits on specific activity are values from a parametric evaluation of typical site locations. These limits are conservative because the evaluation considered more restrictive parameters than for a specific RCS Specific Activity B 3.4.6 (continued) HATCH UNIT 2 B 3.4-26 REVISION 77 BASES APPLICABLE site, such as the location of the site boundary and the meteorological SAFETY ANALYSES conditions of the site.

(continued)

RCS specific activity satisfies Criterion 2 of the NRC Policy Statement (Ref. 4). LCO The specific iodine activity is limited to 0.2 µCi/gm DOSE EQUIVALENT I-131. This limit ensures the source term assumed in the safety analysis for the MSLB is not exceeded, so any release of radioactivity to the environment during an MSLB is a small fraction of the 10 CFR 50.67 limits.

APPLICABILITY In MODE 1, and MODES 2 and 3 with any main steam line not isolated, limits on the primary coolant radioactivity are applicable since there is an escape path for release of radioactive material from the primary coolant to the environment in the event of an MSLB outside of primary containment. In MODES 2 and 3 with the main steam lines isolated, such limits do not apply since an escape path does not exist. In MODES 4 and 5, no limits are required since the reactor is not pressurized and the potential for leakage is reduced. ACTIONS A.1 and A.2 When the reactor coolant specific activity exceeds the LCO DOSE EQUIVALENT I-131 limit, but is 2.0 µCi/gm, samples must be analyzed for DOSE EQUIVALENT I-131 at least once every 4 hours. In addition, the specific activity must be restored to the LCO limit within 48 hours. The Completion Time of once every 4 hours is based on the time needed to take and analyze a sample. The 48 hour Completion Time to restore the activity level provides a reasonable time for temporary coolant activity increases (iodine spikes or crud bursts) to be cleaned up with the normal processing systems. A Note permits the use of the provisions of LCO 3.0.4.c. This allowance permits entry into the applicable MODES(S) while relying on the ACTIONS. This allowance is acceptable due to the significant conservatism incorporated into the specific activity limit, the low RCS Specific Activity B 3.4.6 (continued) HATCH UNIT 2 B 3.4-27 REVISION 79 BASES ACTIONS A.1 and A.2 (continued) probability of an event which is limiting due to exceeding this limit, and the ability to restore transient specific activity excursions while the plant remains at, or proceeds to power operation. B.1, B.2.1, B.2.2.1, and B.2.2.2 If the DOSE EQUIVALENT I-131 cannot be restored to 0.2 µCi/gm within 48 hours, or if at any time it is > 2.0 µCi/gm, it must be determined at least once every 4 hours and all the main steam lines must be isolated within 12 hours. Isolating the main steam lines precludes the possibility of releasing radioactive material to the environment in an amount that is more than a small fraction of the requirements of 10 CFR 50.67 during a postulated MSLB accident. Alternatively, the plant can be placed in MODE 3 within 12 hours and in MODE 4 within 36 hours. This option is provided for those instances when isolation of main steam lines is not desired (e.g., due to the decay heat loads). In MODE 4, the requirements of the LCO are no longer applicable. The Completion Time of once every 4 hours is the time needed to take and analyze a sample. The 12 hour Completion Time is reasonable, based on operating experience, to isolate the main steam lines in an orderly manner and without challenging plant systems. Also, the allowed Completion Times for Required Actions B.2.2.1 and B.2.2.2 for placing the unit in MODES 3 and 4 are reasonable, based on operating experience, to achieve the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.4.6.1 REQUIREMENTS This Surveillance is performed to ensure iodine remains within limit during normal operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that requires this Surveillance to be performed only in MODE 1 because the level of fission products generated in other MODES is much less.

RCS Specific Activity B 3.4.6 HATCH UNIT 2 B 3.4-28 REVISION 77 BASES (continued) REFERENCES 1. 10 CFR 50.67.

2. FSAR, Section 15.1.40.

3. NEDE-24011-P-A-9-US, "GE Standard Application for Reactor Fuel," Supplement for United States, September 1988. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 2 B 3.4-29 REVISION 77 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.7 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown

BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to reduce the temperature of the reactor coolant to 212°F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Hot Shutdown condition. The two redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System (LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System"). APPLICABLE Decay heat removal by operation of the RHR System in the shutdown SAFETY ANALYSES cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement (Ref. 1). LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump and the associated heat exchanger, piping and valves which can provide the capability to reduce and maintain the reactor coolant temperature to < 212°F. Additionally, it should be noted that the Residual Heat Removal Service Water (RHRSW) System is a support system for the RHR shutdown cooling function. Two OPERABLE RHRSW system pumps are required per heat exchanger to transfer the heat necessary to reduce and maintain reactor coolant temperature to < 212°F. Calculations performed at extended power uprate conditions show that reactor coolant temperature can be RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 2 B 3.4-30 REVISION 77 BASES LCO decreased to < 212°F within the time limit specified in Regulatory (continued) Guide 1.139, "Guidance for Residual Heat Removal," assuming two RHRSW System pumps are in operation. OPERABILITY requirements for the RHRSW System in Mode 3 are addressed by LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System." The two required RHR shutdown cooling subsystems have a common suction source and are allowed to have a common heat exchanger and common discharge piping. Since the piping and heat exchangers are passive components that are assumed not to fail, they are allowed to be common to both required subsystems. Thus, to meet the LCO, both RHR pumps in one loop or one RHR pump in each of the two loops must be OPERABLE. If the two required subsystems consist of an RHR pump in each loop, both heat exchangers, each with two OPERABLE RHRSW System pumps supplying cooling water, are required since one heat exchanger will not be common to both subsystems. Each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 3, one RHR shutdown cooling subsystem can provide the required cooling (sufficient to reduce and maintain reactor coolant temperature < 212°F), but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. In MODE 3, the RHR cross tie valve (2E11-F010) may not be opened (per LCO 3.5.1) to allow pumps in one loop to discharge through the opposite recirculation loop. Note 1 permits both RHR shutdown cooling subsystems and recirculation pumps to be shut down for a period of 2 hours in an 8 hour period. Note 2 allows one RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 2 B 3.4-31 REVISION 77 BASES LCO other associated Condition). For example, an operating RHR (continued) shutdown cooling subsystem can be removed from operation, yet remain OPERABLE for the decay heat removal function. (Manual alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2). APPLICABILITY In MODE 3 with reactor steam dome pressure below the RHR low pressure permissive pressure (i.e., the actual pressure at which the interlock resets) the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to reduce or maintain coolant temperature. Otherwise, a recirculation pump is required to be in operation. In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to the RHR low pressure permissive pressure, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the RCS pressure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures greater than or equal to the RHR low pressure permissive pressure is typically accomplished by condensing the steam in the main condenser. Additionally, in MODE 2 below this pressure, the OPERABILITY requirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, "ECCS - Operating") do not allow placing the RHR shutdown cooling subsystem into operation. The requirements for decay heat removal in MODES 4 and 5 are discussed in LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown"; LCO 3.9.7, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.8, "Residual Heat Removal (RHR) - Low Water Level." RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 2 B 3.4-32 REVISION 77 BASES (continued) ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem. A.1, A.2, and A.3 With one required RHR shutdown cooling subsystem inoperable for decay heat removal, except as permitted by LCO Note 2, the inoperable subsystem must be restored to OPERABLE status without delay. In this condition, the remaining OPERABLE subsystem can provide the necessary decay heat removal. The overall reliability is reduced, however, because a single failure in the OPERABLE subsystem could result in reduced RHR shutdown cooling capability. Therefore, an alternate method of decay heat removal must be provided. With both RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam Systems and the Reactor Water Cleanup System.

RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 (continued) HATCH UNIT 2 B 3.4-33 REVISION 79 BASES ACTIONS A.1, A.2, and A.3 (continued) However, due to the potentially reduced reliability of the alternate methods of decay heat removal, it is also required to reduce the reactor coolant temperature to the point where MODE 4 is entered. B.1, B.2, and B.3 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, reactor coolant circulation by the RHR shutdown cooling subsystem or recirculation pump must be restored without delay. Until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The 1 hour Completion Time is based on the coolant circulation function and is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours thereafter. This will provide assurance of continued temperature monitoring capability. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.4.7.1 REQUIREMENTS This Surveillance verifies that one RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RHR Shutdown Cooling System - Hot Shutdown B 3.4.7 HATCH UNIT 2 B 3.4-34 REVISION 77 BASES SURVEILLANCE SR 3.4.7.1 (continued) REQUIREMENTS This Surveillance is modified by a Note allowing sufficient time to align the RHR System for shutdown cooling operation after clearing the pressure interlock that isolates the system, or for placing a recirculation pump in operation. The Note takes exception to the requirements of the Surveillance being met (i.e., forced coolant circulation is not required for this initial 2 hour period), which also allows entry into the Applicability of this Specification in accordance with SR 3.0.4 since the Surveillance will not be "not met" at the time of entry into the Applicability. REFERENCES 1. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 2 B 3.4-35 REVISION 77 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown

BASES BACKGROUND Irradiated fuel in the shutdown reactor core generates heat during the decay of fission products and increases the temperature of the reactor coolant. This decay heat must be removed to maintain the temperature of the reactor coolant 212°F. This decay heat removal is in preparation for performing refueling or maintenance operations, or for keeping the reactor in the Cold Shutdown condition. The two redundant, manually controlled shutdown cooling subsystems of the RHR System provide decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after circulation through the respective heat exchanger, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHRSW System. APPLICABLE Decay heat removal by operation of the RHR System in the shutdown SAFETY ANALYSES cooling mode is not required for mitigation of any event or accident evaluated in the safety analyses. Decay heat removal is, however, an important safety function that must be accomplished or core damage could result. The RHR Shutdown Cooling System meets Criterion 4 of the NRC Policy Statement (Ref. 1). LCO Two RHR shutdown cooling subsystems are required to be OPERABLE, and when no recirculation pump is in operation, one RHR shutdown cooling subsystem must be in operation. An OPERABLE RHR shutdown cooling subsystem consists of one OPERABLE RHR pump and the associated heat exchanger, one RHRSW pump providing cooling to the heat exchanger, and the associated piping and valves which can provide the capability to maintain the reactor coolant temperature < 212°F. The two required RHR shutdown cooling subsystems have a common suction source and are allowed to have a common heat exchanger and common discharge piping. Since the piping and heat exchangers are passive components that are assumed not to fail, they are allowed to be common to both required subsystems. Thus, to meet the LCO, both RHR pumps in one loop or one RHR pump in each of the two RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 2 B 3.4-36 REVISION 77 BASES LCO loops must be OPERABLE. If the two required subsystems consist of (continued) an RHR pump in each loop, both heat exchangers are required since one heat exchanger will not be common to both subsystems. In MODE 4, the RHR cross tie valve (2E11-F010) may be opened (per LCO 3.5.2) to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. Similarly, to meet the LCO, the cooling supply for the heat exchanger(s) requires two RHRSW pumps (either one pump in each RHRSW loop or two pumps in one RHRSW loop). With one RHR heat exchanger common to both RHR shutdown cooling subsystems, each RHRSW pump is required to be capable of providing cooling to that heat exchanger (Note: the RHRSW cross tie valves may be open to allow the RHRSW pump(s) in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem.), or with both heat exchangers required, each heat exchanger is required to have an RHRSW pump capable of providing coolant to that heat exchanger. Additionally, each shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. In MODE 4, one RHR shutdown cooling subsystem can provide the required cooling (sufficient to maintain reactor coolant temperature < 212°F), but two subsystems are required to be OPERABLE to provide redundancy. Operation of one subsystem can maintain or reduce the reactor coolant temperature as required. However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. Note 1 permits both RHR shutdown cooling subsystems and recirculation pumps to be shut down for a period of 2 hours in an 8 hour period. Note 2 allows one RHR shutdown cooling subsystem to be inoperable for up to 2 hours for performance of Surveillance tests. These tests may be on the affected RHR System or on some other plant system or component that necessitates placing the RHR System in an inoperable status during the performance. This is permitted because the core heat generation can be low enough and the heatup rate slow enough to allow some changes to the RHR subsystems or other operations requiring RHR flow interruption and loss of redundancy. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the other associated Condition). For example, an operating RHR shutdown cooling subsystem can be removed from operation, yet RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 2 B 3.4-37 REVISION 77 BASES LCO remain OPERABLE for the decay heat removal function. (Manual (continued) alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2). APPLICABILITY In MODE 4, the RHR Shutdown Cooling System must be OPERABLE and shall be operated in the shutdown cooling mode to remove decay heat to maintain coolant temperature below 212°F. Otherwise, a recirculation pump is required to be in operation. In MODES 1 and 2, and in MODE 3 with reactor steam dome pressure greater than or equal to the RHR low pressure permissive pressure, this LCO is not applicable. Operation of the RHR System in the shutdown cooling mode is not allowed above this pressure because the RCS pressure may exceed the design pressure of the shutdown cooling piping. Decay heat removal at reactor pressures greater than or equal to the RHR low pressure permissive pressure is typically accomplished by condensing the steam in the main condenser. Additionally, in MODE 2 below this pressure, the OPERABILITY requirements for the Emergency Core Cooling Systems (ECCS) (LCO 3.5.1, "ECCS - Operating") do not allow placing the RHR shutdown cooling subsystem into operation. The requirements for decay heat removal in MODE 3 below the RHR low pressure permissive pressure and in MODE 5 are discussed in LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown"; LCO 3.9.7, "Residual Heat Removal (RHR) - High Water Level"; and LCO 3.9.8, "Residual Heat Removal (RHR) - Low Water Level." ACTIONS A Note has been provided to modify the ACTIONS related to RHR shutdown cooling subsystems. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition, RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 (continued) HATCH UNIT 2 B 3.4-38 REVISION 77 BASES ACTIONS discovered to be inoperable or not within limits, will not result in (continued) separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable shutdown cooling subsystems provide appropriate compensatory measures for separate inoperable shutdown cooling subsystems. As such, a Note has been provided that allows separate Condition entry for each inoperable RHR shutdown cooling subsystem.

A.1 With one of the two required RHR shutdown cooling subsystems inoperable, except as permitted by LCO Note 2, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore, an alternate method of decay heat removal must be provided. With both RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will provide assurance of continued heat removal capability. The required cooling capacity of the alternate method should be ensured by verifying (by calculation or demonstration) its capability to maintain or reduce temperature. Decay heat removal by ambient losses can be considered as, or contributing to, the alternate method capability. Alternate methods that can be used include (but are not limited to) the Condensate/Main Steam Systems (feed and bleed) and the Reactor Water Cleanup System.

B.1 and B.2 With no RHR shutdown cooling subsystem and no recirculation pump in operation, except as permitted by LCO Note 1, and until RHR or recirculation pump operation is re-established, an alternate method of reactor coolant circulation must be placed into service. This will provide the necessary circulation for monitoring coolant temperature. The 1 hour Completion Time is based on the coolant circulation RHR Shutdown Cooling System - Cold Shutdown B 3.4.8 HATCH UNIT 2 B 3.4-39 REVISION 79 BASES ACTIONS B.1 and B.2 (continued) function and is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. Furthermore, verification of the functioning of the alternate method must be reconfirmed every 12 hours thereafter. This will provide assurance of continued temperature monitoring capability. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem or recirculation pump), the reactor coolant temperature and pressure must be periodically monitored to ensure proper function of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.4.8.1 REQUIREMENTS This Surveillance verifies that one RHR shutdown cooling subsystem or recirculation pump is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RCS P/T Limits B 3.4.9 (continued) HATCH UNIT 2 B 3.4-43 REVISION 77 BASES LCO Violation of the limits places the reactor vessel outside of the bounds (continued) of the stress analyses and can increase stresses in other RCS components. The consequences depend on several factors, as follows:

a. The severity of the departure from the allowable operating pressure temperature regime or the severity of the rate of change of temperature; b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and

c. The existences, sizes, and orientations of flaws in the vessel material. APPLICABILITY The potential for violating a P/T limit exists at all times. For example, P/T limit violations could result from ambient temperature conditions that result in the reactor vessel metal temperature being less than the minimum allowed temperature for boltup. Therefore, this LCO is applicable even when fuel is not loaded in the core. ACTIONS A.1 and A.2 Operation outside the P/T limits while in MODES 1, 2, and 3 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished in this time in a controlled manner. Besides restoring operation within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed if continued operation is desired. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. ASME Code, Section XI, Appendix E (Ref. 6), may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline.

RCS P/T Limits B 3.4.9 (continued) HATCH UNIT 2 B 3.4-44 REVISION 77 BASES ACTIONS A.1 and A.2 (continued) The 72 hour Completion Time is reasonable to accomplish the evaluation of a mild violation. More severe violations may require special, event specific stress analyses or inspections. A favorable evaluation must be completed if continued operation is desired. Condition A is modified by a Note requiring Required Action A.2 be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity. B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the plant must be placed in a lower MODE because either the RCS remained in an unacceptable P/T region for an extended period of increased stress, or a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With the reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased. Pressure and temperature are reduced by placing the plant in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1 and C.2 Operation outside the P/T limits in other than MODES 1, 2, and 3 (including defueled conditions) must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses. The Required Action must be initiated without delay and continued until the limits are restored. Besides restoring the P/T limit parameters to within limits, an evaluation is required to determine if RCS operation is allowed. This evaluation must verify that the RCPB integrity is acceptable and must

RCS P/T Limits B 3.4.9 (continued) HATCH UNIT 2 B 3.4-46 REVISION 77 BASES SURVEILLANCE SR 3.4.9.2 (continued) REQUIREMENTS Performing the Surveillance within 15 minutes prior to initial control rod withdrawal for the purpose of achieving criticality provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time criticality is achieved. This SR, for clarity, is modified by a Note stating that it is only required to be met when the reactor is critical and immediately prior to control rod withdrawal for the purpose of achieving criticality. SR 3.4.9.3 and SR 3.4.9.4 Differential temperatures within the applicable limits ensure that thermal stresses resulting from the startup of an idle recirculation pump will not exceed design allowances. In addition, compliance with these limits ensures that the assumptions of the analysis for the startup of an idle recirculation loop (Ref. 7) are satisfied. The limit provided in SR 3.4.9.4 is also part of the basis for fuel thermal limits (Ref. 13). Performing the Surveillance within 15 minutes before starting the idle recirculation pump provides adequate assurance that the limits will not be exceeded between the time of the Surveillance and the time of the idle pump start. If the 145°F temperature differential specified in SR 3.4.9.3 cannot be determined by direct indication, an alternate method may be used as described below: The differential between the bottom head coolant temperature and the RPV coolant temperature can be assumed to be 145°F if the following can be confirmed: a. One or more loop drive flows were > 40% of rated flow prior to the RPT,

b. High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) Systems have not injected since the RPT,

c. Feedwater temperature has remained > 300°F since the RPT, and

d. The time between the RPT and restart is < 30 minutes.

Reactor Steam Dome Pressure B 3.4.10 (continued) HATCH UNIT 2 B 3.4-50 REVISION 77 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Reactor Steam Dome Pressure

BASES BACKGROUND The reactor steam dome pressure is an assumed value in the determination of compliance with reactor pressure vessel overpressure protection criteria and is also an assumed initial condition of design basis accidents and transients. APPLICABLE The reactor steam dome pressure of 1058 psig is an initial condition SAFETY ANALYSES of the vessel overpressure protection analysis of Reference 1. This analysis assumes an initial maximum reactor steam dome pressure and evaluates the response of the pressure relief system, primarily the safety/relief valves, during the limiting pressurization transient. The determination of compliance with the overpressure criteria is dependent on the initial reactor steam dome pressure; therefore, the limit on this pressure ensures that the assumptions of the overpressure protection analysis are conserved. Reference 2 also assumes an initial reactor steam dome pressure for the analysis of design basis accidents and transients used to determine the limits for fuel cladding integrity (see Bases for LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)") and 1% cladding plastic strain (see Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)"). Reactor steam dome pressure satisfies the requirements of Criterion 2 of the NRC Policy Statement (Ref. 3). LCO The specified reactor steam dome pressure limit of 1058 psig ensures the plant is operated within the assumptions of the overpressure protection analysis. Operation above the limit may result in a response more severe than analyzed.

APPLICABILITY In MODES 1 and 2, the reactor steam dome pressure is required to be less than or equal to the limit. In these MODES, the reactor may be generating significant steam and events which may challenge the overpressure limits are possible.

Reactor Steam Dome Pressure B 3.4.10 HATCH UNIT 2 B 3.4-51 REVISION 79 BASES APPLICABILITY In MODES 3, 4, and 5, the limit is not applicable because the reactor (continued) is shut down. In these MODES, the reactor pressure is well below the required limit, and no anticipated events will challenge the overpressure limits. ACTIONS A.1 With the reactor steam dome pressure greater than the limit, prompt action should be taken to reduce pressure to below the limit and return the reactor to operation within the bounds of the analyses. The 15 minute Completion Time is reasonable considering the importance of maintaining the pressure within limits. This Completion Time also ensures that the probability of an accident occurring while pressure is greater than the limit is minimized. B.1 If the reactor steam dome pressure cannot be restored to within the limit within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.4.10.1 REQUIREMENTS Verification that reactor steam dome pressure is 1058 psig ensures that the initial conditions of the vessel overpressure protection analysis is met. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Supplement 5A.

2. FSAR, Section 15.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-1 REVISION 0 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM

B 3.5.1 ECCS - Operating BASES BACKGROUND The ECCS is designed, in conjunction with the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during a LOCA. The ECCS network consists of the High Pressure Coolant Injection (HPCI) System, the Core Spray (CS) System, the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System, and the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of providing a source of water for the HPCI and CS Systems. On receipt of an initiation signal, ECCS pumps automatically start. Simultaneously, the system aligns and the pumps inject water, taken either from the CST or suppression pool, into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps. Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed. The HPCI pump discharge pressure almost immediately exceeds that of the RCS, and the pump injects coolant into the vessel to cool the core. If the break is small, the HPCI System will maintain coolant inventory as well as vessel level while the RCS is still pressurized. If HPCI fails, it is backed up by ADS in combination with LPCI and CS. In this event, the ADS timed sequence could be allowed to time out and open the selected safety/relief valves (S/RVs) depressurizing the RCS, thus allowing LPCI and CS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly and the LPCI and CS cool the core. Water from the break returns to the suppression pool where it is used again and again. Water in the suppression pool may be circulated through a heat exchanger cooled by the RHR Service Water System. Depending on the location and size of the break, portions of the ECCS may be ineffective; however, the overall design is effective in cooling the core regardless of the size or location of the piping break.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-2 REVISION 20 BASES BACKGROUND All ECCS subsystems are designed to ensure that no single active (continued) component failure will prevent automatic initiation and successful operation of the minimum required ECCS equipment. The CS System is composed of two independent subsystems (Ref. 1). Each subsystem consists of a motor driven pump, a spray sparger above the core, and piping and valves to transfer water from the suppression pool to the sparger. The CS System is designed to provide cooling to the reactor core when reactor pressure is low. Upon receipt of an initiation signal, the CS pumps in both subsystems are automatically started when AC power is available. When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water from and to the suppression pool to allow testing of the CS System without spraying water in the RPV. LPCI is an independent operating mode of the RHR System. There are two LPCI subsystems (Ref. 2), each consisting of two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop. The two LPCI subsystems can be interconnected via the RHR System cross tie valve; however, the cross tie valve is maintained closed with its power removed to prevent loss of both LPCI subsystems during a LOCA. The LPCI subsystems are designed to provide core cooling at low RPV pressure. Upon receipt of an initiation signal, all four LPCI pumps are automatically started (all pumps immediately if power is provided by the 2D Startup Auxiliary Transformer (SAT), and if power is provided by the 2C SAT or the DGs, C pump within 1 second after AC power is available, and A, B, and D pumps approximately 10 seconds after AC power is available). RHR System valves in the LPCI flow path are automatically positioned to ensure the proper flow path for water from the suppression pool to inject into the recirculation loops. When the RPV pressure drops sufficiently, the LPCI flow to the RPV, via the corresponding recirculation loop, begins. The water then enters the reactor through the jet pumps. Full flow test lines are provided for the four LPCI pumps to route water from the suppression pool, to allow testing of the LPCI pumps without injecting water into the RPV. These test lines also provide suppression pool cooling capability, as described in LCO 3.6.2.3, "RHR Suppression Pool Cooling." The HPCI System (Ref. 3) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping for the system is provided from the CST and the suppression pool. Pump suction for ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-3 REVISION 20 BASES BACKGROUND HPCI is normally aligned to the CST source to minimize injection of (continued) suppression pool water into the RPV. However, if the CST water supply is low, or if the suppression pool level is high, an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the HPCI System. The steam supply to the HPCI turbine is piped from a main steam line upstream of the associated inboard main steam isolation valve. The HPCI System is designed to provide core cooling for a wide range of reactor pressures (162 psid to 1200 psid, vessel to pump suction). Upon receipt of an initiation signal, the HPCI turbine stop valve and turbine control valve open simultaneously and the turbine accelerates to a specified speed. As the HPCI flow increases, the turbine governor valve is automatically adjusted to maintain design flow. Exhaust steam from the HPCI turbine is discharged to the suppression pool. A full flow test line is provided to route water from and to the CST to allow testing of the HPCI System during normal operation without injecting water into the RPV. The ECCS pumps are provided with minimum flow bypass lines, which discharge to the suppression pool. The valves in these lines automatically open to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, all ECCS pump discharge lines are filled with water. The LPCI and CS System discharge lines are kept full of water using a "keep fill" system (jockey pump system). The HPCI System is normally aligned to the CST. The height of water in the CST is sufficient to maintain the piping full of water up to the first isolation valve. The relative height of the feedwater line connection for HPCI is such that the water in the feedwater lines keeps the remaining portion of the HPCI discharge line full of water. Therefore, HPCI does not require a "keep fill" system. The ADS (Ref. 4) consists of 7 of the 11 S/RVs. It is designed to provide depressurization of the RCS during a small break LOCA if HPCI fails or is unable to maintain required water level in the RPV. ADS operation reduces the RPV pressure to within the operating pressure range of the low pressure ECCS subsystems (CS and LPCI), so that these subsystems can provide coolant inventory makeup. Each of the S/RVs used for automatic depressurization is equipped with one air accumulator and associated inlet check valves. The accumulator provides the pneumatic power to actuate the valves.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-4 REVISION 13 BASES (continued) APPLICABLE The ECCS performance is evaluated for the entire spectrum of SAFETY ANALYSES break sizes for a postulated LOCA. The accidents for which ECCS operation is required are presented in References 5, 6, and 7. The required analyses and assumptions are defined in Reference 8. The results of these analyses are also described in References 9 and 10. This LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref. 11), will be met following a LOCA, assuming the worst case single active component failure in the ECCS: a. Maximum fuel element cladding temperature is 2200°F;

b. Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;

c. Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; d. The core is maintained in a coolable geometry; and

e. Adequate long term cooling capability is maintained.

The limiting single failures are discussed in Reference 10. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage. The ECCS satisfy Criteria 3 and 4 of the NRC Policy Statement (Ref. 13). LCO Each ECCS injection/spray subsystem and six of seven ADS valves are required to be OPERABLE. The ECCS injection/spray subsystems are defined as the two CS subsystems, the two LPCI subsystems, and one HPCI System. The low pressure ECCS injection/spray subsystems are defined as the two CS subsystems and the two LPCI subsystems. With less than the required number of ECCS subsystems OPERABLE, the potential exists that during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in Reference 11 could be exceeded. All low pressure ECCS ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-5 REVISION 55 BASES LCO subsystems and ADS must therefore be OPERABLE to satisfy the (continued) single failure criterion required by Reference 11. (Reference 10 takes no credit for HPCI.) HPCI must be OPERABLE due to risk consideration. LPCI subsystems may be considered OPERABLE during alignment and operation for decay heat removal when below the actual RHR low pressure permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. At these low pressures and decay heat levels, a reduced complement of ECCS subsystems should provide the required core cooling, thereby allowing operation of RHR shutdown cooling when necessary. APPLICABILITY All ECCS subsystems are required to be OPERABLE during MODES 1, 2, and 3, when there is considerable energy in the reactor core and core cooling would be required to prevent fuel damage in the event of a break in the primary system piping. In MODES 2 and 3, when reactor steam dome pressure is 150 psig, ADS and HPCI are not required to be OPERABLE because the low pressure ECCS subsystems can provide sufficient flow below this pressure. ECCS requirements for MODES 4 and 5 are specified in LCO 3.5.2, "ECCS - Shutdown." ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable HPCI subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable HPCI subsystem and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 If any one low pressure ECCS injection/spray subsystem is inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA. However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not being able to perform its intended safety function. The 7 day Completion Time is ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-6 REVISION 55 BASES ACTIONS A.1 (continued) based on a reliability study (Ref. 12) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (i.e., Completion Times). B.1 and B.2 If the inoperable low pressure ECCS subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. C.1 and C.2 If the HPCI System is inoperable and the RCIC System is verified to be OPERABLE, the HPCI System must be restored to OPERABLE status within 14 days. In this condition, adequate core cooling is ensured by the OPERABILITY of the redundant and diverse low pressure ECCS injection/spray subsystems in conjunction with ADS. Also, the RCIC System will automatically provide makeup water at most reactor operating pressures. Verification of RCIC OPERABILITY within 1 hour is therefore required when HPCI is inoperable. This may be performed as an administrative check by examining logs or other information to determine if RCIC is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate the OPERABILITY of the RCIC System. If the OPERABILITY of the RCIC System cannot be verified, however, Condition E must be immediately entered. If a single active component fails concurrent with a design basis LOCA, there is a potential, depending on the specific failure, that the minimum required ECCS equipment will not be available. A 14 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-7 REVISION 55 BASES (continued) ACTIONS D.1 and D.2 If any one low pressure ECCS injection/spray subsystem is inoperable in addition to an inoperable HPCI System, the inoperable low pressure ECCS injection/spray subsystem or the HPCI System must be restored to OPERABLE status within 72 hours. In this condition, adequate core cooling is ensured by the OPERABILITY of the ADS and the remaining low pressure ECCS subsystems. However, the overall ECCS reliability is significantly reduced because a single failure in one of the remaining OPERABLE subsystems concurrent with a design basis LOCA may result in the ECCS not being able to perform its intended safety function. Since both a high pressure system (HPCI) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours is required to restore either the HPCI System or the low pressure ECCS injection/spray subsystem to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience. E.1 and E.2 With one ADS valve inoperable, no action is required, because an analysis demonstrated that the remaining six ADS valves are capable of providing the ADS function, per Reference 16. If any Required Action and associated Completion Time of Condition C or D is not met, or if two or more ADS valves are inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to 150 psig within 36 hours. Entry into MODE 3 is not required if the reduction in reactor steam dome pressure to 150 psig results in exiting the Applicability for the Condition, and the 150 psig is achieved within the given 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 When multiple ECCS subsystems are inoperable, as stated in Condition H, the plant is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately. ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-8 REVISION 79 BASES (continued) SURVEILLANCE SR 3.5.1.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the HPCI System, CS System, and LPCI subsystems full of water ensures that the ECCS will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent a water hammer following an ECCS initiation signal. One acceptable method of ensuring that the lines are full is to vent at the high points. In addition, when HPCI is aligned to the suppression pool (instead of the CST), one acceptable method is to monitor pump suction pressure. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.5.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the HPCI System, this SR also includes the steam flow path for the turbine and the flow controller position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that allows LPCI subsystems to be considered OPERABLE during alignment and operation for decay heat removal with reactor steam dome pressure less than the RHR low pressure permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. This allows operation in the RHR shutdown cooling mode during MODE 3, if necessary.

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-9 REVISION 79 BASES SURVEILLANCE SR 3.5.1.3 REQUIREMENTS (continued) Verification that ADS air supply header pressure is 90 psig ensures adequate air pressure for reliable ADS operation. The accumulator on each ADS valve provides pneumatic pressure for valve actuation. The design pneumatic supply pressure requirements for the accumulator are such that, following a failure of the pneumatic supply to the accumulator, at least two valve actuations can occur with the drywell at 70% of design pressure (Ref. 12). The ECCS safety analysis assumes only one actuation to achieve the depressurization required for operation of the low pressure ECCS. This minimum required pressure of 90 psig for one actuation is provided by the ADS instrument air supply. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.4 Verification that the RHR System cross tie valve is closed and power to its operator is disconnected ensures that each LPCI subsystem remains independent and a failure of the flow path in one subsystem will not affect the flow path of the other LPCI subsystem. Acceptable methods of removing power to the operator include de-energizing breaker control power or racking out or removing the breaker. If the RHR System cross tie valve is open or power has not been removed from the valve operator, both LPCI subsystems must be considered inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.5 (Not used.)

SR 3.5.1.6 Cycling the recirculation pump discharge valves through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will close when required. Upon initiation of an automatic LPCI subsystem injection signal, these valves are required to be closed to ensure full LPCI subsystem flow injection in the reactor via the recirculation jet pumps. De-energizing the valve in the closed position will also ensure the proper flow path for the LPCI subsystem. Acceptable methods of de-energizing the valve include de-energizing breaker control power, racking out the breaker or removing the breaker. ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-10 REVISION 79 BASES SURVEILLANCE SR 3.5.1.6 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. However, this SR is modified by a Note that states the Surveillance is only required to be performed prior to entering MODE 2 from MODE 3 or 4, when in MODE 4 > 48 hours. Verification during or following MODE 4 > 48 hours and prior to entering MODE 2 from MODE 3 or 4 is an exception to the normal Inservice Testing Program generic valve cycling Frequency but is considered acceptable due to the demonstrated reliability of these valves. The 48 hours is intended to indicate an outage of sufficient duration to allow for scheduling and proper performance of the Surveillance. If the valve is inoperable and in the open position, the associated LPCI subsystem must be declared inoperable.

SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 The performance requirements of the low pressure ECCS pumps are determined through application of the 10 CFR 50, Appendix K criteria (Ref. 8). This periodic Surveillance is performed (in accordance with the ASME Code, Section XI, requirements for the ECCS pumps) to verify that the ECCS pumps will develop the flow rates required by the respective analyses. The low pressure ECCS pump flow rates ensure that adequate core cooling is provided to satisfy the acceptance criteria of Reference 10. The pump flow rates are verified against a system head equivalent to the RPV pressure expected during a LOCA. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure present during a LOCA. These values may be established during preoperational testing. The flow tests for the HPCI System are performed at two different pressure ranges such that system capability to provide rated flow is tested at both the higher and lower operating ranges of the system. The pump flow rates are verified against a system head corresponding to the RPV pressure. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the HPCI System diverts steam flow. The reactor steam pressure must be 920 psig to perform SR 3.5.1.8 and 150 psig to perform SR 3.5.1.9. Adequate

ECCS - Operating B 3.5.1 (continued) HATCH UNIT 2 B 3.5-11 REVISION 79 BASES SURVEILLANCE SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 (continued) REQUIREMENTS steam flow for SR 3.5.1.8 is represented by at least two turbine bypass valves open, or 200 MWE from the main turbine-generator; and for SR 3.5.1.9 adequate steam flow is represented by at least 1.25 turbine bypass valves open, or total steam flow 1E6 lb/hour. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these tests. Reactor startup is allowed prior to performing the low pressure Surveillance test because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance test is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that HPCI is inoperable. Therefore, SR 3.5.1.8 and SR 3.5.1.9 are modified by Notes that state the Surveillances are not required to be performed until 12 hours after the reactor steam pressure and flow are adequate to perform the test. The 12 hours allowed is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. The Frequency for SR 3.5.1.7 is consistent with the Inservice Testing Program pump testing requirements. The Frequencies for SR 3.5.1.8 and SR 3.5.1.9 are based on operating experience, equipment reliability, and plant risk, and are controlled under the Surveillance Frequency Control Program. SR 3.5.1.10 The ECCS subsystems are required to actuate automatically to perform their design functions. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCI, CS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions. This SR also ensures that the HPCI System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TESTperformed in LCO 3.3.5.1 overlaps this Surveillance to provide complete testing of the assumed safety function.

ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 2 B 3.5-15 REVISION 0 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM

B 3.5.2 ECCS - Shutdown BASES BACKGROUND A description of the Core Spray (CS) System and the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System is provided in the Bases for LCO 3.5.1, "ECCS - Operating." APPLICABLE The ECCS performance is evaluated for the entire spectrum of SAFETY ANALYSES break sizes for a postulated loss of coolant accident (LOCA). The long term cooling analysis following a design basis LOCA (Ref. 1) demonstrates that only one low pressure ECCS injection/spray subsystem is required, post LOCA, to maintain adequate reactor vessel water level in the event of an inadvertent vessel draindown. It is reasonable to assume, based on engineering judgment, that while in MODES 4 and 5, one low pressure ECCS injection/spray subsystem can maintain adequate reactor vessel water level. To provide redundancy, a minimum of two low pressure ECCS injection/spray subsystems are required to be OPERABLE in MODES 4 and 5. The low pressure ECCS subsystems satisfy Criterion 3 of the NRC Policy Statement (Ref. 3). LCO Two low pressure ECCS injection/spray subsystems are required to be OPERABLE. The low pressure ECCS injection/spray subsystems consist of two CS subsystems and two LPCI subsystems. Each CS subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool or condensate storage tank (CST) to the reactor pressure vessel (RPV). Each LPCI subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool to the RPV. Only a single LPCI pump is required per subsystem because of the larger injection capacity in relation to a CS subsystem. In MODES 4 and 5, the RHR System cross tie valve is not required to be closed. The necessary portions of the Plant Service Water System are also required to provide appropriate cooling to each required ECCS subsystem. One LPCI subsystem may be aligned for decay heat removal and considered OPERABLE for the ECCS function, if it can be manually ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 2 B 3.5-16 REVISION 28 BASES LCO realigned (remote or local) to the LPCI mode and is not otherwise (continued) inoperable. Because of low pressure and low temperature conditions in MODES 4 and 5, sufficient time will be available to manually align and initiate LPCI subsystem operation to provide core cooling prior to postulated fuel uncovery. APPLICABILITY OPERABILITY of the low pressure ECCS injection/spray subsystems is required in MODES 4 and 5 to ensure adequate coolant inventory and sufficient heat removal capability for the irradiated fuel in the core in case of an inadvertent draindown of the vessel. Requirements for ECCS OPERABILITY during MODES 1, 2, and 3 are discussed in the Applicability section of the Bases for LCO 3.5.1. ECCS subsystems are not required to be OPERABLE during MODE 5 with the spent fuel storage pool gates removed and the water level maintained at 22 ft 1/8 inches above the RPV flange (equivalent to 21 ft of water above the top of irradiated fuel assemblies seated in the spent fuel storage pool racks; the point from which the water level is measured is shown in Figure B 3.5.2-1). This provides sufficient coolant inventory to allow operator action to terminate the inventory loss prior to fuel uncovery in case of an inadvertent draindown. The Automatic Depressurization System is not required to be OPERABLE during MODES 4 and 5 because the RPV pressure is 150 psig, and the CS System and the LPCI subsystems can provide core cooling without any depressurization of the primary system. The High Pressure Coolant Injection System is not required to be OPERABLE during MODES 4 and 5 since the low pressure ECCS injection/spray subsystems can provide sufficient flow to the vessel. ACTIONS A.1 and B.1 If any one required low pressure ECCS injection/spray subsystem is inoperable, the inoperable subsystem must be restored to OPERABLE status in 4 hours. In this condition, the remaining OPERABLE subsystem can provide sufficient vessel flooding capability to recover from an inadvertent vessel draindown. However, overall system reliability is reduced because a single failure in the remaining OPERABLE subsystem concurrent with a vessel draindown could result in the ECCS not being able to perform its intended function. The 4 hour Completion Time for restoring the required low pressure ECCS injection/spray subsystem to OPERABLE status is ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 2 B 3.5-17 REVISION 1 BASES ACTIONS A.1 and B.1 (continued) based on engineering judgment that considered the remaining available subsystem and the low probability of a vessel draindown event. With the inoperable subsystem not restored to OPERABLE status in the required Completion Time, action must be immediately initiated to suspend operations with a potential for draining the reactor vessel (OPDRVs) to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. C.1, C.2, D.1, D.2, and D.3 With both of the required ECCS injection/spray subsystems inoperable, all coolant inventory makeup capability may be unavailable. Therefore, actions must immediately be initiated to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. One ECCS injection/spray subsystem must also be restored to OPERABLE status within 4 hours. The 4 hour Completion Time to restore at least one low pressure ECCS injection/spray subsystem to OPERABLE status ensures that prompt action will be taken to provide the required cooling capacity or to initiate actions to place the plant in a condition that minimizes any potential fission product release to the environment. If at least one low pressure ECCS injection/spray subsystem is not restored to OPERABLE status within the 4 hour Completion Time, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring: 1) secondary containment [at least including: the Unit 2 reactor building zone if in MODE 4; or the common refueling floor zone if in MODE 5] is OPERABLE; 2) sufficient standby gas treatment (SGT) subsystem(s) are OPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondary containment configuration, refer to Reference 2; single failure protection is not required while in this ACTION); and 3) secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactivity releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative ECCS - Shutdown B 3.5.2 (continued) HATCH UNIT 2 B 3.5-18 REVISION 79 BASES ACTIONS C.1, C.2, D.1, D.2, and D.3 (continued) controls to assure isolation capability. The administrative controls can consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.). OPERABILITY may be verified by an administrative check, or by examining logs or other information, to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the Surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE. SURVEILLANCE SR 3.5.2.1 and SR 3.5.2.2 REQUIREMENTS The minimum water level of 146 inches required for the suppression pool is periodically verified to ensure that the suppression pool will provide adequate net positive suction head (NPSH) for the CS System and LPCI subsystem pumps, recirculation volume, and vortex prevention. With the suppression pool water level less than the required limit, all ECCS injection/spray subsystems are inoperable unless they are aligned to an OPERABLE CST. When suppression pool level is < 146 inches, the CS System is considered OPERABLE only if it can take suction from the CST, and the CST water level is sufficient to provide the required NPSH for the CS pump. Therefore, a verification that either the suppression pool water level is 146 inches or that CS is aligned to take suction from the CST and the CST contains 150,000 gallons of water, equivalent to 15 ft, ensures that the CS System can supply at least 50,000 gallons of makeup water to the RPV. The CS suction is uncovered at the 100,000 gallon level. However, as noted, only one required CS subsystem may take credit for the CST option during OPDRVs. During OPDRVs, the volume in the CST may not provide adequate makeup if the RPV were completely drained. Therefore, only one CS subsystem is allowed to use the CST. This ensures the other required ECCS subsystem has adequate makeup volume. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. ECCS - Shutdown B 3.5.2 HATCH UNIT 2 B 3.5-19 REVISION 79 BASES SURVEILLANCE SR 3.5.2.3, SR 3.5.2.5, and SR 3.5.2.6 REQUIREMENTS (continued) The Bases provided for SR 3.5.1.1, SR 3.5.1.7, and SR 3.5.1.10 are applicable to SR 3.5.2.3, SR 3.5.2.5, and SR 3.5.2.6, respectively. However, the LPCI flow rate requirement for SR 3.5.2.5 is based on a single pump, not the two pump flow rate requirement of SR 3.5.1.7.

SR 3.5.2.4 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In MODES 4 and 5, the RHR System may operate in the shutdown cooling mode to remove decay heat and sensible heat from the reactor. Therefore, RHR valves that are required for LPCI subsystem operation may be aligned for decay heat removal. Therefore, this SR is modified by a Note that allows one LPCI subsystem of the RHR System to be considered OPERABLE for the ECCS function if all the required valves in the LPCI flow path can be manually realigned (remote or local) to allow injection into the RPV, and the system is not otherwise inoperable. This will ensure adequate core cooling if an inadvertent RPV draindown should occur. REFERENCES 1. NEDC-31376P, "E.I. Hatch Nuclear Plant Units 1 and 2 SAFER/GESTR-LOCA Loss-of-Coolant Accident Analysis," December 1986. 2. Technical Requirements Manual, Section 8.0. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. ECCS - Shutdown B 3.5.2 HATCH UNIT 2 B 3.5-20 REVISION 79

Figure B 3.5.2-1 (page 1 of 1) Top of Irradiated Fuel Assembly RCIC System B 3.5.3 (continued) HATCH UNIT 2 B 3.5-21 REVISION 79 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM

B 3.5.3 RCIC System BASES BACKGROUND The RCIC System is not part of the ECCS; however, the RCIC System is included with the ECCS section because of their similar functions. The RCIC System is designed to operate either automatically or manually following reactor pressure vessel (RPV) isolation accompanied by a loss of coolant flow from the feedwater system to provide adequate core cooling and control of the RPV water level. Under these conditions, the High Pressure Coolant Injection (HPCI) and RCIC systems perform similar functions. The RCIC System design requirements ensure that the criteria of Reference 1 are satisfied. The RCIC System (Ref. 2) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping is provided from the condensate storage tank (CST) and the suppression pool. Pump suction is normally aligned to the CST to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low, or the suppression pool level is high, an automatic transfer to the suppression pool water source ensures a water supply for continuous operation of the RCIC System. The steam supply to the turbine is piped from a main steam line upstream of the associated inboard main steam line isolation valve. The RCIC System is designed to provide core cooling for a wide range of reactor pressures (150 psig to 1154 psig). Upon receipt of an initiation signal, the RCIC turbine accelerates to a specified speed. As the RCIC flow increases, the turbine control valve is automatically adjusted to maintain design flow. Exhaust steam from the RCIC turbine is discharged to the suppression pool. A full flow test line is provided to route water from and to the CST to allow testing of the RCIC System during normal operation without injecting water into the RPV. The RCIC pump is provided with a minimum flow bypass line, which discharges to the suppression pool. The valve in this line automatically opens to prevent pump damage due to overheating RCIC System B 3.5.3 (continued) HATCH UNIT 2 B 3.5-22 REVISION 79 BASES BACKGROUND when other discharge line valves are closed. To ensure rapid delivery (continued) of water to the RPV and to minimize water hammer effects, the RCIC System discharge piping is kept full of water. The RCIC System is normally aligned to the CST. The height of water in the CST is sufficient to maintain the piping full of water up to the first isolation valve. The relative height of the feedwater line connection for RCIC is such that the water in the feedwater lines keeps the remaining portion of the RCIC discharge line full of water. Therefore, RCIC does not require a "keep fill" system. APPLICABLE The function of the RCIC System is to respond to transient events by SAFETY ANALYSES providing makeup coolant to the reactor. The RCIC System is not an Engineered Safety Feature System and no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system satisfies Criterion 4 of the NRC Policy Statement (Ref. 5). LCO The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the low pressure ECCS subsystems is not required in the event of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity for maintaining RPV inventory during an isolation event. APPLICABILITY The RCIC System is required to be OPERABLE during MODE 1, and MODES 2 and 3 with reactor steam dome pressure > 150 psig, since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. In MODES 2 and 3 with reactor steam dome pressure 150 psig, and in MODES 4 and 5, RCIC is not required to be OPERABLE since the low pressure ECCS injection/spray subsystems can provide sufficient flow to the RPV. ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable RCIC subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable RCIC subsystem, and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. RCIC System B 3.5.3 (continued) HATCH UNIT 2 B 3.5-23 REVISION 79 BASES ACTIONS A.1 and A.2 If the RCIC System is inoperable during MODE 1, or MODE 2 or 3 with reactor steam dome pressure > 150 psig, and the HPCI System is verified to be OPERABLE, the RCIC System must be restored to OPERABLE status within 14 days. In this condition, loss of the RCIC System will not affect the overall plant capability to provide makeup inventory at high reactor pressure since the HPCI System is the only high pressure system assumed to function during a loss of coolant accident (LOCA). OPERABILITY of HPCI is therefore verified within 1 hour when the RCIC System is inoperable. This may be performed as an administrative check, by examining logs or other information, to determine if HPCI is out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the HPCI System. If the OPERABILITY of the HPCI System cannot be verified, however, Condition B must be immediately entered. For non-LOCA events, RCIC (as opposed to HPCI) is the preferred source of makeup coolant because of its relatively small capacity, which allows easier control of the RPV water level. Therefore, a limited time is allowed to restore the inoperable RCIC to OPERABLE status. The 14 day Completion Time is based on a reliability study (Ref. 3) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (AOTs). Because of similar functions of HPCI and RCIC, the AOTs (i.e., Completion Times) determined for HPCI are also applied to RCIC. B.1 and B.2 If the RCIC System cannot be restored to OPERABLE status within the associated Completion Time, or if the HPCI System is simultaneously inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and reactor steam dome pressure reduced to 150 psig within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

RCIC System B 3.5.3 (continued) HATCH UNIT 2 B 3.5-24 REVISION 79 BASES (continued) SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge line of the RCIC System full of water ensures that the system will perform properly, injecting its full capacity into the Reactor Coolant System upon demand. This will also prevent a water hammer following an initiation signal. One acceptable method of ensuring the line is full when aligned to the CST is to vent at the high points and, when aligned to the suppression pool, by monitoring pump suction pressure. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.5.3.2 Verifying the correct alignment for manual, power operated, and automatic valves in the RCIC flow path provides assurance that the proper flow path will exist for RCIC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the RCIC System, this SR also includes the steam flow path for the turbine and the flow controller position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.5.3.3 and SR 3.5.3.4 The RCIC pump flow rates ensure that the system can maintain reactor coolant inventory during pressurized conditions with the RPV isolated. The required flow rate (400 gpm) is the pump design flow rate. Analysis has demonstrated that RCIC can fulfill its design function at a system flow rate of 360 gpm (Ref. 4). The pump flow RCIC System B 3.5.3 (continued) HATCH UNIT 2 B 3.5-25 REVISION 79 BASES SURVEILLANCE SR 3.5.3.3 and SR 3.5.3.4 (continued) REQUIREMENTS rates are verified against a system head equivalent to the RPV pressure. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure. The flow tests for the RCIC System are performed at two different pressure ranges such that system capability to provide rated flow is tested both at the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the RCIC System diverts steam flow. Reactor steam pressure must be 920 psig to perform SR 3.5.3.3 and 150 psig to perform SR 3.5.3.4. Adequate steam flow is represented by at least one turbine bypass valve open, or for SR 3.5.3.3 200 MWE from the main turbine-generator and for SR 3.5.3.4 total steam flow 1E6 lb/hour. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these SRs. Reactor startup is allowed prior to performing the low pressure Surveillance because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure Surveillance has been satisfactorily completed and there is no indication or reason to believe that RCIC is inoperable. Therefore, these SRs are modified by Notes that state the Surveillances are not required to be performed until 12 hours after the reactor steam pressure and flow are adequate to perform the test. The 12 hours allowed is sufficient to achieve stable conditions for testing and provides a reasonable time to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.5 The RCIC System is required to actuate automatically in order to verify its design function satisfactorily. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of the RCIC System will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence; that is, automatic pump startup and actuation of all automatic valves to their required positions. This test also ensures the RCIC System will automatically restart on an RPV

RCIC System B 3.5.3 HATCH UNIT 2 B 3.5-26 REVISION 79 BASES SURVEILLANCE SR 3.5.3.5 (continued) REQUIREMENTS low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.2 overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note that excludes vessel injection during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance. REFERENCES 1. 10 CFR 50, Appendix A, GDC 33.

2. FSAR, Section 5.5.6. 3. Memorandum from R.L. Baer (NRC) to V. Stello, Jr. (NRC), "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.

4. GE Report AES-41-0688, "Safety Evaluation for Relaxation of RCIC Performance Requirements for Plant Hatch Units 1 and 2," July 1988.

5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Primary Containment B 3.6.1.1 (continued) HATCH UNIT 2 B 3.6-1 REVISION 7 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.1 Primary Containment

BASES BACKGROUND The function of the primary containment is to isolate and contain fission products released from the Reactor Primary System following a Design Basis Accident (DBA) and to confine the postulated release of radioactive material. The primary containment consists of a steel lined, reinforced concrete vessel, which surrounds the Reactor Primary System and provides an essentially leak tight barrier against an uncontrolled release of radioactive material to the environment. The isolation devices for the penetrations in the primary containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accident conditions are either: 1. Capable of being closed by an OPERABLE automatic containment isolation system, or 2. Closed by manual valves, blind flanges, or de-activated automatic valves secured in their closed positions, except as provided in LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)";

b. The primary containment air lock is OPERABLE, except as provided in LCO 3.6.1.2, "Primary Containment Air Lock"; and c. All equipment hatches are closed. This Specification ensures that the performance of the primary containment, in the event of a DBA, meets the assumptions used in the safety analyses of References 1 and 2. SR 3.6.1.1.1 leakage rate requirements are in conformance with 10 CFR 50, Appendix J, Option B (Ref. 3), as modified by approved exemptions. APPLICABLE The safety design basis for the primary containment is that it must SAFETY ANALYSES withstand the pressures and temperatures of the limiting DBA without exceeding the design leakage rate.

Primary Containment B 3.6.1.1 (continued) HATCH UNIT 2 B 3.6-2 REVISION 54 BASES APPLICABLE The DBA that postulates the maximum release of radioactive material SAFETY ANALYSES within primary containment is a LOCA. In the analysis of this (continued) accident, it is assumed that primary containment is OPERABLE such that release of fission products to the environment is controlled by the rate of primary containment leakage. Analytical methods and assumptions involving the primary containment are presented in References 1 and 2. The safety analyses assume a nonmechanistic fission product release following a DBA, which forms the basis for determination of offsite doses. The fission product release is, in turn, based on an assumed leakage rate from the primary containment. OPERABILITY of the primary containment ensures that the leakage rate assumed in the safety analyses is not exceeded. The maximum allowable leakage rate for the primary containment (La) is 1.2% by weight of the containment air per 24 hours at the design basis LOCA maximum peak containment pressure (Pa) of 47.3 psig (Ref. 1). Primary containment satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Primary containment OPERABILITY is maintained by limiting leakage to La, except prior to the first startup after performing a required Primary Containment Leakage Rate Testing Program (Ref. 5) leakage test. At this time, applicable leakage limits specified in the Primary Containment Leakage Rate Testing Program must be met. Compliance with this LCO will ensure a primary containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those leakage rates assumed in the safety analyses. Individual leakage rates specified for the primary containment air lock are addressed in LCO 3.6.1.2. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, primary containment is not required to be OPERABLE in MODES 4 and 5 to prevent leakage of radioactive material from primary containment. Primary Containment B 3.6.1.1 (continued) HATCH UNIT 2 B 3.6-3 REVISION 7 BASES (continued) ACTIONS A.1 In the event primary containment is inoperable, primary containment must be restored to OPERABLE status within 1 hour. The 1 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining primary containment OPERABILITY during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring primary containment OPERABILITY) occurring during periods where primary containment is inoperable is minimal. B.1 and B.2 If primary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.1.1 REQUIREMENTS Maintaining the primary containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Primary Containment Leakage Rate Testing Program. Failure to meet air lock leakage testing (SR 3.6.1.2.1), secondary containment bypass leakage (SR 3.6.1.3.10), or main steam isolation valve leakage (SR 3.6.1.3.11) does not necessarily result in a failure of this SR. The impact of the failure to meet these SRs must be evaluated against the Type A, B, and C acceptance criteria of the Primary Containment Leakage Rate Testing Program. The Primary Containment Leakage Rate Testing Program is based on the guidelines in Regulatory Guide 1.163 (Ref. 6), NEI 94-01 (Ref. 7), and ANSI/ANS-56.8-1994 (Ref. 8). Specific acceptance criteria for as found and as left leakage rates, as well as the methods of defining the leakage rates, are contained in the Primary Containment Leakage Rate Testing Program. At all other times between required leakage rate tests, the acceptance criteria are based on an overall Type A leakage limit of 1.0 La. At 1.0 La, the offsite dose consequences are bounded by the assumptions of the safety analysis. The Frequency is required by the Primary Containment Leakage Rate Testing Program. Primary Containment B 3.6.1.1 (continued) HATCH UNIT 2 B 3.6-4 REVISION 79 BASES SURVEILLANCE SR 3.6.1.1.2 REQUIREMENTS (continued) Maintaining the pressure suppression function of primary containment requires limiting the leakage from the drywell to the suppression chamber. Thus, if an event were to occur that pressurized the drywell, the steam would be directed through the downcomers into the suppression pool. This SR measures drywell to suppression chamber differential pressure during a 10 minute period to ensure that the leakage paths that would bypass the suppression pool are within allowable limits. Satisfactory performance of this SR can be achieved by establishing a known differential pressure between the drywell and the suppression chamber and verifying that the pressure in either the suppression chamber or the drywell does not change by more than 0.25 inch of water per minute over a 10 minute period. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 6.2.

2. FSAR, Section 15.1.39.

3. 10 CFR 50, Appendix J, Option B.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

5. Primary Containment Leakage Rate Testing Program. 6. Regulatory Guide 1.163, "Performance-Based Containment Leak-Test Program," September 1995. 7. NEI 94-01, "Industry Guideline for Implementing Performance-Based Option of 10 CFR Part 50, Appendix J," Revision 0, July 26, 1995.

Primary Containment B 3.6.1.1 HATCH UNIT 2 B 3.6-5 REVISION 79 BASES REFERENCES 8. ANSI/ANS-56.8-1994, "American National Standard for (continued) Containment System Leakage Testing Requirements," 1994.

Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 2 B 3.6-6 REVISION 0 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.2 Primary Containment Air Lock

BASES BACKGROUND One double door primary containment air lock has been built into the primary containment to provide personnel access to the drywell and to provide primary containment isolation during the process of personnel entering and exiting the drywell. The air lock is designed to withstand the same loads, temperatures, and peak design internal and external pressures as the primary containment (Ref. 1). As part of the primary containment, the air lock limits the release of radioactive material to the environment during normal unit operation and through a range of transients and accidents up to and including postulated Design Basis Accidents (DBAs). Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a DBA in primary containment. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure sealed doors (i.e., an increase in primary containment internal pressure results in increased sealing force on each door). The air lock is nominally a right circular cylinder, 10 ft in diameter, with doors at each end that are interlocked to prevent simultaneous opening. The air lock is provided with limit switches on both doors that provide control room indication of door position. Additionally, control room indication is provided to alert the operator whenever the air lock interlock mechanism is defeated. During periods when primary containment is not required to be OPERABLE, the air lock interlock mechanism may be disabled, allowing both doors of the air lock to remain open for extended periods when frequent primary containment entry is necessary. Under some conditions allowed by this LCO, the primary containment may be accessed through the air lock, when the interlock mechanism has failed, by manually performing the interlock function. The primary containment air lock forms part of the primary containment pressure boundary. As such, air lock integrity and leak tightness are essential for maintaining primary containment leakage rate to within limits in the event of a DBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis. Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 2 B 3.6-7 REVISION 54 BASES (continued) APPLICABLE The DBA that postulates the maximum release of radioactive material SAFETY ANALYSES within primary containment is a LOCA. In the analysis of this accident, it is assumed that primary containment is OPERABLE, such that release of fission products to the environment is controlled by the rate of primary containment leakage. The primary containment is designed with a maximum allowable leakage rate (La) of 1.2% by weight of the containment air per 24 hours at the calculated design basis LOCA maximum peak containment pressure (Pa) of 47.3 psig (Ref. 2). This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock. Primary containment air lock OPERABILITY is also required to minimize the amount of fission product gases that may escape primary containment through the air lock and contaminate and pressurize the secondary containment. The primary containment air lock satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO As part of primary containment, the air lock's safety function is related to control of containment leakage rates following a DBA. Thus, the air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event. The primary containment air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door to be opened at a time. This provision ensures that a gross breach of primary containment does not exist when primary containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry and exit from primary containment. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the primary containment air lock is not required to be OPERABLE in MODES 4 Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 2 B 3.6-8 REVISION 0 BASES APPLICABILITY and 5 to prevent leakage of radioactive material from primary (continued) containment. ACTIONS The ACTIONS are modified by Note 1, which allows entry and exit to perform repairs of the affected air lock component. If the outer door is inoperable, then it may be easily accessed to repair. If the inner door is the one that is inoperable, however, then a short time exists when the containment boundary is not intact (during access through the outer door). The allowance to open the OPERABLE door, even if it means the primary containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize the primary containment during the short time in which the OPERABLE door is expected to be open. The OPERABLE door must be immediately closed after each entry and exit. The ACTIONS are modified by a second Note, which ensures appropriate remedial measures are taken, if necessary, if air lock leakage results in exceeding overall containment leakage rate acceptance criteria. Pursuant to LCO 3.0.6, actions are not required, even if primary containment is exceeding its leakage limit. Therefore, the Note is added to require ACTIONS for LCO 3.6.1.1, "Primary Containment," to be taken in this event.

A.1, A.2, and A.3 With one primary containment air lock door inoperable, the OPERABLE door must be verified closed (Required Action A.1) in the air lock. This ensures that a leak tight primary containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which requires that primary containment be restored to OPERABLE status within 1 hour. In addition, the air lock penetration must be isolated by locking closed the OPERABLE air lock door within the 24 hour Completion Time. The 24 hour Completion Time is considered reasonable for locking the OPERABLE air lock door, considering that the OPERABLE door is being maintained closed. Required Action A.3 ensures that the air lock with an inoperable door has been isolated by the use of a locked closed OPERABLE air lock door. This ensures that an acceptable primary containment leakage boundary is maintained. The Completion Time of once per 31 days is Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 2 B 3.6-9 REVISION 0 BASES ACTIONS A.1, A.2, and A.3 (continued) based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and allows these doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small. The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls. Primary containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities inside primary containment that are required by TS or activities that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-related activities) if the primary containment was entered, using the inoperable air lock, to perform an allowed activity listed above. The administrative controls required consist of the stationing of a dedicated individual to assure closure of the OPERABLE door except during the entry and exit, and assuring the OPERABLE door is relocked after completion of the containment entry and exit. This allowance is acceptable due to the low probability of an event that could pressurize the primary containment during the short time that the OPERABLE door is expected to be open. B.1, B.2, and B.3 With an air lock interlock mechanism inoperable, the Required Actions and associated Completion Times are consistent with those specified in Condition A. Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 2 B 3.6-10 REVISION 0 BASES ACTIONS B.1, B.2, and B.3 (continued) The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from the primary containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock). Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and that allows these doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

C.1, C.2, and C.3 If the air lock is inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be immediately initiated to evaluate containment overall leakage rates using current air lock leakage test results. An evaluation is acceptable since it is overly conservative to immediately declare the primary containment inoperable if both doors in the air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed), primary containment remains OPERABLE, yet only 1 hour (according to LCO 3.6.1.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits. Required Action C.2 requires that one door in the primary containment air lock must be verified closed. This action must be completed within the 1 hour Completion Time. This specified time period is consistent with the ACTIONS of LCO 3.6.1.1, which require that primary containment be restored to OPERABLE status within 1 hour. Additionally, the air lock must be restored to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable for restoring Primary Containment Air Lock B 3.6.1.2 (continued) HATCH UNIT 2 B 3.6-11 REVISION 7 BASES ACTIONS C.1, C.2, and C.3 (continued) an inoperable air lock to OPERABLE status considering that at least one door is maintained closed in the air lock.

D.1 and D.2 If the inoperable primary containment air lock cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.2.1 REQUIREMENTS Maintaining primary containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Primary Containment Leakage Rate Testing Program (Ref. 3). This SR reflects the leakage rate testing requirements with respect to air lock leakage (Type B leakage tests). The acceptance criteria were established as a small fraction of the total allowable containment leakage. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall primary containment leakage rate. The Frequency is required by the Primary Containment Leakage Rate Testing Program. The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a DBA. Note 2 has been added to this SR, requiring the results to be evaluated against the acceptance criteria applicable to SR 3.6.1.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Type B and C primary containment leakage rate. Primary Containment Air Lock B 3.6.1.2 HATCH UNIT 2 B 3.6-12 REVISION 79 BASES SURVEILLANCE SR 3.6.1.2.2 REQUIREMENTS (continued) The air lock interlock mechanism is designed to prevent simultaneous opening of both doors in the air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident primary containment pressure, closure of either door will support primary containment OPERABILITY. Thus, the interlock feature supports primary containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous inner and outer door opening will not inadvertently occur. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 3.8.2.8.2.2.

2. FSAR, Section 6.2.

3. Primary Containment Leakage Rate Testing Program. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-13 REVISION 0 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.3 Primary Containment Isolation Valves (PCIVs) BASES BACKGROUND The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) to within limits. Primary containment isolation ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a DBA. The OPERABILITY requirements for PCIVs help ensure that an adequate primary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. Therefore, the OPERABILITY requirements provide assurance that primary containment function assumed in the safety analyses will be maintained. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position, check valves with flow through the valve secured, blind flanges, and closed systems are considered passive devices. Check valves and other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system. The reactor building-to-suppression chamber vacuum breakers serve a dual function, one of which is primary containment isolation. However, since the other safety function of the vacuum breakers would not be available if the normal PCIV actions were taken, the PCIV OPERABILITY requirements are not applicable to the reactor building-to-suppression chamber vacuum breaker valves. Similar Surveillance Requirements in the LCO for reactor building-to-suppression chamber vacuum breakers provide assurance that the isolation capability is available without conflicting with the vacuum relief function. The primary containment purge supply lines are 18 inches and 20 inches in diameter; exhaust lines are 18 inches in diameter. The 18 inch primary containment purge valves are normally maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. However, the 18 inch valves are qualified for use and may be opened when used for inerting, de-inerting, pressure PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-14 REVISION 0 BASES BACKGROUND control, ALARA or air quality considerations for personnel entry, or (continued) Surveillances that require the valves to be open. These valves are qualified to be open because two additional redundant excess flow isolation dampers are provided on the vent line upstream of the Standby Gas Treatment (SGT) System filter trains. These isolation dampers, together with the PCIVs, will prevent high pressure from reaching the SGT System filter trains in the unlikely event of a loss of coolant accident (LOCA) during venting. Closure of the excess flow isolation dampers will not prevent the SGT System from performing its design function (that is, to maintain a negative pressure in the secondary containment). To ensure that a vent path is available, a 2 inch bypass line is provided around the dampers. The isolation valves on the 18 inch exhaust lines have 2 inch bypass lines around them for use during normal reactor operation or when the 18 inch valves cannot be opened. APPLICABLE The PCIVs LCO was derived from the assumptions related to SAFETY ANALYSES minimizing the loss of reactor coolant inventory, and establishing the primary containment boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO. The DBAs that result in a release of radioactive material for which the consequences are mitigated by PCIVs are a LOCA and a main steam line break (MSLB). In the analysis for each of these accidents, it is assumed that PCIVs are either closed or close within the required isolation times following event initiation. This ensures that potential paths to the environment through PCIVs (including primary containment purge valves) are minimized. Of the events analyzed in Reference 1, the MSLB is the most limiting event due to radiological consequences. The closure time of the main steam isolation valves (MSIVs) is a significant variable from a radiological standpoint. The MSIVs are required to close within 3 to 5 seconds since the 5 second closure time is assumed in the analysis. The safety analyses assume that the purge valves were closed at event initiation. Likewise, it is assumed that the primary containment is isolated such that release of fission products to the environment is controlled. The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the primary containment purge valves. Two valves in series on each PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-15 REVISION 0 BASES APPLICABLE purge line provide assurance that both the supply and exhaust lines SAFETY ANALYSES could be isolated even if a single failure occurred. (continued) PCIVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 6). LCO PCIVs form a part of the primary containment boundary. The PCIV safety function is related to minimizing the loss of reactor coolant inventory and establishing the primary containment boundary during a DBA. The power operated and the automatic isolation valves are required to have isolation times within limits and the automatic isolation valves actuate on an automatic isolation signal. While the reactor building-to-suppression chamber vacuum breakers isolate primary containment penetrations, they are excluded from this Specification. Controls on their isolation function are adequately addressed in LCO 3.6.1.7, "Reactor Building-to-Suppression Chamber Vacuum Breakers." The valves covered by this LCO are listed with their associated stroke times in Reference 2. The normally closed PCIVs are considered OPERABLE when manual valves are closed, or open in accordance with appropriate administrative controls, automatic valves are de-activated and secured in their closed position, blind flanges are in place, and closed systems are intact. These passive isolation valves and devices are those listed in Reference 2. Secondary containment bypass valves and MSIVs must meet additional leakage rate requirements. Other PCIV leakage rates are addressed by LCO 3.6.1.1, "Primary Containment," as Type B or C testing. This LCO provides assurance that the PCIVs will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the primary containment boundary during accidents. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, most PCIVs are not required to be OPERABLE and the primary containment purge valves are not required to be sealed closed in MODES 4 and 5. PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-16 REVISION 0 BASES APPLICABILITY Certain valves, however, are required to be OPERABLE to prevent (continued) inadvertent reactor vessel draindown. These valves are those whose associated instrumentation is required to be OPERABLE per LCO 3.3.6.1, "Primary Containment Isolation Instrumentation." (This does not include the valves that isolate the associated instrumentation.) ACTIONS The ACTIONS are modified by a Note allowing penetration flow path(s) except for 18 inch purge valve flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated. Due to the size of the primary containment purge supply and exhaust line penetrations and the fact that those penetrations exhaust directly from the containment atmosphere to the environment (via the SGT Systems), the penetration flow path containing these valves is not allowed to be opened under administrative controls. A second Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable PCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable PCIVs are governed by subsequent Condition entry and application of associated Required Actions. The ACTIONS are modified by Notes 3 and 4. Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable PCIV (e.g., an Emergency Core Cooling System (ECCS) subsystem is inoperable due to a failed open test return valve). Note 4 ensures appropriate remedial actions are taken when the primary containment leakage limits are exceeded. Pursuant to LCO 3.0.6, these actions are not required even when the associated LCO is not met. Therefore, Notes 3 and 4 are added to require the proper actions be taken. PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-17 REVISION 7 BASES ACTIONS A.1 and A.2 (continued) With one or more penetration flow paths with one PCIV inoperable except for inoperability due to leakage not within a limit specified in an SR to this LCO, the affected penetration flow paths must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available valve to the primary containment. The device must be subjected to leakage testing requirements equivalent to the inoperable valve. For example: 1) if the inoperable valve is required to be Type C tested per 10 CFR 50, Appendix J, Option B (Ref. 5), the device chosen to isolate the penetration must also be subjected to Appendix J, Option B, Type C testing; and 2) if the inoperable valve is not subjected to Appendix J, Option B, testing ("-" in Reference 2, Table T7.0-1, Test Type column), the isolation device does not have to be subjected to Appendix J, Option B, testing. If a valve is inoperable due to isolation time not within limits or other condition that would not be expected to adversely affect leakage characteristics, the inoperable valve may be used to isolate the penetration. The Required Action must be completed within the 4 hour Completion Time (8 hours for main steam lines). The Completion Time of 4 hours is reasonable considering the time required to isolate the penetration and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. For main steam lines, an 8 hour Completion Time is allowed. The Completion Time of 8 hours for the main steam lines allows a period of time to restore the MSIVs to OPERABLE status given the fact that MSIV closure will result in isolation of the main steam line(s) and a potential for plant shutdown. For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those devices outside containment PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-18 REVISION 7 BASES ACTIONS A.1 and A.2 (continued) and capable of potentially being mispositioned are in the correct position. The Completion Time of "Once per 31 days for isolation devices outside primary containment" is appropriate because the devices are operated under administrative controls and the probability of their misalignment is low. For the devices inside primary containment, the time period specified "Prior to entering MODE 2 or 3 from MODE 4, if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the devices and other administrative controls ensuring that device misalignment is an unlikely possibility. Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two PCIVs. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas, and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low. B.1 With one or more penetration flow paths with two PCIVs inoperable except due to leakage not within limits, either the inoperable PCIVs must be restored to OPERABLE status or the affected penetration flow path must be isolated within 1 hour. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. The device must be subjected to leakage testing requirements equivalent to the inoperable valve. For example: 1) if the inoperable valve is required to be Type C tested per 10 CFR 50, Appendix J, Option B, the device chosen to isolate the penetration must also be subjected to Appendix J, Option B, Type C testing; and 2) if the inoperable valve is not subjected to Appendix J, Option B, testing ("-" in Reference 2, Table T7.0-1, Test Type column), the isolation device does not have to be subjected to Appendix J, Option B, testing. PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-19 REVISION 7 BASES ACTIONS B.1 (continued) If a valve is inoperable due to isolation time not within limits or other condition that would not be expected to adversely affect leakage characteristics, the inoperable valve may be used to isolate the penetration. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1. Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two PCIVs. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. C.1 and C.2 With one or more penetration flow paths with one PCIV inoperable, except due to leakage not within limits, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. The device must be subjected to leakage testing requirements equivalent to the inoperable valve, except for inoperable valves in the Core Spray and Low Pressure Coolant Injection (LPCI) systems. For example: 1) if the inoperable valve is required to be Type C tested per 10 CFR 50, Appendix J, Option B, the device chosen to isolate the penetration must also be subjected to Appendix J, Option B, Type C testing; and 2) if the inoperable valve is not subjected to Appendix J, Option B, testing ("-" in Reference 2, Table T7.0-1, Test Type column), the isolation device does not have to be subjected to Appendix J, Option B, testing. For Core Spray and LPCI system valve inoperability, the device chosen to isolate the affected penetration is not required to be tested per 10 CFR 50, Appendix J, Option B, leakage testing. This exception is based on the integrity of the system piping, which serves to minimize leakage into the secondary containment. If a valve is inoperable due to isolation time not within limits or other condition that would not be expected to adversely affect leakage characteristics, the inoperable valve may be used to isolate the penetration. PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-20 REVISION 1 BASES ACTIONS C.1 and C.2 (continued) Required Action C.1 must be completed within 4 hours for lines other than excess flow check valve (EFCV) lines and 12 hours for EFCV lines. The Completion Time of 4 hours is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. The Completion Time of 12 hours is reasonable considering the instrument to act as a penetration isolation boundary and the small pipe diameter of the affected penetrations. In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low. Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one PCIV. For penetration flow paths with two PCIVs, Conditions A and B provide the appropriate Required Actions. Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low. D.1 With the secondary containment bypass leakage rate or MSIV leakage rate not within limit, the assumptions of the safety analysis may not be met. Therefore, the leakage must be restored to within limit within 4 hours. Restoration can be accomplished by isolating the penetration that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated, the leakage rate for the isolated penetration is assumed to be the actual pathway leakage PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-21 REVISION 1 BASES ACTIONS D.1 (continued) through the isolation device. If two isolation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 4 hour Completion Time is reasonable considering the time required to restore the leakage by isolating the penetration and the relative importance to the overall containment function. E.1 and E.2 If any Required Action and associated Completion Time cannot be met in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 and F.2 If any Required Action and associated Completion Time cannot be met, the unit must be placed in a condition in which the LCO does not apply. Action must be immediately initiated to suspend operations with a potential for draining the reactor vessel (OPDRVs) to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended and the valve(s) are restored to OPERABLE status. If suspending an OPDRV would result in closing the residual heat removal (RHR) shutdown cooling isolation valves, an alternative Required Action is provided to immediately initiate action to restore the valve(s) to OPERABLE status. This allows RHR shutdown cooling to remain in service while actions are being taken to restore the valve. SURVEILLANCE SR 3.6.1.3.1 REQUIREMENTS This SR ensures that the 18 inch primary containment purge valves are closed as required or, if open, are open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable (Condition A applies). The SR is modified by a Note PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-22 REVISION 79 BASES SURVEILLANCE SR 3.6.1.3.1 (continued) REQUIREMENTS stating that the SR is not required to be met when the 18 inch purge valves are open for the stated reasons. The Note states that these valves may be opened for inerting, de-inerting, pressure control, ALARA or air quality considerations for personnel entry, or Surveillances that require the valves to be open. The 18 inch purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.2 This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those isolation devices outside primary containment, and capable of being mispositioned, are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open.

SR 3.6.1.3.3 This SR verifies that each primary containment manual isolation valve and blind flange that is located inside primary containment and is PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-23 REVISION 79 BASES SURVEILLANCE SR 3.6.1.3.3 (continued) REQUIREMENTS required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. For these isolation devices inside primary containment, the Frequency defined as "Prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is appropriate since these isolation devices are operated under administrative controls and the probability of their misalignment is low. Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA and personnel safety reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in their proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. SR 3.6.1.3.4 The traversing incore probe (TIP) shear isolation valves are actuated by explosive charges. Actuation and monitoring circuitry is provided in the main control room. Surveillance of explosive charge continuity provides assurance that TIP valves will actuate when required. The circuitry is such that a light illuminates upon loss of explosive charge continuity. Ensuring that the light illuminates when voltage is applied and that it is extinguished when installed in the circuit provides assurance of explosive valve continuity. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.5 Verifying the isolation time of each power operated and each automatic PCIV is within limits is required to demonstrate OPERABILITY. MSIVs may be excluded from this SR since MSIV full PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-24 REVISION 74 BASES SURVEILLANCE SR 3.6.1.3.5 (continued) REQUIREMENTS closure isolation time is demonstrated by SR 3.6.1.3.6. The isolation time test ensures that each valve will isolate in a time period less than or equal to that listed in the FSAR and that no degradation affecting valve closure since the performance of the last surveillance has occurred. (EFCVs are not required to be tested because they have no specified time limit). The Frequency of this SR is in accordance with the requirements of the Inservice Testing Program. SR 3.6.1.3.6 Verifying that the isolation time of each MSIV is within the specified limits is required to demonstrate OPERABILITY. The isolation time test ensures that the MSIV will isolate in a time period that does not exceed the times assumed in the DBA analyses. This ensures that the calculated radiological consequences of these events remain within 10 CFR 50.67 limits. The Frequency of this SR is in accordance with the requirements of the Inservice Testing Program. SR 3.6.1.3.7 Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a DBA. This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.1.6 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.8 This SR requires a demonstration that each reactor instrumentation line excess flow check valve (EFCV) (of a representative sample) is OPERABLE by verifying that the valve reduces flow to within limits on an actual or simulated instrument line break condition. (The representative sample consists of an approximately equal number of EFCVs, such that each EFCV is tested at least once every 10 years [nominal]. In addition, the EFCVs in the sample are representative of the various plant configurations, models, sizes, and operating environments. This ensures that any potentially common problem

PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-25 REVISION 79 BASES SURVEILLANCE SR 3.6.1.3.8 (continued) REQUIREMENTS with a specific type of application of EFCV is detected at the earliest possible time.) This SR provides assurance that the instrumentation line EFCVs will perform as designed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.9 The TIP shear isolation valves are actuated by explosive charges. An in place functional test is not possible with this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required. The replacement charge for the explosive squib shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.1.3.10 This SR ensures that the leakage rate of secondary containment bypass leakage paths is less than the specified leakage rate. This provides assurance that the assumptions in the radiological evaluations that form the basis of the FSAR (Ref. 3) are met. The secondary containment bypass leakage paths are: 1) main steam condensate drain, penetration 8; 2) reactor water cleanup, penetration 14; 3) equipment drain sump discharge, penetration 18;

4) floor drain sump discharge, penetration 19; 5) chemical drain sump discharge, penetration 55; 6) HPCI steam line condensate to main condenser, penetration 11; and 7) RCIC steam line condensate to main condenser, penetration 10. The leakage rate of each bypass leakage path is assumed to be the maximum pathway leakage (leakage through the worse of the two isolation valves) unless the penetration is isolated by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. In this case, the leakage rate of the isolated bypass leakage path is assumed to be the actual pathway leakage through the isolation device. If both isolation valves in the penetration are closed, the actual leakage rate is the lesser leakage rate of the two valves. The Frequency is required by the Primary Containment Leakage Rate Testing Program (Ref. 7).

PCIVs B 3.6.1.3 (continued) HATCH UNIT 2 B 3.6-26 REVISION 79 BASES SURVEILLANCE SR 3.6.1.3.11 REQUIREMENTS (continued) The analyses in References 1 and 4 are based on leakage that is less than the specified leakage rate. Combined MSIV leakage rate for all four main steam lines must be 100 scfh when tested at 28.8 psig and < 47.3 psig; or combined MSIV leakage rate for all four main steam lines must be 144 scfh when tested at 47.3 psig. The Frequency is required by the Primary Containment Leakage Rate Testing Program. SR 3.6.1.3.12 Deleted SR 3.6.1.3.13 This SR provides assurance that the excess flow isolation dampers can close following an isolation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

PCIVs B 3.6.1.3 HATCH UNIT 2 B 3.6-27 REVISION 79 BASES (continued) REFERENCES 1. FSAR, Chapter 15.

2. Technical Requirements Manual, Table T7.0-1.

3. FSAR, Subsection 15.1.39. 4. FSAR, Section 6.2.

5. 10 CFR 50, Appendix J, Option B.

6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 7. Primary Containment Leakage Rate Testing Program.

Drywell Pressure B 3.6.1.4 (continued) HATCH UNIT 2 B 3.6-28 REVISION 47 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.4 Drywell Pressure

BASES BACKGROUND The drywell pressure is limited during normal operations to preserve the initial conditions assumed in the accident analysis for a Design Basis Accident (DBA) or loss of coolant accident (LOCA).

APPLICABLE Primary containment performance is evaluated for the entire SAFETY ANALYSES spectrum of break sizes for postulated LOCAs (Ref. 1). Among the inputs to the DBA is the initial primary containment internal pressure (Ref. 1). Analyses assume an initial drywell pressure of 1.75 psig. This limitation ensures that the safety analysis remains valid by maintaining the expected initial conditions and ensures that the peak LOCA drywell internal pressure does not exceed the maximum allowable of 62 psig. The maximum calculated drywell pressure occurs during the reactor blowdown phase of the DBA, which assumes an instantaneous recirculation line break. The calculated peak drywell pressure for this limiting event is 47.3 psig (Ref. 1). Drywell pressure satisfies Criterion 2 of the NRC Policy Statement (Ref. 2). LCO In the event of a DBA, with an initial drywell pressure 1.75 psig, the resultant peak drywell accident pressure will be maintained below the drywell design pressure. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining drywell pressure within limits is not required in MODE 4 or 5.

Drywell Pressure B 3.6.1.4 HATCH UNIT 2 B 3.6-29 REVISION 79 BASES (continued) ACTIONS A.1 With drywell pressure not within the limit of the LCO, drywell pressure must be restored within 1 hour. The Required Action is necessary to return operation to within the bounds of the primary containment analysis. The 1 hour Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, "Primary Containment," which requires that primary containment be restored to OPERABLE status within 1 hour. B.1 and B.2 If drywell pressure cannot be restored to within limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.4.1 REQUIREMENTS Verifying that drywell pressure is within limit ensures that unit operation remains within the limit assumed in the primary containment analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 6.2.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Drywell Air Temperature B 3.6.1.5 (continued) HATCH UNIT 2 B 3.6-30 REVISION 10 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.5 Drywell Air Temperature

BASES BACKGROUND The drywell contains the reactor vessel and piping, which add heat to the airspace. Drywell coolers remove heat and maintain a suitable environment. The average airspace temperature affects the calculated response to postulated Design Basis Accidents (DBAs). The limitation on the drywell average air temperature was developed as reasonable, based on operating experience. The limitation on drywell air temperature is used in the Reference 1 safety analyses. APPLICABLE Primary containment performance is evaluated for a spectrum of SAFETY ANALYSES break sizes for postulated loss of coolant accidents (LOCAs) (Ref. 1). Among the inputs to the design basis analysis is the initial drywell average air temperature (Ref. 1). Analyses assume an initial average drywell air temperature of 150°F. This limitation ensures that the safety analysis remains valid by maintaining the expected initial conditions and ensures that the peak LOCA drywell temperature does not result in the drywell structure exceeding the maximum allowable temperature of 340°F (Ref. 2). Exceeding this design temperature may result in the degradation of the primary containment structure under accident loads. Equipment inside primary containment required to mitigate the effects of a DBA is designed to operate and be capable of operating under environmental conditions expected for the accident. Drywell air temperature satisfies Criterion 2 of the NRC Policy Statement (Ref. 3). LCO In the event of a DBA, with an initial drywell average air temperature less than or equal to the LCO temperature limit, the resultant peak accident temperature is maintained below the drywell design temperature. As a result, the ability of primary containment to perform its design function is ensured.

Drywell Air Temperature B 3.6.1.5 (continued) HATCH UNIT 2 B 3.6-31 REVISION 1 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, maintaining drywell average air temperature within the limit is not required in MODE 4 or 5. ACTIONS A.1 With drywell average air temperature not within the limit of the LCO, drywell average air temperature must be restored within 8 hours. The Required Action is necessary to return operation to within the bounds of the primary containment analysis. The 8 hour Completion Time is acceptable, considering the sensitivity of the analysis to variations in this parameter, and provides sufficient time to correct minor problems.

B.1 and B.2 If the drywell average air temperature cannot be restored to within limit within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.5.1 REQUIREMENTS Verifying that the drywell average air temperature is within the LCO limit ensures that operation remains within the limits assumed for the primary containment analyses. Drywell air temperature is monitored in various quadrants and at various elevations (referenced to mean sea level). Due to the shape of the drywell, a volumetric average is used to determine an accurate representation of the actual average temperature.

Drywell Air Temperature B 3.6.1.5 HATCH UNIT 2 B 3.6-32 REVISION 79 BASES SURVEILLANCE SR 3.6.1.5.1 (continued) REQUIREMENTS For the situation in which some or all of the normal temperature channels are inoperable, plant procedures contain instructions on how to determine the volumetric average to determine an accurate representation of the actual average temperature using the remaining OPERABLE instruments. Depending upon the location and number of inoperable temperature channels and the plant condition, a correction factor may have to be added to the volumetric average temperature calculated from the remaining OPERABLE temperature channels. The correction factor accounts for the inoperable channels and ensures a reasonable value for the average volumetric temperature is calculated. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 6.2.

2. FSAR, Section 6.2.1.4.1. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

LLS Valves B 3.6.1.6 HATCH UNIT 2 B 3.6-36 REVISION 79 BASES (continued) REFERENCES 1. FSAR, Section 5.5.17.

2. ASME, OM Code - 2004 Edition, "Code for Operation and Maintenance of Nuclear Power Plants," Appendix I.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

4. NEDC-32041P, "Safety Review for Edwin I. Hatch Nuclear Power Plant Units 1 and 2 Updated Safety/Relief Valve Performance Requirements," April 1996.

Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 2 B 3.6-37 REVISION 77 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.7 Reactor Building-to-Suppression Chamber Vacuum Breakers

BASES BACKGROUND The function of the reactor building-to-suppression chamber vacuum breakers is to relieve vacuum when primary containment depressurizes below reactor building pressure. If the drywell depressurizes below reactor building pressure, the negative differential pressure is mitigated by flow through the reactor building-to-suppression chamber vacuum breakers and through the suppression-chamber-to-drywell vacuum breakers. The design of the external (reactor building-to-suppression chamber) vacuum relief provisions consists of two vacuum breakers (a mechanical vacuum breaker and an air operated butterfly valve), located in series in each of two lines from the reactor building to the suppression chamber airspace. The butterfly valve is actuated by differential pressure. The mechanical vacuum breaker is self actuating and can be remotely operated for testing purposes. The two vacuum breakers in series must be closed to maintain a leak tight primary containment boundary. A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, inadvertent primary containment spray actuation, and steam condensation in the event of a primary system rupture. Reactor building-to-suppression chamber vacuum breakers prevent an excessive negative differential pressure across the primary containment boundary. Cooling cycles result in minor pressure transients in the drywell, which occur slowly and are normally controlled by heating and ventilation equipment. Inadvertent spray actuation results in a more significant pressure transient and becomes important in sizing the external (reactor building-to-suppression chamber) vacuum breakers. Increased differential pressure between the reactor building and the drywell can also be caused by operations which remove gas from the drywell. Such operations include inerting/de-inerting of the primary containment. The external vacuum breakers are sized on the basis of the air flow from the secondary containment that is required to mitigate the depressurization transient and limit the maximum negative containment (drywell and suppression chamber) pressure to within design limits. The maximum depressurization rate is a function of the primary containment spray flow rate and temperature and the Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 2 B 3.6-38 REVISION 77 BASES BACKGROUND assumed initial conditions of the primary containment atmosphere. (continued) Low spray temperatures and atmospheric conditions that yield the minimum amount of contained noncondensable gases are assumed for conservatism. APPLICABLE Analytical methods and assumptions involving the reactor SAFETY ANALYSES building-to-suppression chamber vacuum breakers are presented in Reference 1 as part of the accident response of the containment systems. Internal (suppression chamber-to-drywell) and external (reactor building-to-suppression chamber) vacuum breakers are provided as part of the primary containment to limit the negative differential pressure across the drywell and suppression chamber walls, which form part of the primary containment boundary. The safety analyses assume the external vacuum breakers to be closed initially and to be fully open at 0.5 psid (Ref. 1). Additionally, of the two reactor building-to-suppression chamber vacuum breakers, one is assumed to fail in a closed position to satisfy the single active failure criterion. Design Basis Accident (DBA) analyses assume the vacuum breakers to be closed initially and to remain closed and leak tight with positive primary containment pressure. The reactor building-to-suppression chamber vacuum breakers satisfy Criterion 3 of the NRC Policy Statement (Ref. 2). LCO All reactor building-to-suppression chamber vacuum breakers are required to be OPERABLE for opening to satisfy the assumptions used in the safety analyses. This requirement ensures both vacuum breakers in each line (mechanical vacuum breaker and air operated butterfly valve) will open to relieve a negative pressure in the suppression chamber. The LCO also ensures that the two vacuum breakers in each of the two lines from the reactor building to the suppression chamber airspace are closed (except when performing their intended function). APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture, which purges the drywell of air and fills the drywell free airspace with steam. Subsequent condensation of the steam would result in depressurization of the drywell, which, after the suppression Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 2 B 3.6-39 REVISION 77 BASES APPLICABILITY chamber-to-drywell vacuum breakers open (due to the differential (continued) pressure between the suppression chamber and drywell), would result in depressurization of the suppression chamber. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside primary containment could also occur due to inadvertent initiation of the Drywell Spray System. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining reactor building-to-suppression chamber vacuum breakers OPERABLE is not required in MODE 4 or 5.

ACTIONS A Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. A.1 With one or more vacuum breakers not closed, the leak tight primary containment boundary may be threatened. Therefore, the inoperable vacuum breakers must be restored to OPERABLE status or the open vacuum breaker closed within 72 hours. The 72 hour Completion Time is consistent with requirements for inoperable suppression chamber-to-drywell vacuum breakers in LCO 3.6.1.8, "Suppression Chamber-to-Drywell Vacuum Breakers." The 72 hour Completion Time takes into account the redundant capability afforded by the remaining breakers, the fact that the OPERABLE breaker in each of the lines is closed, and the low probability of an event occurring that would require the vacuum breakers to be OPERABLE during this period. B.1 With one or more lines with two vacuum breakers not closed, primary containment integrity is not maintained. Therefore, one open vacuum breaker must be closed within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, "Primary Containment," which requires that primary containment be restored to OPERABLE status within 1 hour.

Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 (continued) HATCH UNIT 2 B 3.6-40 REVISION 79 BASES ACTIONS C.1 (continued) With one line with one or more vacuum breakers inoperable for opening, the leak tight primary containment boundary is intact. The ability to mitigate an event that causes a containment depressurization is threatened, however, if both vacuum breakers in at least one vacuum breaker penetration are not OPERABLE. Therefore, the inoperable vacuum breaker must be restored to OPERABLE status within 72 hours. This is consistent with the Completion Time for Condition A and the fact that the leak tight primary containment boundary is being maintained.

D.1 With two lines with one or more vacuum breakers inoperable for opening, the primary containment boundary is intact. However, in the event of a containment depressurization, the function of the vacuum breakers is lost. Therefore, all vacuum breakers in one line must be restored to OPERABLE status within 1 hour. This Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which requires that primary containment be restored to OPERABLE status within 1 hour.

E.1 and E.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.7.1 REQUIREMENTS Each vacuum breaker is verified to be closed to ensure that a potential breach in the primary containment boundary is not present. This Surveillance is performed by observing local or control room indications of vacuum breaker position or by verifying a differential pressure of 0.5 psid is maintained between the reactor building and suppression chamber. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Reactor Building-to-Suppression Chamber Vacuum Breakers B 3.6.1.7 HATCH UNIT 2 B 3.6-41 REVISION 79 BASES SURVEILLANCE SR 3.6.1.7.1 (continued) REQUIREMENTS Two Notes are added to this SR. The first Note allows reactor building-to-suppression chamber vacuum breakers opened in conjunction with the performance of a Surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers. The second Note is included to clarify that vacuum breakers, which are open due to an actual differential pressure, are not considered as failing this SR.

SR 3.6.1.7.2 Each vacuum breaker must be cycled to ensure that it opens properly to perform its design function and returns to its fully closed position. This ensures that the safety analysis assumptions are valid. The 92 day Frequency of this SR is in accordance with the requirements of the Inservice Testing Program.

SR 3.6.1.7.3 Demonstration of vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 6.2.1.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 2 B 3.6-42 REVISION 77 B 3.6 CONTAINMENT SYSTEMS

B 3.6.1.8 Suppression Chamber-to-Drywell Vacuum Breakers

BASES BACKGROUND The function of the suppression chamber-to-drywell vacuum breakers is to relieve vacuum in the drywell. There are 12 internal vacuum breakers located on the vent header of the vent system between the drywell and the suppression chamber, which allow air and steam flow from the suppression chamber to the drywell when the drywell is at a negative pressure with respect to the suppression chamber. Therefore, suppression chamber-to-drywell vacuum breakers prevent an excessive negative differential pressure across the wetwell drywell boundary. Each vacuum breaker is a self actuating valve, similar to a check valve, which can be remotely operated for testing purposes. A negative differential pressure across the drywell wall is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, inadvertent drywell spray actuation, and steam condensation from sprays or subcooled water reflood of a break in the event of a primary system rupture. Cooling cycles result in minor pressure transients in the drywell that occur slowly and are normally controlled by heating and ventilation equipment. Spray actuation or spill of subcooled water out of a break results in more significant pressure transients and becomes important in sizing the internal vacuum breakers. Increased differential pressure between the suppression chamber and the drywell can also be caused by operations which add gas to the suppression chamber or remove gas from the drywell. Such operations include inerting/de-inerting of the primary containment. In the event of a primary system rupture, steam condensation within the drywell results in the most severe pressure transient. Following a primary system rupture, air in the drywell is purged into the suppression chamber free airspace, leaving the drywell full of steam. Subsequent condensation of the steam can be caused in two possible ways, namely, Emergency Core Cooling Systems flow from a recirculation line break, or drywell spray actuation following a loss of coolant accident (LOCA). These two cases cases determine the maximum depressurization rate of the drywell. In addition, the waterleg in the Mark I Vent System downcomer is controlled by the drywell-to-suppression chamber differential Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 2 B 3.6-43 REVISION 77 BASES BACKGROUND pressure. If the drywell pressure is less than the suppression (continued) chamber pressure, there will be an increase in the vent waterleg. This will result in an increase in the water clearing inertia in the event of a postulated LOCA, resulting in an increase in the peak drywell pressure. This in turn will result in an increase in the pool swell dynamic loads. The internal vacuum breakers limit the height of the waterleg in the vent system during normal operation. APPLICABLE Analytical methods and assumptions involving the suppression SAFETY ANALYSES chamber-to-drywell vacuum breakers are presented in Reference 1 as part of the accident response of the primary containment systems. Internal (suppression chamber-to-drywell) and external (reactor building-to-suppression chamber) vacuum breakers are provided as part of the primary containment to limit the negative differential pressure across the drywell and suppression chamber walls that form part of the primary containment boundary. The safety analyses assume that the internal vacuum breakers are closed initially and are fully open at a differential pressure of 0.5 psid (Ref. 1). Additionally, 3 of the 12 internal vacuum breakers are assumed to fail in a closed position (Ref. 1). The results of the analyses show that the design pressure is not exceeded even under the worst case accident scenario. The vacuum breaker opening differential pressure setpoint and the requirement that 10 of 12 vacuum breakers be OPERABLE (an additional vacuum breaker is required to meet the single failure criterion) are a result of the requirement placed on the vacuum breakers to limit the vent system waterleg height. The total cross sectional area of the main vent system between the drywell and suppression chamber needed to fulfill this requirement has been established as a minimum of 51.5 times the total break area (Ref. 1). In turn, the vacuum relief capacity between the drywell and suppression chamber should be 1/16 of the total main vent cross sectional area, with the valves set to operate at 0.5 psid differential pressure. Design Basis Accident (DBA) analyses assume the vacuum breakers to be closed initially and to remain closed and leak tight. The suppression chamber-to-drywell vacuum breakers satisfy Criterion 3 of the NRC Policy Statement (Ref. 2). Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 2 B 3.6-44 REVISION 77 BASES (continued) LCO Only 10 of the 12 vacuum breakers must be OPERABLE for opening. All suppression chamber-to-drywell vacuum breakers, however, are required to be closed (except when the vacuum breakers are performing their intended design function). The vacuum breaker OPERABILITY requirement provides assurance that the drywell-to-suppression chamber negative differential pressure remains below the design value. The requirement that the vacuum breakers be closed ensures that there is no excessive bypass leakage should a LOCA occur. APPLICABILITY In MODES 1, 2, and 3, a DBA could result in excessive negative differential pressure across the drywell wall, caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell is the primary system rupture that purges the drywell of air and fills the drywell free airspace with steam. Subsequent condensation of the steam would result in depressurization of the drywell. The limiting pressure and temperature of the primary system prior to a DBA occur in MODES 1, 2, and 3. Excessive negative pressure inside the primary containment could also occur due to inadvertent actuation of the Drywell Spray System. In MODES 4 and 5, the probability and consequences of these events are reduced by the pressure and temperature limitations in these MODES; therefore, maintaining suppression chamber-to-drywell vacuum breakers OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one of the required vacuum breakers inoperable for opening (e.g., the vacuum breaker is not open and may be stuck closed or not within its opening setpoint limit, so that it would not function as designed during an event that depressurized the drywell), the remaining nine OPERABLE vacuum breakers are capable of providing the vacuum relief function. However, overall system reliability is reduced because a single failure in one of the remaining vacuum breakers could result in an excessive suppression chamber-to-drywell differential pressure during a DBA. Therefore, with 1 of the 10 required vacuum breakers inoperable, 72 hours is allowed to restore at least one of the inoperable vacuum breakers to OPERABLE status so that plant conditions are consistent with those assumed for the design basis analysis. The 72 hour Completion Time is Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 2 B 3.6-45 REVISION 77 BASES ACTIONS A.1 (continued) considered acceptable due to the low probability of an event in which the remaining vacuum breaker capability would not be adequate.

B.1 An open vacuum breaker allows communication between the drywell and suppression chamber airspace, and, as a result, there is the potential for suppression chamber overpressurization due to this bypass leakage if a LOCA were to occur. Therefore, the open vacuum breaker must be closed. The required 2 hour Completion Time is allowed to close the vacuum breaker due to the low probability of an event that would pressurize primary containment.

C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.1.8.1 REQUIREMENTS Each vacuum breaker is verified closed to ensure that this potential large bypass leakage path is not present. This Surveillance is performed by observing the vacuum breaker position indication or by verifying that a differential pressure of 0.5 psid between the drywell and suppression chamber is maintained for 1 hour without makeup. However, if vacuum breaker position indication is not reliable due to, for example, a dual or open indication with torus-to-drywell differential pressure remaining < 0.5 psid, alternate methods of verifying that the vacuum breaker is closed are detailed in Technical Requirements Manual (TRM) (Ref. 4), T3.6.1, "Suppression Chamber-to-Drywell Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 (continued) HATCH UNIT 2 B 3.6-46 REVISION 79 BASES SURVEILLANCE SR 3.6.1.8.1 (continued) REQUIREMENTS Vacuum Breaker Position Indication," as ACTIONS for inoperable closed position indicator channels. In this case the vacuum breaker is assumed open until otherwise proved to satisfy the leakage test, and this confirmation must be performed within the Technical Specification 3.6.1.8, Required Action B.1 Completion Time of 2 hours. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. A Note is added to this SR which allows suppression chamber-to-drywell vacuum breakers opened in conjunction with the performance of a Surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers.

SR 3.6.1.8.2 Each required (i.e., required to be OPERABLE for opening) vacuum breaker must be cycled to ensure that it opens adequately to perform its design function and returns to the fully closed position. This ensures that the safety analysis assumptions are valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, this functional test is required within 12 hours after a discharge of steam to the suppression chamber from the safety/relief valves.

SR 3.6.1.8.3 Verification of the vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker full open differential pressure of 0.5 psid is valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.8 HATCH UNIT 2 B 3.6-47 REVISION 79 BASES (continued) REFERENCES 1. FSAR, Section 6.2.1.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

3. Technical Requirements Manual.

Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 2 B 3.6-48 REVISION 77 B 3.6 CONTAINMENT SYSTEMS

B 3.6.2.1 Suppression Pool Average Temperature

BASES BACKGROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the decay heat and sensible energy released during a reactor blowdown from safety/relief valve discharges or from Design Basis Accidents (DBAs). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment that ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (ASME Code allowable of 62 psig). The suppression pool must also condense steam from steam exhaust lines in the turbine driven systems (i.e., the High Pressure Coolant Injection System and Reactor Core Isolation Cooling System). Suppression pool average temperature (along with LCO 3.6.2.2, "Suppression Pool Water Level") is a key indication of the capacity of the suppression pool to fulfill these requirements. The technical concerns that lead to the development of suppression pool average temperature limits are as follows: a. Complete steam condensation; b. Primary containment peak pressure and temperature;

c. Condensation oscillation loads; and d. Chugging loads. APPLICABLE The postulated DBA against which the primary containment SAFETY ANALYSES performance is evaluated is the entire spectrum of postulated pipe breaks within the primary containment. Inputs to the safety analyses include initial suppression pool water volume and suppression pool temperature (Reference 1 for LOCAs and for the pool temperature analyses required by Reference 2). An initial pool temperature of 110°F is assumed for the Reference 1 analyses. Reactor shutdown at a pool temperature of 110°F and vessel depressurization at a pool temperature of 120°F are assumed for the Reference 1 analyses. The limit of 105°F, at which testing is terminated, is not used in the Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 2 B 3.6-49 REVISION 77 BASES APPLICABLE safety analyses because DBAs are assumed to not initiate during unit SAFETY ANALYSES testing.

(continued)

Suppression pool average temperature satisfies Criteria 2 and 3 of the NRC Policy Statement (Ref. 4). LCO A limitation on the suppression pool average temperature is required to provide assurance that the containment conditions assumed for the safety analyses are met. This limitation subsequently ensures that peak primary containment pressures and temperatures do not exceed maximum allowable values during a postulated DBA or any transient resulting in heatup of the suppression pool. The LCO requirements are: a. Average temperature 100°F when any OPERABLE intermediate range monitor (IRM) channel is > 25/40 divisions of full scale on Range 7 and no testing that adds heat to the suppression pool is being performed. This requirement ensures that licensing bases initial conditions are met. b. Average temperature 105°F when any OPERABLE IRM channel is > 25/40 divisions of full scale on Range 7 and testing that adds heat to the suppression pool is being performed. This required value ensures that the unit has testing flexibility, and was selected to provide margin below the 110°F limit at which reactor shutdown is required. When testing ends, temperature must be restored to 100°F within 24 hours according to Required Action A.2. Therefore, the time period that the temperature is > 100°F is short enough not to cause a significant increase in unit risk. c. Average temperature 110°F when all OPERABLE IRM channels are 25/40 divisions of full scale on Range 7. This requirement ensures that the unit will be shut down at > 110°F. The pool is designed to absorb decay heat and sensible heat but could be heated beyond design limits by the steam generated if the reactor is not shut down. Note that 25/40 divisions of full scale on IRM Range 7 is a convenient measure of when the reactor is producing power essentially equivalent to 1% RTP. At this power level, heat input is approximately equal to normal system heat losses. Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 2 B 3.6-50 REVISION 77 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause significant heatup of the suppression pool. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining suppression pool average temperature within limits is not required in MODE 4 or 5. ACTIONS A.1 and A.2 With the suppression pool average temperature above the specified limit when not performing testing that adds heat to the suppression pool and when above the specified power indication, the initial conditions exceed the conditions assumed for the References 1 and 3 analyses. However, primary containment cooling capability still exists, and the primary containment pressure suppression function will occur at temperatures well above those assumed for safety analyses. Therefore, continued operation is allowed for a limited time. The 24 hour Completion Time is adequate to allow the suppression pool average temperature to be restored below the limit. Additionally, when suppression pool temperature is > 100°F, increased monitoring of the suppression pool temperature is required to ensure that it remains 110°F. The once per hour Completion Time is adequate based on past experience, which has shown that pool temperature increases relatively slowly except when testing that adds heat to the suppression pool is being performed. Furthermore, the once per hour Completion Time is considered adequate in view of other indications in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.

B.1 If the suppression pool average temperature cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the power must be reduced to < 25/40 divisions of full scale on Range 7 for all OPERABLE IRMs within 12 hours. The 12 hour Completion Time is reasonable, based on operating experience, to reduce power from full power conditions in an orderly manner and without challenging plant systems.

Suppression Pool Average Temperature B 3.6.2.1 (continued) HATCH UNIT 2 B 3.6-51 REVISION 77 BASES ACTIONS C.1 (continued) Suppression pool average temperature is allowed to be > 100°F when any OPERABLE IRM channel is > 25/40 divisions of full scale on Range 7, and when testing that adds heat to the suppression pool is being performed. However, if temperature is > 105°F, all testing must be immediately suspended to preserve the heat absorption capability of the suppression pool. With the testing suspended, Condition A is entered and the Required Actions and associated Completion Times are applicable. D.1, D.2, and D.3 Suppression pool average temperature > 110°F requires that the reactor be shut down immediately. This is accomplished by placing the reactor mode switch in the shutdown position. Further, cooldown to MODE 4 is required at normal cooldown rates (provided pool temperature remains 120°F). Additionally, when suppression pool temperature is > 110°F, increased monitoring of pool temperature is required to ensure that it remains 120°F. The once per 30 minute Completion Time is adequate, based on operating experience. Given the high suppression pool average temperature in this Condition, the monitoring Frequency is increased to twice that of Condition A. Furthermore, the 30 minute Completion Time is considered adequate in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition.

E.1 and E.2 If suppression pool average temperature cannot be maintained at 120°F, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the reactor pressure must be reduced to < 200 psig within 12 hours, and the plant must be brought to at least MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. Continued addition of heat to the suppression pool with suppression pool temperature > 120°F could result in exceeding the design basis maximum allowable values for primary containment temperature or pressure. Furthermore, if a blowdown were to occur when the temperature was > 120°F, the maximum allowable bulk and local temperatures could be exceeded very quickly. Suppression Pool Average Temperature B 3.6.2.1 HATCH UNIT 2 B 3.6-52 REVISION 79 BASES (continued) SURVEILLANCE SR 3.6.2.1.1 REQUIREMENTS The suppression pool average temperature (torus average bulk temperature) is regularly monitored to ensure that the required limits are satisfied. The average temperature is determined by using a weighted average of functional suppression pool water temperature channels. The channels in the lower half of the suppression pool are averaged and the channels in the upper half of the suppression pool are averaged. The suppression pool average temperature is the average of the upper and lower average temperatures. For the situation in which some or all of either the upper half or the lower half temperature channels are inoperable, plant procedures contain instructions on how to determine the suppression pool average temperature using the remaining OPERABLE instruments. Depending upon the location and number of inoperable channels and the plant condition, a correction factor may have to be added to the average temperature calculated from the remaining OPERABLE temperature channels. The correction factor accounts for the inoperable channels and ensures a reasonable value for the average bulk temperature is calculated. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The 5 minute Frequency during testing is justified by the rates at which tests will heat up the suppression pool, has been shown to be acceptable based on operating experience, and provides assurance that allowable pool temperatures are not exceeded. The Frequency is further justified in view of other indications available in the control room, including alarms, to alert the operator to an abnormal suppression pool average temperature condition. REFERENCES 1. GE Report EAS-19-0388, "Elimination of the Suppression Pool Temperature Limit for Plant Hatch Units 1 and 2," March 1988. 2. NUREG-0783.

3. FSAR, Section 6.2.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Suppression Pool Water Level B 3.6.2.2 (continued) HATCH UNIT 2 B 3.6-53 REVISION 77 B 3.6 CONTAINMENT SYSTEMS

B 3.6.2.2 Suppression Pool Water Level

BASES BACKGROUND The suppression chamber is a toroidal shaped, steel pressure vessel containing a volume of water called the suppression pool. The suppression pool is designed to absorb the energy associated with decay heat and sensible heat released during a reactor blowdown from safety/relief valve (S/RV) discharges or from a Design Basis Accident (DBA). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment, which ensures that the peak containment pressure is maintained below the maximum allowable pressure for DBAs (ASME Code allowable of 62 psig). The suppression pool must also condense steam from the steam exhaust lines in the turbine driven systems (i.e., High Pressure Coolant Injection (HPCI) System and Reactor Core Isolation Cooling (RCIC) System) and provides the main emergency water supply source for the reactor vessel. The suppression pool volume ranges between approximately 86,000 ft3 at the low water level limit of 146 inches and approximately 90,000 ft3 at the high water level limit of 150 inches. If the suppression pool water level is too low, an insufficient amount of water would be available to adequately condense the steam from the S/RV quenchers, main vents, or HPCI and RCIC turbine exhaust lines. Low suppression pool water level could also result in an inadequate emergency makeup water source to the Emergency Core Cooling System. The lower volume would also absorb less steam energy before heating up excessively. Therefore, a minimum suppression pool water level is specified. If the suppression pool water level is too high, it could result in insufficient volume to accommodate noncondensable gases and excessive pool swell loads during a DBA LOCA. Therefore, a maximum pool water level is specified. This LCO specifies an acceptable range to prevent the suppression pool water level from being either too high or too low. APPLICABLE Initial suppression pool water level affects suppression pool SAFETY ANALYSES temperature response calculations, calculated drywell pressure during vent clearing for a DBA, calculated pool swell loads for a DBA LOCA, and calculated loads due to S/RV discharges. Suppression pool Suppression Pool Water Level B 3.6.2.2 (continued) HATCH UNIT 2 B 3.6-54 REVISION 77 BASES APPLICABLE water level must be maintained within the limits specified so that the SAFETY ANALYSES safety analysis of Reference 1 remains valid.

(continued)

Suppression pool water level satisfies Criteria 2 and 3 of the NRC Policy Statement (Ref. 2). LCO A limit that suppression pool water level be 146 inches and 150 inches is required to ensure that the primary containment conditions assumed for the safety analyses are met. Either the high or low water level limits were used in the safety analyses, depending upon which is more conservative for a particular calculation. APPLICABILITY In MODES 1, 2, and 3, a DBA would cause significant loads on the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. The requirements for maintaining suppression pool water level within limits in MODE 4 or 5 are addressed in LCO 3.5.2, "ECCS - Shutdown." ACTIONS A.1 With suppression pool water level outside the limits, the conditions assumed for the safety analyses are not met. If water level is below the minimum level, the pressure suppression function still exists as long as main vents are covered, HPCI and RCIC turbine exhausts are covered, and S/RV quenchers are covered. If suppression pool water level is above the maximum level, protection against overpressurization still exists due to the margin in the peak containment pressure analysis and the capability of the Drywell Spray System. Therefore, continued operation for a limited time is allowed. The 2 hour Completion Time is sufficient to restore suppression pool water level to within limits. Also, it takes into account the low probability of an event impacting the suppression pool water level occurring during this interval. Suppression Pool Water Level B 3.6.2.2 HATCH UNIT 2 B 3.6-55 REVISION 79 BASES ACTIONS B.1 and B.2 (continued) If suppression pool water level cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.2.1 REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 6.2.1. 2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. RHR Suppression Pool Cooling B 3.6.2.3 (continued) HATCH UNIT 2 B 3.6-56 REVISION 77 B 3.6 CONTAINMENT SYSTEMS

B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling

BASES BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Cooling System removes heat from the suppression pool. The suppression pool is designed to absorb the sudden input of heat from the primary system. In the long term, the pool continues to absorb residual heat generated by fuel in the reactor core. Some means must be provided to remove heat from the suppression pool so that the temperature inside the primary containment remains within design limits. This function is provided by two redundant RHR suppression pool cooling subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES. Each RHR subsystem contains two pumps and one heat exchanger and is manually initiated and independently controlled. The two subsystems perform the suppression pool cooling function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool. RHR service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat sink. The heat removal capability of one RHR pump in one subsystem is sufficient to meet the overall DBA pool cooling requirement for loss of coolant accidents (LOCAs) and transient events such as a turbine trip or stuck open safety/relief valve (S/RV). S/RV leakage and high pressure core injection and Reactor Core Isolation Cooling System testing increase suppression pool temperature more slowly. The RHR Suppression Pool Cooling System is also used to lower the suppression pool water bulk temperature following such events. APPLICABLE Reference 1 contains the results of analyses used to predict primary SAFETY ANALYSES containment pressure and temperature following large and small break LOCAs. The intent of the analyses is to demonstrate that the heat removal capacity of the RHR Suppression Pool Cooling System is adequate to maintain the primary containment conditions within design limits. The suppression pool temperature is calculated to remain below the design limit. The RHR Suppression Pool Cooling System satisfies Criterion 3 of the NRC Policy Statement (Ref. 3). RHR Suppression Pool Cooling B 3.6.2.3 (continued) HATCH UNIT 2 B 3.6-57 REVISION 77 BASES (continued) LCO During a DBA, a minimum of one RHR suppression pool cooling subsystem is required to maintain the primary containment peak pressure and temperature below design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool cooling subsystems must be OPERABLE with power from two safety related independent power supplies. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR suppression pool cooling subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE. Each RHR suppression pool cooling subsystem is supported by an independent subsystem of the Residual Heat Removal Service Water (RHRSW) System. Specifically, two OPERABLE RHRSW pumps and an OPERABLE flow path, as defined in the Bases for LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System," are required to provide the necessary heat transfer from the heat exchanger and, thereby, support each suppression pool cooling subsystem. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment and cause a heatup and pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, the RHR Suppression Pool Cooling System is not required to be OPERABLE in MODE 4 or 5. ACTIONS A.1 With one RHR suppression pool cooling subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining RHR suppression pool cooling subsystem is adequate to perform the primary containment cooling function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment cooling capability. The 7 day Completion Time is acceptable in light of the redundant RHR suppression pool cooling capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period. RHR Suppression Pool Cooling B 3.6.2.3 (continued) HATCH UNIT 2 B 3.6-58 REVISION 79 BASES ACTIONS B.1 (continued) With two RHR suppression pool cooling subsystems inoperable, one subsystem must be restored to OPERABLE status within 8 hours. In this condition, there is a substantial loss of the primary containment pressure and temperature mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and because alternative methods to remove heat from primary containment are available. C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.3.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool cooling mode flow path provides assurance that the proper flow path exists for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RHR Suppression Pool Cooling B 3.6.2.3 HATCH UNIT 2 B 3.6-59 REVISION 77 BASES SURVEILLANCE SR 3.6.2.3.2 REQUIREMENTS (continued) Verifying that each required RHR pump develops a flow rate 7700 gpm while operating in the suppression pool cooling mode with flow through the associated heat exchanger ensures that pump performance has not degraded during the cycle. Flow is a normal test of centrifugal pump performance required by ASME Code, Section XI (Ref. 2). This test confirms one point on the pump design curve, and the results are indicative of overall performance. Such inservice tests confirm component OPERABILITY and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program. REFERENCES 1. FSAR, Section 6.2.2.

2. ASME, Boiler and Pressure Vessel Code, Section XI.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Suppression Pool Spray B 3.6.2.4 (continued) HATCH UNIT 2 B 3.6-60 REVISION 77 B 3.6 CONTAINMENT SYSTEMS

B 3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray

BASES BACKGROUND Following a Design Basis Accident (DBA), the RHR Suppression Pool Spray System removes heat from the suppression chamber airspace. The suppression pool is designed to absorb the sudden input of heat from the primary system from a DBA or a rapid depressurization of the reactor pressure vessel (RPV) through safety/relief valves. The heat addition to the suppression pool results in increased steam in the suppression chamber, which increases primary containment pressure. Steam blowdown from a DBA can also bypass the suppression pool and end up in the suppression chamber airspace. Some means must be provided to remove heat from the suppression chamber so that the pressure and temperature inside primary containment remain within analyzed design limits. This function is provided by two redundant RHR suppression pool spray subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES. Each of the two RHR suppression pool spray subsystems contains two pumps and one heat exchanger, which are manually initiated and independently controlled. The two subsystems perform the suppression pool spray function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool spray spargers. The spargers only accommodate a small portion of the total RHR pump flow; the remainder of the flow returns to the suppression pool through the suppression pool cooling return line. Thus, both suppression pool cooling and suppression pool spray functions are performed when the Suppression Pool Spray System is initiated. RHR service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat sink. Either RHR suppression pool spray subsystem is sufficient to condense the steam from small bypass leaks from the drywell to the suppression chamber airspace during the postulated DBA. APPLICABLE Reference 1 contains the results of analyses used to predict primary SAFETY ANALYSES containment pressure and temperature following large and small break loss of coolant accidents. The intent of the analyses is to demonstrate that the pressure reduction capacity of the RHR Suppression Pool Spray System is adequate to maintain the primary RHR Suppression Pool Spray B 3.6.2.4 (continued) HATCH UNIT 2 B 3.6-61 REVISION 77 BASES APPLICABLE containment conditions within design limits. The time history for SAFETY ANALYSES primary containment pressure is calculated to demonstrate that the (continued) maximum pressure remains below the design limit. The RHR Suppression Pool Spray System satisfies Criterion 3 of the NRC Policy Statement (Ref. 2). LCO In the event of a DBA, a minimum of one RHR suppression pool spray subsystem is required to mitigate potential bypass leakage paths and maintain the primary containment peak pressure below the design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool spray subsystems must be OPERABLE with power from two safety related independent power supplies. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR suppression pool spray subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE. Each RHR suppression pool spray subsystem is supported by an independent subsystem of the Residual Heat Removal Service Water (RHRSW) System. Specifically, two OPERABLE RHRSW pumps and an OPERABLE flow path, as defined in the Bases for LCO 3.7.1, "Residual Heat Removal Service Water (RHRSW) System," are required to provide the necessary heat transfer from the heat exchanger and, thereby, support each suppression pool spray subsystem. APPLICABILITY In MODES 1, 2, and 3, a DBA could cause pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining RHR suppression pool spray subsystems OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one RHR suppression pool spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE RHR suppression pool spray subsystem is adequate to perform the primary containment bypass leakage mitigation function. RHR Suppression Pool Spray B 3.6.2.4 (continued) HATCH UNIT 2 B 3.6-62 REVISION 77 BASES ACTIONS A.1 (continued) However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment bypass mitigation capability. The 7 day Completion Time was chosen in light of the redundant RHR suppression pool spray capabilities afforded by the OPERABLE subsystem and the low probability of a DBA occurring during this period. B.1 With both RHR suppression pool spray subsystems inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours. In this Condition, there is a substantial loss of the primary containment bypass leakage mitigation function. The 8 hour Completion Time is based on this loss of function and is considered acceptable due to the low probability of a DBA and because alternative methods to remove heat from primary containment are available. C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.2.4.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool spray mode flow path provides assurance that the proper flow paths will exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool RHR Suppression Pool Spray B 3.6.2.4 HATCH UNIT 2 B 3.6-63 REVISION 79 BASES SURVEILLANCE SR 3.6.2.4.1 (continued) REQUIREMENTS cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.2.4.2 This Surveillance is performed every 10 years to verify that the spray nozzles are not obstructed and that flow will be provided when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 6.2.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR Drywell Spray B 3.6.2.5 (continued) HATCH UNIT 2 B 3.6-64 REVISION 77 B 3.6 CONTAINMENT SYSTEMS

B 3.6.2.5 Residual Heat Removal (RHR) Drywell Spray

BASES BACKGROUND The Drywell Spray is a mode of the RHR system which may be initiated under post accident conditions to reduce the temperature and pressure of the primary containment atmosphere. Each of the two RHR subsystems consists of two pumps, one heat exchanger, containment spray valves, and a spray header in the drywell. RHR drywell spray is a manually initiated function which can only be placed in service if adequate core cooling is assured. A physical interlock prevents opening the spray valves unless reactor water level is above two thirds core height. However, under certain conditions as delineated by the emergency operating procedures, this interlock may be bypassed. Water is pumped from the suppression pool and through the RHR heat exchangers, after which it is diverted to the spray headers in the drywell. The spray then effects a temperature and pressure reduction through the combined effects of evaporative and convective cooling, depending on the drywell atmosphere. If the atmosphere is superheated, a rapid evaporative cooling process will ensue. If the environment in the drywell is saturated, temperature and pressure will be reduced via a convective cooling process. The drywell spray is also operated post-LOCA to wash, or scrub, inorganic iodines and particulates from the drywell atmosphere into the suppression pool. At Plant Hatch, the drywell spray is credited post-LOCA for both the scrubbing function as well as the temperature and pressure reduction effects. The drywell spray is not credited in determining the post-LOCA peak primary containment internal pressure; however, the Hatch radiological dose analysis does take credit for the drywell spray temperature and pressure reduction over time in reducing the post-LOCA primary containment leakage and main steam isolation valve leakage. RHR Service Water (RHRSW), circulating through the tube side of the heat exchangers, supports the drywell spray temperature and pressure reduction function by exchanging heat with the suppression pool water and discharging the heat to the external heat sink. The drywell spray mode of RHR is described in the FSAR, Reference 1. RHR Drywell Spray B 3.6.2.5 (continued) HATCH UNIT 2 B 3.6-65 REVISION 77 BASES (continued) APPLICABLE The RHR Drywell Spray is credited post-LOCA for scrubbing inorganic SAFETY ANALYSES iodines and particulates from the primary containment atmosphere. This function reduces the amount of airborne activity available for leakage from the primary containment. The RHR drywell spray also reduces the temperature and pressure in the drywell over time, thereby reducing the post-LOCA primary containment and main steam isolation valve leakage to within the assumptions of the Hatch radiological dose analysis. The RHR drywell spray system is not required to maintain the primary containment peak post-LOCA pressure within design limits. Reference 2 contains the results of analyses used to predict the effects of drywell spray on the post accident primary containment atmosphere, as well as the primary containment leak rate analysis. The RHR drywell spray system satisfies criterion 3 of the NRC Policy Statement (Reference 3). LCO In the event of a LOCA, a minimum of one RHR drywell spray subsystem using one RHR pump is required to adequately scrub the inorganic iodines and particulates from the primary containment atmosphere. One RHR drywell spray system using one RHR pump is also adequate to reduce the primary containment temperature and pressure to maintain the primary containment and main steam isolation valve post-accident leakage rates within the limits assumed in the Hatch radiological dose analysis. To ensure these requirements are met, two RHR drywell spray subsystems must be OPERABLE with power supplies from two safety related independent power supplies. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single failure. An RHR drywell spray subsystem is considered OPERABLE when one of the two pumps in the subsystem, the heat exchanger, associated piping, valves, instrumentation, and controls are OPERABLE. Each RHR drywell spray subsystem is supported by an independent subsystem of the RHRSW system. Specifically, two RHRSW pumps and an OPERABLE flow path are required to provide the necessary heat transfer from the heat exchanger and thereby support each drywell spray subsystem.

RHR Drywell Spray B 3.6.2.5 (continued) HATCH UNIT 2 B 3.6-66 REVISION 77 BASES (continued) APPLICABILITY In MODES 1, 2, and 3, a DBA could cause the pressurization of, and the release of fission products into, the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to pressure and temperature limitations in these MODES. Therefore, maintaining RHR drywell spray subsystems OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one drywell spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this condition, the remaining OPERABLE RHR drywell spray subsystem is adequate to perform the primary containment fission product scrubbing and temperature and pressure reduction functions. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in the loss of the scrubbing and temperature and pressure reduction capabilities of the RHR drywell spray system. The 7 day Completion Time was chosen because of the capability of the redundant and OPERABLE RHR drywell spray subsystem and the low probability of a DBA occurring during this period. B.1 With both RHR drywell spray subsystems inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours. In this Condition, there is a substantial loss of the fission product scrubbing and temperature and pressure reduction functions of the RHR drywell spray system. The 8 hour Completion Time is based on the low probability of a DBA during this period. C.1 and C.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner without challenging plant systems.

Primary Containment Oxygen Concentration B 3.6.3.2 (continued) HATCH UNIT 2 B 3.6-68 REVISION 74 B 3.6 CONTAINMENT SYSTEMS

B 3.6.3.2 Primary Containment Oxygen Concentration

BASES BACKGROUND Boiling water reactors must be designed to withstand events that generate hydrogen either due to the zirconium metal water reaction in the core or due to radiolysis. The primary method to control hydrogen is to inert the primary containment. With the primary containment inert, that is, oxygen concentration < 4.0 volume percent (v/o), a combustible mixture cannot be present in the primary containment for any hydrogen concentration. An event that rapidly generates hydrogen from zirconium metal water reaction will result in excessive hydrogen in primary containment, but oxygen concentration will remain < 4.0 v/o and no combustion can occur. This LCO ensures that oxygen concentration does not exceed 4.0 v/o during operation in the applicable conditions.

APPLICABLE The Plant Hatch Individual Plant Examination (Ref. 1) assumes SAFETY ANALYSES that the primary containment is inerted when a Design Basis Accident loss of coolant accident occurs. Thus, the hydrogen assumed to be released to the primary containment as a result of metal water reaction in the reactor core will not produce combustible gas mixtures in the primary containment. The primary containment oxygen concentration satisfies Criterion 4 of the NRC Policy Statement (Ref. 2). It is assumed in Reference 1 and can be considered risk significant.

LCO The primary containment oxygen concentration is maintained < 4.0 v/o to ensure that an event that produces any amount of hydrogen does not result in a combustible mixture inside primary containment.

Primary Containment Oxygen Concentration B 3.6.3.2 (continued) HATCH UNIT 2 B 3.6-69 REVISION 74 BASES (continued) APPLICABILITY The primary containment oxygen concentration must be within the specified limit when primary containment is inerted, except as allowed by the relaxations during startup and shutdown addressed below. The primary containment must be inert in MODE 1, since this is the condition with the highest probability of an event that could produce hydrogen. Inerting the primary containment is an operational problem because it prevents containment access without an appropriate breathing apparatus. Therefore, the primary containment is inerted as late as possible in the plant startup and de-inerted as soon as possible in the plant shutdown. As long as reactor power is < 15% RTP, the potential for an event that generates significant hydrogen is low and the primary containment need not be inert. Furthermore, the probability of an event that generates hydrogen occurring within the first 24 hours of a startup, or within the last 24 hours before a shutdown, is low enough that these "windows," when the primary containment is not inerted, are also justified. The 24 hour time period is a reasonable amount of time to allow plant personnel to perform inerting or de-inerting.

ACTIONS A.1 If oxygen concentration is 4.0 v/o at any time while operating in MODE 1, with the exception of the relaxations allowed during startup and shutdown, oxygen concentration must be restored to < 4.0 v/o within 24 hours. The 24 hour Completion Time is allowed when oxygen concentration is 4.0 v/o because of the low probability and long duration of an event that would generate significant amounts of hydrogen occurring during this period.

B.1 If oxygen concentration cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, power must be reduced to 15% RTP within 8 hours. The 8 hour Completion Time is reasonable, based on operating experience, to reduce reactor power from full power conditions in an orderly manner and without challenging plant systems.

Primary Containment Oxygen Concentration B 3.6.3.2 HATCH UNIT 2 B 3.6-70 REVISION 79 BASES (continued) SURVEILLANCE SR 3.6.3.2.1 REQUIREMENTS The primary containment (drywell and suppression chamber) must be determined to be inert by verifying that oxygen concentration is < 4.0 v/o. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Edwin I. Hatch Nuclear Plants Units 1 and 2 Plant Hatch Individual Plant Examination (IPE), December 1992.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Drywell Cooling System Fans B 3.6.3.3 (continued) HATCH UNIT 2 B 3.6-71 REVISION 74 B 3.6 CONTAINMENT SYSTEMS

B 3.6.3.3 Drywell Cooling System Fans

BASES BACKGROUND The Drywell Cooling System (air side) ensures a uniformly mixed post accident primary containment atmosphere, thereby minimizing the potential for local hydrogen burns due to a pocket of hydrogen above the flammable concentration. The Drywell Cooling System is designed to withstand a loss of coolant accident (LOCA) in post accident environments without loss of function. However, the system is not "environmentally qualified." The system has eight subsystems consisting of recirculation fans, fan coil units, motors, controls, and ducting. However, due to the fact that the 2T47-B010A/B Units do not receive power from the diesel generators, they are not allowed to be used to meet the LCO requirements. Each of the six credited subsystems is sized to circulate 8000 scfm (for the 2T47-B007A/B fans) or 25,000 scfm (for the 2T47-B008A/B and 2T47-B009A/B fans). The Drywell Cooling System employs both forced circulation and natural circulation to ensure the proper mixing of hydrogen in primary containment. The recirculation fans provide the forced circulation to mix hydrogen while the fan coils provide the natural circulation by increasing the density through the cooling of the hot gases at the top of the drywell causing the cooled gases to gravitate to the bottom of the drywell. The six subsystems are initiated manually since flammability limits would not be reached until several days after a LOCA. Three of the subsystems are powered from one emergency power supply while the other three subsystems are powered from another emergency power supply. Since each subsystem can provide 100% of the mixing requirements, the system will provide its design function with a worst case single active failure. The Drywell Cooling System uses the Drywell Cooling System recirculating fans to mix the drywell atmosphere. The fan coil units and recirculation fans are automatically disengaged during a LOCA but may be restored to service manually by the operator. In the event of a loss of offsite power, all fan coil units, recirculating fans, and primary containment water chillers are transferred to the emergency diesels. The fan coil units and recirculating fans are started automatically from diesel power upon loss of offsite power.

Drywell Cooling System Fans B 3.6.3.3 (continued) HATCH UNIT 2 B 3.6-72 REVISION 74 BASES (continued) APPLICABLE The Drywell Cooling System fans provide the capability for reducing SAFETY ANALYSES the local hydrogen concentration to approximately the bulk average concentration following a Design Basis Accident (DBA). The limiting DBA relative to hydrogen generation is a LOCA. Hydrogen may accumulate in primary containment following a LOCA as a result of:

a. A metal steam reaction between the zirconium fuel rod cladding and the reactor coolant; or

b. Radiolytic decomposition of water in the Reactor Coolant System. To evaluate the potential for hydrogen accumulation in primary containment following a LOCA, the hydrogen generation as a function of time following the initiation of the accident is calculated.

Conservative assumptions recommended by Reference 1 are used to maximize the amount of hydrogen calculated. The Reference 2 calculations show that hydrogen assumed to be released to the drywell within 2 minutes following a DBA LOCA raises drywell hydrogen concentration to over 2.5 volume percent (v/o). Natural circulation phenomena result in a gradient concentration difference of less then 0.5 v/o in the drywell and less than 0.1 v/o in the suppression chamber. Even though this gradient is acceptably small and no credit for mechanical mixing was assumed in the analysis, two Drywell Cooling System fans are required to be OPERABLE by this LCO. This will ensure the gradient concentration difference is small. The Drywell Cooling System fans satisfy Criterion 3 of the NRC Policy Statement (Ref. 3). LCO Two Drywell Cooling System fans must be OPERABLE to ensure operation of at least one fan in the event of a worst case single active failure. Each of these fans must be powered from an independent safety related bus. The 2T47-B007A and B, B008 A and B, and B009 A and B fans shall be used to meet this requirement. In addition, only the recirculation fan portion of the system must be OPERABLE; the cooler portion does not need to be OPERABLE. Operation with at Drywell Cooling System Fans B 3.6.3.3 (continued) HATCH UNIT 2 B 3.6-73 REVISION 74 BASES LCO least one fan provides the capability of controlling the bulk hydrogen (continued) concentration in primary containment without exceeding the flammability limit.

APPLICABILITY In MODES 1 and 2, the two Drywell Cooling System fans ensure the capability to prevent localized hydrogen concentrations above the flammability limit of 4.0 v/o in drywell, assuming a worst case single active failure. In MODE 3, both the hydrogen production rate and the total hydrogen produced after a LOCA would be less than that calculated for the DBA LOCA. Also, because of the limited time in this MODE, the probability of an accident requiring the Drywell Cooling System fans is low. Therefore, the Drywell Cooling System fans are not required in MODE 3. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, the Drywell Cooling System fans are not required in these MODES. ACTIONS A.1 With one required Drywell Cooling System fan inoperable, the inoperable fan must be restored to OPERABLE status within 30 days. In this condition, the remaining OPERABLE fan is adequate to perform the hydrogen mixing function. However, the overall reliability is reduced because a single failure in the OPERABLE fan could result in reduced hydrogen mixing capability. The 30 day Completion Time is based on the availability of the second fan, the low probability of the occurrence of a LOCA that would generate hydrogen in amounts capable of exceeding the flammability limit, the amount of time available after the event for operator action to prevent exceeding this limit, and the availability of natural circulation to maintain the atmosphere mixed. Drywell Cooling System Fans B 3.6.3.3 (continued) HATCH UNIT 2 B 3.6-74 REVISION 79 BASES ACTIONS B.1 (continued) With two Drywell Cooling System fans inoperable, one fan must be restored to OPERABLE status within 7 days. Seven days is a reasonable time to allow two Drywell Cooling System fans to be inoperable because the hydrogen mixing function is maintained via natural circulation and because of the low probability of the occurrence of a LOCA that would generate hydrogen in amounts capable of exceeding the flammability limit.

C.1 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours. The allowed Completion Time of 12 hours is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging plant systems. SURVEILLANCE SR 3.6.3.3.1 REQUIREMENTS Operating each required Drywell Cooling System fan for 15 minutes ensures that each subsystem is OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Drywell Cooling System Fans B 3.6.3.3 HATCH UNIT 2 B 3.6-75 REVISION 74 BASES (continued) REFERENCES 1. Regulatory Guide 1.7, Revision 0.

2. FSAR, Section 6.2.5.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 2 B 3.6-76 REVISION 74 B 3.6 CONTAINMENT SYSTEMS

B 3.6.4.1 Secondary Containment

BASES BACKGROUND The function of the secondary containment is to contain, dilute, and hold up fission products that may leak from primary containment following a Design Basis Accident (DBA). In conjunction with operation of the Standby Gas Treatment (SGT) System and closure of certain valves whose lines penetrate the secondary containment, the secondary containment is designed to reduce the activity level of the fission products prior to release to the environment and to isolate and contain fission products that are released during certain operations that take place inside primary containment, when primary containment is not required to be OPERABLE, or that take place outside primary containment. The secondary containment is a structure that completely encloses the primary containment and those components that may be postulated to contain primary system fluid. This structure forms a control volume that serves to hold up and dilute the fission products. It is possible for the pressure in the control volume to rise relative to the environmental pressure (e.g., due to pump and motor heat load additions). The secondary containment encompasses three separate zones: the Unit 1 reactor building (Zone I), the Unit 2 reactor building (Zone II), and the common refueling floor (Zone III). The secondary containment can be modified to exclude the Unit 1 reactor building (Zone I) provided the following requirements are met:

a. Unit 1 Technical Specifications do not require OPERABILITY of Zone I;

b. All hatches separating Zone III from Zone I are closed and sealed; and

c. At least one door in each access path separating Zone III from Zone I is closed.

Similarly, other zones can be excluded from the secondary containment OPERABILITY requirement during various plant operating conditions with the appropriate controls. For example, during Unit 2 shutdown operations, the secondary containment can be modified to exclude the Unit 2 reactor building (Zone II) (either alone or in combination with excluding Zone I as described above) provided the following requirements are met: Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 2 B 3.6-77 REVISION 74 BASES BACKGROUND a. Unit 2 is not conducting operations with a potential for draining (continued) the reactor vessel (OPDRV);

b. All hatches separating Zone III from Zone II are closed and sealed; and c. At least one door in each access path separating Zone III from Zone II is closed.

To prevent ground level exfiltration while allowing the secondary containment to be designed as a conventional structure, the secondary containment requires support systems to maintain the control volume pressure at less than the external pressure. Requirements for these systems are specified separately in LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System." When one or more zones are excluded from secondary containment, the specific requirements for the support systems will also change (e.g., securing particular SGT or drain isolation valves). APPLICABLE There are two principal accidents for which credit is taken for SAFETY ANALYSES secondary containment OPERABILITY. These are a loss of coolant accident (LOCA) (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to either of these limiting events; however, its leak tightness is required to ensure that the release of radioactive materials from the primary containment is restricted to those leakage paths and associated leakage rates assumed in the accident analysis and that fission products entrapped within the secondary containment structure will be treated by the Unit 1 and Unit 2 SGT Systems prior to discharge to the environment. Postulated LOCA leakage paths from the primary containment into secondary containment include those into both the reactor building and refueling floor zones (e.g., drywell head leakage). Secondary containment satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO An OPERABLE secondary containment provides a control volume into which fission products that bypass or leak from primary containment, or are released from the reactor coolant pressure boundary Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 2 B 3.6-78 REVISION 74 BASES LCO components located in secondary containment, can be diluted and (continued) processed prior to release to the environment. For the secondary containment to be considered OPERABLE, it must have adequate leak tightness to ensure that the required vacuum (0.20 inch of vacuum) can be established and maintained. The secondary containment boundary required to be OPERABLE is dependent on the operating status of both units, as well as the configuration of doors, hatches, refueling floor plugs, SCIVs, and available flow paths to SGT Systems. The required boundary encompasses the zones which can be postulated to contain fission products from accidents required to be considered for the condition of each unit, and furthermore, must include zones not isolated from the SGT subsystems being credited for meeting LCO 3.6.4.3. Allowed configurations, associated SGT subsystem requirements, and associated SCIV requirements are detailed in the Technical Requirements Manual (Ref. 3). APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment (the reactor building zone and potentially the refueling floor zone). Therefore, secondary containment OPERABILITY is required during the same operating conditions that require primary containment OPERABILITY. In MODES 4 and 5, the probability and consequences of the LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining secondary containment OPERABLE is not required in MODE 4 or 5 to ensure a control volume, except for other situations for which significant releases of radioactive material can be postulated, such as during OPDRVs, during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. (Note, moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3.) Since CORE ALTERATIONS and movement of irradiated fuel assemblies are only postulated to release radioactive material to the refueling floor zone, the secondary containment configuration may consist of only Zone III during these conditions. Similarly, during OPDRVs while in MODE 4 (vessel head bolted) the release of radioactive materials is only postulated to the associated reactor building, the secondary containment configuration may consist of only Zone II.

Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 2 B 3.6-79 REVISION 74 BASES (continued) ACTIONS A.1 If secondary containment is inoperable, it must be restored to OPERABLE status within 4 hours. The 4 hour Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring secondary containment OPERABILITY) occurring during periods where secondary containment is inoperable is minimal. B.1 and B.2 If secondary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. C.1, C.2, and C.3 Movement of irradiated fuel assemblies in the secondary containment, CORE ALTERATIONS, and OPDRVs can be postulated to cause fission product release to the secondary containment. In such cases, the secondary containment is the only barrier to release of fission products to the environment. CORE ALTERATIONS and movement of irradiated fuel assemblies must be immediately suspended if the secondary containment is inoperable. Suspension of these activities shall not preclude completing an action that involves moving a component to a safe position. Also, action must be immediately initiated to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action C.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, Secondary Containment B 3.6.4.1 (continued) HATCH UNIT 2 B 3.6-80 REVISION 79 BASES ACTIONS C.1, C.2, and C.3 (continued) inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. SURVEILLANCE SR 3.6.4.1.1 and SR 3.6.4.1.2 REQUIREMENTS Verifying that secondary containment equipment hatches and one access door in each access opening are closed ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur. Verifying that all such openings are closed provides adequate assurance that exfiltration from the secondary containment will not occur. SR 3.6.4.1.1 also requires equipment hatches to be sealed. In this application, the term "sealed" has no connotation of leak tightness. Maintaining secondary containment OPERABILITY requires verifying one door in the access opening is closed. An access opening contains one inner and one outer door. The intent is not to breach the secondary containment at any time when secondary containment is required. This is achieved by maintaining the inner or outer portion of the barrier closed at all times. However, all secondary containment access doors are normally kept closed, except when the access opening is being used for entry and exit or when maintenance is being performed on an access opening. When the secondary containment configuration excludes Zone I and/or Zone II, these SRs also include verifying the hatches and doors separating the common refueling floor zone from the reactor building(s). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.6.4.1.3 and SR 3.6.4.1.4 The Unit 1 and Unit 2 SGT Systems exhausts the secondary containment atmosphere to the environment through appropriate treatment equipment. To ensure that all fission products are treated, SR 3.6.4.1.3 verifies that the appropriate SGT System(s) will rapidly establish and maintain a negative pressure in the secondary containment. This is confirmed by demonstrating that the required SGT subsystem(s) will draw down the secondary containment to 0.20 inch of vacuum water gauge in 120 seconds (13 seconds of diesel generator startup and breaker closing time is included in the 120 second drawdown time). This cannot be accomplished if the secondary containment boundary is not intact. SR 3.6.4.1.4 demonstrates that the required SGT subsystem(s) can Secondary Containment B 3.6.4.1 HATCH UNIT 2 B 3.6-81 REVISION 79 BASES SURVEILLANCE SR 3.6.4.1.3 and SR 3.6.4.1.4 (continued) REQUIREMENTS maintain 0.20 inch of vacuum water gauge for 1 hour at a flow rate 4000 cfm for each SGT subsystem. The 1 hour test period allows secondary containment to be in thermal equilibrium at steady state conditions. Therefore, these two tests are used to ensure secondary containment boundary integrity. Since these SRs are secondary containment tests, they need not be performed with each SGT subsystem. The SGT subsystems are tested on a STAGGERED TEST BASIS, however, to ensure that in addition to the requirements of LCO 3.6.4.3, each SGT subsystem or combination of subsystems will perform this test. The number of SGT subsystems and the required combinations are dependent on the configuration of the secondary containment and are detailed in the Technical Requirements Manual (Ref. 3). The Note to SR 3.6.4.1.3 and SR 3.6.4.1.4 specifies that the number of required SGT subsystems be one less than the number required to meet LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," for the given configuration. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 15.1.39.

2. FSAR, Section 15.1.41. 3. Technical Requirements Manual, Section 8.0.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

SCIVs B 3.6.4.2 (continued) HATCH UNIT 2 B 3.6-82 REVISION 74 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs)

BASES BACKGROUND The function of the SCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Secondary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that fission products that leak from primary containment following a DBA, or that are released during certain operations when primary containment is not required to be OPERABLE or take place outside primary containment, are maintained within the secondary containment boundary. The OPERABILITY requirements for SCIVs help ensure that an adequate secondary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. These isolation devices consist of either passive devices or active (automatic) devices. Manual valves, de-activated automatic valves secured in their closed position, check valves with flow through the valve secured, and blind flanges are considered passive devices. Automatic SCIVs close on a secondary containment isolation signal to establish a boundary for untreated radioactive material within secondary containment following a DBA or other accidents. Other penetrations are isolated by the use of valves in the closed position or blind flanges. APPLICABLE The SCIVs must be OPERABLE to ensure the secondary SAFETY ANALYSES containment barrier to fission product releases is established. The principal accidents for which the secondary containment boundary is required are a loss of coolant accident (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2). The secondary containment performs no active function in response to either of these limiting events, but the boundary established by SCIVs is required to ensure that leakage from primary containment is processed by the Standby Gas Treatment (SGT) System before being released to the environment. Maintaining SCIVs OPERABLE with isolation times within limits ensures that fission products will remain trapped inside secondary SCIVs B 3.6.4.2 (continued) HATCH UNIT 2 B 3.6-83 REVISION 74 BASES APPLICABLE containment so that they can be treated by the SGT System prior to SAFETY ANALYSES discharge to the environment.

(continued)

SCIVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO SCIVs form a part of the secondary containment boundary. The SCIV safety function is related to control of offsite radiation releases resulting from DBAs. The power operated isolation valves are considered OPERABLE when their isolation times are within limits and the valves actuate on an automatic isolation signal. The valves covered by this LCO, along with their associated stroke times, are listed in Reference 3. The normally closed isolation valves or blind flanges are considered OPERABLE when manual valves are closed, or open in accordance with appropriate administrative controls, automatic SCIVs are de-activated and secured in their closed position, and blind flanges are in place. These passive isolation valves or devices are listed in Reference 3. The SCIVs required to be OPERABLE are dependent on the configuration of the secondary containment (which is dependent on the operating status of both units, as well as the configuration of doors, hatches, refueling floor plugs, and available flow paths to SGT Systems). The required boundary encompasses the zones which can be postulated to contain fission products from accidents required to be considered for the condition of each unit, and furthermore, must include zones not isolated from the SGT subsystems being credited for meeting LCO 3.6.4.3, "Standby Gas Treatment (SGT) System." The required SCIVs are those in penetrations communicating with the zones required for secondary containment OPERABILITY and are detailed in Reference 3. APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to the primary containment that leaks to the secondary containment. Therefore, the OPERABILITY of SCIVs is required. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to pressure and temperature limitations in these MODES. Therefore, maintaining SCIVs OPERABLE is not required in SCIVs B 3.6.4.2 (continued) HATCH UNIT 2 B 3.6-84 REVISION 74 BASES APPLICABILITY MODE 4 or 5, except for other situations under which significant (continued) radioactive releases can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. (Note: Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3.) ACTIONS The ACTIONS are modified by three Notes. The first Note allows penetration flow paths to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated. The second Note provides clarification that for the purpose of this LCO separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SCIVs are governed by subsequent Condition entry and application of associated Required Actions. The third Note ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable SCIV. A.1 and A.2 In the event that there are one or more penetration flow paths with one SCIV inoperable, the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic SCIV, a closed manual valve, and a blind flange. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available device to secondary containment. The Required Action must be completed within the 8 hour Completion Time. The specified time period is reasonable considering the time required to SCIVs B 3.6.4.2 (continued) HATCH UNIT 2 B 3.6-85 REVISION 74 BASES ACTIONS A.1 and A.2 (continued) isolate the penetration, and the probability of a DBA, which requires the SCIVs to close, occurring during this short time is very low. For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment penetrations required to be isolated following an accident, but no longer capable of being automatically isolated, will be in the isolation position should an event occur. The Completion Time of once per 31 days is appropriate because the isolation devices are operated under administrative controls and the probability of their misalignment is low. This Required Action does not require any testing or device manipulation. Rather, it involves verification that the affected penetration remains isolated. Required Action A.2 is modified by a Note that applies to devices located in high radiation areas and allows them to be verified closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment once they have been verified to be in the proper position, is low. B.1 With two SCIVs in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 4 hours. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 4 hour Completion Time is reasonable considering the time required to isolate the penetration and the probability of a DBA, which requires the SCIVs to close, occurring during this short time, is very low. C.1 and C.2 If any Required Action and associated Completion Time of Condition A or B cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are SCIVs B 3.6.4.2 (continued) HATCH UNIT 2 B 3.6-86 REVISION 79 BASES ACTIONS C.1, and C.2 (continued) reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1, D.2, and D.3 If any Required Action and associated Completion Time of Condition A or B are not met, the plant must be placed in a condition in which the LCO does not apply. If applicable, CORE ALTERATIONS and the movement of irradiated fuel assemblies in the secondary containment must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must be immediately initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action D.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving fuel while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. SURVEILLANCE SR 3.6.4.2.1 REQUIREMENTS This SR verifies that each secondary containment manual isolation valve and blind flange that is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the secondary containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification that those isolation devices in secondary containment that are capable of being mispositioned are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SCIVs B 3.6.4.2 (continued) HATCH UNIT 2 B 3.6-87 REVISION 79 BASES SURVEILLANCE SR 3.6.4.2.1 (continued) REQUIREMENTS Two Notes have been added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these isolation devices, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that SCIVs that are open under administrative controls are not required to meet the SR during the time the SCIVs are open. SR 3.6.4.2.2 Verifying that the isolation time of each power operated and each automatic SCIV is within limits is required to demonstrate OPERABILITY. The isolation time test ensures that the SCIV will isolate in a time period less than or equal to that assumed in the safety analyses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.4.2.3 Verifying that each automatic SCIV closes on a secondary containment isolation signal is required to prevent leakage of radioactive material from secondary containment following a DBA or other accidents. This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.2.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SCIVs B 3.6.4.2 HATCH UNIT 2 B 3.6-88 REVISION 79 BASES (continued) REFERENCES 1. FSAR, Section 15.1.39.

2. FSAR, Section 15.1.41. 3. Technical Requirements Manual, Section 8.0.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

SGT System B 3.6.4.3 (continued) HATCH UNIT 2 B 3.6-89 REVISION 74 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.3 Standby Gas Treatment (SGT) System BASES BACKGROUND The SGT System is required by 10 CFR 50, Appendix A, GDC 41, "Containment Atmosphere Cleanup" (Ref. 1). The function of the SGT System is to ensure that radioactive materials that leak from the primary containment into the secondary containment following a Design Basis Accident (DBA) are filtered and adsorbed prior to exhausting to the environment. The Unit 1 and Unit 2 SGT Systems each consists of two fully redundant subsystems, each with its own set of dampers, charcoal filter train, and controls. The Unit 1 SGT subsystems' ductwork is separate from the inlet to the filter train to the discharge of the fan. The rest of the ductwork is common. The Unit 2 SGT subsystems' ductwork is separate except for the suction from the drywell and torus, which is common (however, this suction path is not required for subsystem OPERABILITY). Each charcoal filter train consists of (components listed in order of the direction of the air flow):

a. A demister or moisture separator;

b. An electric heater;

c. A prefilter;

d. A high efficiency particulate air (HEPA) filter;

e. Two charcoal adsorbers for Unit 1 subsystems and one charcoal adsorber for Unit 2 subsystems;

f. A second HEPA filter; and

g. An axial vane fan for Unit 1 subsystems and a centrifugal fan for Unit 2 subsystems.

The sizing of the SGT Systems equipment and components is based on the results of an infiltration analysis, as well as an exfiltration analysis of the secondary containment. The internal pressure of the SGT Systems boundary region is maintained at a negative pressure when the system is in operation, to conservatively ensure zero

SGT System B 3.6.4.3 (continued) HATCH UNIT 2 B 3.6-90 REVISION 74 BASES BACKGROUND exfiltration of air from the building when exposed to winds as high as (continued) 31 mph.

The demister is provided to remove entrained water in the air, while the electric heater reduces the relative humidity of the airstream (Refs. 2 and 3). (However, credit is not taken for the operation of the heater. Accordingly, laboratory testing of the charcoal efficiency is performed at a relative humidity of 95%.) The prefilter removes large particulate matter, while the HEPA filter removes fine particulate matter and protects the charcoal from fouling. The charcoal adsorbers remove gaseous elemental iodine and organic iodides, and the final HEPA filter collects any carbon fines exhausted from the charcoal adsorber. The Unit 1 and Unit 2 SGT Systems automatically start and operate in response to actuation signals indicative of conditions or an accident that could require operation of the system. Following initiation, all required charcoal filter train fans start. Upon verification that the required subsystems are operating, the redundant required subsystem is normally shut down. APPLICABLE The design basis for the Unit 1 and Unit 2 SGT Systems is to SAFETY ANALYSES mitigate the consequences of a loss of coolant accident and fuel handling accidents (Refs. 2, 3, 4, and 5). For all events analyzed, the SGT Systems are shown to be automatically initiated to reduce, via filtration and adsorption, the radioactive material released to the environment. The SGT System satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). LCO Following a DBA, a minimum number of SGT subsystems are required to maintain the secondary containment at a negative pressure with respect to the environment and to process gaseous releases. Meeting the LCO requirements for OPERABLE subsystems ensures operation of the minimum number of SGT subsystems in the event of a single active failure. The required number of SGT subsystems is dependent on the configuration required to meet LCO 3.6.4.1, "Secondary Containment." For secondary containment OPERABILITY consisting of all three zones, the required number of SGT subsystems is four. With secondary containment OPERABILITY consisting of one reactor building and the common refueling floor zones, the required number of SGT subsystem is three. Allowed SGT System B 3.6.4.3 (continued) HATCH UNIT 2 B 3.6-91 REVISION 74 BASES LCO configurations and associated SGT subsystem requirements are (continued) detailed in the Technical Requirements Manual (Ref. 6).

In addition, with secondary containment in modified configurations, the SGT System valves to excluded zone(s) are not included as part of SGT System OPERABILITY (i.e., the valves may be secured closed and are not required to open on an actuation signal). APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, Unit 1 and Unit 2 SGT Systems OPERABILITY are required during these MODES. In MODES 4 and 5, the probability and consequences of a LOCA are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the SGT Systems in OPERABLE status is not required in MODE 4 or 5, except for other situations under which significant releases of radioactive material can be postulated, such as during operations with a potential for draining the reactor vessel (OPDRVs), during CORE ALTERATIONS, or during movement of irradiated fuel assemblies in the secondary containment. ACTIONS The Actions are modified by a Note to indicate that when both Unit 1 SGT subsystems are placed in an inoperable status for inspection of the Unit 1 hardened vent rupture disk, entry into associated Conditions and Required Actions may be delayed for up to 24 hours, provided both Unit 2 SGT subsystems are OPERABLE. Upon completion of the inspection or expiration of the 24 hour allowance, the Unit 1 SGT subsystems must be returned to OPERABLE status or the applicable Conditions entered and Required Actions taken. The 24 hour allowance is based upon precluding a dual unit shutdown to perform the inspection, yet minimizing the time both Unit 1 SGT subsystems are inoperable. A.1 and B.1 With one required Unit 1 or Unit 2 SGT subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status. In this condition, the remaining required OPERABLE SGT subsystems are adequate to perform the required radioactivity release control function. However, the overall system reliability is reduced because a single SGT System B 3.6.4.3 (continued) HATCH UNIT 2 B 3.6-92 REVISION 74 BASES ACTIONS A.1 and B.1 (continued) failure in one of the remaining required OPERABLE subsystems could result in the radioactivity release control function not being adequately performed. The 7 and 30 day Completion Times are based on consideration of such factors as the availability of the OPERABLE redundant SGT subsystems and the low probability of a DBA occurring during this period. Additionally, the 30 day Completion Time of Required Action A.1 is based on three remaining OPERABLE SGT subsystems, of which two are Unit 2 subsystems, and the secondary containment volume in the Unit 1 reactor building being open to the common refueling floor where the two Unit 2 SGT subsystems can readily provide rapid drawdown of vacuum. Testing and analysis has shown that in this configuration, even with an additional single failure (which is not necessary to assume while in ACTIONS) the secondary containment volume may be drawn to a vacuum in the time required to support assumptions of analyses.

C.1 and C.2 If the SGT subsystem cannot be restored to OPERABLE status within the required Completion Time in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. In the event that a Unit 1 SGT subsystem is the one not restored to OPERABLE status as required by Required Action A.1 or B.1, operation of Unit 2 can continue provided that Unit 1 is shut down, the Unit 1 reactor building zone is isolated from the remainder of secondary containment and the SGT System, and the Unit 1 Technical Specifications do not require Operability of Zone I. In this modified secondary containment configuration, only three SGT subsystems are required to be OPERABLE to meet LCO 3.6.4.3, and no limitation is applied to the inoperable Unit 1 SGT subsystem. This in effect is an alternative to restoring the inoperable Unit 1 SGT subsystem, i.e., shut down Unit 1 and isolate its reactor building zone from secondary containment and SGT System.

SGT System B 3.6.4.3 (continued) HATCH UNIT 2 B 3.6-93 REVISION 74 BASES ACTIONS D.1, D.2.1, D.2.2, and D.2.3 (continued) During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, when Required Action A.1 or B.1 cannot be completed within the required Completion Time, the remaining required OPERABLE SGT subsystems should immediately be placed in operation. This action ensures that the remaining subsystems are OPERABLE, that no failures that could prevent automatic actuation have occurred, and that any other failure would be readily detected. An alternative to Required Action D.1 is to immediately suspend activities that represent a potential for releasing radioactive material to the secondary containment, thus placing the plant in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies must immediately be suspended. Suspension of these activities must not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. The Required Actions of Condition D have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. E.1 If two or more required SGT subsystems are inoperable in MODE 1, 2 or 3, the Unit 1 and Unit 2 SGT Systems may not be capable of supporting the required radioactivity release control function. Therefore, LCO 3.0.3 must be entered immediately. SGT System B 3.6.4.3 (continued) HATCH UNIT 2 B 3.6-94 REVISION 79 BASES ACTIONS F.1, F.2, and F.3 (continued) When two or more required SGT subsystems are inoperable, if applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in secondary containment must immediately be suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, actions must immediately be initiated to suspend OPDRVs in order to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until OPDRVs are suspended. Required Action F.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown. SURVEILLANCE SR 3.6.4.3.1 REQUIREMENTS Operating each required Unit 1 and Unit 2 SGT subsystem for 15 continuous minutes ensures that they are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.4.3.2 This SR verifies that the required Unit 1 and Unit 2 SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.

SGT System B 3.6.4.3 HATCH UNIT 2 B 3.6-95 REVISION 79 BASES SURVEILLANCE SR 3.6.4.3.3 REQUIREMENTS (continued) This SR verifies that each required Unit 1 and Unit 2 SGT subsystem starts on receipt of an actual or simulated initiation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.2.5 overlaps this SR to provide complete testing of the safety function. This Surveillance can be performed with the reactor at power. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 41.

2. Unit 1 FSAR, Section 5.3.2.3. 3. Unit 2 FSAR, Section 6.2.4.

4. Unit 2 FSAR, Section 15.2. 5. Unit 2 FSAR, Section 15.3. 6. Technical Requirements Manual, Section 8.0.

7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHRSW System B 3.7.1 (continued) HATCH UNIT 2 B 3.7-2 REVISION 89 BASES (continued) APPLICABLE The RHRSW System removes heat from the suppression pool to limit SAFETY ANALYSES the suppression pool temperature and primary containment pressure following a LOCA. This ensures that the primary containment can perform its function of limiting the release of radioactive materials to the environment following a LOCA. The ability of the RHRSW System to support long term cooling of the reactor or primary containment is discussed in the FSAR, Subsections 9.2.7, 7.4.5, and Chapter 15 (Refs. 1, 2 and 3, respectively). These analyses explicitly assume that the RHRSW System will provide adequate cooling support to the equipment required for safe shutdown. These analyses include the evaluation of the long term primary containment response after a design basis LOCA. The safety analyses for long term cooling were performed for various combinations of RHR System failures. The worst case single failure that would affect the performance of the RHRSW System is any failure that would disable one subsystem of the RHRSW System. As discussed in the FSAR, Section 15.4.10.1.1 (Ref. 4) for these analyses, manual initiation of the OPERABLE RHRSW subsystem and the associated RHR System is assumed to occur 10 minutes after a DBA. The RHRSW flow required to support the assumed heat removal rate is 3750 gpm per pump with two pumps operating in one loop with up to 5% tubes plugged in the RHR heat exchanger. In this case, the maximum suppression chamber water temperature and pressure are approximately 207.5°F and 25.9 psig, respectively, well below the design temperature of 340°F and maximum allowable pressure of 62 psig. The RHRSW System satisfies Criterion 3 of the NRC Policy Statement (Ref. 5). LCO Two RHRSW subsystems are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power. An RHRSW subsystem is considered OPERABLE when: a. Two pumps are OPERABLE; and b. An OPERABLE flow path is capable of taking suction from the intake structure and transferring the water to the RHR heat exchangers at the assumed flow rate. Additionally, the RHRSW cross tie valves, both the motor-operated valves and the manual isolation valves (which allow the two RHRSW loops RHRSW System B 3.7.1 (continued) HATCH UNIT 2 B 3.7-3 REVISION 49 BASES LCO b. (continued)

to be connected) must be closed so that failure of one subsystem will not affect the OPERABILITY of the other subsystems. An adequate suction source is not addressed in this LCO since the minimum net positive suction head (59 ft mean sea level in the pump well) is bounded by the plant service water pump requirements (LCO 3.7.2, "Plant Service Water (PSW) System and Ultimate Heat Sink (UHS)"). APPLICABILITY In MODES 1, 2, and 3, the RHRSW System is required to be OPERABLE to support the OPERABILITY of the RHR System for primary containment cooling (LCO 3.6.2.3, "Residual Heat Removal (RHR) Suppression Pool Cooling," and LCO 3.6.2.4, "Residual Heat Removal (RHR) Suppression Pool Spray") and decay heat removal (LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown"). The Applicability is therefore consistent with the requirements of these systems. In MODES 4 and 5, the OPERABILITY requirements of the RHRSW System are determined by the systems it supports, and therefore, the requirements are not the same for all facets of operation in MODES 4 and 5. Thus, the LCOs of the RHR Shutdown Cooling System (LCO 3.4.8, "RHR Shutdown Cooling System - Cold Shutdown," LCO 3.9.7, "RHR - High Water Level," and LCO 3.9.8, "RHR - Low Water Level"), which require portions of the RHRSW System to be OPERABLE, will govern RHRSW System requirements during operation in MODES 4 and 5. ACTIONS A.1 With one RHRSW pump inoperable, the inoperable pump must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE RHRSW pumps are adequate to perform the RHRSW heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced RHRSW capability. The 30 day Completion Time is based on the remaining RHRSW heat removal RHRSW System B 3.7.1 (continued) HATCH UNIT 2 B 3.7-4 REVISION 55 BASES ACTIONS A.1 (continued) capability, including enhanced reliability afforded by manual cross connect capability, and the low probability of a DBA with concurrent worst case single failure. B.1 With one RHRSW pump inoperable in each subsystem, if no additional failures occur in the RHRSW System, and the two OPERABLE pumps are aligned by opening the normally closed cross tie valves (i.e., after an event requiring operation of the RHRSW System), then the remaining OPERABLE pumps and flow paths provide adequate heat removal capacity following a design basis LOCA. However, capability for this alignment is not assumed in long term containment response analysis and an additional single failure in the RHRSW System could reduce the system capacity below that assumed in the safety analysis. Therefore, continued operation is permitted only for a limited time. One inoperable pump is required to be restored to OPERABLE status within 7 days. The 7 day Completion Time for restoring one inoperable RHRSW pump to OPERABLE status is based on engineering judgment, considering the level of redundancy provided. C.1 Required Action C.1 is intended to handle the inoperability of one RHRSW subsystem for reasons other than Condition A. The Completion Time of 7 days is allowed to restore the RHRSW subsystem to OPERABLE status. With the unit in this condition, the remaining OPERABLE RHRSW subsystem is adequate to perform the RHRSW heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE RHRSW subsystem could result in loss of RHRSW function. The Completion Time is based on the redundant RHRSW capabilities afforded by the OPERABLE subsystem and the low probability of an event occurring requiring RHRSW during this period. RHRSW System B 3.7.1 (continued) HATCH UNIT 2 B 3.7-5 REVISION 49 BASES ACTIONS C.1 (continued) The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7 be entered and Required Actions taken if the inoperable RHRSW subsystem results in an inoperable RHR shutdown cooling subsystem. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components. D.1 With both RHRSW subsystems inoperable for reasons other than Condition B (e.g., both subsystems with inoperable flow paths, or one subsystem with an inoperable pump and one subsystem with an inoperable flow path), the RHRSW System is not capable of performing its intended function. At least one subsystem must be restored to OPERABLE status within 8 hours. The 8 hour Completion Time for restoring one RHRSW subsystem to OPERABLE status, is based on the Completion Times provided for the RHR suppression pool cooling and spray functions. The Required Action is modified by a Note indicating that the applicable Conditions of LCO 3.4.7 be entered and Required Actions taken if an inoperable RHRSW subsystem results in an inoperable RHR shutdown cooling subsystem. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for these components.

E.1 and E.2 If the RHRSW subsystems cannot be not restored to OPERABLE status within the associated Completion Times, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.1.1 REQUIREMENTS Verifying the correct alignment for each manual, power operated, and automatic valve in each RHRSW subsystem flow path provides RHRSW System B 3.7.1 HATCH UNIT 2 B 3.7-6 REVISION 89 BASES SURVEILLANCE SR 3.7.1.1 (continued) REQUIREMENTS assurance that the proper flow paths will exist for RHRSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be realigned to its accident position. This is acceptable because the RHRSW System is a manually initiated system. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Subsection 9.2.7. 2. FSAR, Subsection 7.4.5.

3. FSAR, Chapter 15. 4. FSAR, Section 15.4.10.1.1. 5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 6. GEH 0000-0126-6532-R1, "Ultimate Heat Sink Temperature Increase to 97°F Impact on DBA-LOCA Analysis and DW Equipment Qualification Analysis," June 2011.

PSW System and UHS B 3.7.2 (continued) HATCH UNIT 2 B 3.7-11 REVISION 82 BASES ACTIONS E.1 (continued) heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE PSW subsystem could result in loss of PSW function. The 72 hour Completion Time is based on the redundant PSW System capabilities afforded by the OPERABLE subsystem, the low probability of an accident occurring during this time period, and is consistent with the allowed Completion Time for restoring an inoperable DG. Required Action E.1 is modified by two Notes indicating that the applicable Conditions of LCO 3.8.1, "AC Sources - Operating," LCO 3.4.7, "Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown," be entered and Required Actions taken if the inoperable PSW subsystem results in an inoperable DG or RHR shutdown cooling subsystem, respectively. This is in accordance with LCO 3.0.6 and ensures the proper actions are taken for these components.

F.1 and F.2 If any Required Action and associated Completion Time of Condition A, B, C, D, or E cannot be met, or both PSW subsystems are inoperable for reasons other than Conditions C and D, or the UHS is determined inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.2.1 REQUIREMENTS This SR verifies the UHS is OPERABLE by ensuring the water level in the pump well of the intake structure to be sufficient for the proper operation of the PSW pumps (net positive suction head and pump vortexing are considered in determining this limit). In addition, if a temporary weir is in place, the river level must also correspond to a level in the pump well of the intake structure of 60.5 ft MSL with no weir in place. If the water level is > 61.7 ft MSL, there is sufficient PSW System and UHS B 3.7.2 (continued) HATCH UNIT 2 B 3.7-12 REVISION 82 BASES SURVEILLANCE SR 3.7.2.1 (continued) REQUIREMENTS margin to the minimum level requirement (60.5 ft MSL), so the Surveillance is only required to be performed in accordance with the Surveillance Frequency Control Program. However, if the level is 61.7 ft, the Surveillance must be performed more frequently (every 12 hours), since the conditions are closer to the minimum level limit. SR 3.7.2.2 Verifying the correct alignment for each manual, power operated, and automatic valve in each PSW subsystem flow path provides assurance that the proper flow paths will exist for PSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR is modified by a Note indicating that isolation of the PSW System to components or systems may render those components or systems inoperable, but does not affect the OPERABILITY of the PSW System. As such, when all PSW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the PSW System is still OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.2.3 This SR verifies that the automatic isolation valves of the PSW System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event. This is demonstrated by the use of an actual or simulated initiation signal. This SR also verifies the automatic start capability (on a LOCA or LOSP signal) of one of the two PSW pumps in each subsystem. PSW System and UHS B 3.7.2 HATCH UNIT 2 B 3.7-13 REVISION 79 BASES SURVEILLANCE SR 3.7.2.3 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 9.2.1.

2. FSAR, Chapter 6. 3. FSAR, Chapter 15.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

DG 1B SSW System B 3.7.3 (continued) HATCH UNIT 2 B 3.7-14 REVISION 0 B 3.7 PLANT SYSTEMS B 3.7.3 Diesel Generator (DG) 1B Standby Service Water (SSW) System

BASES BACKGROUND The DG 1B SSW System is designed to provide cooling water for the removal of heat from the DG 1B. DG 1B is the only component served by the DG 1B SSW System. The DG 1B SSW pump autostarts upon receipt of a DG start signal when power is available to the pump's electrical bus. Cooling water is pumped from the Altamaha River by the DG 1B SSW pump to the essential DG components through the SSW supply header. After removing heat from the components, the water is discharged to the plant service water (PSW) discharge header. The capability exists to manually cross connect the PSW System to supply cooling to the DG 1B during times when the SSW pump is inoperable. A complete description of the DG 1B SSW System is presented in the FSAR, Section 9.2.1 (Ref. 1).

APPLICABLE The ability of the DG 1B SSW System to provide adequate cooling to SAFETY ANALYSES the DG 1B is an implicit assumption for the safety analyses presented in the FSAR, Chapters 6 and 15 (Refs. 2 and 3, respectively). The ability to provide onsite emergency AC power is dependent on the ability of the DG 1B SSW System to cool the DG 1B. The DG 1B SSW System satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The OPERABILITY of the DG 1B SSW System is required to provide a coolant source to ensure effective operation of the DG 1B in the event of an accident or transient. The OPERABILITY of the DG 1B SSW System is based on having an OPERABLE pump and an OPERABLE flow path. An adequate suction source is not addressed in this LCO since the minimum net positive suction head of the DG 1B SSW pump is bounded by the PSW requirements [LCO 3.7.2, "Plant Service Water (PSW) System and Ultimate Heat Sink (UHS)"]. DG 1B SSW System B 3.7.3 (continued) HATCH UNIT 2 B 3.7-15 REVISION 0 BASES (continued) APPLICABILITY The requirements for OPERABILITY of the DG 1B SSW System are governed by the required OPERABILITY of the DG 1B (LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown").

ACTIONS A.1, A.2, and A.3 The Required Actions are modified by a Note indicating that the LCO 3.0.4 does not apply. As a result, a MODE change is allowed when the DG 1B SSW System is inoperable, provided the DG 1B has an adequate cooling water supply from the Unit 1 PSW. If the DG 1B SSW System is inoperable, the OPERABILITY of the DG 1B is affected due to loss of its cooling source; however, the capability exists to provide cooling to DG 1B from the PSW System of Unit 1. Continued operation is allowed for 60 days if the OPERABILITY of a Unit 1 PSW System, with respect to its capability to provide cooling to the DG 1B, can be verified. This is accomplished by aligning cooling water to DG 1B from the Unit 1 PSW System within 8 hours and verifying this lineup once every 31 days. The 8 hour Completion Time is based on the time required to reasonably complete the Required Action, and the low probability of an event occurring requiring DG 1B during this period. The 31 day verification of the Unit 1 PSW lineup to the DG 1B is consistent with the PSW valve lineup SR. The 60 day Completion Time to restore the DG 1B SSW System to OPERABLE status allows sufficient time to repair the system, yet prevents indefinite operation with cooling water provided from the Unit 1 PSW System.

B.1 If cooling water cannot be made available to the DG 1B within the 8 hour Completion Time, or if cooling water cannot be verified to be aligned to DG 1B from a Unit 1 PSW subsystem as required by the 31 day verification Required Action, the DG 1B cannot perform its intended function and must be immediately declared inoperable. In accordance with LCO 3.0.6, this also requires entering into the Applicable Conditions and Required Actions for LCO 3.8.1 or LCO 3.8.2. Additionally, if the DG 1B SSW System is not restored to OPERABLE status within 60 days, DG 1B must be immediately declared inoperable. DG 1B SSW System B 3.7.3 HATCH UNIT 2 B 3.7-16 REVISION 79 BASES (continued) SURVEILLANCE SR 3.7.3.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the DG 1B SSW System flow path provides assurance that the proper flow paths will exist for DG 1B SSW System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet be considered in the correct position provided it can be automatically realigned to its accident position, within the required time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.3.2 This SR ensures that the DG 1B SSW System pump will automatically start to provide required cooling to the DG 1B when the DG 1B starts and the respective bus is energized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 9.2.1.

2. FSAR, Chapter 6.

3. FSAR, Chapter 15.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-18 REVISION 84 BASES BACKGROUND taken in at the normal ventilation intake and is mixed with the (continued) recirculated air before being passed through one of the charcoal adsorber filter subsystems for removal of airborne radioactive particles and gaseous iodines. The MCREC System is designed to maintain a habitable environment in the CRE for a 30 day continuous occupancy after a DBA without exceeding 5 rem total effective dose equivalent (TEDE). A single MCREC subsystem operating at a subsystem flow rate of 2750 cfm and an outside air flow rate of 400 cfm will pressurize the CRE to 0.1 inches water gauge relative to external areas adjacent to the CRE boundary to minimize infiltration of air from all surrounding areas adjacent to the CRE boundary. MCREC System operation in maintaining CRE habitability is discussed in the FSAR, Sections 6.4 and 9.4.1, (Refs. 1 and 2, respectively). APPLICABLE The ability of the MCREC System to maintain the habitability of the SAFETY ANALYSES CRE is an explicit assumption for the safety analyses presented in the FSAR, Chapters 6 and 15 (Refs. 3 and 4, respectively). The pressurization mode of the MCREC System is assumed to operate following a DBA, as discussed in the FSAR, Section 6.4.1.2.2 (Ref. 5). The radiological doses to the CRE occupants as a result of the various DBAs are summarized in Reference 6. No single active or passive failure will cause the loss of outside air or recirculated air from the CRE. The MCREC System provides protection from smoke and hazardous chemicals to the CRE occupants. The evaluation of hazardous chemical releases demonstrates that the toxicity limits are not exceeded in the CRE following a hazardous chemical release (Ref. 12). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels (Ref. 2). The MCREC System satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). LCO Two redundant subsystems of the MCREC System are required to be OPERABLE to ensure that at least one is available, if a single active failure disables the other subsystem. Total MCREC System failure, such as from a loss of both ventilation subsystems or from an inoperable CRE boundary, could result in exceeding a dose of 5 rem MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-19 REVISION 84 BASES LCO TEDE to the CRE occupants in the event of a DBA. (continued) Each MCREC subsystem is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE. A subsystem is considered OPERABLE when its associated:

a. Filter booster fan is OPERABLE; b. HEPA filter and charcoal adsorbers are not excessively restricting flow and are capable of performing their filtration functions; c. Associated ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained;

d. One AHU fan is OPERABLE, and either operating or having its control switch in "Standby" with OPERABLE automatic start capability; and

e. Associated AHU cooling coils, water cooled condensing units, refrigerant compressors, and associated instrumentation and controls to ensure loop seal is maintained.

OPERABILITY of two MCREC subsystems entails satisfying the requirements listed above for each subsystem and, in addition, satisfying other limitations on AHU fan OPERABILITY. For both MCREC subsystems to be OPERABLE, the two required AHU fans must be independently powered; i.e., one fan via 1R24-S002 and one fan via 1R24-S003. (Note that AHU C is treated as powered from 1R24-S002 or S003, depending upon the source of power for 1R24-S029.) Furthermore, with one of the two required AHU fans inoperable (i.e., not independently powered, or not operating or capable of automatic start), one MCREC subsystem shall be declared inoperable. However, the inoperability may be assigned to either MCREC subsystem. OPERABILITY details for various configurations are outlined in the Technical Requirements Manual (TRM) (Ref. 8), Section 2.0. In order for the MCREC subsystems to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke. MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-20 REVISION 84 BASES LCO The LCO is modified by a Note allowing the CRE boundary to be (continued) opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated. Each of the main control room exhaust fan ducts is equipped with only one isolation damper (1Z41-F018A/B). During normal system operation, the dampers are maintained closed. However, when an exhaust fan is operated and its associated damper is opened, a single failure could prevent isolation of that penetration and adversely impact main control room habitability. Consequently, when a MCREC system exhaust fan (1Z41-C011A/B) is operated or its associated damper (1Z41-F018A/B) is opened, one of the two MCREC subsystems must be declared inoperable. Optional allowances for inoperable subsystems do not preclude changing the declared inoperable subsystem to best accommodate other plant circumstances; e.g., inoperable diesel generators, Safety Function Determination Program. However, in these instances, the Condition for one inoperable MCREC subsystem shall not be evaluated for Completion Time extensions, in accordance with Section 1.3. APPLICABILITY In MODES 1, 2, and 3, the MCREC System must be OPERABLE to ensure that the CRE will remain habitable during and following a DBA, since the DBA could lead to a fission product release. In MODES 4 and 5, the probability and consequences of a DBA are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining the MCREC System OPERABLE is not required in MODE 4 or 5, except for the following situations under which significant radioactive releases can be postulated:

a. During movement of irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3;

b. During CORE ALTERATIONS; and MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-21 REVISION 84 BASES APPLICABILITY c. During operations with potential for draining the reactor (continued) vessel (OPDRVs).

ACTIONS A.1 With one MCREC subsystem inoperable, for reasons other than an inoperable CRE boundary, the inoperable MCREC subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE MCREC subsystem is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE subsystem could result in loss of the MCREC System function. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining subsystem can provide the required capabilities. B.1, B.2, and B.3 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of DBA consequences (allowed to be up to 5 rem TEDE), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days. During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke, in accordance with the Control Room Habitability Program. Actions must be taken within 24 hours to verify that in the event of a DBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of DBA consequences, and that CRE occupants are protected form hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-22 REVISION 84 BASES ACTIONS B.1, B.2, and B.3 (continued) probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a DBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary. C.1 and C.2 In MODE 1, 2, or 3, if the inoperable MCREC subsystem or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. D.1, D.2.1, D.2.2, and D.2.3 The Required Actions of Condition D are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if the inoperable MCREC subsystem cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE MCREC subsystem may be placed in the pressurization mode. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent automatic actuation have occurred, and that any active failure will be readily detected. An alternative to Required Action D.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-23 REVISION 84 BASES ACTIONS D.1, D.2.1, D.2.2, and D.2.3 (continued) immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and the subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. E.1 If both MCREC subsystems are inoperable in MODE 1, 2, or 3 for reasons other than an inoperable CRE boundary (i.e., Condition B), the MCREC System may not be capable of performing the intended function and the unit is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

F.1, F.2, and F.3 The Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, with two MCREC subsystems inoperable or with one or more MCREC subsystems inoperable due to an inoperable CRE boundary, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. If applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-24a REVISION 84 BASES (continued) SURVEILLANCE SR 3.7.4.1 REQUIREMENTS This SR verifies that a subsystem in a standby mode starts on demand and continues to operate. Standby systems should be checked periodically to ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every 31 days provides an adequate check on this system. Since the MCREC System does not have heaters, each subsystem need only be operated for 15 minutes to demonstrate the function of the subsystem. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.4.2 This SR verifies that the required MCREC testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test Frequencies and additional information are discussed in detail in the VFTP. SR 3.7.4.3 This SR verifies that on an actual or simulated initiation signal, each MCREC subsystem starts and operates. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.7.1.4 overlaps this SR to provide complete testing of the safety function. This Surveillance can be performed with the reactor at power. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.4.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program. The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of DBA MCREC System B 3.7.4 (continued) HATCH UNIT 2 B 3.7-24b REVISION 84 BASES SURVEILLANCE SR 3.7.4.4 (continued) REQUIREMENTS consequences is not more than 5 rem TEDE and the CRE occupants are protected from hazardous chemicals and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of DBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered. Required Actrion B.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2.7.3, (Ref. 9) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 10). These compensatory measures may also be used as mitigating actions as required by Required Action B.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 11). Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis DBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status. REFERENCES 1. FSAR, Section 6.4.

2. FSAR, Section 9.4.1.

3. FSAR, Chapter 6.

4. FSAR, Chapter 15.

5. FSAR, Section 6.4.1.2.2.

6. FSAR, Table 15.1-28.

7. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

8. Technical Requirements Manual, Table T2.1-1. 9. Regulatory Guide 1.196.

10. NEI 99-03, "Control Room Habitability Assessment," June 2001.

Control Room AC System B 3.7.5 (continued) HATCH UNIT 2 B 3.7-25 REVISION 1 B 3.7 PLANT SYSTEMS

B 3.7.5 Control Room Air Conditioning (AC) System

BASES BACKGROUND The Control Room AC portion of the Main Control Room Environment Control System (hereafter referred to as the Control Room AC System) provides temperature control for the control room following isolation of the control room. The Control Room AC System consists of three 50% capacity subsystems that provide cooling and heating of control room supply air. Each subsystem consists of an air handling unit (AHU) (i.e., cooling coils and fan), water cooled condensing units, refrigerant compressors, ductwork, dampers, and instrumentation and controls to provide for control room temperature control. The condensing units receive cooling water from the Plant Service Water System. The Control Room AC System is designed to provide a controlled environment under both normal and accident conditions. Two subsystems provide the required temperature control to maintain a suitable control room environment for a sustained occupancy of 14 persons. The design conditions for the control room environment are 72-79°F and < 75% relative humidity. The Control Room AC System operation in maintaining the control room temperature is discussed in the FSAR, Sections 6.4 and 9.4.1 (Ref. 1). APPLICABLE The design basis of the Control Room AC System is to maintain the SAFETY ANALYSES control room temperature for a 30 day continuous occupancy. The Control Room AC System components are arranged in three 50% capacity safety related subsystems. During emergency operation, the Control Room AC System maintains a habitable environment and ensures the OPERABILITY of components in the control room. A single failure of a component of the Control Room AC System, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control. The Control Room AC System is designed in accordance with Seismic Category I requirements. The Control Room AC System is capable of removing sensible and latent heat loads from the control room, including consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY. Control Room AC System B 3.7.5 (continued) HATCH UNIT 2 B 3.7-26 REVISION 45 BASES APPLICABLE The Control Room AC System satisfies Criterion 3 of the NRC Policy SAFETY ANALYSES Statement (Ref. 2).

(continued)   LCO  Three 50% capacity subsystems of the Control Room AC System are required to be OPERABLE to ensure that at least two are available, assuming a single failure disables one of the subsystems. Total system failure could result in the equipment operating temperature exceeding limits.

The Control Room AC System is considered OPERABLE when the individual components necessary to maintain the control room temperature are OPERABLE in both subsystems. These components include the AHU cooling coils, AHU fans, water cooled condensing units, refrigerant compressors, ductwork, dampers, and associated instrumentation and controls sufficient to assure manual or automatic operation of the system. OPERABILITY details for various configurations are outlined in Technical Requirements Manual (TRM) (Ref. 3), Section 2.0. It is permissible to provide cooling water from either Unit 1 PSW or Unit 2 PSW. During operation in MODE 1, 2 or 3, when either unit's PSW System is supplying the cooling water to a Control Room AC subsystem, the Control Room AC System OPERABILITY requirements also include the applicable PSW subsystem. Under these conditions, one PSW pump per PSW subsystem is required to supply adequate cooling water to its respective Control Room AC subsystem(s). In addition, during conditions in MODES other than MODES 1, 2, and 3 when the Control Room AC System is required to be OPERABLE (e.g., during CORE ALTERATIONS), the necessary portions of either unit's PSW System and the Ultimate Heat sink are part of the OPERABILITY requirements covered by this LCO. As described above, one PSW pump per PSW subsystem, is adequate to supply cooling water to its respective Control Room AC subsystem(s). APPLICABILITY In MODE 1, 2, or 3, the Control Room AC System must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY or Control Room habitability limits. In MODES 4 and 5, the probability and consequences of a Design Basis Accident are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the Control Control Room AC System B 3.7.5 (continued) HATCH UNIT 2 B 3.7-27 REVISION 86 BASES APPLICABILITY Room AC System OPERABLE is not required in MODE 4 or 5, except (continued) for the following situations under which significant radioactive releases can be postulated: a. During movement of irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3;

b. During CORE ALTERATIONS; and c. During operations with a potential for draining the reactor vessel (OPDRVs). ACTIONS A.1 With one control room AC subsystem inoperable, the inoperable control room AC subsystem must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE control room AC subsystems are adequate to perform the control room air conditioning function. However, the overall reliability is reduced because a single failure in an OPERABLE subsystem could result in loss of the control room air conditioning function. The 30 day Completion Time is based on the low probability of an event occurring requiring control room isolation, the consideration that the remaining subsystems can provide the required protection.

B.1 and B.2 With two control room AC subsystems inoperable, the Control Room AC System may not be capable of performing its intended function. Therefore, the control room area temperature is required to be monitored to ensure that temperature is being maintained such that equipment in the control room is not adversely affected. With the control room temperature being maintained within the temperature limit, 7 days is allowed to restore a Control Room AC subsystem to OPERABLE status. This Completion time is reasonable considering that the control room temperature is being maintained within limits, the availability of the remaining OPERABLE control room AC subsystem, and the low probability of an event occurring requiring control room isolation. Alternate methods of maintaining control room temperature, such as non-safety grade air conditioning systems or fans, can also be used to maintain control room temperature.

Control Room AC System B 3.7.5 (continued) HATCH UNIT 2 B 3.7-28 REVISION 86 BASES ACTIONS C.1 and C.2 (continued) With three control room AC subsystems inoperable, the Control Room AC System may not be capable of performing its intended function. Therefore, the control room area temperature is required to be monitored to ensure that temperature is being maintained such that equipment in the control room is not adversely affected. With the control room temperature being maintained within the temperature limit, 72 hours is allowed to restore a Control Room AC subsystem to OPERABLE status. This Completion time is reasonable considering that the control room temperature is being maintained within limits and the low probability of an event occurring requiring control room isolation. Alternate methods of maintaining control room temperature, such as non-safety grade air conditioning systems or fans, can also be used to maintain control room temperature.

D.1 and D.2 In MODE 1, 2, or 3, with any Required Action and associated Completion Time of Condition A, B or C not met, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1, E.2.1, E.2.2, and E.2.3 The Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if Required Action and associated Completion Time for Condition A is not met, the OPERABLE control room AC subsystems may be placed immediately in operation. This action ensures that the remaining subsystems are OPERABLE, that no failures that would prevent actuation will occur, and that any active failure will be readily detected. Control Room AC System B 3.7.5 (continued) HATCH UNIT 2 B 3.7-29 REVISION 86 BASES ACTIONS E.1, E.2.1, E.2.2, and E.2.3 (continued) An alternative to Required Action E.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the control room. This places the unit in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. F.1, F.2, and F.3 The Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown. During movement of irradiated fuel assemblies in the secondary containment, during CORE ALTERATIONS, or during OPDRVs, if Required Actions B.1 and B.2 or Required Actions C.1 and C.2 cannot be met within the required Completion Times, action must be taken to immediately suspend activities that present a potential for releasing radioactivity that might require protection of the control room operators. This places the unit in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately. Suspension of these activities shall not preclude completion of movement of a component to a safe position. Also, if applicable, action must be initiated immediately to suspend OPDRVs to minimize the probability of a vessel draindown and subsequent potential for fission product release. Actions must continue until the OPDRVs are suspended. Control Room AC System B 3.7.5 HATCH UNIT 2 B 3.7-30 REVISION 86 BASES SURVEILLANCE SR 3.7.5.1 REQUIREMENTS This SR verifies that the heat removal capability of the system is sufficient to remove the control room heat load assumed in the safety analysis. The SR consists of a combination of testing and calculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Sections 6.4 and 9.4.1.

2. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. 3. Technical Requirements Manual, Table T2.1-1.

Main Condenser Offgas B 3.7.6 (continued) HATCH UNIT 2 B 3.7-31 REVISION 74 B 3.7 PLANT SYSTEMS B 3.7.6 Main Condenser Offgas

BASES BACKGROUND During unit operation, steam from the low pressure turbine is exhausted directly into the condenser. Air and noncondensable gases are collected in the condenser, then exhausted through the steam jet air ejectors (SJAEs) to the Main Condenser Offgas System. The offgas from the main condenser normally includes radioactive gases. The Main Condenser Offgas System has been incorporated into the unit design to reduce the gaseous radwaste emission. This system uses a catalytic recombiner to recombine radiolytically dissociated hydrogen and oxygen. The gaseous mixture is cooled by the offgas condenser; the water and condensables are stripped out by the offgas condenser and moisture separator. The radioactivity of the remaining gaseous mixture (i.e., the offgas recombiner effluent) is monitored downstream of the moisture separator prior to entering the holdup line. APPLICABLE The main condenser offgas gross gamma activity rate is an SAFETY ANALYSES initial condition of the Main Condenser Offgas System failure event, discussed in the FSAR, Sections 11.3 and 15.1.35 (Ref. 1). The analysis assumes a gross failure in the Main Condenser Offgas System that results in the rupture of the Main Condenser Offgas System pressure boundary. The gross gamma activity rate is controlled to ensure that, during the event, the calculated offsite doses will be well within the limits of 10 CFR 50.67 (Ref. 2). The main condenser offgas limits satisfy Criterion 2 of the NRC Policy Statement (Ref. 3). LCO To ensure compliance with the assumptions of the Main Condenser Offgas System failure event (Ref. 1), the fission product release rate should be consistent with a noble gas release to the reactor coolant of 100 µCi/MWt-second after decay of 30 minutes. This LCO is established consistent with this requirement (2436 MWt x 100 µCi/MWt-second = 240 mCi/second). The 240 mCi/second limit is conservative for a rated core thermal power of 2804 MWt.

Main Condenser Offgas B 3.7.6 (continued) HATCH UNIT 2 B 3.7-32 REVISION 21 BASES (continued) APPLICABILITY The LCO is applicable when steam is being exhausted to the main condenser and the resulting noncondensables are being processed via the Main Condenser Offgas System. This occurs during MODE 1, and during MODES 2 and 3 with any main steam line not isolated and the SJAE in operation. In MODES 4 and 5, steam is not being exhausted to the main condenser and the requirements are not applicable. ACTIONS A.1 If the offgas radioactivity rate limit is exceeded, 72 hours is allowed to restore the gross gamma activity rate to within the limit. The 72 hour Completion Time is reasonable, based on engineering judgment, the time required to complete the Required Action, the large margins associated with permissible dose and exposure limits, and the low probability of a Main Condenser Offgas System rupture.

B.1, B.2, B.3.1, and B.3.2 If the gross gamma activity rate is not restored to within the limits in the associated Completion Time, all main steam lines or the SJAE must be isolated. This isolates the Main Condenser Offgas System from the source of the radioactive steam. The main steam lines are considered isolated if at least one main steam isolation valve in each main steam line is closed, and at least one main steam line drain valve in the drain line is closed. The 12 hour Completion Time is reasonable, based on operating experience, to perform the actions from full power conditions in an orderly manner and without challenging unit systems. An alternative to Required Actions B.1 and B.2 is to place the unit in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. Main Condenser Offgas B 3.7.6 HATCH UNIT 2 B 3.7-33 REVISION 79 BASES (continued) SURVEILLANCE SR 3.7.6.1 REQUIREMENTS This SR requires an isotopic analysis of an offgas sample to ensure that the required limits are satisfied. The noble gases to be sampled are Xe-133, Xe-135, Xe-138, Kr-85m, Kr-87, and Kr-88. If the measured rate of radioactivity increases significantly (by 50% after correcting for expected increases due to changes in THERMAL POWER), an isotopic analysis is also performed within 4 hours after the increase is noted, to ensure that the increase is not indicative of a sustained increase in the radioactivity rate. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note indicating that the SR is not required to be performed until 31 days after any main steam line is not isolated and the SJAE is in operation. Only in this condition can radioactive fission gases be in the Main Condenser Offgas System at significant rates. REFERENCES 1. FSAR, Sections 11.3 and 15.1.35.

2. 10 CFR 50.67.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Main Turbine Bypass System B 3.7.7 (continued) HATCH UNIT 2 B 3.7-34 REVISION 21 B 3.7 PLANT SYSTEMS

B 3.7.7 Main Turbine Bypass System

BASES BACKGROUND The Main Turbine Bypass System is designed to control steam pressure when reactor steam generation exceeds turbine requirements during unit startup, sudden load reduction, and cooldown. It allows excess steam flow from the reactor to the condenser without going through the turbine. The bypass capacity of the system is approximately 21% of the turbine design steam flow. Sudden load reductions within the capacity of the steam bypass can be accommodated without reactor scram. The Main Turbine Bypass System consists of three valves connected to the main steam lines between the main steam isolation valves and the turbine stop valves. Each of these three valves is operated by hydraulic cylinders. The bypass valves are controlled by the pressure regulation function of the Turbine Electrohydraulic Control System, as discussed in the FSAR, Section 7.7.4 (Ref. 1). The bypass valves are normally closed, and the pressure regulator controls the turbine control valves that direct all steam flow to the turbine. If the speed governor or the load limiter restricts steam flow to the turbine, the pressure regulator controls the system pressure by opening the bypass valves. When the bypass valves open, the steam flows from the bypass chest, through connecting piping, to the pressure breakdown assemblies, where a series of orifices are used to further reduce the steam pressure before the steam enters the condenser. APPLICABLE The Main Turbine Bypass System is assumed to function during SAFETY ANALYSES the feedwater controller failure to maximum flow demand as discussed in the FSAR, Section 15.1.7 (Ref. 2). Opening the bypass valves during the pressurization event (subsequent to the resulting main turbine trip) mitigates the increase in reactor vessel pressure, which affects the MCPR during the event. An inoperable Main Turbine Bypass System may result in an MCPR penalty. The Main Turbine Bypass System satisfies Criterion 3 of the NRC Policy Statement (Ref. 4).

Main Turbine Bypass System B 3.7.7 (continued) HATCH UNIT 2 B 3.7-35 REVISION 42 BASES (continued) LCO The Main Turbine Bypass System is required to be OPERABLE to limit peak pressure in the main steam lines and maintain reactor pressure within acceptable limits during events that cause rapid pressurization, so that the Safety Limit MCPR is not exceeded. With the Main Turbine Bypass System inoperable, modifications to the MCPR limits [LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)"] may be applied to allow this LCO to be met. The MCPR limit for the inoperable Main Turbine Bypass System is specified in the COLR. An OPERABLE Main Turbine Bypass System requires the bypass valves to open in response to increasing main steam line pressure. This response is within the assumptions of the applicable analysis (Ref. 2). APPLICABILITY The Main Turbine Bypass System is required to be OPERABLE at 24% RTP to ensure that the fuel cladding integrity Safety Limit and the cladding 1% plastic strain limit are not violated during the feedwater controller failure to maximum flow demand transient. As discussed in the Bases for LCO 3.2.1, "AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)," and LCO 3.2.2, sufficient margin to these limits exists at < 24% RTP. Therefore, these requirements are only necessary when operating at or above this power level. ACTIONS A.1 If the Main Turbine Bypass System is inoperable (one or more bypass valves inoperable), or the MCPR limits for an inoperable Main Turbine Bypass System, as specified in the COLR, are not applied, the assumptions of the design basis transient analysis may not be met. Under such circumstances, prompt action should be taken to restore the Main Turbine Bypass System to OPERABLE status or adjust the MCPR limits accordingly. The 2 hour Completion Time is reasonable, based on the time to complete the Required Action and the low probability of an event occurring during this period requiring the Main Turbine Bypass System. B.1 If the Main Turbine Bypass System cannot be restored to OPERABLE status or the MCPR limits for an inoperable Main Turbine Bypass System are not applied, THERMAL POWER must be reduced to Main Turbine Bypass System B 3.7.7 (continued) HATCH UNIT 2 B 3.7-36 REVISION 79 BASES ACTIONS B.1 (continued) < 24% RTP. As discussed in the Applicability section, operation at < 24% RTP results in sufficient margin to the required limits, and the Main Turbine Bypass System is not required to protect fuel integrity during the turbine generator load rejection transient. The 4 hour Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE SR 3.7.7.1 REQUIREMENTS Cycling each main turbine bypass valve through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and will function when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.7.2 The Main Turbine Bypass System is required to actuate automatically to perform its design function. This SR demonstrates that, with the required system initiation signals, the valves will actuate to their required position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.7.7.3 This SR ensures that the TURBINE BYPASS SYSTEM RESPONSE TIME is in compliance with the assumptions of the appropriate safety analysis. The response time limits are specified in Technical Requirements Manual (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Main Turbine Bypass System B 3.7.7 HATCH UNIT 2 B 3.7-37 REVISION 79 BASES REFERENCES 1. FSAR, Section 7.7.4.

2. FSAR, Section 15.1.7.

3. Technical Requirements Manual, Table T5.0-1. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Spent Fuel Storage Pool Water Level B 3.7.8 (continued) HATCH UNIT 2 B 3.7-38 REVISION 74 B 3.7 PLANT SYSTEMS B 3.7.8 Spent Fuel Storage Pool Water Level

BASES BACKGROUND The minimum water level in the spent fuel storage pool meets the assumptions of iodine decontamination factors following a fuel handling accident. A general description of the spent fuel storage pool design is found in the FSAR, Section 9.1.2 (Ref. 1). The assumptions of the fuel handling accident in the spent fuel storage pool are found in Reference 2. APPLICABLE The water level above the irradiated fuel assemblies is an explicit SAFETY ANALYSES assumption of the fuel handling accident; the point from which the water level is measured is shown in Figure B 3.5.2-1. A fuel handling accident in the spent fuel storage pool was evaluated (Ref. 2) and ensured that the radiological dose consequences were well within the 10 CFR 50.67 limits (Ref. 3) and met the exposure guidelines of Regulatory Guide 1.183 (Ref. 5). A fuel handling accident could release a fraction of the fission product inventory by breaching the fuel rod cladding as discussed in the Regulatory Guide 1.183 (Ref. 5). The fuel handling accident is evaluated for the dropping of an irradiated fuel assembly onto the spent fuel storage pool racks (Ref. 2). The water level in the spent fuel storage pool provides for absorption of water soluble fission product gases and transport delays of soluble and insoluble gases that must pass through the water before being released to the secondary containment atmosphere. This absorption and transport delay reduces the potential radioactivity of the release during a fuel handling accident. The spent fuel storage pool water level satisfies Criterion 2 of the NRC Policy Statement (Ref. 6). LCO The specified water level preserves the assumptions of the fuel handling accident analysis (Ref. 2). As such, it is the minimum required for fuel movement within the spent fuel storage pool. Spent Fuel Storage Pool Water Level B 3.7.8 (continued) HATCH UNIT 2 B 3.7-39 REVISION 79 BASES (continued) APPLICABILITY This LCO applies during movement of irradiated fuel assemblies in the spent fuel storage pool since the potential for a release of fission products exists.

ACTIONS A.1 Required Action A.1 is modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require a reactor shutdown. When the initial conditions for an accident cannot be met, action must be taken to preclude the accident from occurring. If the spent fuel storage pool level is less than required, the movement of irradiated fuel assemblies in the spent fuel storage pool is suspended immediately. Suspension of this activity shall not preclude completion of movement of an irradiated fuel assembly to a safe position. This effectively precludes a spent fuel handling accident from occurring. SURVEILLANCE SR 3.7.8.1 REQUIREMENTS This SR verifies that sufficient water is available in the event of a fuel handling accident. The water level in the spent fuel storage pool must be checked periodically. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 9.1.2.

2. FSAR, Section 15.3.

3. 10 CFR 50.67. 4. Deleted.

Spent Fuel Storage Pool Water Level B 3.7.8 HATCH UNIT 2 B 3.7-40 REVISION 74 BASES REFERENCES 5. Regulatory Guide 1.183, July 2000. (continued)

6. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 2 B 3.7-41 REVISION 74 B 3.7 PLANT SYSTEMS B 3.7.9 Turbine Building Ventilation (TB HVAC) Exhaust System Fans

BASES BACKGROUND The control room, as part of the control building, is housed within the Units 1 and 2 turbine building structure. As part of the revised design basis accident (DBA) radiological dose analyses implementing Alternative Source Term (AST), the Units 1 and 2 TB HVAC exhaust system fans are credited to mitigate radiological doses to control room personnel. One of the four TB HVAC exhaust system fans is credited with purging the area around the control room to reduce the activity available for leakage into the control room following a loss of coolant accident, main steam line break, or control rod drop accident. The TB HVAC system was originally designed to support power generation and was not considered an engineered safety feature (ESF) system. The primary power generation design function of the TB HVAC system, consisting of supply and exhaust systems, is to provide air movement for temperature and airborne radioactivity control. To accomplish the power generation design function the TB HVAC system runs continuously during normal plant operation. As part of the implementation of AST, the TB HVAC exhaust system fans (without reliance on the TB HVAC supply system) are credited with performing an ESF design function of mitigating the consequences of the referenced DBAs by purging the activity available for leakage into the control room post-accident. For each unit, air is exhausted from the turbine building by a duct system to the outside environment via the reactor building vent plenum by one of two exhaust fans. The exhaust from the turbine building passes through two 50% capacity filter trains, per unit, but the filtering function is not credited. One of the two 100% capacity exhaust fans per unit runs continuously during normal plant operation. If the operating exhaust fan fails, the standby exhaust fan starts automatically. To accomplish the AST credited purge function post-accident, one of the four TB HVAC exhaust system fans is sufficient to deliver the credited purge flow. The single fan flow capacity necessary to support the original TB HVAC system power generation design functions bounds the AST credited purge flow. The AST dose analyses assume that the turbine building purge flow is manually initiated within 9 hours of the start of the 3 applicable DBAs. This assumption allows time for restarting at least one exhaust fan post-accident following a concurrent loss of offsite power. AST does not take credit for filtration by the TB HVAC exhaust system filter trains. Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 2 B 3.7-42 REVISION 74 BASES BACKGROUND In support of crediting a single TB HVAC exhaust system fan for purge (continued) flow post-accident, the TB HVAC exhaust systems have been enhanced as follows. To assure that no single failure exists that would preclude the operation of one fan, two fans are required (one fan from each unit). The TB HVAC exhaust systems and the motor control center panels utilized for the normal non-Class 1E power source for the TB HVAC exhaust systems have been seismically verified to be able to support the purge function following a Hatch design basis earthquake. Finally, in the unlikely event that the normal power supply for the TB HVAC exhaust fan systems cannot be restored prior to 9 hours post-accident with a concurrent loss of offsite power, each of the TB HVAC exhaust fans can be powered, one at a time per unit, via manual transfer switches from an essential motor control center (one essential motor control center per unit) that can receive power from an emergency diesel generator. APPLICABLE The TB HVAC exhaust system fans support maintaining the SAFETY ANALYSES habitability of the control room by purging the area around the control room to reduce the activity available for leakage into the control room following a loss of coolant accident, main steam line break, or control rod drop accident. The TB HVAC exhaust systems are described in Unit 1 FSAR section 10.9.3.4 (Ref. 1) and Unit 2 FSAR section 9.4.4 (Ref. 2). The dose mitigation function of the TB HVAC exhaust systems, specifically crediting purge flow starting 9 hours after the applicable DBAs, is documented in the Unit 1 and 2 safety analysis in Unit 2 FSAR chapter 15 (Ref. 3). The radiological doses to control room personnel as a result of the various DBAs are also documented in Unit 2 FSAR chapter 15 (Ref. 3). No single failure will cause the loss of the credited turbine building purge function. The TB HVAC exhaust system fans satisfy Criterion 3 of the NRC Policy Statement. LCO One Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan must be OPERABLE to ensure that at least one is available, assuming a single failure disables the other system. Inability to implement the turbine building purge function could result in exceeding a dose of 5 rem to the control room operators in the event of a loss of coolant accident, main steam line break, or control rod drop accident. Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 2 B 3.7-43 REVISION 74 BASES LCO One Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC (continued) exhaust system fan are considered OPERABLE when the individual components necessary to control operator exposure are OPERABLE in both systems. Each unit's required TB HVAC exhaust system fan is considered OPERABLE when its associated:

a. One of the two available exhaust fans is OPERABLE,

b. Prefilters, carbon adsorbers, and high efficiency particulate air (HEPA) filters are not excessively restricting flow, c. Associated ductwork and dampers are OPERABLE, and exhaust flow can be maintained, and d. Alternate power supply (from essential motor control centers) and associated manual transfer switches are OPERABLE. OPERABILITY of one Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan entails satisfying the requirements listed above for each unit's TB HVAC exhaust system fan. For both units' TB HVAC exhaust system fans to be OPERABLE, the two required exhaust fans must be independently powered.

APPLICABILITY In MODES 1, 2, and 3, one Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan must be OPERABLE to control operator exposure during and following a DBA which could lead to a fission product release in the turbine building. In MODES 4 and 5, the probability and consequences of a DBA with a fission product release in the turbine building are reduced because of the pressure and temperature limitations in these MODES. Therefore, maintaining one Unit 1 TB HVAC exhaust system fan and one Unit 2 TB HVAC exhaust system fan OPERABLE is not required in MODE 4 or 5. ACTIONS A.1 With one unit's required TB HVAC exhaust system fan inoperable, an inoperable TB HVAC exhaust system fan must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE TB HVAC exhaust system fan is adequate to perform the turbine building purge function. However, the overall reliability is reduced because a single failure related to the OPERABLE Turbine Building Ventilation Exhaust System Fans B 3.7.9 (continued) HATCH UNIT 2 B 3.7-44 REVISION 74 BASES ACTIONS A.1 (continued) TB HVAC exhaust system fan could result in reduced turbine building purge capability. The 7 day Completion Time is based on the low probability of a DBA occurring during this time period, and that the remaining OPERABLE TB HVAC exhaust system fan can provide the required capabilities. B.1 If two required TB HVAC exhaust system fans are inoperable in MODE 1, 2, or 3, the TB HVAC exhaust systems fans cannot perform their turbine building purge function. Actions must be taken to restore one required TB HVAC exhaust system fan to OPERABLE status within 24 hours. The 24 hour Completion Time is reasonable based on the low probability of a DBA occurring during this time period, the purge function is maintained via natural wind-driven ventilation in the turbine building, and the low probability that sufficient activity would be released into the turbine building following a DBA to significantly impact control room habitability via inleakage. C.1 and C.2 In MODE 1, 2, or 3, if the inoperable required TB HVAC exhaust system fans cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours and in MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems. SURVEILLANCE The Surveillances are modified by a Note to indicate that when a REQUIREMENTS required TB HVAC exhaust system fan, with associated filter trains, ductwork, and dampers, is placed in an inoperable status for performance of required Surveilances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours provided one of the other TB HVAC exhaust system fans, with associated filter trains, ductwork, and dampers, can perform the turbine building purge function post-accident. Upon completion of the Surveillance, or expiration of the 6 hour allowance, the TB HVAC exhaust system fan, with associated filter trains, ductwork, and dampers, must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the AST dose analyses assumption that the

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-1 REVISION 1 B 3.8 ELECTRICAL POWER SYSTEMS

B 3.8.1 AC Sources - Operating

BASES BACKGROUND The Unit 2 Class 1E AC Electrical Power Distribution System AC sources consist of the offsite power sources (preferred power sources, normal and alternate), and the onsite standby power sources (diesel generators (DGs) 2A, 2C, and 1B). As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems. The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed. Each load group has connections to two preferred offsite power supplies and a single DG. Offsite power is supplied to the 230 kV and 500 kV switchyards from the transmission network by eight transmission lines. From the 230 kV switchyards, two electrically and physically separated circuits provide AC power, through startup auxiliary transformers 2C and 2D, to 4.16 kV ESF buses 2E, 2F, and 2G. A detailed description of the offsite power network and circuits to the onsite Class 1E ESF buses is found in the FSAR, Sections 8.2 and 8.3 (Ref. 2). An offsite circuit consists of all breakers, transformers, switches, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESF bus or buses. Startup auxiliary transformer (SAT) 2D provides the normal source of power to the ESF buses 2E, 2F, and 2G. If any 4.16 kV ESF bus loses power, an automatic transfer from SAT 2D to SAT 2C occurs. At this time, 4.16 kV buses 2A and 2B and supply breakers from SAT 2C also trip open, disconnecting all nonessential loads from SAT 2C to preclude overloading of the transformer. SATs 2C and 2D are sized to accommodate the simultaneous starting of all required ESF loads on receipt of an accident signal without the need for load sequencing. However, ESF loads are sequenced when the associated 4.16 kV ESF bus is supplied from SAT 2C. A description of the Unit 1 offsite power sources is provided in the Bases for Unit 1 LCO 3.8.1, "AC Sources - Operating." AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-2 REVISION 1 BASES BACKGROUND The onsite standby power source for 4.16 kV ESF buses 2E, 2F, and (continued) 2G consists of three DGs. DGs 2A and 2C are dedicated to ESF buses 2E and 2G, respectively. DB 1B (the swing DG) is a shared power source and can supply either Unit 1 ESF bus 1F or Unit 2 ESF bus 2F. A DG starts automatically on a loss of coolant accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) or on an ESF bus degraded voltage or undervoltage signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of ESF bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the ESF bus on a LOCA signal alone. Following the trip of offsite power, load shed relays strip nonpermanent loads from the ESF bus. When the DG is tied to the ESF bus, loads are then sequentially connected to its respective ESF bus by the automatic load sequence timing devices. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading the DG. In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a LOCA. Certain required plant loads are returned to service in a predetermined sequence in order to prevent overloading of the DGs in the process. After the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service (i.e., the loads are energized.) Ratings for the DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3). DGs 2A and 2C have the following ratings:

a. 2850 kW - continuous,

b. 3100 kW - 2000 hours,

c. 3250 kW - 300 hours, and

d. 3500 kW - 30 minutes. DG 1B has the following ratings: a. 2850 kW - 1000 hours, and

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-3 REVISION 20 BASES BACKGROUND b. 3250 kW - 168 hours.

(continued)

A description of the Unit 1 onsite power sources is provided in the Bases for Unit 1 LCO 3.8.1. APPLICABLE The initial conditions of DBA and transient analyses in the FSAR, SAFETY ANALYSES Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power sources or all onsite AC power sources; and

b. A postulated worst case single failure.

AC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 13). LCO Two qualified circuits between the offsite transmission network and the onsite Unit 2 Class 1E Distribution System and three separate and independent DGs (2A, 2C, and 1B) ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated DBA. In addition, some components required by Unit 2 are powered from Unit 1 sources (i.e., Standby Gas Treatment (SGT) System, low pressure coolant injection (LPCI) valve load centers, Main Control Room Environmental Control (MCREC) System, and Control Room Air Conditioning (AC) System). For SGT, one qualified circuit between the offsite transmission network and the onsite Unit 1 Class 1E Distribution System and one Unit 1 DG (1A or 1C) must also be OPERABLE. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-4 REVISION 20 BASES LCO For the LPCI valve load centers, one qualified circuit between the (continued) offsite transmission network and the onsite Class 1E Electrical Distribution System capable of supplying power to each of the required LPCI valve load centers must be OPERABLE. The circuits can be any combination of the Unit 1 circuits supplying the 1E and 1G ESF buses and the Unit 2 circuit supplying the 2F ESF bus such that each LPCI valve load center is capable of being supplied. Also, two DGs capable of supplying power to the required LPCI valve load centers must be OPERABLE. The DGs can be any combination of the Unit 1 DGs (i.e., 1A and 1C DGs) and the swing DG (i.e., DG 1B) such that each LPCI valve load center is capable of being supplied. It is preferable to use the Unit 1 circuits and DGs to supply power to the LPCI valve load centers, since in the case of an LOSP on both Units, one LPCI valve load center would be without power if the swing DG was aligned to the opposite unit, thereby rendering one LPCI subsystem inoperable. Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESF buses. For the purpose of this LCO, each Unit 2 offsite circuit consists of incoming breaker and disconnect to the respective 2C and 2D SATs, the 2C and 2D transformers, and the respective circuit path including feeder breakers to 4.16 kV ESF buses. (However, for design purposes, the offsite circuit excludes the feeder breakers to each 4.16 kV ESF bus). Feeder breakers from each circuit to the 2F ESF bus are required to be OPERABLE. Feeder breakers from each circuit to the 2E and 2G ESF buses are required to be OPERABLE; however, as an alternative, only one feeder breaker per bus to the 2E and 2G ESF buses is required to be OPERABLE, if they are from different SATs (e.g., 2E feeder breaker from the 2C SAT and the 2G feeder breaker from the 2D SAT). The Unit 1 offsite circuit also consists of the incoming breaker and disconnect to the 4.16 kV ESF buses required to be OPERABLE to provide power to the Unit 1 equipment required by LCO 3.6.4.3, LCO 3.7.4, and LCO 3.7.5. Each DG must be capable of starting, accelerating to rated frequency and voltage, and connecting to its respective ESF bus on detection of bus undervoltage. This sequence must be accomplished within 12 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in standby with the engine at ambient condition. Additional DG AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-5 REVISION 55 BASES LCO capabilities must be demonstrated to meet required Surveillances, (continued) e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY. The AC sources must be separate and independent (to the extent possible) (Ref. 1) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one ESF bus, with automatic transfer capability to the other circuit OPERABLE, and not violate separation criteria. A circuit that is not connected to an ESF bus is required to have OPERABLE automatic transfer capability to at least two ESF buses (one of which must be to the 2F bus) to support OPERABILITY of that circuit. APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated DBA. The AC power requirements for MODES 4 and 5 and other conditions in which AC Sources are required, are covered in LCO 3.8.2, "AC Sources - Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance. A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining required offsite circuits on a more frequent basis. Since the AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-6 REVISION 55 BASES ACTIONS A.1 (continued) Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition D, for two offsite circuits inoperable, is entered. A.2 Required Action A.2, which only applies if a 4160 V ESF bus cannot be powered from an offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has no offsite power. The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both: a. The 4160 V ESF bus has no offsite power supplying its loads; and

b. A redundant required feature on the other division is inoperable.

If, at any time during the existence of this Condition (one offsite circuit inoperable) a redundant required feature subsequently becomes inoperable, this Completion Time would begin to be tracked. Discovering no offsite power to one 4160 V ESF bus of the onsite Class 1E Power Distribution System coincident with one or more inoperable redundant required support or supported features, or both, that are associated with any other ESF bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-7 REVISION 55 BASES ACTIONS A.2 (continued) The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period. A.3 According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition A for a period that should not exceed 72 hours. With one required offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. The 72 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a, b, or c. If Condition A is entered while, for instance, the swing DG is inoperable, and that DG is subsequently returned OPERABLE, LCO 3.8.1.a, b, or c may already have been not met for up to 14 days. This situation could lead to a total of 17 days, since initial failure to meet LCO 3.8.1.a, b, and c, to restore the offsite circuit. At this time, the swing DG could again become inoperable, the circuit restored OPERABLE, and an additional 14 days (for a total of 31 days) allowed prior to complete restoration of LCO 3.8.1.a, b, and c. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet LCO 3.8.1.a, b, or c. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hours and 17 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-8 REVISION 55 BASES ACTIONS A.3 (continued) As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time LCO 3.8.1.a, b, or c was initially not met, instead of at the time that Condition A was entered. B.1 To ensure a highly reliable power source remains with one Unit 2 or the swing DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered. B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a Unit 2 or swing DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable Unit 2 or swing DG exists; and

b. A redundant required feature on the other division (Division 1 or 2), or divisions in the case of the Unit 1 and 2 Standby Gas Treatment (SGT) System, is inoperable. If, at any time during the existence of this Condition (one Unit 2 or swing DG inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-9 REVISION 55 BASES ACTIONS B.2 (continued) Discovering one required DG inoperable coincident with one or more inoperable redundant required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period. B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG(s), SR 3.8.1.2.a does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition F of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2.a suffices to provide assurance of continued OPERABILITY of those DGs. In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the deficiency control program, as appropriate, will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition B. According to Generic Letter 84-15 (Ref. 7), 24 hours is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-10 REVISION 83 BASES ACTIONS B.4 (continued) Regulatory Guide 1.93 (Ref. 6), provides guidance that operation in Condition B may continue for 72 hours. A risk-informed, deterministic evaluation performed for Plant Hatch justifies operation in Condition B for 14 days, provided action is taken to ensure two DGs are dedicated to each Hatch unit. This is accomplished for an inoperable A or C DG by inhibiting the automatic alignment (on a LOCA or LOSP signal) of the swing DG to the other unit. If the inoperable DG is the swing DG, each unit has two dedicated DGs. For an inoperable swing DG, a 72 hour Completion Time applies unless the restrictions specified following this paragraph are satisfied. In Condition B for each defined Completion Time and restriction (if applicable), the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Unit 2 Class 1E Distribution System. The Completion Times take into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA occurring during this period. The 14 day Completion Time is also subject to additional restrictions for planned maintenance on other plant systems; these are controlled by NMP-GM-031. Use of the 14 day Completion time is permitted as follows:

• For the Unit 2 DGs:

Once per DG per operating cycle for performing major overhaul of a DG. As needed to complete unplanned maintenance. This time shall be minimized.

• For the swing DG: The additional restrictions apply prior to using a Completion Time of greater than 72 hours. The 14 day Completion Time may be used once per Unit 1 operating cycle for performing a major overhaul of the swing DG. The time may be used as needed to complete unplanned maintenance. This time shall be minimized.
• As needed for the swing DG when it is inhibited from automatically aligning to Unit 2 in order for the 14 day Completion Time to be used for a Unit 1 DG.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-11 REVISION 55 BASES ACTIONS B.4 (continued) The "AND" connector between the 72 hour and 14 day Completion Times means that both Completion Times apply simultaneously. That is, the 14 day Completion Time for an A or C DG with the swing DG inhibited applies from the time of entry into Condition B, not from the time the swing DG is inhibited. The fourth Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet LCO 3.8.1.a, b, or c. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, LCO 3.8.1.a, b, or c may already have been not met for up to 72 hours. This situation could lead to a total of 17 days, since initial failure to meet LCO 3.8.1.a, b, and c, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours (for a total of 20 days) allowed prior to complete restoration of LCO 3.8.1.a, b, and c. The 17 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet LCO 3.8.1.a, b, or c. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connectors between the Completion Times mean that all Completion Times apply simultaneously, and the more restrictive must be met. As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This exception results in establishing the "time zero" at the time that LCO 3.8.1.a, b, or c was initially not met, instead of the time that Condition B was entered. C.1 To ensure a highly reliable power source remains with one required Unit 1 DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-12 REVISION 55 BASES

ACTIONS C.2 (continued) Required Action C.2 is intended to provide assurance that a loss of offsite power, during the period that one required Unit 1 DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG. The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable required Unit 1 DG exists; and b. A redundant required feature on the other division (Division 1 or 2), or divisions in the case of the Unit 1 and 2 SGT System, is inoperable.

If, at any time during the existence of this Condition (required Unit 1 DG inoperable), a redundant feature subsequently becomes inoperable, this Completion Time begins to be tracked. Discovering one required Unit 1 DG inoperable coincident with one or more inoperable redundant required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown. The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a DBA occurring during this period. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-13 REVISION 83 BASES ACTIONS C.3.1 and C.3.2 (continued) Required Action C.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.2.a does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition F of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action C.3.1 is satisfied. If the cause of the initial inoperable DG cannot be confirmed not to exist on the remaining DG(s), performance of SR 3.8.1.2.a suffices to provide assurance of continued OPERABILITY of those DGs. In the event the inoperable DG is restored to OPERABLE status prior to completing either C.3.1 or C.3.2, the deficiency control program, as appropriate, will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour constraint imposed while in Condition C. According to Generic Letter 84-15 (Ref. 7), 24 hours is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG.

C.4 In Condition C, the remaining OPERABLE offsite circuit is adequate to supply electrical power to the required onsite Unit 1 Class 1E Distribution System. The 7 day Completion Time is based on the shortest restoration time allowed for the systems affected by the inoperable DG in the individual system LCOs. A risk-informed, deterministic evaluation performed for Plant Hatch justifies operation in Condition C for 14 days, provided action is taken to ensure two DGs are dedicated to each Hatch unit. This is accomplished for an inoperable A or C DG by inhibiting the automatic alignment (on a LOCA or LOSP signal) of the swing DG to the other unit. The Completion Times take into account the capacity and capability of the remaining AC sources, reasonable time for maintenance, and low probability of a DBA occurring during this period. Use of the 14 day Completion Time, subject to additional restrictions controlled by NMP-GM-031, is permitted as follows:

• Once per DG per operating cycle for performing a major overhaul of a DG.
• As needed to complete unplanned maintenance. This time shall be minimized.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-14 REVISION 55 BASES ACTIONS D.1 and D.2 (continued) Required Action D.1 addresses actions to be taken in the event of inoperability of redundant required features concurrent with inoperability of two or more required offsite circuits. Required Action D.1 reduces the vulnerability to a loss of function. The Completion Time for taking these actions is reduced to 12 hours from that allowed with one 4160 V ESF bus without offsite power (Required Action A.2). The rationale for the reduction to 12 hours is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours for two required offsite circuits inoperable, based upon the assumption that two complete safety divisions are OPERABLE. (While this ACTION allows more than two circuits to be inoperable, Regulatory Guide 1.93 assumed two circuits were all that were required by the LCO, and a loss of those two circuits resulted in a loss of all offsite power to the Class 1E AC Electrical Power Distribution System. Thus, with the Plant Hatch design, a loss of more than two required offsite circuits results in the same conditions assumed in Regulatory Guide 1.93.) When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours is appropriate. These features are designed with redundant safety related divisions, (i.e., single division systems are not included in the list). Redundant required features failures consist of any of these features that are inoperable because any inoperability is on a division redundant to a division with inoperable offsite circuits. The Completion Time for Required Action D.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both: a. All required offsite circuits are inoperable; and b. A redundant required feature is inoperable. If, at any time during the existence of this Condition (two or more required offsite circuits inoperable), a redundant required feature subsequently becomes inoperable, this Completion Time begins to be tracked. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition D for a period that should not exceed 24 hours. This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-15 REVISION 39 BASES ACTIONS D.1 and D.2 (continued) Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable. However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source. With two or more of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a DBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Regulatory Guide 1.93 (Ref. 6), with the available offsite AC sources two less than required by the LCO (which as stated earlier, generally corresponds to a total loss of the immediately accessible offsite power sources; this is the condition experienced by Plant Hatch when two or more required circuits are inoperable), operation may continue for 24 hours. If all required offsite sources are restored within 24 hours, unrestricted operation may continue. If all but one required offsite sources are restored within 24 hours, power operation continues in accordance with Condition A. E.1 and E.2 Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition E are modified by a Note to indicate that when Condition E is entered with no AC source to any ESF bus, ACTIONS for LCO 3.8.7, "Distribution Systems - Operating," must be immediately entered. This allows AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-16 REVISION 39 BASES ACTIONS E.1 and E.2 (continued) Condition E to provide requirements for the loss of the offsite circuit and one DG without regard to whether a division is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized ESF bus. According to Regulatory Guide 1.93 (Ref. 6), operation may continue in Condition E for a period that should not exceed 12 hours. In Condition E, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. However, since power system redundancy is provided by two diverse sources of power, the reliability of the power systems in this Condition may appear higher than that in Condition D (loss of two or more required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a DBA occurring during this period. F.1 With two or more Unit 2 and swing DGs inoperable, with an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation. According to Regulatory Guide 1.93 (Ref. 6), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours. (Regulatory Guide 1.93 assumed the unit has two DGs. Thus, a loss of both DGs results in a total loss of onsite power. Therefore, a loss of more than two DGs, in the Plant Hatch design, results in degradation no worse than that assumed in Regulatory AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-17 REVISION 39 BASES ACTIONS F.1 (continued) Guide 1.93. In addition, the loss of a required Unit 1 DG concurrent with the loss of a Unit 2 or swing DG, is analogous to the loss of a single DG in the Regulatory Guide 1.93 assumptions, thus, entry into this Condition is not required in this case.)

G.1 With both Unit 1 DGs and the swing DG inoperable (or otherwise incapable of supplying power to the LPCI valve load centers), and an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the LPCI valve load centers. Since the offsite electrical power system is the only source of AC power for the LPCI valve load centers at this level of degradation, the risk associated with operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and minimize the risk associated with an immediate controlled shutdown and minimize the risk associated with this level of degradation. According to Regulatory Guide 1.93 (Ref. 6), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours. (Regulatory Guide 1.93 assumed the unit had two DGs. Thus, a loss of both DGs results in a total loss of onsite power.) Therefore, a loss of both Unit 1 DGs and the swing DG results in degradation no worse than that assumed in Regulatory Guide 1.93, and the 2 hour Completion Time is acceptable. H.1 and H.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-18 REVISION 39 BASES ACTIONS I.1 (continued) Condition I corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, GDC 18 (Ref. 8). Periodic component tests are supplemented by extensive functional tests during refueling outages under simulated accident conditions. The SRs for demonstrating the OPERABILITY of the DGs are generally consistent with the recommendations of Regulatory Guide 1.9 (Ref. 3), Regulatory Guide 1.108 (Ref. 9), and Regulatory Guide 1.137 (Ref. 10), although Plant Hatch Unit 2 is not committed to Regulatory Guides 1.108 or 1.137. Specific commitments relative to DG testing is described in FSAR Section 8.3 (Ref. 2). Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. The allowable values for achieving steady state voltage are specified within a range of 10% (3740 V) and + 2% (4243 V) of 4160 V. The Allowable Value of 3740 V is consistent with Regulatory Guide 1.9 for demonstrating that the DG is capable of attaining the required voltage. A more limiting value of 4243 V is specified as the allowable value for overvoltage due to overvoltage limits on the 600 V buses. The + 2% value maintains the required overvoltage limits. The specified minimum and maximum frequencies of the DG are 58.8 Hz and 61.2 Hz, respectively. These values are equal to +/- 2% of the 60 Hz nominal frequency and are derived from the recommendations found in Regulatory Guide 1.9 (Ref. 3). The SRs are modified by a Note to indicate that SR 3.8.1.1 through SR 3.8.1.18 apply only to the Unit 2 AC sources, and that SR 3.8.1.19 applies only to the Unit 1 AC sources. SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-19 REVISION 79 BASES SURVEILLANCE SR 3.8.1.1 (continued) REQUIREMENTS offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to their preferred power source and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.2 This SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition, and verifies that the DGs are capable of proper startup, synchronizing, and accepting a load approximately 50% of the continuous load rating. This demonstrates DG capability while minimizing the mechanical stress and wear on the engine. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source. Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation. To minimize the wear on moving parts that do not get lubricated when the engine is not running, this SR has been modified by a Note, (Note 2) to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup prior to loading. For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. In order to reduce stress and wear on diesel engines, the DG manufacturer recommends a modified start in which the starting speed of DGs is limited, warmup is limited to this lower speed, and the DGs are gradually accelerated to synchronous speed prior to loading. These start procedures are the intent of Note 3. Once voltage and frequency requirements are demonstrated, the DG may be tied to its respective 4160 V emergency bus, as directed by SR 3.8.1.2.b. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-20 REVISION 79 BASES SURVEILLANCE SR 3.8.1.2 (continued) REQUIREMENTS When the DG is tied to its bus, the electrical grid, due to its larger size compared to the DG, will dictate DG voltage and frequency. The DG operator cannot adjust either parameter. Therefore, the voltage and frequency requirements of SR 3.8.1.2.a no longer apply while the DG is tied to its bus and need not be met to satisfy the requirements of SR 3.8.1.2.b. Other SRs, notably SR 3.8.1.9, require that voltage and frequency requirements can be met while the DG is supplying load. SR 3.8.1.5.a requires that the DG starts from standby conditions and achieves required voltage and frequency within 12 seconds. The 12 second start requirement supports the assumptions in the design basis LOCA analysis of FSAR, Chapter 6 (Ref. 4). The 12 second start requirement is not applicable to SR 3.8.1.2 (see Note 3), when a modified start procedure as described above is used. If a modified start is not used, the 12 second start voltage and frequency requirements of SR 3.8.1.5.a apply. Since SR 3.8.1.5.a does require a 12 second start, it is more restrictive than SR 3.8.1.2, and it may be performed in lieu of SR 3.8.1.2. This procedure is the intent of Note 1. To minimize testing of the swing DG, this SR is modified by a note (Note 4) to allow a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, using the starting circuitry of one unit for one periodic test and the starting circuitry of the other unit during the next periodic test. This is allowed since the main purpose of the Surveillance, to ensure DG OPERABILITY, is still being verified on the proper frequency, the starting circuits historically have a very low failure rate, as compared to the DG itself, and that, while each starting circuit is only being tested every second test (due to the staggering of the tests), some portions of the starting circuits are common to both units. If the swing DG fails one of these Surveillance, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. Note 5 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 6 modifies the Surveillance by stating that starting transients above the upper voltage limit do not invalidate this test. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-21 REVISION 80 BASES SURVEILLANCE SR 3.8.1.2 (continued) REQUIREMENTS Note 7 modifies this Surveillance by stating that momentary load transients because of changing bus loads do not invalidate this test. Note 8 indicates that this Surveillance is required to be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.3 This volume is selected to ensure adequate fuel oil for a minimum of 1 hour of DG operation at full load + 10%. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.1.4 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the fuel oil day tanks periodically eliminates the necessary environment for bacterial survival. This is a means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water in the day tank may come from condensation, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-22 REVISION 79 BASES SURVEILLANCE SR 3.8.1.4 (continued) REQUIREMENTS The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.5 This SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition. This Surveillance verifies that the DGs are capable of a "fast cold" start, synchronizing, and accepting a load more closely simulating accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source. SR 3.8.1.5 requires that the DG starts from standby conditions and achieves required voltage and frequency within 12 seconds. The 12 second start requirement supports the assumptions in the design basis LOCA analysis of FSAR, Chapter 6 (Ref. 4). Once voltage and frequency requirements are demonstrated, the DG may be tied to its respective 4160 V emergency bus, as directed by SR 3.8.1.2.b. When the DG is tied to its bus, the electrical grid, due to its larger size compared to the DG, will dictate DG voltage and frequency. The DG operator cannot adjust either parameter. Therefore, the voltage and frequency requirements of SR 3.8.1.2.a no longer apply while the DG is tied to its bus and need not be met to satisfy the requirements of SR 3.8.1.2.b. Other SRs, notably SR 3.8.1.9, require that voltage and frequency requirements can be met while the DG is supplying load. For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-23 REVISION 79 BASES SURVEILLANCE SR 3.8.1.5 (continued) REQUIREMENTS To minimize the wear on moving parts that do not get lubricated when the engine is not running, this SR has been modified by a Note (Note 1) to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup prior to loading. Note 2 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 3 modifies this Surveillance by stating that momentary load transients because of changing bus loads do not invalidate this test. Note 4 indicates that this Surveillance is required to be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations. To minimize testing of the swing DG, Note 5 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, with the DG started using the starting circuitry of one unit and synchronized to the ESF bus of that unit for one periodic test and started using the starting circuitry of the other unit and synchronized to the ESF bus of that unit during the next periodic test. This is allowed since the main purpose of the Surveillance, to ensure DG OPERABILITY, is still being verified on the proper frequency, and each unit's starting circuitry and breaker control circuitry, which is only being tested every second test (due to the staggering of the tests), historically have a very low failure rate. If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. SR 3.8.1.6 Transfer of each 4.16 kV ESF bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-24 REVISION 79 BASES SURVEILLANCE SR 3.8.1.6 (continued) REQUIREMENTS This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1 or 2 and the Unit 1 test should not be performed with Unit 1 in MODE 1 or 2. SR 3.8.1.7 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each DG is a residual heat removal service water pump at rated flow (1225 bhp). This Surveillance may be accomplished by: a) tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while paralleled to offsite power or while solely supplying the bus, or b) tripping its associated single largest post-accident load with the DG solely supplying the bus. Although Plant Hatch Unit 2 is not committed to IEEE-387-1984, (Ref. 11), this SR is consistent with the IEEE-387-1984 requirement that states the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower. For all DGs, this represents 65.5 Hz, AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-25 REVISION 79 BASES SURVEILLANCE SR 3.8.1.7 (continued) REQUIREMENTS equivalent to 75% of the difference between nominal speed and the overspeed trip setpoint. The voltage and frequency specified are consistent with the nominal range for the DG. SR 3.8.1.7.a corresponds to the maximum frequency excursion, while SR 3.8.1.7.b is the voltage to which the DG must recover following load rejection. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. The reason for Note 1 is that, during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing is performed with only the DG providing power to the associated 4160 V ESF bus. The DG is not synchronized with offsite power. To minimize testing of the swing DG, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.8 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits. The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-26 REVISION 79 BASES SURVEILLANCE SR 3.8.1.8 (continued) REQUIREMENTS DG damage protection. While the DG is not expected to experience this transient during an event, and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated. In order to ensure that the DG is tested under load conditions that are as close to design basis conditions as possible, testing must be performed using a power factor 0.88. This power factor is chosen to be representative of the actual design basis inductive loading that the DG would experience. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by three Notes. The reason for Note 1 is that during operation with the reactor critical, performance of this SR could cause perturbations to the electrical distribution systems that would challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. Note 2 is provided in recognition that if the offsite electrical power distribution system is lightly loaded (i.e., system voltage is high, it may not be possible to raise voltage without creating an overvoltage condition on the ESF bus. Therefore, to ensure the bus voltage, supplied ESF loads, and DG are not placed in an unsafe condition during this test, the power factor limit does not have to be met if grid voltage or ESF bus loading does not permit the power factor limit to be met when the DG is tied to the grid. When this occurs, the power factor should be maintained as close to the limit as practicable. To minimize testing of the swing DG, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-27 REVISION 79 BASES SURVEILLANCE SR 3.8.1.9 REQUIREMENTS (continued) This Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source and is consistent with Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(1). This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the emergency buses and respective loads from the DG. It further demonstrates the capability of the DG to automatically achieve the required voltage and frequency within the specified time. The DG auto-start time of 12 seconds is derived from requirements of the accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved. The requirement to verify the connection and power supply of permanent and auto-connected loads is intended to satisfactorily show the relationship of these loads to the DG loading logic. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, Emergency Core Cooling Systems (ECCS) injection valves are not desired to be stroked open, or systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. For the purpose of this testing, the DGs shall be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing the Surveillance would remove a required AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-28 REVISION 79 BASES SURVEILLANCE SR 3.8.1.9 (continued) REQUIREMENTS offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1, 2, or 3 and the Unit 1 test should not be performed with Unit 1 in MODE 1, 2, or 3. SR 3.8.1.10 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (12 seconds) from the design basis actuation signal (LOCA signal) and operates for 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, low pressure injection systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-29 REVISION 79 BASES SURVEILLANCE SR 3.8.1.10 (continued) REQUIREMENTS This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could potentially cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1 or 2 and the Unit 1 test should not be performed with Unit 1 in MODE 1 or 2. SR 3.8.1.11 This Surveillance demonstrates that DG non-critical protective functions (e.g., high jacket water temperature) are bypassed on a loss of voltage signal concurrent with an ECCS initiation signal and critical protective functions (engine overspeed, generator differential current, and low lubricating oil pressure) are available to trip the DG to avert substantial damage to the DG unit. The non-critical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the DBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DG from AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-30 REVISION 79 BASES SURVEILLANCE SR 3.8.1.11 (continued) REQUIREMENTS service. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1, 2, or 3 and the Unit 1 test should not be performed with Unit 1 in MODE 1, 2, or 3.

SR 3.8.1.12 Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(3), requires demonstration once per 24 months that the DGs can start and run continuously at full load capability for an interval of not less than 24 hours. The first 22 hours of this test are performed at 2775 kW and 2825 kW (which is near the continuous rating of the DG), and the last 2 hours of this test are performed at 3000 kW. This is in accordance with commitments described in FSAR Section 8.3 (Ref. 2). The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube and warmup, and for gradual loading, discussed in SR 3.8.1.2, are applicable to this SR. In order to ensure that the DG is tested under load conditions that are as close to design conditions as possible, testing must be performed using a power factor 0.88. This power factor is chosen to be representative of the actual design basis inductive loading that the DG could experience. A load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-31 REVISION 79 BASES SURVEILLANCE SR 3.8.1.12 (continued) REQUIREMENTS This Surveillance has been modified by four Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit do not invalidate the test. The reason for Note 2 is that during operation with the reactor critical, performance of this Surveillance could cause perturbations to the electrical distribution systems that would challenge continued steady state operation and, as a result, plant safety systems. However, it is acceptable to perform this SR in MODES 1 and 2 provided the other two DGs are OPERABLE, since a perturbation can only affect one divisional DG. If during the performance of this Surveillance, one of the other DGs becomes operable, this Surveillance is to be suspended. The surveillance may not be performed in MODES 1 and 2 during inclement weather and unstable grid conditions. Credit may be taken for unplanned events that satisfy this SR. Note 3 is provided in recognition that if the offsite electrical power distribution system is lightly loaded (i.e., system voltage is high), it may not be possible to raise voltage without creating an overvoltage condition on the ESF bus. Therefore, to ensure the bus voltage, supplied ESF loads, and DG are not placed in an unsafe condition during this test, the power factor limit does not have to be met if grid voltage or ESF bus loading does not permit the power factor limit to be met when the DG is tied to the grid. When this occurs, the power factor should be maintained as close to the limit as practicable. To minimize testing of the swing DG, Note 4 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.13 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from normal Surveillances, and achieve the required voltage and frequency within 12 seconds. The 12 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA. The 24 month Frequency is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(5). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-32 REVISION 79 BASES SURVEILLANCE SR 3.8.1.13 (continued) REQUIREMENTS This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 2 hours at near full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. Momentary transients due to changing bus loads do not invalidate this test. Note 2 allows all DG starts to be preceded by an engine prelube period to minimize wear and tear on the diesel during testing. To minimize testing of the swing DG, Note 3 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is allowed since the main purpose of the Surveillance can be met by performing the test on either unit (no unit specific DG components are being tested). If the swing DG fails one of these Surveillances, the DG should be considered inoperable on both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.14 This Surveillance is consistent with the recommendations of Regulatory Guide 1.108 (Ref. 9), paragraph 2.a.(6) and ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the output breaker is open and can receive an auto-close signal on bus undervoltage, and the load sequence timers are reset. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-33 REVISION 79 BASES SURVEILLANCE SR 3.8.1.14 (continued) REQUIREMENTS Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1, 2, or 3 and the Unit 1 test should not be performed with Unit 1 in MODE 1, 2, or 3.

SR 3.8.1.15 Demonstration of the test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing. Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if an ECCS initiation signal is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage with the DG output breaker open. Although Plant Hatch Unit 2 is not committed to this standard, this SR is consistent with the provisions for automatic switchover required by IEEE-308 (Ref. 12), paragraph 6.2.6(2). The intent in the requirements associated with SR 3.8.1.15.b is to show that the emergency loading is not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-34 REVISION 79 BASES SURVEILLANCE SR 3.8.1.15 (continued) REQUIREMENTS Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1, 2, or 3 and the Unit 1 test should not be performed with Unit 1 in MODE 1, 2, or 3.

SR 3.8.1.16 Under accident conditions, loads are sequentially connected to the bus by the automatic load sequence timing devices. The sequencing logic controls the permissive and starting signals to motor breakers to prevent overloading of the DGs due to high motor starting currents. The 10% load sequence time interval tolerance ensures that sufficient time exists for the DG to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESF buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1, 2, or 3 and the Unit 1 test should not be performed with Unit 1 in MODE 1, 2, or 3. AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-35 REVISION 79 BASES SURVEILLANCE SR 3.8.1.17 REQUIREMENTS (continued) In the event of a DBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded. This Surveillance demonstrates DG operation, as discussed in the Bases for SR 3.8.1.9, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine coolant and oil being continuously circulated and temperature maintained consistent with manufacturer recommendations. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. The reason for Note 2 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy this SR. This Surveillance tests the applicable logic associated with the Unit 2 swing bus. The comparable test specified in the Unit 1 Technical Specifications tests the applicable logic associated with the Unit 1 swing bus. Consequently, a test must be performed within the Frequency contained in the Surveillance Frequency Control Program for each unit. The Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 1. As the Surveillance represents separate tests, the Unit 2 Surveillance should not be performed with Unit 2 in MODE 1, 2, or 3 and the Unit 1 test should not be performed with Unit 1 in MODE 1, 2, or 3. SR 3.8.1.18 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. For the purpose of this testing, AC Sources - Operating B 3.8.1 (continued) HATCH UNIT 2 B 3.8-36 REVISION 79 BASES SURVEILLANCE SR 3.8.1.18 (continued) REQUIREMENTS the DGs must be started from standby conditions, that is, with the engine coolant and oil continuously circulated and temperature maintained consistent with manufacturer recommendations. It is permissible to place all three DGs in test simultaneously, for the performance of this Surveillance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.19 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.1.1 through SR 3.8.1.18) are applied only to the Unit 2 DG and offsite circuits, and swing DG. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 1 DG and offsite circuit are governed by the Unit 1 Technical Specifications. Performance of the applicable Unit 1 Surveillances will satisfy both any Unit 1 requirements, as well as satisfying this Unit 2 SR. Several exceptions are noted to the Unit 1 SRs: SR 3.8.1.6 is excepted since only one Unit 1 circuit is required by the Unit 2 Specification (therefore, there is not necessarily a second circuit to transfer to); SRs 3.8.1.10, 15, and 17 are excepted since they relate to the DG response to a Unit 1 ECCS initiation signal, which is not a necessary function for support of the Unit 2 requirement for an OPERABLE Unit 1 DG. The Frequency required by the applicable Unit 1 SR also governs performance of that SR for both Units. REFERENCES 1. 10 CFR 50, Appendix A, GDC 17. 2. FSAR, Sections 8.2 and 8.3. 3. Regulatory Guide 1.9, March 1971.

4. FSAR, Chapter 6. 5. FSAR, Chapter 15.

6. Regulatory Guide 1.93, December 1974.

AC Sources - Operating B 3.8.1 HATCH UNIT 2 B 3.8-37 REVISION 79 BASES REFERENCES 7. Generic Letter 84-15. (continued) 8. 10 CFR 50, Appendix A, GDC 18.

9. Regulatory Guide 1.108, August 1977. 10. Regulatory Guide 1.137, October 1979.

11. IEEE Standard 387-1984.

12. IEEE Standard 308-1980. 13. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

AC Sources - Shutdown B 3.8.2 (continued)B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources - Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources - Operating." APPLICABLE The OPERABILITY of the minimum AC sources during MODES 4 SAFETY ANALYSES and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that: a. The facility can be maintained in the shutdown or refueling condition for extended periods; b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident. In general, when the unit is shut down the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Postulated worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and corresponding stresses result in the probabilities of occurrences significantly reduced or eliminated, and minimal consequences. These deviations from DBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems. During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS. This allowance is in recognition that certain testing and maintenance activities must be conducted, provided an acceptable level of risk is not exceeded. During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally HATCH UNIT 2 B 3.8-38 REVISION 39 AC Sources - Shutdown B 3.8.2 (continued) BASES APPLICABLE planned and administratively controlled. Relaxations from typical SAFETY ANALYSES MODES 1, 2, and 3 LCO requirements are acceptable during (continued) shutdown MODES, based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration. b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both. c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems. d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event. In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (diesel generator (DG)) power. The AC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 1). LCO One Unit 2 offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems -

Shutdown," ensures that all required Unit 2 loads are powered from offsite power. An OPERABLE Unit 2 DG, associated with a Distribution System Engineered Safety Feature (ESF) bus required to be OPERABLE by LCO 3.8.8, ensures that a diverse power source is available for providing electrical power support assuming a loss of the offsite circuit. In addition, some components that may be required by Unit 2 are powered from Unit 1 sources [e.g., Standby Gas Treatment (SGT) System and Low Pressure Coolant Injection (LPCI) valve load centers]. For SGT, one qualified circuit between the offsite transmission network and the onsite Unit 1 Class 1E Distribution System, and one Unit 1 DG capable of supplying power to one of the required Unit 1 subsystems of each of the required components, must be OPERABLE. For the LPCI valve load centers, one qualified circuit HATCH UNIT 2 B 3.8-39 REVISION 39 AC Sources - Shutdown B 3.8.2 (continued) BASES LCO between the offsite transmission network and the onsite Class 1E (continued) Electrical Distribution System capable of supplying power to the required LPCI valve load center must be OPERABLE. The circuit can be any of the Unit 1 circuits supplying the 1E and 1G ESF buses and the Unit 2 circuit supplying the 2F ESF bus. Also, one DG capable of supplying power to the required LPCI valve load center must be OPERABLE. The DG can be any one of the Unit 1 DGs (i.e., 1A and 1C DGs) and the swing DG (i.e., DG 1B). It is preferable to use the Unit 1 circuit and a Unit 1 DG to supply power to the LPCI valve load center, since in the case of an LOSP on both units, one LPCI valve load center would be without power if the swing DG was aligned to the opposite unit, thereby rendering one LPCI subsystem inoperable. Together, OPERABILITY of the required offsite circuits and DGs ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and reactor vessel draindown). The qualified offsite circuits must be capable of maintaining rated frequency and voltage while connected to their respective ESF buses, and of accepting required loads during an accident. Qualified offsite circuits are those that are described in the FSAR and are part of the licensing basis for the unit. The Unit 1 and Unit 2 offsite circuits consist of incoming breaker and disconnect to the 1C or 1D and the 2C or 2D startup auxiliary transformers (SATs), associated 1C or 1D and 2C or 2D SATs, and the respective circuit path including feeder breakers to all 4.16 kV ESF buses required by LCO 3.8.8. (However, for design purposes, the offsite circuit excludes the feeder breakers to each 4.16 kV ESF bus.) The required DGs must be capable of starting, accelerating to rated frequency and voltage, connecting to their respective ESF bus on detection of bus undervoltage, and accepting required loads. This sequence must be accomplished within 12 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESF buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with engine hot and DG in standby with engine at ambient conditions. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode. Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY. HATCH UNIT 2 B 3.8-40 REVISION 39 AC Sources - Shutdown B 3.8.2 (continued) BASES LCO It is acceptable during shutdown conditions, for a single offsite power (continued) circuit to supply all 4.16 kV ESF buses on a unit. No fast transfer capability is required for offsite circuits to be considered OPERABLE.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that: a. Systems providing adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel; b. Systems needed to mitigate a fuel handling accident are available; c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition. AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1. ACTIONS A.1 An offsite circuit is considered inoperable if it is not available to one required ESF 4160 V bus. If two or more ESF 4.16 kV buses are required per LCO 3.8.8, the remaining buses with offsite power available may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By the allowance of the option to declare required features inoperable with no offsite power available, appropriate restrictions can be implemented in accordance with the affected required feature(s) LCOs' ACTIONS. HATCH UNIT 2 B 3.8-41 REVISION 39 AC Sources - Shutdown B 3.8.2 BASES ACTIONS A.2.1, A.2.2, A.2.3, A.2.4, B.1, B.2, B.3, and B.4 (continued) With one or more offsite circuits not available to all required 4160 V ESF buses, the option still exists to declare all required features inoperable (per Required Action A.1). Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With one or more required DGs inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and activities that could result in inadvertent draining of the reactor vessel. Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power. Pursuant to LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power to any required ESF bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit whether or not a bus is de-energized. LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized bus.

SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, and 3. SR 3.8.1.6 is not required to be met since only one Unit 1 and one Unit 2 offsite circuits are required to be OPERABLE. SR 3.8.1.15 is not required to be met because the required OPERABLE DG(s) is not required to undergo periods of (continued) HATCH UNIT 2 B 3.8-42 REVISION 39 AC Sources - Shutdown B 3.8.2 BASES SURVEILLANCE SR 3.8.2.1 (continued) REQUIREMENTS being synchronized to the offsite circuit. SR 3.8.1.18 is excepted because starting independence is not required with the DG(s) that is not required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR. This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4160 V ESF bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit(s) and the DG(s). It is the intent that these SRs must still be capable of being met, but actual performance is not required. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 1 DG and offsite circuit are governed by the Unit 1 Technical Specifications. Performance of the applicable Unit 1 Surveillances will satisfy both any Unit 1 requirements, as well as satisfying this Unit 2 Surveillance requirement. The Frequency required by the applicable Unit 1 SR also governs performance of that SR for both Units. REFERENCES 1. NRC No. 92-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. HATCH UNIT 2 B 3.8-43 REVISION 39 Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 2 B 3.8-44 REVISION 80 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air

BASES BACKGROUND Each diesel generator (DG) is provided with a storage tank. Each tank is connected to a piping network to provide a shared fuel oil storage system. The 33,320 gallons required to be maintained in each of the DG's fuel oil tanks represent a total volume of oil, sufficient to operate any two DGs at 3250 kW for a period of 7 days (Ref. 1). In addition, it provides fuel to also operate the other Unit's required DGs at a load sufficient to maintain power to the components, required to be OPERABLE by the Unit 2 Technical Specifications, for 7 days. This onsite fuel oil capacity is sufficient to operate the DGs for longer than the time to replenish the onsite supply from outside sources. Fuel oil is transferred from storage tank to day tank by either of two transfer pumps associated with each storage tank. Valving is also available so that fuel oil can be transferred between fuel oil storage tanks and the day tanks. Redundancy of pumps and piping precludes the failure of one pump, or the rupture of any pipe, valve, or tank to result in the loss of more than one DG. All outside tanks, pumps, and piping are located underground. For proper operation of the standby DGs, it is necessary to ensure the proper quality of the stored fuel oil. The fuel oil property monitored is the total particulate concentration. Periodic testing of the stored fuel oil total particulate concentration is a method to monitor the potential degradation related to long term storage and the potential impact to fuel filter plugging as a result of high particulate levels. The DG lubrication system is designed to provide sufficient lubrication to permit proper operation of its associated DG under all loading conditions. The system is required to circulate the lube oil to the diesel engine working surfaces and to remove excess heat generated by friction during operation. The onsite storage in addition to the engine oil sump is sufficient to ensure 7 days' continuous operation. This supply is sufficient to allow the operator to replenish lube oil from outside sources. Each DG has an air start system with adequate capacity for five successive start attempts on the DG without recharging the air start receivers. Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 2 B 3.8-45 REVISION 80 BASES (continued) APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 2), and Chapter 15 (Ref. 3), assume Engineered Safety Feature (ESF) systems are OPERABLE. The DGs are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core Cooling System (ECCS) and Reactor Core Isolation Cooling (RCIC) System; and Section 3.6, Containment Systems. Since diesel fuel oil and transfer, lube oil, and starting air subsystem support the operation of the standby AC power sources, they satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Stored diesel fuel oil is required to have sufficient supply for 7 days of full load operation. Included in this requirement is the transfer capability automatically from the Unit 2 and swing DGs storage tanks to the associated day tank and manually from each Unit 2 and swing DG storage tank to the day tanks of each required DG. It is also required to meet specific standards for quality. Additionally, sufficient lube oil supply must be available to ensure the capability to operate at full load for 7 days. This requirement, in conjunction with an ability to obtain replacement supplies within 7 days, supports the availability of DGs required to shut down the reactor and to maintain it in a safe condition for an anticipated operational occurrence (AOO) or a postulated DBA with loss of offsite power. DG day tank fuel oil requirements are addressed in LCO 3.8.1, "AC Sources - Operating," and LCO 3.8.2, "AC Sources - Shutdown." The starting air system is required to have a minimum capacity for five successive DG start attempts without recharging the air start receivers. Only one air start receiver per DG is required, since each air start receiver has the required capacity. APPLICABILITY The AC sources (LCO 3.8.1 and LCO 3.8.2) are required to ensure the availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an AOO or a postulated Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 2 B 3.8-46 REVISION 39 BASES APPLICABILITY DBA. Because stored diesel fuel oil and transfer, lube oil, and starting (continued) air subsystem support LCO 3.8.1 and LCO 3.8.2, stored diesel fuel oil and transfer, lube oil, and starting air are required to be within limits when the associated DG is required to be OPERABLE. ACTIONS The ACTIONS Table is modified by a Note indicating that separate Condition entry is allowed for each DG. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable DG subsystem. Complying with the Required Actions for one inoperable DG subsystem may allow for continued operation, and subsequent inoperable DG subsystem(s) are governed by separate Condition entry and application of associated Required Actions.

A.1 With one or more required DGs with one fuel oil transfer pump inoperable, the inoperable pump must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE fuel transfer pump is adequate to perform the fuel transfer function. However, the overall reliability is reduced because a single failure in the OPERABLE pump could result in loss of the associated DG and loss of the fuel oil in the respective tank. The 30 day Completion Time is based on the remaining fuel oil transfer capability, and the low probability of the need for the DG concurrent with a worst case single failure.

B.1 In this condition, the 7 day fuel oil supply for a required DG is not available. However, the Condition is restricted to fuel oil level reductions that maintain at least a 6 day supply. These circumstances may be caused by events such as:

a. Full load operation required for an inadvertent start while at minimum required level; or

b. Feed and bleed operations that may be necessitated by increasing particulate levels or any number of other oil quality degradations.

Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 2 B 3.8-47 REVISION 39 BASES ACTIONS B.1 (continued) This restriction allows sufficient time for obtaining the requisite replacement volume and performing the analyses required prior to addition of the fuel oil to the tank. A period of 48 hours is considered sufficient to complete restoration of the required level prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period. C.1 With a required DG lube oil inventory < 400 gal, sufficient lube oil to support 7 days of continuous DG operation at full load conditions may not be available. However, the Condition is restricted to lube oil volume reductions that maintain at least a 6 day supply. This restriction allows sufficient time for obtaining the requisite replacement volume. A period of 48 hours is considered sufficient to complete restoration of the required volume prior to declaring the DG inoperable. This period is acceptable based on the remaining capacity (> 6 days), the low rate of usage, the fact that procedures will be initiated to obtain replenishment, and the low probability of an event during this brief period.

D.1 This Condition is entered as a result of a failure to meet the acceptance criterion for particulates. Normally, trending of particulate levels allows sufficient time to correct high particulate levels prior to reaching the limit of acceptability. Poor sample procedures (bottom sampling), contaminated sampling equipment, and errors in laboratory analysis can produce failures that do not follow a trend. Since the presence of particulates does not mean failure of the fuel oil to burn properly in the diesel engine, since particulate concentration is unlikely to change significantly between Surveillance Frequency intervals, and since proper engine performance has been recently demonstrated (within 31 days), it is prudent to allow a brief period prior to declaring the associated DG inoperable. The 7 day Completion Time allows for further evaluation, resampling, and re-analysis of the DG fuel oil. Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 2 B 3.8-48 REVISION 79 BASES ACTIONS E.1 (continued) With required starting air receiver pressure < 225 psig, sufficient capacity for five successive DG start attempts does not exist. However, as long as the receiver pressure is 170 psig, there is adequate capacity for at least one start attempt, and the DG can be considered OPERABLE while the air receiver pressure is restored to the required limit. A period of 48 hours is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This period is acceptable based on the remaining air start capacity, the fact that most DG starts are accomplished on the first attempt, and the low probability of an event during this brief period. F.1 With a Required Action and associated Completion Time of Condition A, B, C, D, or E not met, one or more required DG fuel oil transfer subsystems inoperable for reasons other than Condition A, one or more required DG fuel oil storage tanks with fuel oil level not within limits for reasons other than Condition B, or the stored diesel lube oil or the required starting air subsystem not within limits for reasons other than addressed by Condition C or E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable. SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the Unit 2 and swing DG storage tanks to support the required DGs' operation for 7 days at the assumed load. (See B 3.8.3.) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.3.2 This Surveillance ensures that sufficient lubricating oil inventory (combined inventory in the DG lubricating oil sump and stored in the warehouse) is available to support at least 7 days of full load operation for each required DG. The 400 gal requirement is based on the DG manufacturer's consumption values for the run time of the DG. Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 2 B 3.8-49 REVISION 79 BASES SURVEILLANCE SR 3.8.3.2 (continued) REQUIREMENTS Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, since the DG lube oil sump does not hold adequate inventory for 7 days of full load operation without the level reaching the manufacturer's recommended minimum level. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.3.3 This SR verifies that the required Unit 2 and swing DG fuel oil testing is performed in a accordance with the Diesel Fuel Oil Testing Program. Tests are a means of monitoring the potential degradation related to long term storage and the potential impact to fuel filter plugging as a result of high particulate levels. Specific sampling requirements, frequencies, and additional information are discussed in detail in the Diesel Fuel Oil Testing Program. SR 3.8.3.4 This Surveillance ensures that, without the aid of the refill compressor, sufficient air start capacity for each required DG is available. The system design requirements provide for a minimum of five engine start cycles without recharging. A start cycle is defined by the DG vendor, but usually is measured in terms of time (seconds of cranking) or engine cranking speed. The pressure specified in this SR is intended to reflect the lowest value at which the five starts can be accomplished using one air receiver. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.3.5 This Surveillance demonstrates that each required Unit 2 and swing DG fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. It is required to

Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 (continued) HATCH UNIT 2 B 3.8-50 REVISION 79 BASES SURVEILLANCE SR 3.8.3.5 (continued) REQUIREMENTS support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pumps are OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer are OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.3.6 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Periodic removal of water from the required Unit 2 and swing DG fuel storage tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water in the storage tank may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and from breakdown of the fuel oil by bacteria. Checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.3.7 This Surveillance demonstrates that each required Unit 2 and swing DG fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to each required DG's day tank. It is required to support continuous operation of standby power sources, since fuel from three storage tanks is needed to supply fuel for two DGs to meet the 7 day supply requirement discussed in the Background section of these Bases. This Surveillance provides assurance that the fuel oil transfer pumps are OPERABLE, the fuel oil piping system is intact, Diesel Fuel Oil and Transfer, Lube Oil, and Starting Air B 3.8.3 HATCH UNIT 2 B 3.8-51 REVISION 79 BASES SURVEILLANCE SR 3.8.3.7 (continued) REQUIREMENTS the fuel delivery piping is not obstructed, and the controls and control systems for manual fuel transfer are OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 9.5.4.

2. FSAR, Chapter 6.

3. FSAR, Chapter 15. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-52 REVISION 39 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources - Operating

BASES BACKGROUND The DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3). The station service DC power sources provide both motive and control power to selected safety related and nonsafety related equipment. Each DC subsystem is energized by one 125/250 V station service battery and three 125 V battery chargers (two normally inservice chargers and one standby charger). Each battery is exclusively associated with a single 125/250 VDC bus. Each set of battery chargers exclusively associated with a 125/250 VDC subsystem cannot be interconnected with any other 125/250 VDC subsystem. The normal and backup chargers are supplied from the same AC load groups for which the associated DC subsystem supplies the control power. The loads between the redundant 125/250 VDC subsystem are not transferable except for the Automatic Depressurization System, the logic circuits and valves of which are normally fed from the Division 1 DC system. The diesel generator (DG) DC power sources provide control and instrumentation power for their respective DG and their respective offsite circuit supply breakers. In addition, DG 2A power source provides circuit breaker control power for the respective Division I loads on 4160 VAC buses 2E and 2F, and DG 2C power source provides circuit breaker control power for the respective Division II loads on 4160 VAC buses 2F and 2G. Each DG DC subsystem is energized by one 125 V battery and two 125 V battery chargers (one normally inservice charger and one standby charger). During normal operation, the DC loads are powered from the respective station service and DG battery chargers with the batteries floating on the system. In case of loss of normal power to any battery charger, the DC loads are automatically powered from the associated battery. This will DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-53 REVISION 39 BASES BACKGROUND result in the discharging of the associated battery (and affect the (continued) battery cell parameters).

The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System - Operating," and LCO 3.8.8, "Distribution System - Shutdown." Each battery has adequate storage capacity to carry the required load continuously for approximately 2 hours (Ref. 4). Each DC battery subsystem is separately housed in a ventilated room apart from its charger and distribution panels. Each subsystem is located in an area separated physically and electrically from the other subsystems to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1E subsystems such as batteries, battery chargers, or distribution panels. The batteries for DC electrical power subsystems are sized to produce required capacity at 80% of nameplate rating, corresponding to warranted capacity at end of life. The minimum design voltage limit is 105/210 V. Each battery charger of DC electrical power subsystem has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining a fully charged battery. Each battery charger has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within 24 hours while supplying normal steady state loads (Ref. 4). A description of the Unit 1 DC power sources is provided in the Bases for Unit 1 LCO 3.8.4, "DC Sources - Operating." APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 5) and Chapter 15 (Ref. 6), assume that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system povides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining DC sources OPERABLE during accident conditions in the event of: DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-54 REVISION 39 BASES APPLICABLE a. An assumed loss of all offsite AC power sources or all onsite SAFETY ANALYSES AC power sources; and (continued)

b. A postulated worst case single failure. The DC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 13). LCO The Unit 2 DC electrical power subsystems - with: 1) each station service DC subsystem consisting of two 125 V batteries in series, two battery chargers, and the corresponding control equipment and interconnecting cabling supplying power to the associated bus; and 2) each DG DC subsystem consisting of one battery bank, one battery charger, and the corresponding control equipment and interconnecting cabling - are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. In addition, some components required by Unit 2 require power from Unit 1 sources (e.g., Standby Gas Treatment (SGT) System, Low Pressure Coolant Injection (LPCI) valve load centers, Main Control Room Environmental Control (MCREC) System, and Control Room Air Condition (AC) System). Therefore, the Unit 1 DG DC and the swing DG DC electrical power subsystems needed to provide DC power to the required Unit 1 components are also required to be OPERABLE. Thus, loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 4). APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe unit operation and to ensure that: a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated DBA.

The DC electrical power requirements for MODES 4 and 5, and other conditions in which DC Sources are required, are addressed in the Bases for LCO 3.8.5, "DC Sources - Shutdown." DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-55 REVISION 39 BASES (continued) ACTIONS A.1 If one or more of the required Unit 1 DG DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and associated inoperable battery), or if the swing DG DC electrical power subsystem is inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8, and a loss of function has not occurred as described in Condition E, the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. In the case of an inoperable required Unit 1 DG DC electrical power subsystem, continued power operation should not exceed 7 days since a subsequent postulated worst case single failure could result in the loss of certain safety functions (e.g., SGT System and LPCI valve load centers). The 7 day Completion Time takes into account the capacity and capability of the remaining DC sources, and is based on the shortest restoration time allowed for the systems affected by the inoperable DC source in the respective system Specification. In the case of an inoperable swing DG DC electrical power subsystem, since a subsequent postulated worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a postulated worst case accident, continued power operation should also not exceed 7 days. The 7 day Completion Time is based upon the swing DG DC electrical power subsystem being inoperable due to performance of SR 3.8.4.7 or SR 3.8.4.8. Performance of these two SRs will result in inoperability of the DC battery. Since this battery is common to both units, more time is provided to restore the battery, if the battery is inoperable for performance of required Surveillances, to preclude the need to perform a dual unit shutdown to perform these Surveillances. The swing DG DC electrical power subsystem also does not provide power to the same type of equipment as the other DG DC sources (e.g., breaker control power for 4160 V loads is not provided by the swing DG battery). The Completion Time also takes into account the capacity and capability of the remaining DC sources. B.1 If a Unit 2 or swing DG DC electric power subsystem is inoperable (for reasons other than Condition A), the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent postulated worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a postulated worst DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-56 REVISION 39 BASES ACTIONS B.1 (continued) case accident, continued power operation should not exceed 12 hours. The 12 hour Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining the DG DC electrical power subsystem OPERABLE. (The DG DC electrical power subsystem affects both the DG and the offsite circuit, as well as the breaker closure power for various 4160 V AC loads, but does not affect 125/250 V DC station service loads.)

C.1 Condition C represents one Unit 2 station service division with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected division. The 2 hour limit is consistent with the allowed time for an inoperable DC Distribution System division. If one of the required DC electrical power subsystems is inoperable (e.g., inoperable battery, inoperable battery charger(s), or inoperable battery charger and associated inoperable battery), the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition. Since a subsequent postulated worst case single failure could result in the loss of minimum necessary DC electrical subsystems to mitigate a postulated worst case accident, continued power operation should not exceed 2 hours. The 2 hour Completion Time is based on Regulatory Guide 1.93 (Ref. 7) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown. D1. and D.2 If the DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours and to MODE 4 within 36 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems. The Completion Time DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-57 REVISION 79 BASES ACTIONS D.1 and D.2 (continued) to bring the unit to MODE 4 is consistent with the time required in Regulatory Guide 1.93 (Ref. 7).

E.1 Condition E corresponds to a level of degradation in the DC electrical power subsystems that causes a required safety function to be lost. When more than one DC source is lost, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown. SURVEILLANCE The SRs are modified by a NOTE to indicate that SR 3.8.4.1 through REQUIREMENTS SR 3.8.4.8 apply only to the Unit 2 DC sources, and that SR 3.8.4.9 applies only to the Unit 1 DC sources.

SR 3.8.4.1 Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. Voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The voltage requirement for battery terminal voltage is based on the open circuit voltage of a lead-calcium cell of nominal 1.215 specific gravity. Without regard to other battery parameters, this voltage is indicative of a battery that is capable of performing its required safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.2 Visual inspection to detect corrosion of the battery cells and connections, or measurement of the resistance of each inter-cell, DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-58 REVISION 79 BASES SURVEILLANCE SR 3.8.4.2 (continued) REQUIREMENTS inter-rack, inter-tier, and terminal connection, provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery and the possibility of battery damage due to heating of connections. The resistance values for each battery connection are located in the Technical Requirements Manual (Ref. 9). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.3 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.4 and SR 3.8.4.5 Visual inspection and resistance measurements of inter-cell, inter-rack, inter-tier, and terminal connections provides an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anti-corrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection. The removal of visible corrosion is a preventive maintenance SR. The presence of visible corrosion does not necessarily represent a failure of this SR, provided visible corrosion is removed during performance of this Surveillance.

DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-59 REVISION 79 BASES SURVEILLANCE SR 3.8.4.4 and SR 3.8.4.5 (continued) REQUIREMENTS The connection resistance limits are established to maintain connection resistance as low as reasonably possible to minimize the overall voltage drop across the battery and the possibility of battery damage due to heating of connections. The resistance values for each battery connection are located in the Technical Requirements Manual (Ref. 9). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.6 Battery charger capability requirements are based on the design capacity of the chargers (Ref. 4). According to Regulatory Guide 1.32 (Ref. 10), each battery charger supply is required to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences. The minimum required amperes and duration ensures that these requirements can be satisfied. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.8.4.7 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length corresponds to the design duty cycle requirements as specified in Reference 4. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program . This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test in lieu of a service test.

DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-60 REVISION 79 BASES SURVEILLANCE SR 3.8.4.7 (continued) REQUIREMENTS The modified performance discharge test is a simulated duty cycle consisting of just two rates: the 1 minute rate published for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a rated 1 minute discharge represent a very small portion of the battery capacity, the test rate can be changed to that for the performance test without compromising the results of the performance discharge test. The battery terminal voltage for the modified performance discharge test should remain above the minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test. A modified performance discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to determining its percentage of rated capacity. Initial conditions for the modified performance discharge test should be identical to those specified for a service discharge test. The reason for Note 2 is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. The swing DG DC battery is exempted from this restriction, since it is required by both units' LCO 3.8.4 and cannot be performed in the manner required by the Note without resulting in a dual unit shutdown. SR 3.8.4.8 A battery performance discharge test is a constant current capacity test to detect any change in the capacity determined by the acceptance test. Initial conditions consistent with IEEE 450 need to be met prior to the performing of a battery performance discharge test. The test results reflect the overall effects of usage and age. A battery modified performance discharge test is described in the Bases for SR 3.8.4.7. Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3.8.4.8; however, only the modified performance discharge test may be used to satisfy SR 3.8.4.8, while satisfying the requirements of SR 3.8.4.7 at the same time. DC Sources - Operating B 3.8.4 (continued) HATCH UNIT 2 B 3.8-61 REVISION 79 BASES SURVEILLANCE SR 3.8.4.8 (continued) REQUIREMENTS The acceptance criteria for this Surveillance is consistent with IEEE-450 (Ref. 8) and IEEE-485 (Ref. 12). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. Although there may be ample capacity, the battery rate of deterioration is rapidly increasing. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program This SR is modified by a Note. The reason for the Note is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the electrical distribution system, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. The swing DG DC battery is exempted from this restriction, since it is required by both units' LCO 3.8.4 and cannot be performed in the manner required by the Note without resulting in a dual unit shutdown.

SR 3.8.4.9 With the exception of this Surveillance, all other Surveillances of this Specification (SR 3.8.4.1 through SR 3.8.4.8) are applied only to the Unit 2 DC sources. This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 1 DC sources are governed by the Unit 1 Technical Specifications. Performance of the applicable Unit 1 Surveillances will satisfy both any Unit 1 requirements, as well as satisfying this Unit 2 SR. The Frequency required by the applicable Unit 1 SR also governs performance of that SR for both Units.

DC Sources - Operating B 3.8.4 HATCH UNIT 2 B 3.8-62 REVISION 79 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. Regulatory Guide 1.6.

3. IEEE Standard 308-1971. 4. FSAR, Paragraphs 8.3.2.1.1 and 8.3.2.1.2.

5. FSAR, Chapter 6.

6. FSAR, Chapter 15.

7. Regulatory Guide 1.93, December 1974. 8. IEEE Standard 450-1987. 9. Technical Requirements Manual, Section 9.0.

10. Regulatory Guide 1.32, February 1977. 11. Not used 12. IEEE Standard 485-1983.

13. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

DC Sources - Shutdown B 3.8.5 (continued)B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources - Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources - Operating." APPLICABLE The initial conditions of Design Basis Accident and transient analyses SAFETY ANALYSES in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY. The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods; b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as an inadvertent draindown of the vessel or a fuel handling accident.

The DC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 3). LCO The necessary Unit 2 DC electrical power subsystems -- with: 1) each station service DC subsystem consisting of two 125 V batteries in series, two battery chargers, and the corresponding control equipment and interconnecting cabling; and 2) each DG DC subsystem consisting of one battery bank, one battery charger, and HATCH UNIT 2 B 3.8-63 REVISION 39 DC Sources - Shutdown B 3.8.5 (continued)BASES LCO the corresponding control equipment and interconnecting cabling -- (continued) are required to be OPERABLE to support required DC distribution subsystems required OPERABLE by LCO 3.8.8, "Distribution Systems - Shutdown." In addition, some components that may be required by Unit 2 require power from Unit 1 sources (e.g., Standby Gas Treatment (SGT) System and LPCI valve load centers). Therefore, the Unit 1 DG DC and the swing DG DC electrical power subsystems needed to provide DC power to the required Unit 1 components are also required to be OPERABLE. This requirement ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents and inadvertent reactor vessel draindown). APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Required features to provide adequate coolant inventory makeup are available for the irradiated fuel assemblies in the core in case of an inadvertent draindown of the reactor vessel; b. Required features needed to mitigate a fuel handling accident are available; c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition. The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4. ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4 If more than one DC distribution subsystem is required according to LCO 3.8.8, the DC subsystems remaining OPERABLE with one or more DC power sources inoperable may be capable of supporting sufficient required features to allow continuation of CORE HATCH UNIT 2 B 3.8-64 REVISION 39 DC Sources - Shutdown B 3.8.5 (continued)BASES ACTIONS A.1, A.2.1, A.2.2, A.2.3, and A.2.4 (continued) ALTERATIONS, fuel movement, and operations with a potential for draining the reactor vessel. By allowance of the option to declare required features inoperable with associated DC power sources inoperable, appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of irradiated fuel assemblies in the secondary containment, and any activities that could result in inadvertent draining of the reactor vessel). Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems. The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power. SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.8. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR. This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

SR 3.8.5.2 This Surveillance is provided to direct that the appropriate Surveillances for the required Unit 1 DC sources are governed by the HATCH UNIT 2 B 3.8-65 REVISION 39 DC Sources - Shutdown B 3.8.5 BASES SURVEILLANCE SR 3.8.5.2 (continued) REQUIREMENTS Unit 1 Technical Specifications. Performance of the applicable Unit 1 Surveillances will satisfy both any Unit 1 requirements, as well as satisfying this Unit 2 Surveillance Requirement. The Frequency required by the applicable Unit 1 SR also governs performance of that SR for both Units. REFERENCES 1. FSAR, Chapter 6. 2. FSAR, Chapter 15. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993. HATCH UNIT 2 B 3.8-66 REVISION 39 Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 2 B 3.8-67 REVISION 39 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.6 Battery Cell Parameters

BASES BACKGROUND This LCO delineates the limits on electrolyte temperature, level, float voltage, and specific gravity for the DC electrical power subsystems batteries. A discussion of these batteries and their OPERABILITY requirements is provided in the Bases for LCO 3.8.4, "DC Sources - Operating," and LCO 3.8.5, "DC Sources - Shutdown." APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature systems are OPERABLE. The DC electrical power subsystems provide normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining at least one division of DC sources OPERABLE during accident conditions, in the event of:

a. An assumed loss of all offsite AC or all onsite AC power; and

b. A postulated worst case single failure.

Since battery cell parameters support the operation of the DC electrical power subsystems, they satisfy Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Battery cell parameters must remain within acceptable limits to ensure availability of the required DC power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence or a postulated DBA. Cell parameter limits are established to allow continued DC electrical system function even with Category A and B limits not met. Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 2 B 3.8-68 REVISION 39 BASES (continued) APPLICABILITY The battery cell parameters are required solely for the support of the associated DC electrical power subsystem. Therefore, these cell parameters are only required when the DC power source is required to be OPERABLE. Refer to the Applicability discussions in Bases for LCO 3.8.4 and LCO 3.8.5. ACTIONS A Note has been added providing that, for this LCO, separate Condition entry is allowed for each battery. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable battery. Complying with the Required Actions for battery cell parameters allows for restoration and continued operation, and subsequent out of limit battery cell parameters may be governed by separate Condition entry and application of associated Required Actions. A.1, A.2, and A.3 With parameters of one or more cells in one or more batteries not within limits (i.e., Category A limits not met or Category B limits not met, or Category A and B limits not met) but within the Category C limits specified in Table 3.8.6-1, the battery is degraded but there is still sufficient capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of Category A or B limits not met, and continued operation is permitted for a limited period. The pilot cell electrolyte level and float voltage are required to be verified to meet the Category C limits within 1 hour (Required Action A.1). This check provides a quick indication of the status of the remainder of the battery cells. One hour provides time to inspect the electrolyte level and to confirm the float voltage of the pilot cells. One hour is considered a reasonable amount of time to perform the required verification. Verification that the Category C limits are met (Required Action A.2) provides assurance that during the time needed to restore the parameters to the Category A and B limits, the battery is still capable of performing its intended function. A period of 24 hours is allowed to complete the initial verification because specific gravity measurements must be obtained for each connected cell. Taking into consideration both the time required to perform the required verification and the assurance that the battery cell parameters are not severely degraded, this time is considered reasonable. The

Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 2 B 3.8-69 REVISION 79 BASES ACTIONS A.1, A.2, and A.3 (continued) verification is repeated at 7 day intervals until the parameters are restored to Category A and B limits. This periodic verification is consistent with the normal Frequency of pilot cell surveillances. Continued operation is only permitted for 31 days before battery cell parameters must be restored to within Category A and B limits. Taking into consideration that, while battery capacity is degraded, sufficient capacity exists to perform the intended function and to allow time to fully restore the battery cell parameters to normal limits, this time is acceptable for operation prior to declaring the associated DC battery inoperable. B.1 When any battery parameter is outside the Category C limit for any connected cell, sufficient capacity to supply the maximum expected load requirement is not ensured and the corresponding DC electrical power subsystem must be declared inoperable. Additionally, other potentially extreme conditions, such as not completing the Required Actions of Condition A within the required Completion Time or average electrolyte temperature of representative cells falling below the appropriate limit (65°F for station service and 40°F for DG batteries), also are cause for immediately declaring the associated DC electrical power subsystem inoperable. SURVEILLANCE SR 3.8.6.1 REQUIREMENTS This SR verifies that Category A battery cell parameters are consistent with IEEE-450 (Ref. 3), which recommends regular battery inspections in accordance with the Surveillance Frequency Control Program including voltage, specific gravity, and electrolyte level of pilot cells. SR 3.8.6.2 The 92 day inspection of specific gravity, cell voltage, and level is consistent with IEEE-450 (Ref. 3). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. In addition, within 24 hours of a battery overcharge > 150 V, the battery must be demonstrated to meet Category B limits. This inspection Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 2 B 3.8-70 REVISION 79 BASES SURVEILLANCE SR 3.8.6.2 (continued) REQUIREMENTS is also consistent with IEEE-450 (Ref. 3), which recommends special inspections following a severe overcharge, to ensure that no significant degradation of the battery occurs as a consequence of such overcharge. SR 3.8.6.3 This Surveillance verification that the average temperature of representative cells is within limits is consistent with a recommendation of IEEE-450 (Ref. 3) that states that the temperature of electrolyte in representative cells should be determined in accordance with the Surveillance Frequency Control Program. Lower than normal temperatures act to inhibit or reduce battery capacity. This SR ensures that the operating temperatures remain within an acceptable operating range. This limit is based on IEEE-450 or the manufacturer's recommendations when provided. Table 3.8.6-1 This table delineates the limits on electrolyte level, float voltage, and specific gravity for three different categories. The meaning of each category is discussed below. Category A defines the normal parameter limit for each designated pilot cell in each battery. The cells selected as pilot cells are those whose temperature, voltage, and electrolyte specific gravity approximate the state of charge of the entire battery. The Category A limits specified for electrolyte level are based on manufacturer's recommendations and are consistent with the guidance in IEEE-450 (Ref. 3), with the extra 1/4 inch allowance above the high water level indication for operating margin to account for temperature and charge effects. In addition to this allowance, footnote a to Table 3.8.6-1 permits the electrolyte level to be above the specified maximum level during equalizing charge, provided it is not overflowing. These limits ensure that the plates suffer no physical damage, and that adequate electron transfer capability is maintained in the event of transient conditions. IEEE-450 (Ref. 3) recommends that electrolyte level readings should be made only after the battery has been at float charge for at least 72 hours. The Category A limit specified for float voltage is 2.13 V per cell. This value is based on the recommendation of IEEE-450 (Ref. 3), Battery Cell Parameters B 3.8.6 (continued) HATCH UNIT 2 B 3.8-71 REVISION 39 BASES SURVEILLANCE Table 3.8.6-1 (continued) REQUIREMENTS which states that prolonged operation of cells below 2.13 V can reduce the life expectancy of cells. The Category A limit specified for specific gravity for each pilot cell is 1.200 (0.015 below the manufacturer's fully charged nominal specific gravity) or a battery charging current that had stabilized at a low value. This value is characteristic of a charged cell with adequate capacity. According to IEEE-450 (Ref. 3), the specific gravity readings are based on a temperature of 77°F (25°C). The specific gravity readings are corrected for actual electrolyte temperature and level. For each 3°F (1.67°C) above 77°F (25°C), 1 point (0.001) is added to the reading; 1 point is subtracted for each 3°F below 77°F. The specific gravity of the electrolyte in a cell increases with a loss of water due to electrolysis or evaporation. Level correction will be in accordance with manufacturer's recommendations. Category B defines the normal parameter limits for each connected cell. The term "connected cell" excludes any battery cell that may be jumpered out. The Category B limits specified for electrolyte level and float voltage are the same as those specified for Category A and have been discussed above. The Category B limit specified for specific gravity for each connected cell is 1.195 (0.020 below the manufacturer's fully charged, nominal specific gravity) with the average of all connected cells 1.205 (0.010 below the manufacturer's fully charged, nominal specific gravity). These values are based on manufacturer's recommendations. The minimum specific gravity value required for each cell ensures that the effects of a highly charged or newly installed cell do not mask overall degradation of the battery. Category C defines the limits for each connected cell. These values, although reduced, provide assurance that sufficient capacity exists to perform the intended function and maintain a margin of safety. When any battery parameter is outside the Category C limit, the assurance of sufficient capacity described above no longer exists, and the battery must be declared inoperable. The Category C limits specified for electrolyte level (above the top of the plates and not overflowing) ensure that the plates suffer no physical damage and maintain adequate electron transfer capability. The Category C limit for voltage is based on IEEE-450 (Ref. 3), which Battery Cell Parameters B 3.8.6 HATCH UNIT 2 B 3.8-72 REVISION 39 BASES SURVEILLANCE Table 3.8.6-1 (continued) REQUIREMENTS states that a cell voltage of 2.07 V or below, under float conditions and not caused by elevated temperature of the cell, indicates internal cell problems and may require cell replacement. The Category C Allowable Value of average specific gravity 1.195, is based on manufacturer's recommendations (0.020 below the manufacturer's recommended fully charged, nominal specific gravity). In addition to that limit, it is required that the specific gravity for each connected cell must be no less than 0.020 below the average of all connected cells. This limit ensures that the effect of a highly charged or new cell does not mask overall degradation of the battery. The footnotes to Table 3.8.6-1 that apply to specific gravity are applicable to Category A, B, and C specific gravity. Footnote b of Table 3.8.6-1 requires the above mentioned correction for electrolyte level and temperature, with the exception that level correction is not required when battery charging current, while on float charge, is < 1 amp for station service batteries and < 0.5 amp for DG batteries. This current provides, in general, an indication of overall battery condition. Because of specific gravity gradients that are produced during the recharging process, delays of several days may occur while waiting for the specific gravity to stabilize. A stabilized charger current is an acceptable alternative to specific gravity measurement for determining the state of charge of the designated pilot cell. This phenomenon is discussed in IEEE-450 (Ref. 3). Footnote c to Table 3.8.6-1 allows the float charge current to be used as an alternate to specific gravity for up to 7 days following a battery recharge. REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15. 3. IEEE Standard 450-1987.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 2 B 3.8-73 REVISION 39 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems - Operating BASES BACKGROUND The onsite Class 1E AC and DC electrical power distribution system is divided into redundant and independent AC and DC electrical power distribution subsystems. The primary AC distribution system consists of three 4.16 kV Engineered Safety Feature (ESF) buses each having an offsite source of power as well as a dedicated onsite diesel generator (DG) source. Each 4.16 kV ESF bus is normally connected to a normal source startup auxiliary transformer (SAT) (2D). During a loss of the normal offsite power source to the 4.16 kV ESF buses, the alternate supply breaker from SAT 2C attempts to close. If all offsite sources are unavailable, the onsite emergency DGs supply power to the 4.16 kV ESF buses. The secondary plant distribution system includes 600 VAC emergency buses 2C and 2D and associated load centers, and transformers. There are two independent 125/250 VDC station service electrical power distribution subsystems and three independent 125 VDC DG electrical power distribution subsystems that support the necessary power for ESF functions. A description of the Unit 1 AC and DC electrical power distribution system is provided in the Bases for Unit 1 LCO 3.8.7, "Distribution System - Operating." The list of required Unit 2 distribution buses is presented in LCO 3.8.7. APPLICABLE The initial conditions of Design Basis Accident (DBA) and transient SAFETY ANALYSES analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ESF systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.5, Emergency Core. Distribution Systems - Operating B 3.8.7 (continued) HATCH UNIT 2 B 3.8-74 REVISION 39 BASES APPLICABLE Cooling Systems (ECCS) and Reactor Core Isolation Cooling (RCIC) SAFETY ANALYSES System; and Section 3.6 Containment Systems.

(continued)

The OPERABILITY of the AC and DC electrical power distribution subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining distribution systems OPERABLE during accident conditions in the event of: a. An assumed loss of all offsite power sources or all onsite AC electrical power sources; and b. A postulated worst case single failure. The AC and DC electrical power distribution system satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO The Unit 2 AC and DC electrical power distribution subsystems are required to be OPERABLE. The required Unit 2 electrical power distribution subsystems listed in LCO 3.8.7 ensure the availability of AC and DC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated DBA. Should one or more buses not listed in LCO 3.8.7 become inoperable due to a failure not affecting the OPERABILITY of a bus listed in LCO 3.8.7 (e.g., a breaker supplying a single MCC faults open), the individual loads on the bus would be considered inoperable, and the appropriate Conditions and Required Actions of the LCOs governing the individual loads would be entered. If however, one or more of these buses is inoperable due to a failure also affecting the OPERABILITY of a bus listed in LCO 3.8.7 (e.g., loss of a 4.16 kV ESF bus, which results in de-energization of all buses powered from the 4.16 kV ESF bus), the Conditions and Required Actions of the LCO for the individual loads are not required to be entered, since LCO 3.0.6 allows this exception (i.e., the loads are inoperable due to the inoperability of a support system governed by a Technical Specification; the 4.16 kV ESF bus). In addition, since some components required by Unit 2 receive power through Unit 1 electrical power distribution subsystems (e.g., Standby Gas Treatment (SGT) System, Low Pressure Coolant Injection (LPCI) valve load centers, Main Control Room Environmental Control (MCREC) System,and Control Room Air Conditioning (AC) System), the Unit 1 AC and DC electrical power distribution subsystems needed to support the required equipment must also be OPERABLE.

Refueling Equipment Interlocks B 3.9.1 (continued) HATCH UNIT 2 B 3.9-1 REVISION 0 B 3.9 REFUELING OPERATIONS B 3.9.1 Refueling Equipment Interlocks

BASES BACKGROUND Refueling equipment interlocks restrict the operation of the refueling equipment or the withdrawal of control rods to reinforce unit procedures that prevent the reactor from achieving criticality during refueling. The refueling interlock circuitry senses the conditions of the refueling equipment and the control rods. Depending on the sensed conditions, interlocks are actuated to prevent the operation of the refueling equipment or the withdrawal of control rods. GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods, when fully inserted, serve as the system capable of maintaining the reactor subcritical in cold conditions during all fuel movement activities and accidents. Instrumentation is provided to sense the position of the refueling platform, the loading of the refueling platform fuel grapple, and the full insertion of all control rods. Additionally, inputs are provided for the loading of the refueling platform frame-mounted hoist, the loading of the refueling platform trolley-mounted hoist, the full retraction of the fuel grapple, and the loading of the service platform hoist. With the reactor mode switch in the shutdown or refueling position, the indicated conditions are combined in logic circuits to determine if all restrictions on refueling equipment operations and control rod insertion are satisfied. A control rod not at its full-in position interrupts power to the refueling equipment and prevents operating the equipment over the reactor core when loaded with a fuel assembly. Conversely, the refueling equipment located over the core and loaded with fuel inserts a control rod withdrawal block in the Control Rod Drive System to prevent withdrawing a control rod. The refueling platform has two mechanical switches that open before the platform or any of its hoists are physically located over the reactor vessel. All refueling hoists have switches that open when the hoists are loaded with fuel. The refueling interlocks use these indications to prevent operation of the refueling equipment with fuel loaded over the core whenever any Refueling Equipment Interlocks B 3.9.1 (continued) HATCH UNIT 2 B 3.9-2 REVISION 0 BASES BACKGROUND control rod is withdrawn, or to prevent control rod withdrawal (continued) whenever fuel loaded refueling equipment is over the core (Ref. 2).

The hoist switches open at a load lighter than the weight of a single fuel assembly in water. APPLICABLE The refueling interlocks are explicitly assumed in the FSAR analyses SAFETY ANALYSES for the control rod removal error during refueling (Ref. 3) and the fuel assembly insertion error during refueling (Ref. 4). These analyses evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Criticality and, therefore, subsequent prompt reactivity excursions are prevented during the insertion of fuel, provided all control rods are fully inserted during the fuel insertion. The refueling interlocks accomplish this by preventing loading of fuel into the core with any control rod withdrawn or by preventing withdrawal of a rod from the core during fuel loading. The refueling platform location switches activate at a point outside of the reactor core such that, with a fuel assembly loaded and a control rod withdrawn, the fuel is not over the core. Refueling equipment interlocks satisfy Criterion 3 of the NRC Policy Statement (Ref. 5). LCO To prevent criticality during refueling, the refueling interlocks ensure that fuel assemblies are not loaded with any control rod withdrawn. To prevent these conditions from developing, the all-rods-in, the refueling platform position, the refueling platform fuel grapple fuel loaded, the refueling platform trolley-mounted hoist fuel loaded, the refueling platform frame-mounted hoist fuel loaded, the refueling platform fuel grapple full-up position, and the service platform hoist fuel loaded inputs are required to be OPERABLE. These inputs are combined in logic circuits, which provide refueling equipment or control rod blocks to prevent operations that could result in criticality during refueling operations.

Refuel Position One-Rod-Out Interlock B 3.9.2 (continued) HATCH UNIT 2 B 3.9-5 REVISION 0 B 3.9 REFUELING OPERATIONS B 3.9.2 Refuel Position One-Rod-Out Interlock

BASES BACKGROUND The refuel position one-rod-out interlock restricts the movement of control rods to reinforce unit procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn. GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions. The refuel position one-rod-out interlock prevents the selection of a second control rod for movement when any other control rod is not fully inserted (Ref. 2). It is a logic circuit that has redundant channels. It uses the all-rods-in signal (from the control rod full-in position indicators discussed in LCO 3.9.4, "Control Rod Position Indication") and a rod selection signal (from the Reactor Manual Control System). This Specification ensures that the performance of the refuel position one-rod-out interlock in the event of a Design Basis Accident meets the assumptions used in the safety analysis of Reference 3. APPLICABLE The refueling position one-rod-out interlock is explicitly assumed SAFETY ANALYSES in the FSAR analysis for the control rod withdrawal error during refueling (Ref. 3). This analysis evaluates the consequences of control rod withdrawal during refueling. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. The refuel position one-rod-out interlock and adequate SDM (LCO 3.1.1, "Shutdown Margin (SDM)") prevent criticality by preventing withdrawal of more than one control rod. With one control rod withdrawn, the core will remain subcritical, thereby preventing any prompt critical excursion. The refuel position one-rod-out interlock satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). Refuel Position One-Rod-Out Interlock B 3.9.2 (continued) HATCH UNIT 2 B 3.9-6 REVISION 0 BASES (continued) LCO To prevent criticality during MODE 5, the refuel position one-rod-out interlock ensures no more than one control rod may be withdrawn. Both channels of the refuel position one-rod-out interlock are required to be OPERABLE and the reactor mode switch must be locked in the refuel position to support the OPERABILITY of these channels. APPLICABILITY In MODE 5, with the reactor mode switch in the refuel position, the OPERABLE refuel position one-rod-out interlock provides protection against prompt reactivity excursions. In MODES 1, 2, 3, and 4, the refuel position one-rod-out interlock is not required to be OPERABLE and is bypassed. In MODES 1 and 2, the Reactor Protection System (LCO 3.3.1.1) and the control rods (LCO 3.1.3) provide mitigation of potential reactivity excursions. In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block (LCO 3.3.2.1) ensures all control rods are inserted, thereby preventing criticality during shutdown conditions. ACTIONS A.1 and A.2 With one or both channels of the refueling position one-rod-out interlock inoperable, the refueling interlocks may not be capable of preventing more than one control rod from being withdrawn. This condition may lead to criticality. Control rod withdrawal must be immediately suspended, and action must be immediately initiated to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Action must continue until all such control rods are fully inserted. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and, therefore, do not have to be inserted. SURVEILLANCE SR 3.9.2.1 REQUIREMENTS Proper functioning of the refueling position one-rod-out interlock requires the reactor mode switch to be in Refuel. During control rod withdrawal in MODE 5, improper positioning of the reactor mode switch could, in some instances, allow improper bypassing of required interlocks. Therefore, this Surveillance imposes an additional level of assurance that the refueling position one-rod-out interlock will be Refuel Position One-Rod-Out Interlock B 3.9.2 HATCH UNIT 2 B 3.9-7 REVISION 79 BASES SURVEILLANCE SR 3.9.2.1 (continued) REQUIREMENTS OPERABLE when required. By "locking" the reactor mode switch in the proper position (i.e., removing the reactor mode switch key from the console while the reactor mode switch is positioned in refuel), an additional administrative control is in place to preclude operator errors from resulting in unanalyzed operation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.9.2.2 Performance of a CHANNEL FUNCTIONAL TEST on each channel demonstrates the associated refuel position one-rod-out interlock will function properly when a simulated or actual signal indicative of a required condition is injected into the logic. The CHANNEL FUNCTIONAL TEST may be performed by any series of sequential, overlapping, or total channel steps so that the entire channel is tested. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. To perform the required testing, the applicable condition must be entered (i.e., a control rod must be withdrawn from its full-in position). Alternatively, the control rod withdrawal, and the attempted withdrawal of the second control rod, may be simulated. In either case, SR 3.9.2.2 has been modified by a Note that states the CHANNEL FUNCTIONAL TEST is not required to be performed until 1 hour after any control rod is withdrawn. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26. 2. FSAR, Section 7.6.1.

3. FSAR, Section 15.1.13. 4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Position B 3.9.3 (continued) HATCH UNIT 2 B 3.9-8 REVISION 0 B 3.9 REFUELING OPERATIONS B 3.9.3 Control Rod Position

BASES BACKGROUND Control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the Control Rod Drive System. During refueling, movement of control rods is limited by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2) or the control rod block with the reactor mode switch in the shutdown position (LCO 3.3.2.1). GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The control rods serve as the system capable of maintaining the reactor subcritical in cold conditions. The refueling interlocks allow a single control rod to be withdrawn at any time unless fuel is being loaded into the core. To preclude loading fuel assemblies into the core with a control rod withdrawn, all control rods must be fully inserted. This prevents the reactor from achieving criticality during refueling operations. APPLICABLE Prevention and mitigation of prompt reactivity excursions during SAFETY ANALYSES refueling are provided, when required, by the refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the intermediate range monitor neutron flux scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1). The safety analysis for the control rod withdrawal error during refueling in the FSAR (Ref. 2) assumes the functioning of the refueling interlocks and adequate SDM. The analysis for the fuel assembly insertion error (Ref. 3) assumes all control rods are fully inserted. Thus, prior to fuel reload, all control rods must be fully inserted to minimize the probability of an inadvertent criticality. Control rod position satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO All control rods must be fully inserted during applicable refueling conditions to minimize the probability of an inadvertent criticality during refueling.

Control Rod Position B 3.9.3 HATCH UNIT 2 B 3.9-9 REVISION 79 BASES (continued) APPLICABILITY During MODE 5, loading fuel into core cells with control rods withdrawn may result in inadvertent criticality. Therefore, the control rods must be inserted before loading fuel into a core cell. All control rods must be inserted before loading fuel to ensure that a fuel loading error does not result in loading fuel into a core cell with the control rod withdrawn. In MODES 1, 2, 3, and 4, the reactor pressure vessel head is on, and no fuel loading activities are possible. Therefore, this Specification is not applicable in these MODES. ACTIONS A.1 With all control rods not fully inserted during the applicable conditions, an inadvertent criticality could occur that is not analyzed in the FSAR. All fuel loading operations must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.9.3.1 REQUIREMENTS During refueling, to ensure that the reactor remains subcritical, all control rods must be fully inserted prior to and during fuel loading. Periodic checks of the control rod position ensure this condition is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Section 15.1.13. 3. FSAR, Section 15.1.14.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

Control Rod Position IndicationB 3.9.4(continued)HATCH UNIT 2B 3.9-10REVISION 0B 3.9 REFUELING OPERATIONSB 3.9.4 Control Rod Position IndicationBASESBACKGROUNDThe full-in position indication channel for each control rod providesnecessary information to the refueling interlocks to prevent inadvertentcriticalities during refueling operations. During refueling, the refuelinginterlocks (LCO 3.9.1 and LCO 3.9.2) use the full-in position indicationchannel to limit the operation of the refueling equipment and themovement of the control rods. The absence of the full-in position channel signal for any control rod removes the all-rods-in permissivefor the refueling equipment interlocks and prevents fuel loading. Also,this condition causes the refuel position one-rod-out interlock to notallow the withdrawal of any other control rod.GDC 26 of 10 CFR 50, Appendix A, requires that one of the tworequired independent reactivity control systems be capable of holdingthe reactor core subcritical under cold conditions (Ref. 1). The controlrods serve as the system capable of maintaining the reactorsubcritical in cold conditions.APPLICABLEPrevention and mitigation of prompt reactivity excursions duringSAFETY ANALYSESrefueling are provided, when required, by the refueling interlocks(LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the intermediaterange monitor neutron flux scram (LCO 3.3.1.1), and the control rodblock instrumentation (LCO 3.3.2.1).The safety analysis for the control rod withdrawal error duringrefueling (Ref. 2) assumes the functioning of the refueling interlocksand adequate SDM. The analysis for the fuel assembly insertion error(Ref. 3) assumes all control rods are fully inserted. The full-in position indication channel is required to be OPERABLE so that the refuelinginterlocks can ensure that fuel cannot be loaded with any control rodwithdrawn and that no more than one control rod can be withdrawn ata time.Control rod position indication satisfies Criterion 3 of the NRC PolicyStatement (Ref. 4). Control Rod Position IndicationB 3.9.4(continued)HATCH UNIT 2B 3.9-11REVISION 0BASES (continued)LCOEach control rod full-in position indication channel must beOPERABLE to provide the required input to the refueling interlocks. Achannel is OPERABLE if it provides correct position indication to therefueling interlock logic.APPLICABILITYDuring MODE 5, the control rods must have OPERABLE full-inposition indication channels to ensure the applicable refueling interlocks will be OPERABLE.In MODES 1 and 2, requirements for control rod position are specifiedin LCO 3.1.3, "Control Rod OPERABILITY." In MODES 3 and 4, with the reactor mode switch in the shutdown position, a control rod block(LCO 3.3.2.1) ensures all control rods are inserted, thereby preventingcriticality during shutdown conditions.ACTIONSA Note has been provided to modify the ACTIONS related to controlrod position indication channels. Section 1.3, Completion Times,specifies that once a Condition has been entered, subsequentdivisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will notresult in separate entry into the Condition. Section 1.3 also specifiesthat Required Actions of the Condition continue to apply for eachadditional failure, with Completion Times based on initial entry into theCondition. However, the Required Actions for inoperable control rodposition indication channels provide appropriate compensatorymeasures for separate inoperable channels. As such, this Note has been provided, which allows separate Condition entry for eachinoperable required control rod position indication channel.A.1.1, A.1.2, A.1.3, A.2.1, and A.2.2With one or more required full-in position indication channelsinoperable, compensating actions must be taken to protect againstpotential reactivity excursions from fuel assembly insertions orcontrol rod withdrawals. This may be accomplished by immediatelysuspending in-vessel fuel movement and control rod withdrawal, and immediately initiating action to fully insert all insertable control rods incore cells containing one or more fuel assemblies. Actions mustcontinue until all insertable control rods in core cells containing oneor more fuel assemblies are fully inserted. Suspension ofin-vessel fuel movements and control rod withdrawal shall not preclude moving a component to a safe position. Control Rod Position IndicationB 3.9.4HATCH UNIT 2B 3.9-12REVISION 0BASESACTIONSA.1.1, A.1.2, A.1.3, A.2.1, and A.2.2 (continued)Alternatively, actions must be immediately initiated to fully insert thecontrol rod(s) associated with the inoperable full-in positionindicator(s) and disarm (electrically or hydraulically) the drive(s) to ensure that the control rod is not withdrawn. A control rod can behydraulically disarmed by closing the drive water and exhaust waterisolation valves. A control rod can be electrically disarmed bydisconnecting power from all four direction control valve solenoids.Actions must continue until all associated control rods are fullyinserted and drives are disarmed. Under these conditions (control rodfully inserted and disarmed), an inoperable full-in channel may be bypassed to allow refueling operations to proceed. An alternatemethod must be used to ensure the control rod is fully inserted (e.g.,use the "00" notch position indication).SURVEILLANCESR 3.9.4.1REQUIREMENTSThe full-in position indication channels provide input to the one-rod-out interlock and other refueling interlocks that require an all-rods-inpermissive. The interlocks are actuated when the full-in positionindication for any control rod is not present, since this indicates that all rods are not fully inserted. Therefore, testing of the full-in positionindication channels is performed to ensure that when a control rod iswithdrawn, the full-in position indication is not present. The full-inposition indication channel is considered inoperable even with thecontrol rod fully inserted, if it would continue to indicate full-in with the control rod withdrawn. Performing the SR each time a control rod iswithdrawn from the full-in position is considered adequate because ofthe procedural controls on control rod withdrawals and the visual andaudible indications available in the control room to alert the operator tocontrol rods not fully inserted.REFERENCES1.10 CFR 50, Appendix A, GDC 26.2.FSAR, Section 15.1.13.3.FSAR, Section 15.1.14. 4.NRC No. 93-102, "Final Policy Statement on TechnicalSpecification Improvements," July 23, 1993. Control Rod OPERABILITY - Refueling B 3.9.5 (continued) HATCH UNIT 2 B 3.9-13 REVISION 0 B 3.9 REFUELING OPERATIONS B 3.9.5 Control Rod OPERABILITY - Refueling

BASES BACKGROUND Control rods are components of the Control Rod Drive (CRD) System, the primary reactivity control system for the reactor. In conjunction with the Reactor Protection System, the CRD System provides the means for the reliable control of reactivity changes during refueling operation. In addition, the control rods provide the capability to maintain the reactor subcritical under all conditions and to limit the potential amount and rate of reactivity increase caused by a malfunction in the CRD System. GDC 26 of 10 CFR 50, Appendix A, requires that one of the two required independent reactivity control systems be capable of holding the reactor core subcritical under cold conditions (Ref. 1). The CRD System is the system capable of maintaining the reactor subcritical in cold conditions.

APPLICABLE Prevention and mitigation of prompt reactivity excursions during SAFETY ANALYSES refueling are provided, when required, by refueling interlocks (LCO 3.9.1 and LCO 3.9.2), the SDM (LCO 3.1.1), the intermediate range monitor neutron flux scram (LCO 3.3.1.1), and the control rod block instrumentation (LCO 3.3.2.1). The safety analyses for the control rod withdrawal error during refueling (Ref. 2) and the fuel assembly insertion error (Ref. 3) evaluate the consequences of control rod withdrawal during refueling and also fuel assembly insertion with a control rod withdrawn. A prompt reactivity excursion during refueling could potentially result in fuel failure with subsequent release of radioactive material to the environment. Control rod scram provides protection should a prompt reactivity excursion occur. Control rod OPERABILITY during refueling satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). LCO Each withdrawn control rod must be OPERABLE. The withdrawn control rod is considered OPERABLE if the scram accumulator pressure is 940 psig and the control rod is capable of being automatically inserted upon receipt of a scram signal. Inserted control Control Rod OPERABILITY - Refueling B 3.9.5 (continued) HATCH UNIT 2 B 3.9-14 REVISION 79 BASES LCO rods have already completed their reactivity control function, and (contiued) therefore, are not required to be OPERABLE. APPLICABILITY During MODE 5, withdrawn control rods must be OPERABLE to ensure that in a scram the control rods will insert and provide the required negative reactivity to maintain the reactor subcritical. For MODES 1 and 2, control rod requirements are found in LCO 3.1.2, "Reactivity Anomalies," LCO 3.1.3, "Control Rod OPERABILITY," LCO 3.1.4, "Control Rod Scram Times," and LCO 3.1.5, "Control Rod Scram Accumulators." During MODES 3 and 4, control rods are not able to be withdrawn since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate requirements for control rod OPERABILITY during these conditions. ACTIONS A.1 With one or more withdrawn control rods inoperable, action must be immediately initiated to fully insert the inoperable control rod(s). Inserting the control rod(s) ensures the shutdown and scram capabilities are not adversely affected. Actions must continue until the inoperable control rod(s) is fully inserted.

SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 REQUIREMENTS During MODE 5, the OPERABILITY of control rods is primarily required to ensure a withdrawn control rod will automatically insert if a signal requiring a reactor shutdown occurs. Because no explicit analysis exists for automatic shutdown during refueling, the shutdown function is satisfied if the withdrawn control rod is capable of automatic insertion and the associated CRD scram accumulator pressure is 940 psig. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.9.5.1 is modified by a Note that allows 7 days after withdrawal of the control rod to perform the Surveillance. This acknowledges that Control Rod OPERABILITY - Refueling B 3.9.5 HATCH UNIT 2 B 3.9-15 REVISION 0 BASES SURVEILLANCE SR 3.9.5.1 and SR 3.9.5.2 (continued) REQUIREMENTS the control rod must first be withdrawn before performance of the Surveillance, and therefore avoids potential conflicts with SR 3.0.3 and SR 3.0.4. REFERENCES 1. 10 CFR 50, Appendix A, GDC 26.

2. FSAR, Section 15.1.13. 3. FSAR, Section 15.1.14.

4. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RPV Water Level B 3.9.6 (continued) HATCH UNIT 2 B 3.9-16 REVISION 74 B 3.9 REFUELING OPERATIONS B 3.9.6 Reactor Pressure Vessel (RPV) Water Level

BASES BACKGROUND The movement of fuel assemblies or handling of control rods within the RPV requires a minimum water level of 23 ft above the top of the irradiated fuel assemblies seated within the RPV. The point from which the water level is measured is shown in Figure B 3.5.2-1. During refueling, this maintains a sufficient water level in the reactor vessel cavity. Sufficient water is necessary to retain iodine fission product activity in the water in the event of a fuel handling accident (Refs. 1 and 2). Sufficient iodine activity would be retained to limit offsite doses from the accident to well within the 10 CFR 50.67 limits, as provided by the guidance of Reference 1. APPLICABLE During movement of fuel assemblies or handling of control rods, the SAFETY ANALYSES water level in the RPV is an initial condition design parameter in the analysis of a fuel handling accident in containment postulated by Regulatory Guide 1.183 (Ref. 1). Analysis of the fuel handling accident inside containment is described in Reference 2. With a minimum water level of 23 ft and a minimum decay time of 24 hours prior to fuel handling, the analysis and test programs demonstrate that the iodine release due to a postulated fuel handling accident is adequately captured by the water and that offsite doses are maintained within allowable limits (Ref. 4). The related assumptions include the worst case dropping of an irradiated fuel assembly onto the reactor core loaded with irradiated fuel assemblies. RPV water level satisfies Criterion 2 of the NRC Policy Statement (Ref. 5). LCO A minimum water level of 23 ft above the top of the irradiated fuel assemblies seated within the RPV is required to ensure that the radiological consequences of a postulated fuel handling accident are within acceptable limits, as provided by the guidance of Reference 1. The point from which the water level is measured is shown in Figure B 3.5.2-1.

RPV Water Level B 3.9.6 (continued) HATCH UNIT 2 B 3.9-17 REVISION 79 BASES (continued) APPLICABILITY LCO 3.9.6 is applicable when moving fuel assemblies or handling control rods (i.e., movement with other than the normal control rod drive) within the RPV. The LCO minimizes the possibility of a fuel handling accident in containment that is beyond the assumptions of the safety analysis. If irradiated fuel is not present within the RPV, there can be no significant radioactivity release as a result of a postulated fuel handling accident. Requirements for fuel handling accidents in the spent fuel storage pool are covered by LCO 3.7.8, "Spent Fuel Storage Pool Water Level." ACTIONS A.1 If the water level is < 23 ft above the top of the irradiated fuel assemblies seated within the RPV, all operations involving movement of fuel assemblies and handling of control rods within the RPV shall be suspended immediately to ensure that a fuel handling accident cannot occur. The suspension of fuel movement and control rod handling shall not preclude completion of movement of a component to a safe position. SURVEILLANCE SR 3.9.6.1 REQUIREMENTS Verification of a minimum water level of 23 ft above the top of the irradiated fuel assemblies seated within the RPV ensures that the design basis for the postulated fuel handling accident analysis during refueling operations is met. Water at the required level limits the consequences of damaged fuel rods, which are postulated to result from a fuel handling accident in containment (Ref. 2). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. Regulatory Guide 1.183, July 2000. 2. FSAR, Section 15.3.

3. Deleted.

RPV Water Level B 3.9.6 HATCH UNIT 2 B 3.9-18 REVISION 74 BASES REFERENCES 4. 10 CFR 50.67. (continued)

5. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 2 B 3.9-19 REVISION 28 B 3.9 REFUELING OPERATIONS B 3.9.7 Residual Heat Removal (RHR) - High Water Level

BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by GDC 34 (Ref. 1). Each of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled. In addition to the RHR subsystems, the volume of water above the reactor pressure vessel (RPV) flange provides a heat sink for decay heat removal. APPLICABLE With the unit in MODE 5, the RHR System is not required to mitigate SAFETY ANALYSES any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant. The RHR System satisfies criterion 4 of the NRC Policy Statement (Ref. 3). LCO Only one RHR shutdown cooling subsystem is required to be OPERABLE and in operation in MODE 5 with irradiated fuel in the RPV and the water level 22 ft 1/8 inches above the RPV flange (equivalent to 21 ft of water above the top of irradiated fuel assemblies seated in the spent fuel storage pool racks; the point from which the water level is measured is shown in Figure B 3.5.2-1.) Only one subsystem is required because the volume of water above the RPV flange provides backup decay heat removal capability. An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump and the associated heat exchanger, an RHRSW pump providing cooling to the heat exchanger with sufficient flow to maintain RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 2 B 3.9-20 REVISION 28 BASES LCO reactor coolant temperature in the desired range, valves, piping, (continued) instruments, and controls to ensure an OPERABLE flow path. In MODE 5, the RHR cross tie valve is not required to be closed; thus, the valve may be opened to allow RHR pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. In addition, the RHRSW cross tie valves may be open to allow RHRSW pumps in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem. Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required (sufficient to maintain reactor coolant temperature in the desired range). However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the other associated Condition). For example, an operating RHR shutdown cooling subsystem can be removed from operation, yet remain OPERABLE for the decay heat removal function. (Manual alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2). APPLICABILITY One RHR shutdown cooling subsystem must be OPERABLE and in operation in MODE 5, with irradiated fuel in the RPV and the water level 22 ft 1/8 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR Shutdown Cooling subsystem requirements in MODE 5 with irradiated fuel in the RPV and the water level < 22 ft 1/8 inches above the RPV flange are given in LCO 3.9.8, "Residual Heat Removal (RHR) - Low Water Level." RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 2 B 3.9-21 REVISION 1 BASES (continued) ACTIONS A.1 With no RHR shutdown cooling subsystem OPERABLE, an alternate method of decay heat removal must be established within 1 hour. In this condition, the volume of water above the RPV flange provides adequate capability to remove decay heat from the reactor core. However, the overall reliability is reduced because loss of water level could result in reduced decay heat removal capability. The 1 hour Completion Time is based on decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of these alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability. Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Fuel Pool Cooling System, the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed, or any other subsystem that can remove heat from the coolant. The method used to remove the decay heat should be the most prudent choice based on unit conditions. B.1, B.2, B.3, and B.4 If no RHR shutdown cooling subsystem is OPERABLE and an alternate method of decay heat removal is not available in accordance with Required Action A.1, actions shall be taken immediately to suspend operations involving an increase in reactor decay heat load by suspending loading of irradiated fuel assemblies into the RPV. Additional actions are required to minimize any potential fission product release to the environment. This includes ensuring: 1) secondary containment (at least including the common refueling floor zone) is OPERABLE; 2) sufficient standby gas treatment subsystem(s) are OPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondary containment configuration, refer to Reference 2; single failure protection is not required while in this ACTION); and

3) secondary containment isolation capability is available in each secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability. The administrative controls can consist of RHR - High Water Level B 3.9.7 (continued) HATCH UNIT 2 B 3.9-22 REVISION 79 BASES ACTIONS B.1, B.2, B.3, and B.4 (continued) stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, a Surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.

C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate. SURVEILLANCE SR 3.9.7.1 REQUIREMENTS This Surveillance demonstrates that the required RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. RHR - High Water Level B 3.9.7 HATCH UNIT 2 B 3.9-23 REVISION 46 BASES (continued) REFERENCES 1. 10 CFR 50, Appendix A, GDC 34.

2. Technical Requirements Manual, Section 8.0. 3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 2 B 3.9-24 REVISION 1 B 3.9 REFUELING OPERATIONS

B 3.9.8 Residual Heat Removal (RHR) - Low Water Level

BASES BACKGROUND The purpose of the RHR System in MODE 5 is to remove decay heat and sensible heat from the reactor coolant, as required by GDC 34 (Ref. 1). Each of the two shutdown cooling loops of the RHR System can provide the required decay heat removal. Each loop consists of two motor driven pumps, a heat exchanger, and associated piping and valves. Both loops have a common suction from the same recirculation loop. Each pump discharges the reactor coolant, after it has been cooled by circulation through the respective heat exchangers, to the reactor via the associated recirculation loop. The RHR heat exchangers transfer heat to the RHR Service Water System. The RHR shutdown cooling mode is manually controlled. APPLICABLE With the unit in MODE 5, the RHR System is not required to SAFETY ANALYSES mitigate any events or accidents evaluated in the safety analyses. The RHR System is required for removing decay heat to maintain the temperature of the reactor coolant. The RHR System satisfies Criterion 4 of the NRC Policy Statement (Ref. 3). LCO In MODE 5 with irradiated fuel in the reactor pressure vessel (RPV) and the water level < 22 ft 1/8 inches above the RPV flange, two RHR shutdown cooling subsystems must be OPERABLE. An OPERABLE RHR shutdown cooling subsystem consists of an RHR pump and the associated heat exchanger, an RHRSW pump providing cooling to the heat exchanger with sufficient flow to maintain reactor coolant temperature in the desired range, valves, piping, instruments, and controls to ensure an OPERABLE flow path. The two required RHR shutdown cooling subsystems have a common suction source and are allowed to have a common heat exchanger and common discharge piping. Since the piping and heat exchangers are passive components that are assumed not to fail, they are allowed to be common to both subsystems. Thus, to meet the LCO, both RHR pumps in one loop or one RHR pump in each of the two loops must be OPERABLE. If the RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 2 B 3.9-25 REVISION 1 BASES LCO two required subsystems consist of an RHR pump in each loop, both (continued) heat exchangers are required, since one heat exchanger will not be common to both subsystems. In MODE 5, the RHR cross tie valve is not required to be closed; thus, the valve may be opened to allow pumps in one loop to discharge through the opposite recirculation loop to make a complete subsystem. Similarly, to meet the LCO, the cooling supply for the heat exchanger(s) requires two RHRSW pumps (either one pump in each RHRSW loop or two pumps in one RHRSW loop). With one RHR heat exchanger common to both RHR shutdown cooling subsystems, each RHRSW pump is required to be capable of providing cooling to that heat exchanger (Note: the RHRSW cross tie valves may be open to allow RHRSW pump(s) in one loop to provide cooling to a heat exchanger in the opposite loop to make a complete subsystem.), or with both heat exchangers required, each heat exchanger is required to have an RHRSW pump capable of providing coolant to that heat exchanger. Additionally, each RHR shutdown cooling subsystem is considered OPERABLE if it can be manually aligned (remote or local) in the shutdown cooling mode for removal of decay heat. Operation (either continuous or intermittent) of one subsystem can maintain and reduce the reactor coolant temperature as required (sufficient to maintain reactor coolant temperature in the desired range). However, to ensure adequate core flow to allow for accurate average reactor coolant temperature monitoring, nearly continuous operation is required. A Note is provided to allow a 2 hour exception to shut down the operating subsystem every 8 hours. The LCO consists of two separate requirements. Either requirement can be not met (and the associated Condition entered) without necessarily affecting the other (and without necessarily entering the other associated Condition). For example, an operating RHR shutdown cooling subsystem can be removed from operation, yet remain OPERABLE for the decay heat removal function. (Manual alignment and operation can satisfy OPERABILITY.) Conversely, an RHR shutdown cooling subsystem (or recirculation pump) can remain in operation, circulating reactor coolant; however, if the RHR heat exchanger cannot remove decay heat, the subsystem is inoperable. The LCO Notes follow this separation of requirements: an exception to circulating reactor coolant (Note 1) does not result in an exception to the OPERABILITY requirement, and an exception to the RHR shutdown cooling subsystem OPERABILITY requirements does not result in an exception to the requirement for circulating reactor coolant (Note 2). RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 2 B 3.9-26 REVISION 1 BASES (continued) APPLICABILITY Two RHR shutdown cooling subsystems are required to be OPERABLE, and one must be in operation in MODE 5, with irradiated fuel in the RPV and the water level < 22 ft 1/8 inches above the top of the RPV flange, to provide decay heat removal. RHR shutdown cooling subsystem requirements in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS). RHR shutdown cooling subsystem requirements in MODE 5 with irradiated fuel in the RPV and the water level 22 ft 1/8 inches above the RPV flange are given in LCO 3.9.7, "Residual Heat Removal (RHR) - High Water Level." ACTIONS A.1 With one of the two required RHR shutdown cooling subsystems inoperable, the remaining subsystem is capable of providing the required decay heat removal. However, the overall reliability is reduced. Therefore an alternate method of decay heat removal must be provided. With both required RHR shutdown cooling subsystems inoperable, an alternate method of decay heat removal must be provided in addition to that provided for the initial RHR shutdown cooling subsystem inoperability. This re-establishes backup decay heat removal capabilities, similar to the requirements of the LCO. The 1 hour Completion Time is based on the decay heat removal function and the probability of a loss of the available decay heat removal capabilities. Furthermore, verification of the functional availability of this alternate method(s) must be reconfirmed every 24 hours thereafter. This will ensure continued heat removal capability. Alternate decay heat removal methods are available to the operators for review and preplanning in the unit's Operating Procedures. For example, this may include the use of the Reactor Water Cleanup System, operating with the regenerative heat exchanger bypassed. The method used to remove decay heat should be the most prudent choice based on unit conditions. B.1, B.2, and B.3 With the required RHR shutdown cooling subsystem(s) inoperable and the required alternate method(s) of decay heat removal not available in accordance with Required Action A.1, additional actions are required to minimize any potential fission product release to the environment. This includes ensuring: 1) secondary containment (at least including the common refueling floor zone) is OPERABLE; RHR - Low Water Level B 3.9.8 (continued) HATCH UNIT 2 B 3.9-27 REVISION 1 BASES ACTIONS B.1, B.2, and B.3 (continued)

2) sufficient standby gas treatment subsystem(s) are OPERABLE to maintain the secondary containment at a negative pressure with respect to the environment (dependent on secondary containment configuration, refer to Reference 2; single failure protection is not required while in this ACTION); and 3) secondary containment isolation capability is available in each associated secondary containment penetration flow path not isolated that is assumed to be isolated to mitigate radioactive releases (i.e., one secondary containment isolation valve and associated instrumentation are OPERABLE or other acceptable administrative controls to assure isolation capability. The administrative controls can consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device. In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.). This may be performed as an administrative check, by examining logs or other information to determine whether the components are out of service for maintenance or other reasons. It is not necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the components. If, however, any required component is inoperable, then it must be restored to OPERABLE status. In this case, the Surveillance may need to be performed to restore the component to OPERABLE status. Actions must continue until all required components are OPERABLE.

C.1 and C.2 If no RHR shutdown cooling subsystem is in operation, an alternate method of coolant circulation is required to be established within 1 hour. The Completion Time is modified such that the 1 hour is applicable separately for each occurrence involving a loss of coolant circulation. During the period when the reactor coolant is being circulated by an alternate method (other than by the required RHR shutdown cooling subsystem), the reactor coolant temperature must be periodically monitored to ensure proper functioning of the alternate method. The once per hour Completion Time is deemed appropriate.

RHR - Low Water Level B 3.9.8 HATCH UNIT 2 B 3.9-28 REVISION 79 BASES (continued) SURVEILLANCE SR 3.9.8.1 REQUIREMENTS This Surveillance demonstrates that one required RHR shutdown cooling subsystem is in operation and circulating reactor coolant. The required flow rate is determined by the flow rate necessary to provide sufficient decay heat removal capability. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. 10 CFR 50, Appendix A, GDC 34.

2. Technical Requirements Manual, Section 8.0.

3. NRC No. 93-102, "Final Policy Statement on Technical Specification Improvements," July 23, 1993.

°>

<

Reactor Mode Switch Interlock Testing B 3.10.2 (continued) HATCH UNIT 2 B 3.10-6 REVISION 62 B 3.10 SPECIAL OPERATIONS

B 3.10.2 Reactor Mode Switch Interlock Testing

BASES BACKGROUND The purpose of this Special Operations LCO is to permit operation of the reactor mode switch from one position to another to confirm certain aspects of associated interlocks during periodic tests and calibrations in MODES 3, 4, and 5. The reactor mode switch is a conveniently located, multiposition, keylock switch provided to select the necessary scram functions for various plant conditions (Ref. 1). The reactor mode switch selects the appropriate trip relays for scram functions and provides appropriate bypasses. The mode switch positions and related scram interlock functions are summarized as follows:

a. Shutdown - Initiates a reactor scram; bypasses main steam line isolation scram; b. Refuel - Selects Neutron Monitoring System (NMS) scram function for low neutron flux level operation (but does not disable the average power range monitor scram); bypasses main steam line isolation scram; c. Startup/Hot Standby - Selects NMS scram function for low neutron flux level operation (intermediate range monitors and average power range monitors); bypasses main steam line isolation; and

d. Run - Selects NMS scram function for power range operation.

The reactor mode switch also provides interlocks for such functions as control rod blocks, scram discharge volume trip bypass, refueling interlocks, and main steam isolation valve isolations.

APPLICABLE The acceptance criterion for reactor mode switch interlock SAFETY ANALYSES testing is to prevent fuel failure by precluding reactivity excursions or core criticality. The interlock functions of the shutdown and refuel positions normally maintained for the reactor mode switch in MODES 3, 4, and 5 are provided to preclude reactivity excursions that could potentially result in fuel failure. Interlock testing that requires moving the reactor mode switch to other positions (run, startup/hot standby, or refuel) while in MODE 3, 4, or 5 requires administratively Reactor Mode Switch Interlock Testing B 3.10.2 (continued) HATCH UNIT 2 B 3.10-7 REVISION 62 BASES APPLICABLE maintaining all control rods inserted and no other CORE SAFETY ANALYSES ALTERATIONS in progress. With all control rods inserted in core (continued) cells containing one or more fuel assemblies, and no CORE ALTERATIONS in progress, there are no credible mechanisms for unacceptable reactivity excursions during the planned interlock testing. For postulated accidents, such as control rod removal error during refueling or loading of fuel with a control rod withdrawn, the accident analysis demonstrates that fuel failure will not occur (Refs. 2 and 3). The withdrawal of a single control rod will not result in criticality when adequate SDM is maintained. Also, loading fuel assemblies into the core with a single control rod withdrawn will not result in criticality (provided adequate SDM is maintained), thereby preventing fuel failure. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. MODES 3, 4, and 5 operations not specified in Table 1.1-1 can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.1, "Inservice Leak and Hydrostatic Testing Operation," LCO 3.10.3, "Single Control Rod Withdrawal - Hot Shutdown," LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown," and LCO 3.10.8, "SDM Test - Refueling") without meeting this LCO or its ACTIONS. If any testing is performed that involves the reactor mode switch interlocks and requires repositioning beyond that specified in Table 1.1-1 for the current MODE of operation, the testing can be performed, provided all interlock functions potentially defeated are administratively controlled. In MODES 3, 4, and 5 with the reactor mode switch in shutdown as specified in Table 1.1-1, all control rods are fully inserted and a control rod block is initiated. Therefore, all control rods in core cells that contain one or more fuel assemblies must be verified fully inserted while in MODES 3, 4, and 5, with the reactor mode switch in other than the shutdown position. The additional LCO requirement to preclude CORE ALTERATIONS is appropriate for MODE 5 operations, as discussed below, and is inherently met in MODES 3 and 4 by the definition of CORE ALTERATIONS, which cannot be performed with the vessel head in place. Reactor Mode Switch Interlock Testing B 3.10.2 (continued) HATCH UNIT 2 B 3.10-8 REVISION 62 BASES LCO In MODE 5, with the reactor mode switch in the refuel position, only (continued) one control rod can be withdrawn under the refuel position one-rod-out interlock (LCO 3.9.2, "Refuel Position One-Rod-Out Interlock"). The refueling equipment interlocks (LCO 3.9.1, "Refueling Equipment Interlocks") appropriately control other CORE ALTERATIONS. Due to the increased potential for error in controlling these multiple interlocks, and the limited duration of tests involving the reactor mode switch position, conservative controls are required, consistent with MODES 3 and 4. The additional controls of administratively not permitting other CORE ALTERATIONS will adequately ensure that the reactor does not become critical during these tests. APPLICABILITY Any required periodic interlock testing involving the reactor mode switch, while in MODES 1 and 2, can be performed without the need for Special Operations exceptions. Mode switch manipulations in these MODES would likely result in unit trips. In MODES 3, 4, and 5, this Special Operations LCO is only permitted to be used to allow reactor mode switch interlock testing that cannot conveniently be performed without this allowance or testing which must be performed prior to entering another MODE. Such interlock testing may consist of required Surveillances, or may be the result of maintenance, repair, or troubleshooting activities. In MODES 3, 4, and 5, the interlock functions provided by the reactor mode switch in shutdown (i.e., all control rods inserted and incapable of withdrawal) and refueling (i.e., refueling interlocks to prevent inadvertent criticality during CORE ALTERATIONS) positions can be administratively controlled adequately during the performance of certain tests. ACTIONS A.1, A.2, A.3.1, and A.3.2 These Required Actions are provided to restore compliance with the Technical Specifications overridden by this Special Operations LCO. Restoring compliance will also result in exiting the Applicability of this Special Operations LCO. All CORE ALTERATIONS except for control rod insertion, if in progress, are immediately suspended in accordance with Required Action A.1, and all insertable control rods in core cells that contain one or more fuel assemblies are fully inserted within 1 hour, in accordance with Required Action A.2. This will preclude potential mechanisms that could lead to criticality. Suspension of CORE ALTERATIONS shall not preclude the completion of movement of a Reactor Mode Switch Interlock Testing B 3.10.2 HATCH UNIT 2 B 3.10-9 REVISION 79 BASES ACTIONS A.1, A.2, A.3.1, and A.3.2 (continued) component to a safe condition. Placing the reactor mode switch in the shutdown position will ensure that all inserted control rods remain inserted and result in operating in accordance with Table 1.1-1. Alternatively, if in MODE 5, the reactor mode switch may be placed in the refuel position, which will also result in operating in accordance with Table 1.1-1. A Note is added to Required Action A.3.2 to indicate that this Required Action is not applicable in MODES 3 and 4, since only the shutdown position is allowed in these MODES. The allowed Completion Time of 1 hour for Required Action A.2, Required Action A.3.1, and Required Action A.3.2 provides sufficient time to normally insert the control rods and place the reactor mode switch in the required position, based on operating experience, and is acceptable given that all operations that could increase core reactivity have been suspended. SURVEILLANCE SR 3.10.2.1 and SR 3.10.2.2 REQUIREMENTS Meeting the requirements of this Special Operations LCO maintains operation consistent with or conservative to operating with the reactor mode switch in the shutdown position (or the refuel position for MODE 5). The functions of the reactor mode switch interlocks that are not in effect, due to the testing in progress, are adequately compensated for by the Special Operations LCO requirements. The administrative controls are to be periodically verified to ensure that the operational requirements continue to be met. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 7.2.2.10.5.

2. FSAR, Section 15.1.13.

3. FSAR, Section 15.1.14.

Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 (continued) HATCH UNIT 2 B 3.10-10 REVISION 62 B 3.10 SPECIAL OPERATIONS

B 3.10.3 Single Control Rod Withdrawal - Hot Shutdown

BASES BACKGROUND The purpose of this MODE 3 Special Operations LCO is to permit the withdrawal of a single control rod for testing while in hot shutdown, by imposing certain restrictions. In MODE 3, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the other installed interlocks that are actuated when the reactor mode switch is in the shutdown position. However, circumstances may arise while in MODE 3 that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram timing, and coupling integrity checks). These single control rod withdrawals are normally accomplished by selecting the refuel position for the reactor mode switch. This Special Operations LCO provides the appropriate additional controls to allow a single control rod withdrawal in MODE 3.

APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY ANALYSES control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 3, these analyses will bound the consequences of an accident. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal.

Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 (continued) HATCH UNIT 2 B 3.10-11 REVISION 62 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special Operations LCOs SAFETY ANALYSES is optional, and therefore, no criteria of the NRC Policy Statement (continued) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 3 with the reactor mode switch in the refuel position can be performed in accordance with other Special Operations LCOs (i.e., LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. However, if a single control rod withdrawal is desired in MODE 3, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal", in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO, will ensure that only one control rod can be withdrawn. To back up the refueling interlocks (LCO 3.9.2), the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by this Special Operations LCO's requirements in Item d.1. Alternately, provided a sufficient number of control rods in the vicinity of the withdrawn control rod are known to be inserted and incapable of withdrawal (Item d.2), the possibility of criticality on withdrawal of this control rod is sufficiently precluded, so as not to require the scram capability of the withdrawn control rod. Also, once this alternate (Item d.2) is completed, the SDM requirement to account for both the withdrawn-untrippable control rod, and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.

APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with this Special Operations LCO or Special Operations LCO 3.10.4, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position. For these conditions, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4, "Control Rod Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 (continued) HATCH UNIT 2 B 3.10-12 REVISION 62 BASES APPLICABILITY Position Indication"), full insertion requirements for all other control (continued) rods and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, Control Rod OPERABILITY - Refueling"), or the added administrative controls in Item d.2 of this Special Operations LCO, minimize potential reactivity excursions. ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 3. Section 1.3, Completion Times, specifies once a Condition has been entered, subsequent divisions, subsystems, components or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

A.1 If one or more of the requirements specified in this Special Operations LCO are not met, the ACTIONS applicable to the stated requirements of the affected LCOs are immediately entered as directed by Required Action A.1. Required Action A.1 has been modified by a Note that clarifies the intent of any other LCO's Required Actions to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added, which clarifies that this Required Action is only applicable if the requirements not met are for an affected LCO. A.2.1 and A.2.2 Required Actions A.2.1 and A.2.2 are alternate Required Actions that can be taken instead of Required Action A.1 to restore compliance with the normal MODE 3 requirements, thereby exiting this Special Operations LCO's Applicability. Actions must be initiated immediately to insert all insertable control rods. Actions must continue until all such control rods are fully inserted. Placing the reactor mode switch in the shutdown position will ensure all inserted rods remain inserted Single Control Rod Withdrawal - Hot Shutdown B 3.10.3 HATCH UNIT 2 B 3.10-13 REVISION 79 BASES ACTIONS A.2.1 and A.2.2 (continued) and restore operation in accordance with Table 1.1-1. The allowed Completion Time of 1 hour to place the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods. SURVEILLANCE SR 3.10.3.1, SR 3.10.3.2, and SR 3.10.3.3 REQUIREMENTS The other LCOs made applicable in this Special Operations LCO are required to have their Surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification in accordance with SR 3.10.3.2 is required to preclude the possibility of criticality. SR 3.10.3.2 has been modified by a Note, which clarifies that this SR is not required to be met if SR 3.10.3.1 is satisfied for LCO 3.10.3.d.1 requirements, since SR 3.10.3.2 demonstrates that the alternative LCO 3.10.3.d.2 requirements are satisfied. Also, SR 3.10.3.3 verifies that all control rods other than the control rod being withdrawn are fully inserted. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 15.1.13.

Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 2 B 3.10-14 REVISION 62 B 3.10 SPECIAL OPERATIONS

B 3.10.4 Single Control Rod Withdrawal - Cold Shutdown

BASES BACKGROUND The purpose of this MODE 4 Special Operations LCO is to permit the withdrawal of a single control rod for testing or maintenance, while in cold shutdown, by imposing certain restrictions. In MODE 4, the reactor mode switch is in the shutdown position, and all control rods are inserted and blocked from withdrawal. Many systems and functions are not required in these conditions, due to the installed interlocks associated with the reactor mode switch in the shutdown position. Circumstances may arise while in MODE 4, however, that present the need to withdraw a single control rod for various tests (e.g., friction tests, scram time testing, and coupling integrity checks). Certain situations may also require the removal of the associated control rod drive (CRD). These single control rod withdrawals and possible subsequent removals are normally accomplished by selecting the refuel position for the reactor mode switch.

APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY ANALYSES control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied in MODE 4, these analyses will bound the consequences of an accident. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the functioning of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Refueling interlocks restrict the movement of control rods to reinforce operational procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. The control rod scram function provides backup protection in the event normal refueling procedures and the refueling interlocks fail to prevent inadvertent criticalities during refueling. Alternate backup protection can be obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal. This alternate backup protection is required when removing a CRD because this removal renders the withdrawn control rod incapable of being scrammed. Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 2 B 3.10-15 REVISION 62 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special Operations LCOs SAFETY ANALYSES is optional, and therefore, no criteria of the NRC Policy Statement (continued) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 4 with the reactor mode switch in the refuel position can be performed in accordance with other LCOs (i.e., Special Operations LCO 3.10.2, "Reactor Mode Switch Interlock Testing") without meeting this Special Operations LCO or its ACTIONS. If a single control rod withdrawal is desired in MODE 4, controls consistent with those required during refueling must be implemented and this Special Operations LCO applied. "Withdrawal", in this application, includes the actual withdrawal of the control rod, as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. The refueling interlocks of LCO 3.9.2, "Refuel Position One-Rod-Out Interlock," required by this Special Operations LCO will ensure that only one control rod can be withdrawn. At the time CRD removal begins, the disconnection of the position indication probe will cause LCO 3.9.4, "Control Rod Position Indication," and therefore, LCO 3.9.2 to fail to be met. Therefore, prior to commencing CRD removal, a control rod withdrawal block is required to be inserted to ensure that no additional control rods can be withdrawn and that compliance with this Special Operations LCO is maintained. To back up the refueling interlocks (LCO 3.9.2) or the control rod withdrawal block, the ability to scram the withdrawn control rod in the event of an inadvertent criticality is provided by the Special Operations LCO requirements in Item c.1. Alternatively, when the scram function is not OPERABLE, or when the CRD is to be removed, a sufficient number of rods in the vicinity of the withdrawn control rod are required to be inserted and made incapable of withdrawal (Item c.2). This precludes the possibility of criticality upon withdrawal of this control rod. Also, once this alternate (Item c.2) is completed, the SDM requirement to account for both the withdrawn-untrippable control rod, and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod.

Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 2 B 3.10-16 REVISION 62 BASES (continued) APPLICABILITY Control rod withdrawals are adequately controlled in MODES 1, 2, and 5 by existing LCOs. In MODES 3 and 4, control rod withdrawal is only allowed if performed in accordance with Special Operations LCO 3.10.3, or this Special Operations LCO, and if limited to one control rod. This allowance is only provided with the reactor mode switch in the refuel position. During these conditions, the full insertion requirements for all other control rods, the one-rod-out interlock (LCO 3.9.2), control rod position indication (LCO 3.9.4), and scram functions (LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," and LCO 3.9.5, "Control Rod OPERABILITY - Refueling"), or the added administrative controls in Item b.2 and Item c.2 of this Special Operations LCO, provide mitigation of potential reactivity excursions. ACTIONS A Note has been provided to modify the ACTIONS related to a single control rod withdrawal while in MODE 4. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO. A.1, A.2.1, and A.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod insertable, these Required Actions restore operation consistent with normal MODE 4 conditions (i.e., all rods inserted) or with the exceptions allowed in this Special Operations LCO. Required Action A.1 has been modified by a Note that clarifies that the intent of any other LCO's Required Actions to insert all control rods. This Required Action includes exiting this Special Operations Applicability by returning the reactor mode switch to the shutdown position. A second Note has been added to Required Action A.1 to clarify that this Required Action is only applicable if the requirements not met are for an affected LCO.

Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 (continued) HATCH UNIT 2 B 3.10-17 REVISION 79 BASES ACTIONS A.1, A.2.1, and A.2.2 (continued) Required Actions A.2.1 and A.2.2 are specified, based on the assumption that the control rod is being withdrawn. If the control rod is still insertable, actions must be immediately initiated to fully insert all insertable control rods and within 1 hour place the reactor mode switch in the shutdown position. Actions must continue until all such control rods are fully inserted. The allowed Completion Time of 1 hour for placing the reactor mode switch in the shutdown position provides sufficient time to normally insert the control rods. B.1, B.2.1, and B.2.2 If one or more of the requirements of this Special Operations LCO are not met with the affected control rod not insertable, withdrawal of the control rod and removal of the associated CRD must be immediately suspended. If the CRD has been removed, such that the control rod is not insertable, the Required Actions require the most expeditious action be taken to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO. SURVEILLANCE SR 3.10.4.1, SR 3.10.4.2, SR 3.10.4.3, and SR 3.10.4.4 REQUIREMENTS The other LCOs made applicable by this Special Operations LCO are required to have their associated surveillances met to establish that this Special Operations LCO is being met. If the local array of control rods is inserted and disarmed while the scram function for the withdrawn rod is not available, periodic verification is required to ensure that the possibility of criticality remains precluded. Verification that all the other control rods are fully inserted is required to meet the SDM requirements. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the affected control rod. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.10.4.2 and SR 3.10.4.4 have been modified by Notes, which clarify that these SRs are not required to be met if the alternative requirements demonstrated by SR 3.10.4.1 are satisfied. Single Control Rod Withdrawal - Cold Shutdown B 3.10.4 HATCH UNIT 2 B 3.10-18 REVISION 62 BASES (continued) REFERENCES 1. FSAR, Section 14.3.3.3.

Single CRD Removal - Refueling B 3.10.5 (continued) HATCH UNIT 2 B 3.10-19 REVISION 62 B 3.10 SPECIAL OPERATIONS

B 3.10.5 Single Control Rod Drive (CRD) Removal - Refueling

BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit the removal of a single CRD during refueling operations by imposing certain administrative controls. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. The refueling interlocks use the full-in position indicators to determine the position of all control rods. If the full-in position signal is not present for every control rod, then the all-rods-in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod. The control rod scram function provides backup protection in the event normal refueling procedures, and the refueling interlocks described above, fail to prevent inadvertent criticalities during refueling. The requirement for this function to be OPERABLE precludes the possibility of removing the CRD once a control rod is withdrawn from a core cell containing one or more fuel assemblies. This Special Operations LCO provides controls sufficient to ensure the possibility of an inadvertent criticality is precluded, while allowing a single CRD to be removed from a core cell containing one or more fuel assemblies. The removal of the CRD involves disconnecting the position indication probe, which causes noncompliance with LCO 3.9.4, "Control Rod Position Indication," and, therefore, LCO 3.9.1, "Refueling Equipment Interlocks," and LCO 3.9.2, "Refueling Position One-Rod-Out Interlock." The CRD removal also requires isolation of the CRD from the CRD Hydraulic System, thereby causing inoperability of the control rod (LCO 3.9.5, "Control Rod OPERABILITY - Refueling"). APPLICABLE With the reactor mode switch in the refuel position, the analyses for SAFETY ANALYSES control rod withdrawal during refueling are applicable and, provided the assumptions of these analyses are satisfied, these analyses will bound the consequences of accidents. Explicit safety analyses in the FSAR (Ref. 1) demonstrate that proper operation of the refueling interlocks and adequate SDM will preclude unacceptable reactivity excursions. Single CRD Removal - Refueling B 3.10.5 (continued) HATCH UNIT 2 B 3.10-20 REVISION 62 BASES APPLICABLE Refueling interlocks restrict the movement of control rods and the SAFETY ANALYSES operation of the refueling equipment to reinforce operational (continued) procedures that prevent the reactor from becoming critical. These interlocks prevent the withdrawal of more than one control rod. Under these conditions, since only one control rod can be withdrawn, the core will always be shut down even with the highest worth control rod withdrawn if adequate SDM exists. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out interlock (LCO 3.9.2) is adequately maintained. This Special Operations LCO requirement to suspend all CORE ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). The control rod scram function provides backup protection to normal refueling procedures and the refueling interlocks, which prevent inadvertent criticalities during refueling. Since the scram function and refueling interlocks may be suspended, alternate backup protection required by this Special Operations LCO is obtained by ensuring that a five by five array of control rods, centered on the withdrawn control rod, are inserted and are incapable of being withdrawn (by insertion of a control rod block). As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with any of the following LCOs, LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," LCO 3.3.8.2, "Reactor Protection System (RPS) Electric Power Monitoring," LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, or LCO 3.9.5 not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. However, if a single CRD removal from a core cell containing one or more fuel assemblies is desired in MODE 5, controls consistent with those required by LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 must be implemented, and this Special Operations LCO applied. By requiring all other control rods to be inserted and a control rod withdrawal block initiated, the function of the inoperable one-rod-out Single CRD Removal - Refueling B 3.10.5 (continued) HATCH UNIT 2 B 3.10-21 REVISION 62 BASES LCO interlock (LCO 3.9.2) is adequately maintained. This Special (continued) Operations LCO requirement to suspend all CORE ALTERATIONS adequately compensates for the inoperable all rods in permissive for the refueling equipment interlocks (LCO 3.9.1). Ensuring that the five by five array of control rods, centered on the withdrawn control rod, are inserted and incapable of withdrawal adequately satisfies the backup protection that LCO 3.3.1.1 and LCO 3.9.2 would have otherwise provided. Also, once these requirements (Items a, b, and c) are completed, the SDM requirement to account for both the withdrawn-untrippable control rod and the highest worth control rod may be changed to allow the withdrawn-untrippable control rod to be the single highest worth control rod. APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The allowance to comply with this Special Operations LCO in lieu of the ACTIONS of LCO 3.3.1.1, LCO 3.3.8.2, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 is appropriately controlled with the additional administrative controls required by this Special Operations LCO, which reduce the potential for reactivity excursions. ACTIONS A.1. A.2.1. and A.2.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for failure to meet LCO 3.3.1.1, LCO 3.9.1, LCO 3.9.2, LCO 3.9.4, and LCO 3.9.5 (i.e., all control rods inserted) or with the allowances of this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2.1, and Required Action A.2.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the CRD and insert its control rod, or initiate action to restore compliance with this Special Operations LCO. Actions must continue until either Required Action A.2.1 or Required Action A.2.2 is satisfied.

Single CRD Removal - Refueling B 3.10.5 HATCH UNIT 2 B 3.10-22 REVISION 79 BASES (continued) SURVEILLANCE SR 3.10.5.1, SR 3.10.5.2, SR 3.10.5.3, SR 3.10.5.4, and REQUIREMENTS SR 3.10.5.5 Verification that all the control rods, other than the control rod withdrawn for the removal of the associated CRD, are fully inserted is required to ensure the SDM is within limits. Verification that the local five by five array of control rods, other than the control rod withdrawn for removal of the associated CRD, is inserted and disarmed, while the scram function for the withdrawn rod is not available, is required to ensure that the possibility of criticality remains precluded. Verification that a control rod withdrawal block has been inserted ensures that no other control rods can be inadvertently withdrawn under conditions when position indication instrumentation is inoperable for the withdrawn control rod. The Surveillance for LCO 3.1.1, which is made applicable by this Special Operations LCO, is required in order to establish that this Special Operations LCO is being met. Verification that no other CORE ALTERATIONS are being made is required to ensure the assumptions of the safety analysis are satisfied. While not required by this LCO, verification of the core loading may be prudent to ensure that a fuel loading error has not invalidated the assumptions of the safety analysis. Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 15.1.13.

Multiple Control Rod Withdrawal - Refueling B 3.10.6 (continued) HATCH UNIT 2 B 3.10-23 REVISION 62 B 3.10 SPECIAL OPERATIONS

B 3.10.6 Multiple Control Rod Withdrawal - Refueling

BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit multiple control rod withdrawal during refueling by imposing certain administrative controls. Refueling interlocks restrict the movement of control rods and the operation of the refueling equipment to reinforce operational procedures that prevent the reactor from becoming critical during refueling operations. During refueling operations, no more than one control rod is permitted to be withdrawn from a core cell containing one or more fuel assemblies. When all four fuel assemblies are removed from a cell, the control rod may be withdrawn with no restrictions. Any number of control rods may be withdrawn and removed from the reactor vessel if their cells contain no fuel. The refueling interlocks use the full-in position indicators to determine the position of all control rods. If the full-in position signal is not present for every control rod, then the all rods in permissive for the refueling equipment interlocks is not present and fuel loading is prevented. Also, the refuel position one-rod-out interlock will not allow the withdrawal of a second control rod. To allow more than one control rod to be withdrawn during refueling, these interlocks must be defeated. This Special Operations LCO establishes the necessary administrative controls to allow bypassing the full-in position indicators.

APPLICABLE Explicit safety analyses in the FSAR (Ref. 1) demonstrate that the SAFETY ANALYSES functioning of the refueling interlocks and adequate SDM will prevent unacceptable reactivity excursions during refueling. To allow multiple control rod withdrawals, control rod removals, associated control rod drive (CRD) removal, or any combination of these, the full-in position indication is allowed to be bypassed for each withdrawn control rod if all fuel has been removed from the cell. With no fuel assemblies in the core cell, the associated control rod has no reactivity control function and is not required to remain inserted. Prior to reloading fuel into the cell, however, the associated control rod must be inserted to ensure that an inadvertent criticality does not occur, as evaluated in the Reference 1 analysis. Multiple Control Rod Withdrawal - Refueling B 3.10.6 (continued) HATCH UNIT 2 B 3.10-24 REVISION 62 BASES APPLICABLE As described in LCO 3.0.7, compliance with Special Operations LCOs SAFETY ANALYSES is optional, and therefore, no criteria of the NRC Policy Statement (continued) apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases. LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. Operation in MODE 5 with either LCO 3.9.3, "Control Rod Position," LCO 3.9.4, "Control Rod Position Indication," or LCO 3.9.5, "Control Rod OPERABILITY - Refueling," not met, can be performed in accordance with the Required Actions of these LCOs without meeting this Special Operations LCO or its ACTIONS. If multiple control rod withdrawal or removal, or CRD removal is desired, all four fuel assemblies are required to be removed from the associated cells. Prior to entering this LCO, any fuel remaining in a cell whose CRD was previously removed under the provisions of another LCO must be removed. "Withdrawal", in this application, includes the actual withdrawal of the control rod as well as maintaining the control rod in a position other than the full-in position, and reinserting the control rod. When fuel is loaded into the core with multiple control rods withdrawn, special spiral reload sequences are used to ensure that reactivity additions are minimized. Spiral reloading encompasses reloading a cell (four fuel locations immediately adjacent to a control rod) on the edge of a continuous fueled region (the cell can be loaded in any sequence). Otherwise, all control rods must be fully inserted before loading fuel.

APPLICABILITY Operation in MODE 5 is controlled by existing LCOs. The exceptions from other LCO requirements (e.g., the ACTIONS of LCO 3.9.3, LCO 3.9.4, or LCO 3.9.5) allowed by this Special Operations LCO are appropriately controlled by requiring all fuel to be removed from cells whose full-in indicators are allowed to be bypassed.

Multiple Control Rod Withdrawal - Refueling B 3.10.6 HATCH UNIT 2 B 3.10-25 REVISION 79 BASES (continued) ACTIONS A.1, A.2, A.3.1, and A.3.2 If one or more of the requirements of this Special Operations LCO are not met, the immediate implementation of these Required Actions restores operation consistent with the normal requirements for refueling (i.e., all control rods inserted in core cells containing one or more fuel assemblies) or with the exceptions granted by this Special Operations LCO. The Completion Times for Required Action A.1, Required Action A.2, Required Action A.3.1, and Required Action A.3.2 are intended to require that these Required Actions be implemented in a very short time and carried through in an expeditious manner to either initiate action to restore the affected CRDs and insert their control rods, or initiate action to restore compliance with this Special Operations LCO. SURVEILLANCE SR 3.10.6.1, SR 3.10.6.2, and SR 3.10.6.3 REQUIREMENTS Periodic verification of the administrative controls established by this Special Operations LCO is prudent to preclude the possibility of an inadvertent criticality. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. FSAR, Section 15.1.13.

SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 2 B 3.10-30 REVISION 62 B 3.10 SPECIAL OPERATIONS

B 3.10.8 SHUTDOWN MARGIN (SDM) Test - Refueling

BASES BACKGROUND The purpose of this MODE 5 Special Operations LCO is to permit SDM testing to be performed for those plant configurations in which the reactor pressure vessel (RPV) head is either not in place or the head bolts are not fully tensioned. LCO 3.1.1, "SHUTDOWN MARGIN (SDM)," requires that adequate SDM be demonstrated following fuel movements or control rod replacement within the RPV. The demonstration must be performed prior to or within 4 hours after criticality is reached. This SDM test may be performed prior to or during the first startup following the refueling. Performing the SDM test prior to startup requires the test to be performed while in MODE 5, with the vessel head bolts less than fully tensioned (and possibly with the vessel head removed). While in MODE 5, the reactor mode switch is required to be in the shutdown or refuel position, where the applicable control rod blocks ensure that the reactor will not become critical. The SDM test requires the reactor mode switch to be in the startup/hot standby position, since more than one control rod will be withdrawn for the purpose of demonstrating adequate SDM. This Special Operations LCO provides the appropriate additional controls to allow withdrawing more than one control rod from a core cell containing one or more fuel assemblies when the reactor vessel head bolts are less than fully tensioned. APPLICABLE Prevention and mitigation of unacceptable reactivity excursions SAFETY ANALYSES during control rod withdrawal, with the reactor mode switch in the startup/hot standby position while in MODE 5, is provided by the intermediate range monitor (IRM) neutron flux scram [LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation"], and control rod block instrumentation (LCO 3.3.2.1, "Control Rod Block Instrumentation"). The limiting reactivity excursion during startup conditions while in MODE 5 is the control rod drop accident (CRDA). CRDA analyses assume that the reactor operator follows prescribed withdrawal sequences. For SDM tests performed within these defined sequences, the analyses of References 1 and 2 are applicable. However, for some sequences developed for the SDM testing, the control rod patterns assumed in the safety analyses of References 1 and 2 may not be met. Therefore, special CRDA analyses, performed in accordance with an NRC approved methodology, may be required SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 2 B 3.10-31 REVISION 62 BASES APPLICABLE to demonstrate the SDM test sequence will not result in unacceptable SAFETY ANALYSES consequences should a CRDA occur during the testing. For the (continued) purpose of this test, the protection provided by the normally required MODE 5 applicable LCOs, in addition to the requirements of this LCO, will maintain normal test operations as well as postulated accidents within the bounds of the appropriate safety analyses (Refs. 1 and 2). In addition to the added requirements for the RWM, Average Power Range Monitor, and control rod coupling, the notch out mode is specified for out of sequence withdrawals. Requiring the notch out mode limits withdrawal steps to a single notch, which limits inserted reactivity, and allows adequate monitoring of changes in neutron flux, which may occur during the test. As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0.7, compliance with this Special Operations LCO is optional. SDM tests may be performed while in MODE 2, in accordance with Table 1.1-1, without meeting this Special Operations LCO or its ACTIONS. For SDM tests performed while in MODE 5, additional requirements must be met to ensure that adequate protection against potential reactivity excursions is available. To provide additional scram protection beyond the normally required IRMs, the Average Power Range Monitors are also required to be OPERABLE (LCO 3.3.1.1, Functions 2.a, 2.d, and 2.e) as though the reactor were in MODE 2. Because multiple control rods will be withdrawn and the reactor will potentially become critical, the approved control rod withdrawal sequence must be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2), or must be verified by a second licensed operator or other qualified member of the technical staff. To provide additional protection against an inadvertent criticality, control rod withdrawals that do not conform to the banked position withdrawal sequence specified in LCO 3.1.6, "Rod Pattern Control," (i.e., out of sequence control rod withdrawals) must be made in the individual notched withdrawal mode to minimize the potential reactivity insertion associated with each movement. Coupling integrity of withdrawn control rods is required to minimize the probability of a CRDA and ensure proper functioning of the withdrawn control rods, if they are required to scram. Because the reactor vessel head may be removed during these tests, no other CORE ALTERATIONS may be in SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 2 B 3.10-32 REVISION 62 BASES LCO progress. Furthermore, since the control rod scram function with the (continued) RCS at atmospheric pressure relies solely on the CRD accumulator, it is essential that the CRD charging water header remain pressurized. This Special Operations LCO then allows changing the Table 1.1-1 reactor mode switch position requirements to include the startup/hot standby position, such that the SDM tests may be performed while in MODE 5. APPLICABILITY These SDM test Special Operations requirements are only applicable if the SDM tests are to be performed while in MODE 5 with the reactor vessel head removed or the head bolts not fully tensioned. Additional requirements during these tests to enforce control rod withdrawal sequences and restrict other CORE ALTERATIONS provide protection against potential reactivity excursions. Operations in all other MODES are unaffected by this LCO. ACTIONS A.1 With one or more control rods discovered uncoupled during this Special Operation, a controlled insertion of each uncoupled control rod is required; either to attempt recoupling, or to preclude a control rod drop. This controlled insertion is preferred since, if the control rod fails to follow the drive as it is withdrawn (i.e., is "stuck" in an inserted position), placing the reactor mode switch in the shutdown position per Required Action B.1 could cause substantial secondary damage. If recoupling is not accomplished, operation may continue, provided the control rods are fully inserted within 3 hours and disarmed (electrically or hydraulically) within 4 hours. Inserting a control rod ensures the shutdown and scram capabilities are not adversely affected. The control rod is disarmed to prevent inadvertent withdrawal during subsequent operations. The control rods can be hydraulically disarmed by closing the drive water and exhaust water isolation valves. Electrically, the control rods can be disarmed by disconnecting power from all four directional control valve solenoids. Required Action A.1 is modified by a Note that allows the RWM to be bypassed if required to allow insertion of the inoperable control rods and continued operation. LCO 3.3.2.1 "Control Rod Block Instrumentation," ACTIONS provide additional requirements when the RWM is bypassed to ensure compliance with the CRDA analysis.

SDM Test - Refueling B 3.10.8 (continued) HATCH UNIT 2 B 3.10-33 REVISION 62 BASES ACTIONS A.1 (continued) The allowed Completion Times are reasonable, considering the small number of allowed inoperable control rods, and provide time to insert and disarm the control rods in an orderly manner and without challenging plant systems. Condition A is modified by a Note allowing separate Condition entry for each uncoupled control rod. This is acceptable since the Required Actions for this Condition provide appropriate compensatory actions for each uncoupled control rod. Complying with the Required Actions may allow for continued operation. Subsequent uncoupled control rods are governed by subsequent entry into the Condition and application of the Required Actions.

B.1 With one or more of the requirements of this LCO not met for reasons other than an uncoupled control rod, the testing should be immediately stopped by placing the reactor mode switch in the shutdown or refuel position. This results in a condition that is consistent with the requirements for MODE 5 where the provisions of this Special Operations LCO are no longer required.

SURVEILLANCE SR 3.10.8.1, SR 3.10.8.2, and SR 3.10.8.3 REQUIREMENTS LCO 3.3.1.1, Functions 2.a, 2.d, and 2.e, made applicable in this Special Operations LCO, are required to have their Surveillances met to establish that this Special Operations LCO is being met. However, the control rod withdrawal sequences during the SDM tests may be enforced by the RWM (LCO 3.3.2.1, Function 2, MODE 2 requirements) or by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff (e.g., a qualified shift technical advisor or reactor engineer). As noted, either the applicable SRs for the RWM (LCO 3.3.2.1) must be satisfied according to the applicable Frequencies (SR 3.10.8.2), or the proper movement of control rods must be verified (SR 3.10.8.3). This latter verification (i.e., SR 3.10.8.3) must be performed during control rod movement to prevent deviations from the specified sequence. These Surveillances provide adequate assurance that the specified test sequence is being followed.

SDM Test - Refueling B 3.10.8 HATCH UNIT 2 B 3.10-34 REVISION 79 BASES SURVEILLANCE SR 3.10.8.4 REQUIREMENTS (continued) Periodic verification of the administrative controls established by this LCO will ensure that the reactor is operated within the bounds of the safety analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. SR 3.10.8.5 Coupling verification is performed to ensure the control rod is connected to the control rod drive mechanism and will perform its intended function when necessary. The verification is required to be performed any time a control rod is withdrawn to the full-out notch position, or prior to declaring the control rod OPERABLE after work on the control rod or CRD System that could affect coupling. This Frequency is acceptable, considering the low probability that a control rod will become uncoupled when it is not being moved, as well as operating experience related to uncoupling events. SR 3.10.8.6 CRD charging water header pressure verification is performed to ensure the motive force is available to scram the control rods in the event of a scram signal. Since the reactor is depressurized in MODE 5, there is insufficient reactor pressure to scram the control rods. Verification of charging water header pressure ensures that if a scram were required, capability for rapid control rod insertion would exist. The minimum charging water header pressure of 940 psig, which is below the expected pressure of 1100 psig, still ensures sufficient pressure for rapid control rod insertion. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. REFERENCES 1. NEDE-24011-P-A-US, General Electric Standard Application for Reactor Fuel, Supplement for United States (revision specified in the COLR).

2. Letter from T. Pickens (BWROG) to G.C. Lainas, NRC, "Amendment 17 to General Electric Licensing Topical Report NEDE-24011-P-A," August 15, 1986.}}