Text

Technical Specification Bases, Manual
	ML23017A055
Person / Time
Site:	Susquehanna
Issue date:	01/06/2023
From:	; Susquehanna
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML23017A055 (1)
	v • d • e

U c:U.l

U O 1 ,,.::'.'.; U ,.:::'.;.;,

Page 1 of 6 MANUAL HARD COPY DISTRIBUTION DOCUMENT TRANSMITTAL 2023-380 USER INFORMATION:

GERLACH*ROSEY M EMPL#: 028401 CA#: 0363 Address: NUCSA2 Phone#: 542-3194 TRANSMITTAL INFORMATION:

TO: GERLACH*ROSEY M 01/06/2023 LOCATION: USNRC FROM: NUCLEAR RECORDS DOCUMENT CONTROL CENTER (NUCSA-2)

THE FOLLOWING CHANGES HAVE OCCURRED TO THE HARDCOPY OR ELECTRONI~ MANUAL ASSIGNED TO YOU. HARDCOPY USERS MUST ENSURE THE DOCUMENTS PROVIDED MATCH THE INFORMATION ON THIS TRANSMITTAL. WHEN REPLACING THIS MATERIAL IN YOUR HARDCOPY MANUAL, ENSURE THE UPDATE DOCUMENT ID IS THE SAME DOCUMENT ID YOU'RE REMOVING FROM YOUR MANUAL. TOOLS FROM THE HUMAN PERFORMANCE TOOL BAG SHOULD BE UTILIZED TO ELIMINATE THE CHANCE OF ERRORS.

ATTENTION: "REPLACE" directions do not affect the Table of Contents, Therefore no TOC will be issued with the updated material.

TSBl - TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL REMOVE MANUAL TABLE OF CONTENTS DATE: 12/01/2022 ADD MANUAL TABLE OF CONTENTS DATE: 01/05/2023 CATEGORY: DOCUMENTS TYPE: TSBl

Uctll. VO I L.UL..J Page 2 of 6 ID: TEXT 3.1.7 REMOVE : REV: 4 ADD: REV: 5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.1.1 REMOVE : REV: 7 ADD: REV: 8 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.2.1 ADD: REV: 6 REMOVE: REV:5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.2.2 REMOVE : REV : 3 ADD: REV: 4 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.4.1 ADD: REV: 4 REMOVE : REV : 3 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.4.2 REMOVE: REV:1

U ct!!. VO I L. UL. ..J Page 3 of 6 ADD: REV: 2 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.5.1 REMOVE : REV: 5 ADD: REV: 6 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.5.3 ADD: REV: 1 REMOVE : REV: 0 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.6.1 REMOVE : REV : 9 ADD: REV: 10 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.8.1 ADD: REV: 6 REMOVE: REV:5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.5.1 ADD: REV: 9 REMOVE: REV:8 CATEGORY: DOCUMENTS TYPE: TSBl

u cul. uo , L. u L...)

Page 4 of 6 ID: TEXT 3.5.3 ADD: REV: 7 REMOVE : REV: 6 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.1.2 REMOVE: REV:2 ADD: REV: 3 REPLACE: REV:3 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.1.3 REMOVE: REV: 18 ADD: REV: 19 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.1.6 REMOVE : REV: 1 ADD: REV: 2 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.2.3 ADD: REV: 3 REMOVE : REV : 2 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.2.4

Uc:Ul. UO I L.UL..:J Page 5 of 6 REMOVE : REV: 1 ADD: REV: 2 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.7.1 REMOVE : REV : 7 ADD: REV: 8 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.7.2 ADD: REV: 6 REMOVE : REV: 5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.8.1 REMOVE: REV: 14 ADD: REV: 15 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.8.4 REMOVE : REV: 4 ADD: REV: 5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.8.7 REMOVE: REV: 3 ADD: REV: 4

LJ d.11 e U O / L. UL. .J Page 6 of 6 ANY DISCREPANCIES WITH THE MATERIAL PROVIDED, CONTACT DCS@ X3171 OR X3194 FOR ASSISTANCE. UPDATES FOR HARDCOPY MANUALS WILL BE DISTRIBUTED WITHIN 3 DAYS IN ACCORDANCE WITH DEPARTMENT PROCEDURES. PLEASE MAKE ALL CHANGES AND ACKNOWLEDGE COMPLETE IN YOUR NIMS INBOX UPON COMPLETION OF UPDATES. FOR ELECTRONIC MANUAL USERS, ELECTRONICALLY REVIEW THE APPROPRIATE DOCUMENTS AND ACKNOWLEDGE COMPLETE IN YOUR NIMS INBOX.

1.

SSES MANUAL

.- Manual Name: TSBl

Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL Table Of Contents Issue Date: 01/05/2023 Procedure Name Rev Issue Date Change ID Change Number TEXT LOES 134 01/03/2019

Title:

LIST OF EFFECTIVE SECTIONS TEXT TOC 25 03/05/2019

Title:

TABLE OF CONTENTS TEXT 2 .1.1 7 03/29/2022

Title:

SAFETY LIMITS (SLS) REACTOR CORE SLS TEXT 2 .1.2 1 TEXT 3.0 TEXT 3 .1.1 TEXT 3 .1.2 TEXT 3 .1. 3 11/16/2016 TEXT 3.1.4 5 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS CONTROL ROD SCRAM TIMES TEXT 3 .1.5 2 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS CONTROL ROD SCRAM ACCUMULATORS TEXT 3 .1. 6 5 03/29/2022

Title:

REACTIVITY CONTROL SYSTEMS ROD PATTERN CONTROL

Page 1 of 8 Report Date: 01/05/23

SSES MANUAL *l Manual Name: TSBl Manual Ti t1e*: TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.1.7 5 01/05/2023

Title:

REACTIVITY CONTROL SYSTEMS STANDBY LIQUID CONTROL (SLC) SYSTEM TEXT 3 .1.8 4 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS SCRAM DISCHARGE VOLUME (SDV) VENT AND DRAIN VALVES TEXT 3.2.1 4 03/29/2022

Title:

POWER DISTRIBUTION LIMITS AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)

TEXT 3.2.2 5 03/29/2022

Title:

POWER DISTRIBUTION LIMITS MINIMUM CRITICAL POWER RATIO (MCPR)

TEXT 3.2.3 4 03/29/2022

Title:

POWER DISTRIBUTION LIMITS LINEAR HEAT GENERATION RATE (LHGR)

TEXT 3.3.1.1 TEXT 3 . 3 . 1. 2 8

4 01/05/2023

Title:

INSTRUMENTATION REACTOR PROTECTION SYSTEM (RPS) 01/23/2018 INSTRUMENTATION

Title:

INSTRUMENTATION SOURCE RANGE MONITOR (SRM) INSTRUMENTATION TEXT 3.3.2.1 6 01/05/2023

Title:

INSTRUMENTATION CONTROL ROD BLOCK INSTRUMENTATION TEXT 3.3.2.2 4 01/05/2023

Title:

INSTRUMENTATION FEEDWATER MAIN TURBINE HIGH WATER LEVEL TRIP INSTRUMENTATION TEXT 3 . 3 . 3 . 1 , 10 11/16/2016

Title:

INSTRUMENTATION POST ACCIDENT MONITORING (PAM) INSTRUMENTATION TEXT 3.3.3.2 2 11/16/2016

Title:

INSTRUMENTATION REMOTE SHUTDOWN SYSTEM TEXT 3.3.4.1 4 01/05/2023

Title:

INSTRUMENTATION END OF CYCLE RECIRCULATION PUMP TRIP (EOC-RPT) INSTRUMENTATION Page 2 of 8 Report Date: 01/05/23

SSES MANUAL Manual Name : TSBl

Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.3.4.2 2 01/05/2023

Title:

INSTRUMENTATION ANTICIPATED TRANSIENT WITHOUT SCRAM RECIRCULATION PUMP TRIP (ATWS-RPT) INSTRUMENTATION TEXT 3.3.5.1 6 01/05/2023

Title:

INSTRUMENTATION EMERGENCY CORE COOLING SYSTEM (ECCS) INSTRUMENTATION TEXT 3.3.5.2 3 03/18/2021

Title:

REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL INSTRUMENTATION TEXT 3.3.5.3 1 01/05/2023

Title:

UNIT 1 REACTOR PRESSURE VESSEL WIC TS CHANGES TEXT 3.3.6.1 10 01/05/2023

Title:

INSTRUMENTATION PRIMARY CONTAINMENT ISOLATION INSTRUMENTATION

TEXT 3.3.6.2 6 03/05/2019

Title:

INSTRUMENTATION SECONDARY CONTAINMENT ISOLATION INSTRUMENTATION TEXT 3.3.7.1 4 03/05/2019

Title:

INSTRUMENTATION CONTROL ROOM EMERGENCY OUTSIDE AIR SUPPLY (CREOAS) SYSTEM INSTRUMENTATION TEXT 3.3.8.1 6 01/05/2023

Title:

INSTRUMENTATION LOSS OF POWER (LOP) INSTRUMENTATION TEXT 3.3.8.2 1 11/16/2016

Title:

INSTRUMENTATION REACTOR PROTECTION SYSTEM (RPS) ELECTRIC POWER MONITORING TEXT 3.4.1 7 05/13/2022

Title:

REACTOR COOLANT SYSTEM (RCS) RECIRCULATION LOOPS OPERATING TEXT 3.4.2 5 05/13/2022

Title:

REACTOR COOLANT SYSTEM (RCS) JET PUMPS TEXT 3.4.3 3 01/13/2012

Title:

REACTOR COOLANT SYSTEM RCS SAFETY RELIEF VALVES S/RVS

Page 3 of 8 Report Date: 01/05/23

SSES MANUAL Manual Name: TSBl Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.4.4 1 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS OPERATIONAL LEAKAGE TEXT 3.4.5 2 04/13/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS PRESSURE ISOLATION VALVE (PIV) LEAKAGE TEXT 3.4.6 5 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS LEAKAGE DETECTION INSTRUMENTATION TEXT 3.4:7 3 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS SPECIFIC ACTIVITY TEXT 3.4.8 3 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RESIDUAL HEAT REMOVAL (RHR) SHUTDOWN COOLING SYSTEM

- HOT SHUTDOWN TEXT 3 . 4 . 9 2 11/16/2016 *

Title:

REACTOR COOLANT SYSTEM (RCS) RESIDUAL HEAT REMOVAL (RHR) SHUTDOWN COOLING SYSTEM

- COLD SHUTDOWN TEXT 3.4.10 6 05/14/2019

Title:

REACTOR COOLANT SYSTEM (RCS) RCS PRESSURE AND TEMPERATURE (P/T) LIMITS TEXT 3.4.11 1 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) REACTOR STEAM DOME PRESSURE TEXT 3.5.1 9 01/05/2023

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING TEXT 3.5.2 5 06/09/2022

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING TEXT 3.5.3 7 01/05/2023

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING Page 4 of 8 Report Date: 01/05/23

SSES MANUAL Manual Name: TSBl

Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.6.1.1 6 11/16/2016

Title:

PRIMARY CONTAINMENT TEXT 3.6.1.2 3 01/05/2023

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT AIR LOCK TEXT 3 . 6 . 1. 3 19 01/05/2023

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT ISOLATION VALVES (PCIVS)

TEXT 3.6.1.4 2 11/16/2016

Title:

CONTAINMENT SYSTEMS CONTAINMENT PRESSURE TEXT 3.6.1.5 2 11/16/2016

Title:

CONTAINMENT SYSTEMS DRYWELL AIR TEMPERATURE

TEXT 3.6.1.6 2 01/05/2023

Title:

CONTAINMENT SYSTEMS SUPPRESSION CHAMBER-TO-DRYWELL VACUUM BREAKERS TEXT 3.6.2.1 3 11/16/2016

Title:

CONTAINMENT SYSTEMS SUPPRESSION POOL AVERAGE TEMPERATURE TEXT 3.6.2.2 2 '03/05/2019

Title:

CONTAINMENT SYSTEMS SUPPRESSION POOL WATER LEVEL TEXT 3.6.2.3 3 01/05/2023

Title:

CONTAINMENT SYSTEMS RESIDUAL HEAT REMOVAL (RHR) SUPPRESSION POOL COOLING TEXT 3.6.2.4 2 01/05/2023

Title:

CONTAINMENT SYSTEMS RESIDUAL HEAT REMOVAL (RHR) SUPPRESSION POOL SPRAY TEXT 3.6.3.1 2 06/13/2006

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT HYDROGEN RECOMBINERS TEXT 3.6.3.2 4 04/22/2020

Title:

CONTAINMENT SYSTEMS DRYWELL AIR FLOW SYSTEM Page 5 of 8 Report Date: 01/05/23

SSES MANUAL Manual Name: TSBl Manual*Title: TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.6.3.3 3 09/29/2017

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT OXYGEN CONCENTRATION TEXT 3.6.4.1 16 12/16/2020

Title:

CONTAINMENT SYSTEMS SECONDARY CONTAINMENT TEXT 3.6.4.2 14 03/05/2.019

Title:

CONTAINMENT SYSTEMS SECONDARY CONTAINMENT ISOLATION VALVES (SCIVS)

TEXT 3.6.4.3 7 03/05/2019

Title:

CONTAINMENT SYSTEMS STANDBY GAS TREATMENT (SGT) SYSTEM TEXT 3.7.1 8 01/05/2023

Title:

PLANT SYSTEMS RESIDUAL HEAT REMOVAL SERVICE WATER (RHRSW) SYSTEM AND THE ULTIMATE HEAT SINK (UHS)

TEXT 3.7.2 6 01/05/2023

Title:

PLANT SYSTEMS EMERGENCY SERVICE WATER (ESW) SYSTEM TEXT 3.7.3 4 03/05/2019

Title:

PLANT SYSTEMS CONTROL ROOM EMERGENCY OUTSIDE AIR SUPPLY (CREOAS) SYSTEM TEXT 3.7.4 2 03/05/2019

Title:

PLANT SYSTEMS CONTROL ROOM FLOOR COOLING SYSTEM TEXT 3.7.5 2 11/16/2016

Title:

PLANT SYSTEMS MAIN CONDENSER OFFGAS TEXT 3.7.6 3 11/16/2016

Title:

PLANT SYSTEMS MAIN TURBINE BYPASS SYSTEM TEXT 3.7.7 2 11/16/2016

Title:

PLANT SYSTEMS SPENT FUEL STORAGE POOL WATER LEVEL TEXT 3.7.8 1 11/16/2016

Title:

PLANT SYSTEMS Page 6 of 8 Report Date: 01/05/23

I SSES MANUAL Manual Name: TSBl Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.8.1 15 01/05/2023

Title:

ELECTRICAL POWER SYSTEMS AC SOURCES - OPERATING TEXT 3.8.2 2 03/18/2021

Title:

ELECTRICAL POWER SYSTEMS AC SOURCES - SHUTDOWN TEXT 3.8.3 7 08/07/2019

Title:

ELECTRICAL POWER SYSTEMS DIESEL FUEL OIL, LUBE OIL, AND STARTING AIR TEXT 3.8.4 5 01/05/2023

Title:

ELECTRICAL POWER SYSTEMS DC SOURCES - OPERATING TEXT 3.8.5 2 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS DC SOURCES - SHUTDOWN

TEXT 3.8.6 2 11/16/2016

Title:

ELECTRICAL POWER SYSTEMS BATTERY CELL PARAMETERS TEXT 3.8.7 4 01/05/2023

Title:

ELECTRICAL POWER SYSTEMS DISTRIBUTION SYSTEMS - OPERATING TEXT 3.8.8 2 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS DISTRIBUTION SYSTEMS - SHUTDOWN TEXT 3.9.1 1 11/16/2016

Title:

REFUELING OPERATIONS REFUELING EQUIPMENT INTERLOCKS TEXT 3.9.2 2 11/16/2016

Title:

REFUELING OPERATIONS REFUEL POSITION ONE-ROD-OUT INTERLOCK TEXT 3.9.3 1 11/16/2016

Title:

REFUELING OPERATIONS CONTROL ROD POSITION TEXT 3.9.4 0 11/15/2002

Title:

REFUELING OPERATIONS CONTROL ROD POSITION INDICATION Page 7 of 8 Report Date: 01/05/23

SSES MANUAL Manual Name: TSBl Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.9.5 1 11/16/2016

Title:

REFUELING OPERATIONS CONTROL ROD OPERABILITY - REFUELING TEXT 3.9.6 2 11/16/2016

Title:

REFUELING OPERATIONS REACTOR PRESSURE VESSEL (RPV) WATER LEVEL TEXT 3.9.7 1 11/16/2016

Title:

REFUELING OPERATIONS RESIDUAL HEAT REMOVAL (RHR) - HIGH WATER LEVEL TEXT 3.9.8 1 11/16/2016

Title:

REFUELING OPERATIONS RESIDUAL HEAT REMOVAL (RHR) - LOW WATER LEVEL TEXT 3.10.1 2 03/05/2019

Title:

SPECIAL OPERATIONS INSERVICE LEAK AND HYDROSTATIC TESTING OPERATION TEXT 3.10.2 1 11/16/2016

Title:

SPECIAL OPERATIONS REACTOR MODE SWITCH INTERLOCK TESTING TEXT 3.10.3 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD WITHDRAWAL - HOT SHUTDOWN TEXT 3.10.4 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD WITHDRAWAL - COLD SHUTDOWN TEXT 3.10.5 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD DRIVE (CRD) REMOVAL - REFUELING TEXT 3.10.6 1 11/16/2016

Title:

SPECIAL OPERATIONS MULTIPLE CONTROL ROD WITHDRAWAL - REFUELING TEXT 3.10.7 2 03/29/2022

Title:

SPECIAL OPERATIONS CONTROL ROD TESTING - OPERATING TEXT 3.10.8 3 03/29/2022

Title:

SPECIAL OPERATIONS SHUTDOWN MARGIN (SDM) TEST - REFUELING Page 8 of 8 Report Date: 01/05/23

Rev. 5 SLC System

B 3.1 REACTIVITY CONTROL SYSTEMS B 3.1. 7 Standby Liquid Control (SLC) System B 3.1.7 BASES BACKGROUND The SLC System is designed to provide the capability of bringing the reactor, at any time in a fuel. cycle, from full power and minimum control rod inventory to a subcritical condition with the reactor in the most reactive, xenon free state without taking credit for control rod movement.

Additionally, the SLC System is designed to provide sufficient buffering agent to maintain the suppression pool pH at or above 7.0 following a OBA LOCA involving fuel damage. Maintaining the suppression pool pH at or above 7.0 will mitigate the re-evolution of iodine from the suppression pool water following a OBA LOCA. The SLC system satisfies the requirements of 10 CFR 50.62 (Ref. 1) for anticipated transient without scram.

The SLC System consists of a sodium pentaborate solution storage tank, two positive displacement pumps, two explosive valves that are provided in parallel for redundancy, and associated piping and valves used to transfer

borated water from the storage tank to the reactor pressure vessel (RPV) .

The borated solution is discharged near the bottom of the core shroud, where it then mixes with the cooling water rising through the core. A smaller tank containing demineralized water is provided for testing purposes.

APPLICABLE The SLC System is manually initiated from the main control room, as SAFETY directed by the emergency operating procedures, if the operator believes ANALYSES the reactor cannot be shut down, or kept shut down, with the control rods or if fuel damage occurs post-LOCA. The SLC System is used in the event that enough control rods cannot be inserted to accomplish shutdown and cooldown in the normal manner or if fuel damage occurs post-LOCA. The SLC System injects borated water into the reactor core to add negative reactivity to compensate for all of the various reactivity effects that could occur during plant operations. To meet this objective, it is necessary to inject a quantity of enriched sodium pentaborate, which produces a concentration equivalent to 660 ppm of natural boron, in the reactor coolant at 68°F. To allow for potential leakage and imperfect mixing in the reactor system, an amount of boron equal to 25% of the amownt cited above is added (Ref. 2). The volume versus concentration limits in Figure 3.1.7-1 and the temperature versus concentration limits in Figure 3.1.7-2 are calculated such that the required concentration is achieved accounting for dilution in the RPV with normal water level and including the water volume

- SUSQUEHANNA - UNIT 1 in the residual heat removal shutdown cooling piping and in the 3.1-39

Rev. 5 SLC System

BASES APPLICABLE SAFETY B 3.1.7 recirculation loop piping. This quantity of borated solution is the amount that is above the pump suction shutoff level in the boron solution storage ANALYSES tank. No credit is taken for the portion of the tank volume that cannot be (continued) injected. The minimum concentration ensures compliance with the requirements of 10 CFR 50.62 (Ref. 1).

The SLC System is also used to control Suppression Pool pH in the event of a OBA LOCA by injecting sodium pentaborate into the reactor vessel.

The sodium pentaborate is then transported to the suppression pool and mixed by ECCS flow recirculation through the reactor, out of the break and into the suppression chamber. The amount of sodium pentaborate solution that must be available for injection following a OBA LOCA is determined as part of the OBA LOCA radiological analysis. This quantity is maintained in the storage tank as specified in the Technical Specification.

The SLC System satisfies the requirements of the NRC Policy Statement (Ref. 3) because operating experience and probabilistic risk assessments have shown the SLC System to be important to public health and safety.

Thus, it is retained in the Technical Specifications .

LCO The OPERABILITY of the SLC System provides backup capability for reactivity control independent of normal reactivity control provisions provided by the control rods and provides sufficient buffering agent to maintain the suppression pool pH at or above 7.0 following a OBA LOCA involving fuel damage. The OPERABILITY of the SLC System is based on the conditions of the borated solution in the storage tank and the availability of a flow path to the RPV, including the OPERABILITY of the pumps and valves. Two SLC subsystems are required to be OPERABLE; each contains an OPERABLE pump, an explosive valve, and associated piping, valves, and instruments and controls to ensure an OPERABLE flow path.

APPLICABILITY In MODES 1 and 2, shutdown capability is required. In MODES 3 and 4, control rods are not able to be withdrawn (except as permitted by LCO 3.10.3 and LCO 3.10.4) since the reactor mode switch is in shutdown and a control rod block is applied. This provides adequate controls to ensure that the reactor remains subcritical. In MODE 5, only a single control rod can be withdrawn from a core cell containing fuel assemblies. Demonstration of adequate SOM (LCO 3.1.1, "SHUTDOWN MARGIN (SOM)") ensures that the reactor will not become critical. Therefore, the SLC System is not required to be OPERABLE when only a single control rod can be withdrawn.

SUSQUEHANNA - UNIT 1 3.1-40

Rev. 5 SLC System 8 3.1.7 BASES APPLICABILITY A OBA LOCA that results in the release of radioactive material is possible (continued) in MODES 1, 2 and 3; therefore, capability to buffer the suppression pool pH is required. In MODES 4 and 5, a OBA LOCA with radioactive release need not be postulated.

ACTIONS If the boron solution concentration is not within the limits in Figure 3.1. 7-1, the operability of both SLC subsystems is impacted and the concentration must be restored to within limits within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is considered acceptable given the low probability of an event occurring concurrent with the failure of the control rods to shut down the reactor.

If the boron solution concentration is >12 weight-percent with the tank volume ;;:: 1350 gallons, both SLC subsystems are operable as long as the temperature for the boron solution concentration is within the acceptable region of Figure 3.1. 7-2. If the temperature requirements are not met, operability of both SLC subsystems is impacted and the concentration or

solution temperature must be restored within limits within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

8.1 If one SLC subsystem is inoperable for reasons other than Condition A, the inoperable subsystem must be restored to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. In this condition, the remaining OPERABLE subsystem is adequate to perform the shutdown function and provide adequate buffering agent to the suppression pool. However, the overall reliability is reduced because a single failure in the remaining OPERABLE subsystem could result in reduced SLC System shutdown capability. The 7 day Completion Time is based on the availability of an OPERABLE subsystem capable of performing the intended SLC System functions and the low probability of an event occurring requiring SLC injection.

C.1 If both SLC subsystems are inoperable for reasons other than Condition A, at least one subsystem must be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . The allowed Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is considered acceptable given the low probability of an event occurring requiring SLC injection .

SUSQUEHANNA - UNIT 1 3.1-41

Rev. 5 SLC System

BASES ACTIONS (continued)

D.1 B 3.1.7 If any Required Action and associated Completion Time is not met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.1.7.1, SR 3.1.7.2, and SR 3.1.7.3 REQUIREMENTS SR 3.1. 7.1 through SR 3.1. 7.3 are 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Surveillances verifying certain characteristics of the SLC System (e.g., the volume and temperature of the borated solution in the storage tank), thereby ensuring SLC System OPERABILITY without disturbing normal plant operation. These Surveillances ensure that the proper borated solution volume and temperature, including the temperature of the pump suction piping, are maintained. Maintaining a minimum specified borated solution temperature

is important in ensuring that the sodium pentaborate remains in solution and does not precipitate out in the storage tank or in the pump suction piping. The temperature versus concentration curve of Figure 3.1.7-2 ensures that a 10°F margin will be maintained above the saturation temperature. An alternate method of performing SR 3.1.7.3 is to verify the OPERABILITY of the SLC heat trace system. This verifies the continuity of the heat trace lines and ensures proper heat trace operation, which ensure that the SLC suction piping temperature is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.4 and SR 3.1.7.6 SR 3.1.7.4 verifies the continuity of the explosive charges in the injection valves to ensure that proper operation will occur if required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1. 7.6 verifies that each valve in the system is in its correct position, but does not apply to the squib (i.e., explosive) valves. Verifying the correct alignment for manual and power operated valves in the SLC System flow path provides assurance that the proper flow paths will exist for system operation. A valve is also allowed to be in the nonaccident

- position provided it can be aligned to the accident position from the control SUSQUEHANNA - UNIT 1 3.1-42

Rev. 5 SLC System B 3.1.7 BASES SURVEILLANCE SR 3.1.7.4 and SR 3.1.7.6 (continued)

REQUIREMENTS (continued) room, or locally by a dedicated operator at the valve control. This is acceptable since the SLC System is a manually initiated system. This Surveillance also does not apply to valves that are locked, sealed, or otherwise secured in position since they are verified to be in the correct position prior to locking, sealing, or securing. This verification of valve alignment does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.5 This Surveillance requires an examination of the sodium pentaborate solution by using chemical analysis to ensure that the proper concentration of sodium pentaborate exists in the storage tank. SR 3.1. 7 .5 must be performed anytime sodium pentaborate or water is added to the storage tank solution to determine that the sodium pentaborate solution concentration is within the specified limits. SR 3.1.7.5 must also be performed anytime the temperature is restored to within the limits of Figure 3.1. 7-2, to ensure that no significant sodium pentaborate precipitation occurred. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.1.7.7 Demonstrating that each SLC System pump develops a flow rate 2 40.0 gpm at a discharge pressure 2 1250 psig without actuating the pump's relief valve ensures that pump performance has not degraded during the fuel cycle. Testing at 1250 psig assures that the functional capability of the SLC system meets the A TWS Rule (1 O CFR 50.62)

(Ref. 1) requirements. This minimum pump flow rate requirement ensures that, when combined with the sodium pentaborate solution concentration requirements, the rate of negative reactivity insertion from the SLC System will adequately compensate for the positive reactivity effects encountered during power reduction, cooldown of the moderator, and xenon decay.

Additionally, the minimum pump flow rate requirement ensures that adequate buffering agent will reach the suppression pool to maintain pH above 7.0. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this Surveillance is in accordance with the lnservice Testing Program.

SUSQUEHANNA - UNIT 1 3.1-43

Rev. 5 SLC System

BASES SURVEILLANCE REQUIREMENTS SR 3.1.7.8 and SR 3.1.7.9 B 3.1.7 (continued) These Surveillances ensure that there is a functioning flow path from the boron solution storage tank to the RPV, including the firing of an explosive valve. The replacement charge for the explosive valve shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of that batch successfully fired. The Surveillance may be performed in separate steps to prevent injecting solution into the RPV. An acceptable method for verifying flow from the pump to the RPV is to pump demineralized water from a test tank through one SLC subsystem and into the RPV. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Demonstrating that all heat traced piping between the* boron solution storage tank and the suction inlet to the injection pumps is unblocked ensures that there is a functioning flow path for injecting the sodium pentaborate solution. An acceptable method for verifying that the suction piping is unblocked is to pump from the storage tank to the test tank. This test can be performed by any series of overlapping or total flow path test so that the entire flow path is included. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This is especially true in light of the temperature verification of this piping required by SR 3.1.7.3. However, if, in performing SR 3.1.7.3, it is determined that the temperature of this piping has fallen below the specified minimum or the heat trace was not properly energized and building temperature was below the temperature at which the SLC solution would precipitate out, SR 3.1.7.9 must be performed once within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after the piping temperature is restored to within the limits of Figure 3.1.7-2.

SR 3.1.7.10 Enriched sodium pentaborate solution is made by mixing granular, enriched sodium pentaborate with water. Verification of the actual B-10 enrichment must be performed prior to addition to the SLC tank in order to ensure that the proper B-10 atom percentage is being used. This verification may be based on independent isotopic analysis or a manufacturer certificate of compliance.

SUSQUEHANNA - UNIT 1 3.1-44

Rev.5 SLC System B 3.1.7 BASES REFERENCES 1. 10 CFR 50.62.

2. FSAR, Section 9.3.5.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132) .

SUSQUEHANNA - UNIT 1 3.1-45

Rev.5 SLC System B 3.1.7 BASES THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.1-46

Rev. 8 RPS Instrumentation

B 3.3 INSTRUMENTATION B 3.3.1.1 Rea"ctor Protection System (RPS) Instrumentation B 3.3.1.1 BASES BACKGROUND The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limits, to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS) and minimize the energy that must be absorbed following a loss of coolant accident (LOCA). This can be accomplished either automatically or manually.

The protection and monitoring functions of the RPS have been designed to ensure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as LCOs on other reactor system parameters and equipment performance. The LSSS are defined in this Specification as the Allowable Values, which, in conjunction with the LCOs, establish the threshold for protective system action to prevent exceeding acceptable limits, including Safety Limits (SLs) during Design Basis Accidents (DBAs).

The RPS, as shown in the FSAR, Figure 7.2-1 (Ref. 1), includes sensors, relays, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. Functional diversity is provided by monitoring a wide range of dependent and independent parameters. The input parameters to the scram logic are from instrumentation that monitors reactor vessel water level, reactor vessel pressure, neutron flux, main steam line isolation valve position, turbine control valve (TCV) fast closure trip oil pressure, turbine stop valve (TSV) position, drywell pressure, and scram discharge volume (SDV) water level, as well as reactor mode switch in shutdown position and manual scram signals. There are at least four redundant sensor input signals from each of these parameters (with the exception of the reactor mode switch in shutdown scram signal). When the setpoint is reached, the channel sensor actuates, which then outputs an RPS trip signal to the trip logic. Table B 3.3.1.1-1 summarizes the diversity of sensors capable of initiating scrams during anticipated operating transients typically analyzed.

The RPS is comprised of two independent trip systems (A and B) with two logic channels in each trip system (logic channels A1 and A2, B1 and B2) as shown in Reference 1. The outputs of the logic channels in a trip system are combined in a one-out-of-two logic so that either channel can trip the associated trip system. The tripping of both trip systems will produce a reactor scram. This logic arrangement is referred to as a one-out-of-two taken twice logic. Each trip system can be reset by use of a

. reset switch. If a full scram occurs (both trip systems trip), a relay prevents SUSQUEHANNA - UNIT 1 3.3-1

Rev.8 RPS Instrumentation

BASES BACKGROUND (continued)

B 3.3.1.1 reset of the trip systems for 10 seconds after the full scram signal is received. This 10 second delay on reset ensures that the scram function will be completed.

Two AC powered scram pilot solenoids are located in the hydraulic control unit for each control rod drive (CRD). Each scram pilot valve is operated with the solenoids normally energized. The scram pilot valves control the air supply to the scram inlet and outlet valves for the associated CRD.

When either scram pilot valve solenoid is energized, air pressure holds the scram valves closed and, therefore, both scram pilot valve solenoids must be de-energized to cause a control rod to scram. The scram valves control the supply and discharge paths for the CRD water during a scram. One of the scram pilot valve solenoids for each CRD is controlled by trip system A, and the other solenoid is controlled by trip system B. Any trip of trip system A in conjunction with any trip in trip system B results in de-energizing both solenoids, air bleeding off, scram valves opening, and control rod scram.

The DC powered backup scram valves, which energize on a scram signal to depressurize the scram air header, are also controlled by the RPS.

- Additionally, the RPS System controls the SDV vent and drain valves such that when both trip systems trip, the SDV vent and drain valves close to isolate the SDV.

APPLICABLE The actions of the RPS are assumed in the safety analyses of SAFETY References 3, 4, 5 and 6. The RPS initiates a reactor scram before the ANALYSES, monitored parameter values reach the Allowable Values, specified by the LCO, and setpoint methodology and listed in Table 3.3.1.1-1 to preserve the integrity APPLICABILITY of the fuel cladding, the reactor coolant pressure boundary (RCPB), and the containment by minimizing the energy that must be absorbed following a LOCA.

RPS instrumentation satisfies Criterion 3 of the NRC Policy Statement.

(Ref. 2)

Functions not specifically credited in the accident analysis are retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The OPERABILITY of the RPS is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.1.1-1.

Each Function must have a required number of OPERABLE channels per RPS trip system, with their setpoints within the specified Allowable Value, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each channel must also respond within its assumed response time.

SUSQUEHANNA - UNIT 1 3.3-2

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE Allowable Values are specified for each RPS Function specified in the SAFETY Table. Nominal trip setpoints are specified in the setpoint calculations. The ANALYSES, nominal setpoints are selected to ensure that the actual setpoints do not LCO, and exceed the Allowable Value between successive CHANNEL APPLICABILITY CALIBRATIONS. Operation with a trip setpoint less conservative than the (continued) nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

The OPERABILITY of scram pilot valves and associated solenoids, backup scram valves, and SDV valves, described in the Background section, are not addressed by this LCO.

The individual Functions are required to be OPERABLE in the MODES specified in the table, which may require an RPS trip to mitigate the consequences of a design basis accident or transient. To ensure a reliable scram function, a combination of Functions are required in each MODE to provide primary and diverse initiation signals.

The RPS is required to be OPERABLE in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies. Control rods withdrawn from a core cell containing no fuel assemblies do not affect the reactivity of the core and, therefore, are not required to have the capability to scram. Provided all other control rods remain inserted, the RPS function is not required. In this condition, the required SDM (LCO 3.1.1) and refuel position one-rod-out interlock (LCO 3.9.2) ensure that no event requiring RPS will occur. During normal operation in MODES 3 and 4, all control rods are fully inserted and the Reactor Mode Switch Shutdown Position control rod withdrawal block (LCO 3.3.2.1) does not allow any control rod to be withdrawn. Under these conditions, the SUSQUEHANNA - UNIT 1 3.3-3

BASES Rev. 8 RPS Instrumentation B 3.3.1.1 APPLICABLE RPS function is not required to be OPERABLE. The exception to this is SAFETY Special Operations (LCO 3.10.3 and LCO 3.10.4) which ensure compliance ANALYSES, with appropriate requirements.

LCO, and APPLICABILITY The specific Applicable Safety Analyses, LCO, and Applicability (continued) discussions are listed below on a Function by Function basis.

Intermediate Range Monitor (IRM) 1.a. Intermediate Range Monitor Neutron Flux - High The IRMs monitor neutron flux levels from the upper range of the source range monitor (SRM) to the lower range of the average power range monitors (APRMs). The IRMs are capable of generating trip signals that can be used to prevent fuel damage resulting from abnormal operating transients in the intermediate power range. In this power range, the most significant source of reactivity change is due to control rod withdrawal. The IRM provides diverse protection for the rod worth minimizer (RWM), which monitors and controls the movement of control rods at low power. The RWM prevents the withdrawal of an out of sequence control rod during

startup that could result in an unacceptable neutron flux excursion (Ref. 5) .

The IRM provides mitigation of the neutron flux excursion. To demonstrate the capability of the IRM System to mitigate control rod withdrawal events, generic analyses have been performed (Ref. 3) to evaluate the consequences of control rod withdrawal events during startup that are mitigated only by the IRM. This analysis, which assumes that one IRM channel in each trip system is bypassed, demonstrates that the IRMs provide protection against local control rod withdrawal errors and results in peak fuel energy depositions below the 170 cal/gm fuel failure threshold criterion.

The IRMs are also capable of limiting other reactivity excursions during startup, such as cold water injection events, although no credit is specifically assumed. *

The IRM System is divided into two trip systems, with four IRM channels inputting to each trip system. The analysis of Reference 3 assumes that one channel in each trip system is bypassed. Therefore, six channels with three channels in each trip system are required for IRM OPERABILITY to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. This trip is active in each of the 10 ranges of the IRM, which must be selected by the operator to maintain the neutron flux within the monitored level of an IRM range.

The analysis of Reference 3 has adequate conservatism to permit an IRM Allowable Value of 122 divisions of a 125 division scale.

SUSQUEHANNA - UNIT 1 3.3-4

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 1.a. Intermediate Range Monitor Neutron Flux - High (continued}

SAFETY ANALYSES, The Intermediate Range Monitor Neutron Flux - High Function must be LCO, and OPERABLE during MODE 2 when control rods may be withdrawn and the APPLICABILITY potential for criticality exists. In MODE 5, when a cell with fuel has its (continued) control rod withdrawn, the IRMs provide monitoring for and protection against unexpected reactivity excursions. In MODE 1, the APRM System and the RWM provide protection against control rod withdrawal error events and the IRMs are not required. In addition, the Function is automatically bypassed when the Reactor Mode Switch is in the Run position.

1.b. Intermediate Range Monitor - lnop This trip signal provides assurance that a minimum number of IRMs are OPERABLE. Anytime an IRM mode switch is moved to any position other than "Operate," the detector voltage drops below a preset level, or when a module is not plugged in, an inoperative trip signal will be received by the RPS unless the IRM is bypassed. Since only one IRM in each trip system may be bypassed, only one IRM in each RPS trip system may be inoperable without resulting in an RPS trip signal.

This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

Six channels of Intermediate Range Monitor - lnop with three channels in each trip system are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.

Since this Function is not assumed in the safety analysis, there is no Allowable Value for this Function.

This Function is required to be OPERABLE when the Intermediate Range Monitor Neutron Flux - High Function is required.

Average Power Range Monitor (APRM)

The APRM channels provide the primary indication of neutron flux within the core and respond almost instantaneously to neutron flux increases.

The APRM channels receive input signals from the local power range monitors (LPRMs) within the reactor core to provide an indication of the power distribution and local power changes. The APRM channels average these LPRM signals to provide a continuous indication of average reactor power from a few percent to greater than RTP. Each SUSQUEHANNA - UNIT 1 3.3-5

Rev.8 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE Average Power Range Monitor (APRM) (continued)

SAFETY ANALYSES, APRM channel also includes an Oscillation Power Range Monitor LCO, and- (OPRM) Upscale Function which monitors small groups of LPRM signals APPLICABILITY to detect thermal-hydraulic instabilities.

(continued)

The APRM trip System is divided into four APRM channels and four 2-out-of-4 Voter channels. Each APRM channel provides inputs to each of the four voter channels. The four voter channels are divided into two groups of two each with each group of two providing inputs to one RPS trip system. The system is designed to allow one APRM channel, but no voter channels, to be bypassed. A trip from any one unbypassed APRM will result in a "half-trip" in all four of the voter channels, but no trip inputs to either RPS trip system.

APRM trip Functions 2.a, 2.b, 2.c, and 2.d are voted independ,;mtly from OPRM Trip Function 2.f. Therefore, any Function 2.a, 2.b, 2.c, or 2.d trip from any two unbypassed APRM channels will result in a full trip in each of the four voter channels, which in turn results in two trip inputs into each RPS trip system logic channel (A1, A2, 81, and 82), thus resulting in a full scram signal. Similarly, a Function 2.f trip from any two unbypassed APRM channels will result in a full trip from each of the four voter channels.

Three of the four APRM channels and all four of the voter channels are required to be OPERABLE to ensure that no single failure will preclude a scram on a valid signal. In addition, to provide adequate coverage of the entire core consistent with the design bases for the APRM Functions 2.a, 2.b, and 2.c, at least [20] LPRM inputs with at least three LPRM inputs from each of the four axial levels at which the LPRMs are located must be OPERABLE for each APRM channel, with no more than [9], LPRM detectors declared inoperable since the most recent APRM gain calibration. Per Reference 23, the minimum input requirement for an APRM channel with 43 LPRM inputs is determined given that the total number of LPRM outputs used as inputs to an APRM channel that may be bypassed shall not exceed twenty-three (23). Hence, 20 LPRM inputs producing a channel trip signal are needed to be operable. For the OPRM Trip Function 2. f, each LPRM in an APRM channel is further associated in a pattern of OPRM "cells," as described in References 17 and 18. Each OPRM cell is capable of producing a channel trip signal.

SUSQUEHANNA - UNIT 1 3.3-6

Rev. 8 RPS Instrumentation

BASES APPLICABLE SAFETY 2.a. Average Power Range Monitor Neutron Flux - High (Setdown)

B 3.3.1.1 ANALYSES, For operation at low power (i.e., MODE 2), the Average Power Range LCO, and Monitor Neutron Flux - High (Setdown) Function is capable of generating APPLICABILITY a trip signal that prevents fuel damage resulting from abnormal operating (continued) transients in this power range. For most operation at low power levels, the Average Power Range Monitor Neutron Flux - High (Setdown)

Function will provide a secondary scram to the Intermediate Range Monitor Neutron Flux - High Function because of the relative setpoints.

With the IRMs at Range 9 or 10, it is possible that the Average Power Range Monitor Neutron Flux - High (Setdown) Function will provide the primary trip signal for a corewide increase in power.

The Average Power Range Monitor Neutron Flux - High (Setdown)

Function together with the IRM - High Function provide mitigation for the control rod withdrawal event during startup (Section 15.4.1 of Ref. 5). Also, the Function indirectly ensures that before the reactor mode switch is placed in the run position, reactor power does not exceed 23% RTP (SL 2.1.1.1) when operating at low reactor pressure and low core flow.

Therefore, it indirectly prevents fuel damage during significant reactivity increases with THERMAL POWER< 23% RTP.

The Allowable Value is based on preventing significant increases in power when THERMAL POWER is< 23% RTP.

The Average Power Range Monitor Neutron Flux - High (Setdown)

Function must be OPERABLE during MODE 2 when control rods may be withdrawn since the potential for criticality exists. In MODE 1, the Average Power Range Monitor Neutron Flux - High Function provides protection against reactivity transients and the RWM protects against control rod withdrawal error events.

There are provisions in the design of the NUMAC PRNM that given certain circumstances, such as loss of one division of RPS power, an individual APRM will default to a 'run' mode condition logic. If the plant is in mode 2 when this occurs, the individual APRM will be in a condition where the 'run' mode setpoint (Function 2.c) and not the 'setdown' setpoint (Function 2.a) will be applied. If this condition occurs while in reactor mode 2 condition, the appropriate LCO condition per Table 3.3.1.1-1 needs to be entered.

2.b. Average Power Range Monitor Simulated Thermal Power - High The Average Power Range Monitor Simulated Thermal Power - High Function monitors neutron flux to approximate the THERMAL POWER being transferred to the reactor coolant. The APRM neutron flux is SUSQUEHANNA - UNIT 1 3.3-7

Rev.8 RPS Instrumentation

BASES APPLICABLE SAFETY 2.b. Average Power Range Monitor Simulated Thermal Power - High (continued)

B 3.3.1.1 ANALYSES, LCO, and electronically filtered with a time constant representative of the fuel heat APPLICABILITY transfer dynamics to generate a signal proportional to the THERMAL (continued) POWER in the reactor. The trip level is varied as a function of recirculation drive flow (i.e., at lower core flows, the setpoint is reduced proportional to the reduction in power experienced as core flow is reduced with a fixed control rod pattern) but is clamped at an upper limit that is always lower than the Average Power Range Monitor Neutron Flux - High Function Allowable Value. The Average Power Range Monitor Simulated Thermal Power - High Function is not credited in any plant Safety Analyses. The Average Power Range Monitor Simulated Thermal Power - High Function is set above the APRM Rod Block to provide defense in depth to the APRM Neutron Flux - High for transients where THERMAL POWER increases slowly (such as loss of feedwater heating event). During these events, the THERMAL POWER increase does not significantly lag the neutron flux response and, because of a low~r trip setpoint, will initiate a scram before the high neutron flux scram. For rapid neutron flux increase events, the THERMAL POWER lags the neutron flux and the Average Power Range Monitor Neutron Flux - High Function will provide a scram signal before the Average Power Range Monitor Simulated Thermal Power - High Function setpoint is exceeded.

The Average Power Range Monitor Simulated Thermal Power - High Function uses a trip level generated based on recirculation loop drive flow (W) representative of total core flow. Each APRM channel uses one total recirculation drive flow signal. The total recirculation drive flow signal is generated by the flow processing logic, part of the APRM channel, by summing the flow calculated from two flow transmitter signal inputs, one from each of the two recirculation drive flow loops. The flow processing logic OPERABILITY is part of the APRM channel OPERABILITY requirements for this Function.

The adequacy of drive flow as a representation of core flow is ensured through drive flow alignment, accomplished by SR 3.3.1.1.20.

A note is included, applicable when the plant is in single recirculation loop operation per LCO 3.4.1, which requires reducing by 11W the recirculation flow value used in the APRM Simulated Thermal Power - High Allowable Value equation. The Average Power Range Monitor Scram Function varies as a function of recirculation loop drive flow (W). 11W is defined as the difference in indicated drive flow (in percent of drive flow, which produces rated core flow) between two-loop and single-loop operation at the same core flow. The value of 11W is established to conservatively bound the inaccuracy created in the core flow/drive flow correlation due to back flow in the jet pumps associated with the inactive recirculation loop.

SUSQUEHANNA - UNIT 1 3.3-8

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 2.b. Average Power Range Monitor Simulated Thermal Power - High SAFETY (continued)

ANALYSES, LCO, and This adjusted Allowable Value thus maintains thermal margins essentially APPLICABILITY unchanged from those for two-loop operation.

(continued)

The THERMAL POWER time constant of< 7 seconds is based on the fuel heat transfer dynamics and provides a signal proportional to the THERMAL POWER. The simulated thermal time constant is part of filtering logic in the APRM that simulates the relationship between neutron flux and core thermal power.

The Average Power Range Monitor Simulated Thermal Power - High Function is required to be OPERABLE in MODE 1 when there is the possibility of generating excessive THERMAL POWER and potentially exceeding the SL applicable to high pressure and core flow conditions (MCPR SL). During MODES 2 and 5, other IRM and APRM Functions provide protection for fuel cladding integrity.

2.c. Average Power Range Monitor Neutron Flux - High

- The Average Power Range Monitor Neutron Flux - High Function is capable of generating a trip signal to prevent fuel damage or excessive RCS pressure. For the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Neutron Flux - High Function is assumed to terminate the main steam isolation valve (MSIV) closure event and, along with the safety/relief valves (S/RVs), limit the peak reactor pressure vessel (RPV) pressure to less than the ASME Code limits. The control rod drop accident (CRDA) analysis (Ref. 5) takes credit for the Average Power Range Monitor Neutron Flux - High Function to terminate the CRDA.

The CRDA analysis assumes that re.actor scram occurs on Average Power Range Monitor Neutron Flux - High Function.

The Average Power Range Monitor Neutron Flux - High Function is required to be OPERABLE in MODE 1 where the potential consequences of the analyzed transients could result in the SLs (e.g., MCPR and RCS pressure) being exceeded. Although the Average Power Range Monitor Neutron Flux - High Function is assumed in the CRDA analysis, which is applicable in MODE 2, the Average Power Range Monitor Neutron Flux - High (Setdown) Function conservatively bounds the assumed trip and, together with the assumed IRM trips, provides adequate protection.

Therefore, the Average Power Range Monitor Neutron Flux - High Function is not required in MODE 2.

SUSQUEHANNA- UNIT 1 3.3-9

Rev. 8 RPS Instrumentation

BASES APPLICABLE SAFETY 2.d. Average Power Range Monitor - lnop B 3.3.1.1 ANALYSES, Three of the four APRM channels are required to be OPERABLE for each LCO, and of the APRM Functions. This Function (lnop) provides assurance that the APPLICABILITY minimum number of APRM channels are OPERABLE.

(continued)

For any APRM channel, any time its mode switch is not in the "Operate" position, an APRM module required to issue a trip is unplugged, or the automatic self-test system detects a critical fault with the APRM channel, an lnop trip is sent to all four voter channels. lnop trips from two or more unbypassed APRM channels result in a trip output from each of the four voter channels to its associated trip system.

This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

There is no Allowable Value for this Function.

This Function is required to be OPERABLE in the MODES where the APRM Functions are required.

2.e. 2-out-of-4 Voter The 2-out-of-4 VoterFunction provides the interface between the APRM Functions, including the OPRM Trip Function, and the final RPS trip system logic. As such, it is required to be OPERABLE in the MODES where the APRM Functions are required and is necessary to support the safety analysis applicable to each of those Functions. Therefore, the 2-out-of-4 Voter Function is required to be OPERABLE in MODES 1 and 2.

All four voter channels are required to be OPERABLE. Each voter channel includes self-diagnostic functions. If any voter channel detects a critical fault in its own processing, a trip is issued from that voter channel to the associated RPS trip system.

The Two-out-of-Four Logic Module includes both the 2-out-of-4 Voter hardware and the APRM Interface hardware. The 2-out-of-4 Voter Function 2.e votes APRM Functions 2.a, 2.b, 2.c, and 2.d independently of Function 2.f. This voting is accomplished by the 2-out-of-4 Voter hardware in the Two-out-of-Four Logic Module. The voter includes separate outputs to RPS for the two independently voted sets of Functions, each of which is redundant (four total outputs). The analysis in Reference 15 took credit for this redundancy in the justification of the 12-hour Completion Time for Condition A, so the voter Function 2.e must be declared inoperable if any of its functionality is inoperable. The voter SUSQUEHANNA- UNIT 1 3.3-10

Rev.a RPS Instrumentation

BASES APPLICABLE SAFETY 2.e. 2-out-of-4 Voter (continued)

B 3.3.1.1 ANALYSES, Function 2.e does not need to be declared inoperable due to any failure LCO, and affecting only the APRM Interface hardware portion of the Two-out-of-APPLICABILITY Four Logic Module.

(continued)

There is no Allowable Value for this Function.

2.f. Oscillation Power Range Monitor (OPRM) Trip The OPRM Trip Function provides compliance with GDC 10, "Reactor Design," and GDC 12, "Suppression of Reactor Power Oscillations"

thereby providing protection from exceeding the fuel MCPR safety limit (SL) due to anticipated thermal-hydraulic power oscillations.

References 17, 18 and 19 describe three algorithms for detecting thermal-hydraulic instability related neutron flux oscillations: the period based detection algorithm (confirmation count and cell amplitude), the amplitude based algorithm, and the growth rate algorithm. All three are implemented in the OPRM Trip Function, but the safety analysis takes credit only for the period based detection algorithm. The remaining algorithms provide defense in depth and additional protection against unanticipated oscillations. OPRM Trip Function OPERABILITY for Technical Specification purposes is based only on the period based detection algorithm.

The OPRM Trip Function receives input signals from the local power range monitors (LPRMs) within the reactor core, which are combined into "cells" for evaluation by the OPRM algorithms. Each channel is capable of detecting thermal-hydraulic instabilities, by detecting the related neutron flux oscillations, and issuing a trip signal before the MCPR SL is exceeded. Three of the four channels are required to be OPERABLE.

The OPRM Trip is automatically enabled (bypass removed) when THERMAL POWER is:?: 25% RTP, as indicated by the APRM Simulated Thermal Power, and reactor core flow is ~ the value defined in the COLR, as indicated by APRM measured recirculation drive flow. This is the operating region where actual thermal-hydraulic instability and related neutron flux oscillations are expected to occur. Reference 21 includes additional discussion of OPRM Trip enable region limits.

These setpoints, which are sometimes referred to as the "auto-bypass" setpoints, establish the boundaries of the OPRM Trip enabled region.

The APRM Simulated Thermal Power auto-enable setpoint has 1%

- deadband while the drive flow setpoint has a 2% deadband. The deadband for these setpoints is established so that it increases the enabled region once the region is entered.

SUSQUEHANNA - UNIT 1 3.3-11

Rev. 8 RPS Instrumentation

BASES APPLICABLE SAFETY 2.f. Oscillation Power Range Monitor (0PRM) Trip (continued)

B 3.3.1.1 ANALYSES, The OPRM Trip Function is required to be OPERABLE when the plant is LCO, and at~ 23% RTP. The 23% RTP level is selected to provide margin in the APPLICABILITY unlikely event that a reactor power increase transient occurring without (continued) operator action while the plant is operating below 25% RTP causes a power increase to or beyond the 25% APRM Simulated Thermal Power OPRM Trip auto-enable setpoint. This OPERABILITY requirement assures that the OPRM Trip auto-enable function will be OPERABLE when required.

An APRM channel is also required to have a minimum number of OPRM cells OPERABLE for the Upscale Function 2.f to be OPERABLE. The OPRM cell operability requirements are documented in the Technical Requirements Manual, TRO 3.3.9, and are established as necessary to support the trip setpoint calculations performed in accordance with methodologies in Reference 19.

An OPRM Trip is issued from an APRM channel when the period based detection algorithm in that channel detects oscillatory changes in the neutron flux, indicated by the combined signals of the LPRM detectors in a cell, with period confirmations and relative cell amplitude exceeding specified setpoints. One or more cells in a channel exceeding the trip conditions will result in a channel OPRM Trip from that channel. An OPRM Trip is also issued from the channel if either the growth rate or amplitude-based algorithms detect oscillatory changes in the neutron flux for one or more cells in that channel. (Note: To facilitate placing the 0PRM Trip Function 2.f in one APRM channel in a "tripped" state, if necessary to satisfy a Required Action, the APRM equipment is conservatively designed to force an 0PRM Trip output from the APRM channel if an APRM lnop condition occurs, such as when the APRM chassis keylock switch is placed in the lnop position.)

There are three "sets" of OPRM related setpoints or adjustment parameters: a) OPRM Trip auto-enable region setpoints for STP and drive flow; b) period based detection algorithm (PBDA) confirmation count and amplitude setpoints; and c) period based detection algorithm tuning parameters.

The first set, the OPRM Trip auto-enable setpoints, as discussed in the SR 3.3.1.1.19 Bases, are treated as nominal setpoints with no additional margins added. The settings are defined in the Technical Requirements Manual, TRO 3.3.9, and confirmed by SR 3.3.1.1.19. The second set, the OPRM PBDA trip setpoints, are established in accordance with

methodologies defined in Reference 19, and are documented in the COLR. There are no allowable values for these setpoints. The third set, the OPRM PBDA "tuning" parameters, are established or adjusted in SUSQUEHANNA - UNIT 1 3.3-12

Rev.a RPS Instrumentation

BASES APPLICABLE SAFETY 2.f. Oscillation Power Range Monitor (OPRM) Trip (continued)

B 3.3.1.1 ANALYSES, accordance with and controlled by requirements in the Technical LCO, and Requirements Manual, TRO 3.3.9.

APPLICABILITY (continued) 3. Reactor Vessel Steam Dome Pressure - High An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This causes the neutron flux and THERMAL POWER transferred to the reactor coolant to increase, which could challenge the integrity of the.fuel cladding and the RCPB. This trip Function is assumed in the low power generator load rejection without bypass and the recirculation flow controller failure (increasing) event. However, the Reactor Vessel Steam Dome Pressure-High Function initiates a scram for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power. For the overpressurization protection analysis of Reference 4, reactor scram (the analyses conservatively assume a scram from either the Average Power Range Monitor Neutron Flux - High signal, or the Reactor Vessel Steam Dome Pressure - High signal), along

- with the S/RVs, limits the peak RPV pressure to less than the ASME Section III Code limits.

High reactor pressure signals are initiated from four pressure instruments that sense reactor pressure. The Reactor Vessel Steam Dome Pressure-High Allowable Value is chosen to provide a sufficient margin to the ASME Section III Code limits during the event.

Four channels of Reactor Vessel Steam Dome Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required to be OPERABLE in MODES 1 and 2 when the RCS is pressurized and the potential for pressure increase exists.

4. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, a reactor scram is initiated at Level 3 to substantially reduce the heat generated in the fuel from fission. The Reactor Vessel Water Level - Low, Level 3 Function is assumed in the analysis of the recirculation line break (Ref. 6). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the Emergency Core Cooling Systems (ECCS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

SUSQUEHANNA - UNIT 1 3.3-13

Rev. 8 RPS Instrumentation

BASES APPLICABLE SAFETY

4. Reactor Vessel Water Level - Low, Level 3 (continued)

B 3.3.1.1 ANALYSES, Reactor Vessel Water Level - Low, Level 3 signals are initiated from four LCO, and level instruments that sense the difference between the pressure due to a APPLICABILITY constant column of water (reference leg) and the pressure due to the actual (continued) water level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level - Low, Level 3 Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value is selected to ensure that during normal operation the separator skirts are not uncovered (this protects available recirculation pump net positive suction head (NPSH) from significant carryunder) and, for transients involving loss of all normal feedwater flow, initiation of the low pressure ECCS subsystems at Reactor Vessel Water - Low Low Low, Level 1 will not be required.

The Function is required in MODES 1 and.2 where considerable energy exists in the RCS resulting in the limiting transients and accidents. ECCS initiations at Reactor Vessel Water Level - Low Low, Level 2 and Low Low Low, Level 1 provide sufficient protection for level transients in all other MODES.

5. Main Steam Isolation Valve - Closure MSIV closure results in loss of the main turbine and the condenser as a heat sink for the nuclear steam supply system and indicates a need to shut down the reactor to reduce heat generation. Therefore, a reactor scram is initiated on a Main Steam Isolation Valve - Closure signal before the MS IVs are completely closed in anticipation of the complete loss of the normal heat sink and subsequent overpressurization transient. However, for the overpressurization protection analysis of Reference 4, the Average Power Range Monitor Neutron Flux - High Function, along with the S/RVs, limits the peak RPV pressure to less than the ASME Code limits. That is, the direct scram on position switches for MSIV closure events is not assumed in the overpressurization analysis.

Additionally, MSIV closure is assumed in the transients analyzed in Reference 5 (e.g., low steam line pressure, manual closure of MSIVs, high steam line flow). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the ECCS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

SUSQUEHANNA - UNIT 1 3.3-14

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 5. Main Steam Isolation Valve - Closure (continued)

SAFETY ANALYSES, MSIV closure signals are initiated from position switches located on each of LCO, and the eight MSIVs. Each MSIV has two position switches; one inputs to RPS APPLICABILITY trip system A while the other inputs to RPS trip system B. Thus, each RPS (continued) trip system receives an input from eight Main Steam Isolation Valve -

Closure channels, each consisting of one position switch. The logic for the Main Steam Isolation Valve - Closure Function is arranged such that either the inboard or outboard valve on three or more of the main steam lines must close in order for a scram to occur.

The Main Steam Isolation Valve - Closure Allowable Value is specified to ensure that a scram occurs prior to a significant reduction in steam flow, thereby reducing the severity of the subsequent pressure transient.

Sixteen channels (arranged in pairs) of the Main Steam Isolation Valve -

Closure Function, with eight channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude the scram from this Function on a valid signal. This Function is only required in MODE 1 since, with the MSIVs open and the heat generation rate high, a pressurization transient can occur if the MSIVs close. In addition, the Function is automatically bypassed when the Reactor Mode Switch is not in the Run position. In MODE 2, the heat generation rate is low enough so that the other diverse RPS functions provide sufficient protection.

6. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. A reactor scram is initiated to minimize the possibility of fuel damage and to reduce the amount of energy being added to the coolant and the drywell. The Drywell Pressure - High Function is assumed in the analysis of the recirculation line break (Ref. 6). The reactor scram reduces the amount of energy required to be absorbed and, along with the actions of Emergency Core Cooling Systems (ECCS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as possible and indicative of a LOCA inside primary containment.

Four channels of Drywell Pressure - High Function, with two channels in each trip system arranged in a one-out-of-two logic, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal. The Function is required in MODES 1 and 2 where considerable energy exists in the RCS, resulting in the limiting transients and accidents.

SUSQUEHANNA - UNIT 1 3.3-15

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 7.a, 7.b. Scram Discharge Volume Water Level- High SAFETY ANALYSES, The SDV receives the water displaced by the motion of the CRD pistons LCO, and during a reactor scram. Should this volume fill to a point where there is APPLICABILITY insufficient volume to accept the displaced water, control rod insertion (continued) would be hindered. Therefore, a reactor scram is initiated while the remaining free volume is still sufficient to accommodate the water from a full core scram. The two types of Scram Discharge Volume Water Level -

High Functions are an input to the RPS logic. No credit is taken for a scram initiated from these Functions for any of the design basis accidents or transients analyzed in the FSAR. However, they are retained to ensure the scram function remains OPERABLE.

SDV water level is measured by two diverse methods. The level in each of the two SDVs is measured by two float type level switches and two level transmitters with trip units for a total of eight level signals. The outputs of these devices are arranged so that there is a signal from a level switch and a level transmitter with trip unit to each RPS logic channel. The level measurement instrumentation satisfies the recommendations of Reference 8 .

The Allowable Value is chosen low enough to ensure that there is sufficient volume in the SDV to accommodate the water from a full scram.

Four channels of each type of Scram Discharge Volume Water Level -

High Function, with two channels of each type in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from these Functions on a valid signal. These Functions are required in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn. At all other times, this Function may be bypassed.

8. Turbine Stop Valve - Closure Closure of the TSVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited.

Therefore, a reactor scram is initiated at the start of TSV closure in anticipation of the transients that would result from the closure of these valves. The Turbine Stop Valve - Closure Function is the primary scram signal for the turbine trip event analyzed in Reference 5. For this event, the reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the End of Cycle Recirculation Pump Trip (EOC-RPT) System, ensures that the MCPR SL is not exceeded. Turbine Stop

- Valve - Closure signals are initiated from position switches located on each of the four TSVs. Two independent position switches are associated with each stop valve. One of the two switches provides input to RPS trip SUSQUEHANNA - UNIT 1 3.3-16

Rev. 8 RPS Instrumentation

BASES APPLICABLE SAFETY

8. Turbine Stop Valve - Closure (continued)

B 3.3.1.1 ANALYSES, system A; the other, to RPS trip system 8. Thus, each RPS trip system LCO, and receives an input from four Turbine Stop Valve - Closure channels, each APPLICABILITY consisting of one position switch. The logic for the Turbine Stop Valve -

(continued) Closure Function is such that three or more TSVs must be closed to produce a scram. This Function must be enabled at THERMAL POWER

~-26% RTP. This is accomplished automatically by pressure instruments sensing turbine first stage pressure. Because an increase in the main turbine bypass flow can affect this function non-conservatively, THERMAL POWER is derived from first stage pressure. The main turbine bypass valves must not cause the trip Function to be bypassed when THERMAL POWER is ~ 26% RTP.

The Turbine Stop Valve - Closure Allowable Value is selected to be high enough to detect imminent TSV closure, thereby reducing the severity of the subsequent pressure transient.

Eight channels (arranged in pairs) of Turbine Stop Valve-Closure Function, with four channels in each trip system, are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function if any three TSVs should close. This Function is required, consistent with analysis assumptions, whenever THERMAL POWER is~ 26% RTP. This Function is not required when THERMAL POWER is < 26% RTP since the Reactor Vessel Steam Dome Pressure-High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins.

9. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Fast closure of the TCVs results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited.

Therefore, a reactor scram is initiated on TCV fast closure in anticipation of the transients that would result from the closure of these valves. The Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Function is the primary scram signal for the generator load rejection event analyzed in Reference 5. For this event, the reactor scram reduces the amount of energy required to be absorbed and, along with the actions of the EOC-RPT System, ensures that the MCPR SL is not exceeded.

Turbine Control Valve Fast Closure, Trip Oil Pressure - Low signals are initiated by the electrohydraulic control (EHC) fluid pressure at each control valve. One pressure instrument is associated with each control valve, and the signal from each transmitter is assigned to a separate RPS logic channel. This Function must be enabled at THERMAL POWER

~ 26% RTP. This is accomplished automatically by pressure instruments sensing turbine first stage pressure. Because an increase in the main SUSQUEHANNA - UNIT 1 3.3-17

Rev. 8

- BASES APPLICABLE RPS Instrumentation

9. Turbine Control Valve Fast Closure, Trip Oil Pressure - Low B 3.3.1.1 SAFETY (continued)

ANALYSES, LCO, and turbine bypass flow can affect this function non-conservatively, THERMAL APPLICABILITY POWER is derived from first stage pressure. The main turbine bypass (continued) valves must not cause the trip Function to be bypassed when THERMAL POWER is~ 26% RTP.

The Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TCV fast closure.

Four channels of Turbine Control Valve Fast Closure, Trip Oil Pressure -

Low Function with two channels in each trip system arranged in a one-out-of-two logic are required to be OPERABLE to ensure that no single instrument failure will preclude a scram from this Function on a valid signal.

This Function is required, consistent with the analysis assumptions, whenever THERMAL POWER is~ 26% RTP. This Function is not required when THERMAL POWER is< 26% RTP, since the Reactor Vessel Steam Dome Pressure - High and the Average Power Range Monitor Neutron Flux - High Functions are adequate to maintain the necessary safety margins.

10. Reactor Mode Switch - Shutdown Position The Reactor Mode Switch - Shutdown Position Function provides signals, via the manual scram logic channels, to each of the four RPS logic channels, which are redundant to the automatic protective instrumentation channels and provide manual reactor trip capability. This Function was not specifically credited in the accident analysis, but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

The reactor mode switch is a single switch with four channels, each of which provides input into one of the RPS logic channels.

There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on reactor mode switch position.

Four channels of Reactor Mode Switch - Shutdown Position. Function, with two channels in each trip system, are available and required to be OPERABLE. The Reactor Mode Switch - Shutdown Position Function is required to be OPERABLE in MODES 1 and 2, and MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since these are the MODES and other specified conditions when control rods are withdrawn.

SUSQUEHANNA - UNIT 1 3.3-18

Rev.8 RPS Instrumentation B 3.3.1.1 BASES APPLICABLE 11. Manual Scram SAFETY ANALYSES, The Manual Scram push button channels provide signals, via the manual LCO, and scram logic channels, to each of the four RPS logic channels, which are APPLICABILITY redundant to the automatic protective instrumentation channels and (continued) provide manual reactor trip capability. This Function was not specifically credited in the accident analysis but it is retained for the overall redundancy and diversity of the RPS as required by the NRC approved licensing basis.

There is one Manual Scram push button channel for each of the four RPS logic channels. In order to cause a scram it is necessary that at least one channel in each trip system be actuated.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Four channels of Manual Scram with two channels in each trip system arranged in a one-out-of-two lqgic are available and required to be OPERABLE in MODES 1 and 2, and in MODE 5 with any control rod withdrawn from a core cell containing one or more fuel assemblies, since

e these are the MODES and other specified conditions when control rods are withdrawn.

ACTIONS A Note has been provided to modify the ACTIONS related to RPS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPS instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RPS instrumentation channel.

A.1 and A.2 Because of the diversity of sensors available to provide trip signals and the redundancy of the RPS design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months has been shown to be acceptable (Refs. 9, 15 and 16) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function's inoperable channel is in one trip system and the Function still maintains RPS trip capability (refer to Required Actions 8.1, 8.2, and C.1 Bases).

SUSQUEHANNA - UNIT 1 3.3-19

Rev. 8 RPS Instrumentation

BASES ACTIONS

( continued)

A.1 and A.2 (continued)

B 3.3.1.1 Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel or the associated trip system must be placed in the tripped condition per Required Actions A.1 and A.2. Placing the inoperable channel in trip (or the associated trip system in trip) would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue.

Alternatively, if it is not desired to place the channel (or trip system) in trip (e.g., as in the case where placing the inoperable channel in trip would result in a full scram), Condition D must be entered and its Required Action taken.

As noted, Action A.2 is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f. lnoperability of one required APRM channel affects both trip systems. For that condition, Required Action A.1 must be satisfied, and is

the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. lnoperability of more than one required APRM channel of the same trip function results in loss of trip capability and entry into Condition C, as well as entry into Condition A for each channel.

8.1 and B.2 Condition B exists when, for any one or more Functions, at least one required channel is inoperable in each trip system. In this condition, provided at least one channel per trip system is OPERABLE, the RPS still maintains trip capability for that Function, but cannot accommodate a single failure in either trip system.

Required Actions 8.1 and 8.2 limit the time the RPS scram logic, for any Function, would not accommodate single failure in both trip systems (e.g., one-out-of-one and one-out-of-one arrangement for a typical four channel Function). The reduced reliability of this logic arrangement was not evaluated in References 9, 15 or 16 for the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time.

Within the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the associated Function will have all required channels OPERABLE or in trip (or any combination) in one trip system.

Completing one of these Required Actions restores RPS to a reliability level equivalent to that evaluated in Reference 9, 15 and 16, which justified a 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowable out of service time as presented in Condition A The trip system in the more degraded state should be placed in trip or, alternatively, SUSQUEHANNA - UNIT 1 3.3-20

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES ACTIONS B.1 and B.2 (continued)

(continued) all the inoperable channels in that trip system should be placed in trip (e.g., a trip system with two inoperable channels could be in a more degraded state than a trip system with four inoperable channels if the two inoperable channels are in the same Function while the four inoperable channels are all in different Functions). The decision of which trip system is in the more degraded state should be based on prudent judgment and take into account current plant conditions (i.e., what MODE the plant is in).

If this action would result in a scram, it is permissible to place the other trip system or its inoperable channels in trip.

The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Time is judged acceptable based on the remaining capability to trip, the diversity of the sensors available to provide the trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of a scram. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred.

Alternately, if it is not desired to place the inoperable channels (or one trip system) in trip (e.g., as in the case where placing the inoperable channel or associated trip system in trip would result in a scram), Condition D must be entered and its Required Action taken.

As noted, Condition B is not applicable for APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f. lnoperability of an APRM channel affects both trip systems and is not associated with a specific trip system as are the APRM 2-out-of-4 Voter (Function 2.e) and other non-APRM channels for which Condition B applies. For an inoperable APRM channel, Required Action A.1 must be satisfied, and is the only action (other than restoring OPERABILITY) that will restore capability to accommodate a single failure. lnoperability of a Function in more than one required APRM channel results in loss of trip capability for that Function and entry into Condition C, as well as entry into Condition A for each channel. Because Conditions A and C provide Required Actions that are appropriate for the inoperability of APRM Functions 2.a, 2.b, 2.c, 2.d, or 2.f, and because these Functions are not associated with specific trip systems as are the APRM 2-out-of-4 Voter and other non-APRM channels, Condition B does not apply.

C.1

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same trip SUSQUEHANNA - UNIT 1 3.3-21

Rev. 8 RPS Instrumentation

BASES ACTIONS (continued)

C.1 (continued)

B 3.3.1.1 system for the same Function result in the Function not maintaining RPS trip capability. A Function is considered to be maintaining RPS trip capability when sufficient channels are OPERABLE or in trip (or the associated trip system is in trip), such that both trip systems will generate a trip signal from the given Function on a valid signal. For the typical Function with one-out-of-two taken twice logic, this would require both trip systems to have one channel OPERABLE or in trip (or the associated trip system in trip). For Function 5 (Main Steam Isolation Valve - Closure), this would require both trip systems to have each channel associated with the MSIVs in three main steam lines (not necessarily the same main steam lines for both trip systems) OPERABLE or in trip (or the associated trip system in trip).

For Function 8 (Turbine Stop Valve - Closure), this would require both trip systems to have three channels, each OPERABLE or in trip (or the associated trip system in trip).

The Completion Time is intended to allow the operator time to evaluate and

repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

D.1 Required Action D.1 directs entry into the appropriate Condition referenced in Table 3.3.1.1-1. The applicable Condition specified in the Table is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A, B, or C and the associated Completion Time has expired, Condition D will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

E.1, F.1, G.1, and J.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. The allowed Completion Times are reasonable, based on operating experience, to reach the specified condition from full power conditions in an orderly manner and without challenging plant systems. In addition, the Completion Time of Required Actions E.1 and J.1 are consistent with the Completion Time provided in LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)."

SUSQUEHANNA - UNIT 1 3.3-22

Rev.a RPS Instrumentation

BASES ACTIONS (continued)

H.1 B 3.3.1.1 If the channel(s) is not restored to OPERABLE status or placed in trip (or the associated trip system placed in trip) within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by immediately initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are, therefore, not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.

1.1 and 1.2 Required Actions 1.1 and 1.2 are intended to ensure that appropriate actions are taken if more than two inoperable or bypassed OPRM channels result in not maintaining OPRM trip capability.

In the 4-OPRM channel configuration, any 'two' of the OPRM channels out of the total of four and one 2-out-of-4 voter channels in each RPS trip

- system are required to function for the OPRM safety trip function to be accomplished. Therefore, three OPRM channels assures at least two OPRM channels can provide trip inputs to the 2-out-of-4 voter channels even in the event of a single OPRM channel failure, and the minimum of two 2-out-of-4 voter channels per RPS trip system assures at least one voter channel will be operable per RPS trip system even in the event of a single voter channel failure.

References 15 and 16 justified use of alternate methods to detect and suppress oscillations under limited conditions. The alternate methods are consistent with the guidelines identified in Reference 20. The alternate-methods procedures require increased operator awareness and monitoring for neutron flux oscillations when operating in the region where oscillations are possible. If operator observes indications of oscillation, as described in Reference 20, the operator will take the actions described by procedures, which include manual scram of the reactor. The power/flow map regions where oscillations are possible are developed based on the methodology in Reference 22. The applicable regions are contained in the COLR.

The alternate methods would adequately address detection and mitigation in the event of thermal hydraulic instability oscillations. Based on industry operating experience with actual instability oscillations, the operator would be able to recognize instabilities during this time and take action to suppress them through a manual scram. In addition, the OPRM system may still be available to provide alarms to the operator if the onset of oscillations were to occur.

SUSQUEHANNA - UNIT 1 3.3-23

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES ACTIONS 1.1 and 1.2 (continued)

(continued)

The 12-hour allowed Completion Time for Required Action 1.1 is based on engineering judgment to allow orderly transition to the alternate methods while limiting the period of time during which no automatic or alternate detect and suppress trip capability is formally in place. Based on the small probability of an instability event occurring at all, the 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is judged to be reasonable.

The 120-day allowed Completion Time, the time that was evaluated in References 15 and 16, is considered adequate because with operation minimized in regions where oscillations may occur and implementation of the alternate methods, the likelihood of an instability event that could not be adequately handled by the alternate methods during this 120-day period was negligibly small.

The primary purpose of Required Actions 1.1 and 1.2 is to allow an orderly

completion, without undue impact on plant operation, of design and verification activities required to correct unanticipated equipment design or functional problems that cause OPRM Trip Function INOPERABILITY in all APRM channels that cannot reasonably be corrected by normal maintenance or repair actions. These Required Actions are not intended and were not evaluated as a routine alternative to returning failed or inoperable equipment to OPERABLE status.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each RPS REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.1.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains RPS trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 9, 15 and 16) assumption of the average time required to perform channel Surveillance. That analysis demonst_rated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RPS will trip when necessary.

SR 3.3.1.1.1 and SR 3.3.1.1.2 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that SUSQUEHANNA - UNIT 1 3.3-24

Rev. 8 RPS Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.1.1 and SR 3.3.1.1.2 (continued)

B 3.3.1.1 (continued) instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.1.1.3 To ensure that the APRMs are accurately indicating the true core average power, the APRMs are calibrated to the reactor power calculated from a heat balance.

A restriction to satisfying this SR when < 23% RTP is provided that requires the SR to be met only at ;;:,: 23% RTP because it is difficult to accurately maintain APRM indication of core THERMAL POWER consistent with a heat balance when < 23% RTP. At low power levels, a high degree of accuracy is unnecessary because of the large, inherent margin to thermal limits (MCPR, LHGR and APLHGR). At;;:,: 23% RTP, the Surveillance is required to have been satisfactorily performed in accordance with SR 3.0.2.

A Note is provided which allows an increase in THERMAL POWER above 23% if the Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after reaching or exceeding 23% RTP.

Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.4

A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

SUSQUEHANNA - UNIT 1 3.3-25

Rev.8 RPS Instrumentation

-* BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.1.4 (continued)

B 3.3.1.1 (continued) As noted, SR 3.3.1.1.4 is not required to be performed when entering MODE 2 from MODE 1, since testing of the MODE 2 required IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted

leads, or movable links. This allows entry into MODE 2 if the Frequency is not met per SR 3.0.2. In this event, the SR must be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after entering MODE 2 from MODE 1. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.5 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. (The Manual Scram Function's CHANNEL FUNCTIONAL TEST Frequency was credited in the analysis to extend many automatic scram Functions' Frequencies.) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.6 and SR 3.3.1.1.7 These Surveillances are established to ensure that no gaps in neutron flux indication exist from subcritical to power operation for monitoring core reactivity status.

I The overlap between SRMs and IRMs is required to be demonstrated to ensure that reactor power will not be increased into a neutron flux region without adequate indication. The overlap is demonstrated prior to fully withdrawing the SRMs from the core. Demonstrating the overlap prior to fully withdrawing the SRMs from the core is required to ensure the SRMs are on-scale for the overlap demonstration.

The overlap between IRMs and APRMs is of concern when reducing power into the IRM range. On power increases, the system design will prevent further increases (by initiating a rod block) if adequate overlap is not maintained. Overlap between IRMs and APRMs exists when sufficient IRMs and APRMs concurrently have onscale readings such that the transition between MODE 1 and MODE 2 can be made without either APRM downscale rod block, or IRM upscale rod block. Overlap between SRMs and IRMs similarly exists when, prior to fully withdrawing the SRMs from the core, IRMs are above mid-scale on range 1 before SRMs have reached the upscale rod block.

SUSQUEHANNA - UNIT 1 3.3-26

Rev. 8 RPS Instrumentation B 3.3.1.1

BASES SURVEILLANCE SR 3.3.1.1.6 and SR 3.3.1.1.7 (continued)

REQUIREMENTS (continued) As noted, SR 3.3.1.1.7 is only required to be met during entry into MODE 2 from MODE 1. That is, after the overlap requirement has been met and indication has transitioned to the IRMs, maintaining overlap is not required (APRMs may be reading downscale once in MODE 2).

If overlap for a group of channels is not demonstrated (e.g., IRM/APRM overlap), the reason for the failure of the Surveillance should be determined and the appropriate channel(s) declared inoperable. Only those appropriate channels that are required in the current MODE or condition should be declared inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.8 LPRM gain settings are determined from the local flux profiles that are either measured by the Traversing lncore Probe (TIP) System at all functional locations or calculated for TIP locations that are not functional.

The methodology used to develop the power distribution limits considers the uncertainty for both measured and calculated local flux profiles. This methodology assumes that all the TIP locations are functional for the first LPRM calibration following a refueling outage, and a minimum of 25 functional TIP locations for subsequent LPRM calibrations. The calibrated LPRMs establish the relative local flux profile for appropriate representative input to the APRM System. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.9 and SR 3.3.1.1.14 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.9 is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 10) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL SUSQUEHANNA - UNIT 1 3.3-27

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.14 (continued)

REQUIREMENTS (continued) TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.1.1.15. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.10, SR 3.3.1.1.11, SR 3.3.1.1.13, and SR 3.3.1.1.18 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

Note 1 for SR 3.3.1.1.18 states that neutron detectors are excluded from CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal.

Changes in neutron detector sensitivity are compensated for by performing the calorimetric calibration (SR 3.3.1.1.3) and the LPRM calibration against the TIPs (SR 3.3.1.1.8).

A Note is provided for SR 3.3.1.1.11 that requires the IRM SRs to be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 from MODE 1. Testing of the MODE 2 APRM and IRM Functions cannot be performed in MODE 1 without utilizing jumpers, lifted leads, or movable links. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2. Twelve hours is based on operating experience and in consideration of providing a reasonable time in which to complete the SR.

A second note is provided for SR 3.3.1.1.18 that requires that the recirculation flow (drive flow) transmitters, which supply the flow signal to the APRMs, be included in the SR for Functions 2.b and 2.f. The APRM Simulated Thermal Power-High Function (Function 2.b) and the OPRM Trip Function (Function 2.f) both require a valid drive flow signal. The APRM Simulated Thermal Power - High Function uses drive flow to vary the trip setpoint. The OPRM Trip Function uses drive flow to automatically enable or bypass the OPRM Trip output to the RPS. A CHANNEL CALIBRATION of the APRM drive flow signal requires both calibrating the drive flow transmitters and the processing hardware in the APRM equipment. SR 3.3.1.1.20 establishes a valid drive flow/ core flow relationship. Changes throughout the cycle in the drive flow/ core flow SUSQUEHANNA - UNIT 1 3.3-28

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.10, SR 3.3.1.1.11, SR 3 ..3.1.1.13 and SR 3.3.1.1.18 REQUIREMENTS (continued)

(continued) relationship due to the changing thermal hydraulic operating conditions of the core are accounted for in the margins included in the bases or analyses used to establish the setpoints for the APRM Simulated Thermal Power-High Function and the OPRM Trip Function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.12 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. For the APRM Functions, this test supplements the automatic self-test functions that operate continuously in the APRM and voter channels. The scope of the APRM CHANNEL FUNCTIONAL TEST is that which is necessary to test the hardware. Software controlled functions are tested as part of the initial verification and validation and are only incidentally tested as part of the surveillance testing. Automatic self-test functions check the EPROMs in which the software-controlled logic is defined.

Changes in the EPROMs will be detected by the self-test function and alarmed via the APRM trouble alarm. SR 3.3.1.1.1 for the APRM functions includes a step to confirm that the automatic self-test function is still operating.

The APRM CHANNEL FUNCTIONAL TEST covers the APRM channels (including recirculation flow processing -- applicable to Function 2.b and the auto-enable portion of Function 2.f only), the 2-out-of-4 Voter channels, and the interface connections into the RPS trip systems from the voter channels.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology. (NOTE: The actual voting logic of the 2-out-of-4 Voter Function is tested as part of SR 3.3.1.1.15.

The auto-enable setpoints for the OPRM Trip are confirmed by SR 3.3.1.1.19.)

A Note is provided for Function 2.a that requires this SR to be performed within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months of entering MODE 2 from MODE 1. Testing of the MODE 2 APRM Function cannot be performed in MODE 1 without utilizing jumpers or lifted leads. This Note allows entry into MODE 2 from MODE 1 if the associated Frequency is not met per SR 3.0.2.

SUSQUEHANNA - UNIT 1 3.3-:29

Rev. 8 RPS Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.1.12 (continued)

B 3.3.1.1 (continued) A second Note is provided for Functions 2.b and 2.f that clarifies that the CHANNEL FUNCTIONAL TEST for Functions 2.b and 2.f includes testing of the recirculation flow processing electronics, excluding the flow transmitters.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.15 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The functional testing of control rods (LCO 3.1.3), and SDV vent and drain valves (LCO 3.1.8), overlaps this Surveillance to provide complete testing of the assumed safety function.

The LOGIC SYSTEM FUNCTIONAL TEST for APRM Function 2.e simulates APRM and OPRM trip conditions at the 2-out-of-4 Voter

channel inputs to check all combinations of two tripped inputs to the 2-out-of-4 logic in the voter channels and APRM-related redundant RPS relays.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.16 This SR ensures that scrams initiated from the Turbine Stop Valve -

Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions will not be inadvertently bypassed when THERMAL POWER is 2 26% RTP. This is performed by a Functional check that ensures the scram feature is not bypassed at 2 26% RTP. Because main turbine bypass flow can affect this function nonconservatively (THERMAL POWER is derived from turbine first stage pressure), the opening of the main turbine bypass valves must not cause the trip Function to be bypassed when Thermal Power is 2:: 26% RTP.

If any bypass channel's trip function is nonconservative (i.e., the Functions are bypassed at 2 26% RTP, either due to open main turbine bypass valve(s) or other reasons), then the affected Turbine Stop Valve - Closure and Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable. Alternatively, the bypass channel can be

placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met and the channel is considered OPERABLE.

SUSQUEHANNA - UNIT 1 3.3-30

Rev. 8 RPS Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.1.16 (continued) 8 3.3.1.1 (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.17 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. This test may be performed in one measurement or in overlapping segments, with verification that all components are tested. The RPS RESPONSE TIME acceptance criteria are included in Reference 11.

RPS RESPONSE TIME for the APRM 2-out-of-4 Voter Function (2.e) includes the APRM Flux Trip output relays and the OPRM Trip output relays of the voter and the associated RPS relays and contactors.

(Note: The digital portion of the APRM, OPRM and 2-out-of-4 Voter channels are excluded from RPS RESPONSE TIME testing because self-testing and calibration checks the time base of the digital electronics.

Confirmation of the time base is adequate to assure required response

- times are met. Neutron detectors are excluded from RPS RESPONSE TIME testing because the principles of detector operation virtually ensure an instantaneous response time. See References 12 and 13).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.17 for Function 2.e confirms the response time of that function, and also confirms the response time of components common to Function 2.e and other RPS functions. (Reference 14)

The redundant outputs from the 2-out-of-4 Voter channel (2 for APRM trips and 2 for OPRM trips) are considered part of the same channel, but the OPRM and APRM outputs are considered to be separate channels for application of SR 3.3.1.1.17, so. The note further requires that testing of OPRM and APRM outputs from a 2-out-of-4 Voter be alternated. In addition to these commitments, References 15 and 16 require that the testing of inputs to each RPS Trip System alternate .

SUSQUEHANNA - UNIT 1 3.3-31

Rev. 8 RPS Instrumentation

B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.17 (continued)

REQUIREMENTS (continued) Combining these frequency requirements, an acceptable test sequence is one that:

a. Tests each RPS Trip System interface every other cycle,

b. Alternates the testing of APRM and OPRM outputs from any specific 2-out-of-4 Voter Channel

c. Alternates between divisions at least every other test cycle.

The testing sequence shown in the table below is one sequence that satisfies these requirements.

Function 2.e Testing Sequence for SR 3.3.1.1.17 "Staggering" Voter 24-Month Output Cycle Voter A1 Voter A2 Voter B1 Voter B2 RPS Trip Tested Division Output Output Output Output System 1st OPRMA1 OPRM A 1 2nd APRM B1 APRM B 1 3rd OPRM A2 OPRM A 2 4th APRM B2 APRM B 2 5th APRMA1 APRM A 1 5th OPRM B1 OPRM B 1 7th APRMA2 APRM A 2 sth OPRM B2 OPRM B 2 After 8 cycles, the sequence repeats.

Each test of an OPRM or APRM output tests each of the redundant outputs from the 2-out-of-4 Voter channel for that Function and each of the corresponding relays in the RPS. Consequently, each of the RPS relays is tested every fourth cycle. The RPS relay testing frequency is twice the frequency justified by References 15 and 16.

SUSQUEHANNA - UNIT 1 3.3-32

Rev. 8 RPS Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.1.1.19 B 3.3.1.1 (continued) This surveillance involves confirming the OPRM Trip auto-enable setpoints. The auto-enable setpoint values are considered to be nominal values as discussed in Reference 21. This surveillance ensures that the OPRM Trip is enabled (not bypassed) for the correct values of APRM Simulated Thermal Power and recirculation drive flow. Other surveillances ensure that the APRM Simulated Thermal Power and recirculation drive flow properly correlate with THERMAL POWER (SR 3.3.1.1.2) and core flow (SR 3.3.1.1.20), respectively.

If any auto-enable setpoint is nonconservative (i.e., the OPRM Trip is bypassed when APRM Simulated Thermal Power z 25% and recirculation drive flow ::;; value equivalent to the core flow value defined in the COLR, then the affected channel is considered inoperable for the OPRM Trip Function. Alternatively, the OPRM Trip auto-enable setpoint(s) may be adjusted to place the channel in a conservative condition (not bypassed).

If the OPRM Trip is placed in the not-bypassed condition, this SR is met, and the channel is considered OPERABLE.

- For purposes of this surveillance, consistent with Reference 21, the conversion from core flow values defined in the COLR to drive flow values used for this SR can be conservatively determined by a linear scaling assuming that 100% drive flow corresponds to 100 Mlb/hr core flow, with no adjustment made for expected deviations between core flow and drive flow below 100%.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.1.20 The APRM Simulated Thermal Power-High Function (Function 2.b) uses drive flow to vary the trip setpoint. The OPRM Trip Function (Function 2.f) uses drive flow to automatically enable or bypass the OPRM Trip output to RPS. Both of these Functions use drive flow as a representation of reactor core flow. SR 3.3.1.1.18 ensures that the drive flow transmitters and processing electronics are calibrated. This SR adjusts the recirculation drive flow s_caling factors in each APRM channel to provide the appropriate drive flow/core flow alignment.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

- SUSQUEHANNA - UNIT 1 3.3-33

Rev. 8 RPS Instrumentation B 3.3.1.1 BASES REFERENCES 1. FSAR, Figure 7.2-1.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

3. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978.

4. FSAR, Section 5.2.2.

5. FSAR, Chapter 15.

6. FSAR, Section 6.3.3.

7. Not used.

8. P. Check (NRG) letter to G. Lainas (NRG), "BWR Scram Discharge System Safety Evaluation," December 1, 1980.

. 9.

10.

NEDO-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System," March 1988.

NRG Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification 1.0 Definitions, Issue date 12/08/86.

11. FSAR, Table 7.3-28.

12. NEDO-32291A "System Analyses for Elimination of Selected Response Time Testing Requirements," October 1995.

13. NRG Safety Evaluation Report related to Amendment No. 171 for License No. NPF 14 and Amendment No. 144 for License No. NPF 22.

14. NEDO-32291-A Supplement 1 "System Analyses for the Elimination of Selected Response Time Testing Requirements," October 1999.

15. NEDC-3241 OP-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option Ill Stability Trip Function," October 1995.

16. NEDC-3241 OP-A Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM)

Retrofit Plus Option Ill Stability Trip Function," November 1997 .

SUSQUEHANNA - UNIT 1 3.3-34

Rev.8 RPS Instrumentation

BASES REFERENCES (continued)

17. NEDO-31960-A, "BWR Owners' Group Long-Term Stability Solutions Licensing Methodology," November 1995.

B 3.3.1.1

18. NEDO-31960-A, Supplement 1, "BWR Owners' Group Long-Term Stability Solutions Licensing Methodology," November 1995.

19. NEDO-32465-A, "BWR Owners' Group Long-Term Stability Detect and Suppress Solutions Licensing Basis Methodology and Reload Applications," August 1996.

20. BWROG Letter BWROG 9479, L. A. England (BWROG) to M. J. Virgilio, "BWR Owners' Group Guidelines for Stability Interim Corrective Action," June 6, 1994.

21. BWROG Letter BWROG 96113, K. P. Donovan (BWROG) to L. E. Phillips (NRC), "Guidelines for Stabi_lity Option Ill

'Enable Region' (TAC M92882)," September 17, 1996.

22. EMF-CC-074(P)(A), Volume 4, "BWR Stability Analysis:

Assessment of STAIF with Input from MICROBURN-B2."

23. GE Letter to PPL, GE-2005-EMC426, "Susquehanna 1 & 2 Minimum LPRM Input Requirement for NUMAC APRM 4-Channel Design,"

April 26, 2005 .

- SUSQUEHANNA - UNIT 1 3.3-34a

Rev. 8 RPS Instrumentation

Table B 3.3.1.1-1 (page 1 of 1)

RPS Instrumentation Sensor Diversity B 3.3.1.1 Scram Sensors for lnitiatinQ Events RPV Variables Anticipator, Fuel Initiation Events (a) (b) (c) (d) (e) (f). (Q)

MSIV Closure X X X X Turbine Trip (w/bypass) 'X X X X Generator Trip (w/bypass) X X X Pressure Regulator Failure X X X X X (primary pressure decrease)

(MSIV closure trip)

Pressure Regulator Failure X X X (primary pressure decrease)

(Level 8 trip)

- Pressure Regulator Failure (primary pressure increase)

Feedwater Controller Failure (high reactor water level)

X X X X X

X Feedwater Controller Failure X X X (low reactor water level)

Loss of Condenser Vacuum X X X X Loss of AC Power (loss of X X X X transformer)

Loss of AC Power (loss of grid X X X X X X connections)

(a) Reactor Vessel Steam Dome Pressure - High (b) Reactor Vessel Water Level - High, Level 8 (c) Reactor Vessel Water Level - Low, Level 3 (d) Turbine Control Valve Fast Closure (e) Turbine Stop Valve - Closure (f) Main Steam Isolation Valve - Closure

(g) Average Power Range Monitor Neutron Flux - High SUSQUEHANNA - UNIT 1 3.3-34b

Rev. 6 Control Rod Block Instrumentation

B 3.3 INSTRUMENTATION B 3.3.2.1 Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND Control rods provide the primary means for control of reactivity changes.

Control rod block instrumentation includes channel sensors, logic circuitry, switches, and relays that are designed to ensure that specified fuel design limits are not exceeded for postulated transients and accidents. During high power operation, the rod block monitor (RBM) provides protection for control rod withdrawal error events. During low power operations, control rod blocks from the rod worth minimizer (RWM) enforce specific control rod sequences designed to mitigate the consequences of the control rod drop accident (CRDA). During shutdown conditions, control rod blocks from the Reactor Mode Switch - Shutdown Position Function ensure that all control rods remain inserted to prevent inadvertent criticalities.

The Nominal Trip Setpoint (NTSP) is a predetermined setting for a protective device chosen to ensure automatic actuation prior to the process variable reaching the Analytical Limit and thus ensuring that the Safety Limit (SL) would not be exceeded. The NTSP accounts for various uncertainties. As such, the NTSP meets the definition of a Limiting Safety System Setting (LSSS) because the protective instrument channel actuates to protect a reactor core or RCS pressure boundary Safety Limit. Rod Block Monitor functions 1a, 1b and 1c are LSSSs.

Technical Specifications contain values related to the OPERABILITY of equipment required for safe operation of the facility. OPERABLE is defined in Technical Specifications as" ... being capable of performing its specified safety function(s)." For automatic protective devices related to SLs, the required safety function is to ensure that a SL is not exceeded and therefore the NTSP is the LSSS, as defined by 10 CFR 50.36. However, use of the NTSP to define OPERABILITY in Technical Specifications would be an overly restrictive requirement if it were applied as an OPERABILITY limit for the "as-found" value during a Surveillance. This would result in Technical Specification compliance problems, as well as reports and corrective actions required by the rule which are not necessary to ensure safety.

Use of the NTSP to define "as-found" OPERABILITY under the expected circumstances described above would result in actions required by both the rule and Technical Specifications that are not warranted. However, there is also some point beyond which the device would have not been able to perform its function due, for example, to greater than expected drift. This SUSQUEHANNA - UNIT 1 3.3-44

Rev. 6 Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND value needs to be specified in the Technical Specifications in order to (continued) define OPERABILITY of the devices and is designated as the Allowable Value which, is the least conservative value of the as-found setpoint that a channel can have during testing.

The Allowable Value specified in SR 3.3.2.1. 7 is the least conservative value of the as-found setpoint that a channel can have when tested, such that a channel is OPERABLE if the setpoint is found conservative with respect to the Allowable Value during the CHANNEL CALIBRATION.

The purpose of the RBM is to limit control rod withdrawal if localized neutron flux exceeds a predetermined setpoint during control rod manipulations. It is assumed to function to block further control rod withdrawal to preclude a MCPR Safety Limit violation. The RBM supplies a trip signal to the Reactor Manual Control System (RMCS) to appropriately inhibit control rod withdrawal during power operation above the low power range setpoint. The RBM has two channels, either of which can initiate a control rod block when the channel output exceeds the control rod block setpoint. One RBM channel inputs into one RMCS rod block circuit and the other RBM channel inputs into the second RMCS rod block circuit. The RBM channel signal is generated by averaging a set of local power range monitor (LPRM) signals at various core heights surrounding the control rod being withdrawn. A simulated thermal power signal from one of the four redundant average power range monitor (APRM) channels supplies a reference signal for one of the RBM channels and a simulated thermal power signal from another of the APRM channels supplies the reference signal to the second RBM channel. This reference signal is used to determine which RBM range setpoint (low, intermediate, or high) is enabled. If the APRM simulated thermal power is indicating less than the low power range setpoint, the RBM is automatically bypassed. The RBM is also automatically bypassed if a peripheral control rod is selected (Ref. 2).

The purpose of the RWM is to control rod patterns during startup, such that only specified control rod sequences and relative positions are allowed over the operating range from all control rods inserted to 10% RTP. The sequences effectively limit the potential amount and rate of reactivity increase during a CRDA. Prescribed control rod sequences are stored in the RWM, which will initiate control rod withdrawal and insert blocks when the actual sequence deviates beyond allowances from the stored sequence. The RWM determines the actual sequence based position indication for each control rod. The RWM also uses steam flow signals to determine when the reactor power is above the preset power level at which the RWM is automatically bypassed (Ref. 1). The RWM is a single channel system that provides input into RMCS rod block channel 2.

SUSQUEHANNA - UNIT 1 3.3-45

Rev. 6 Control Rod Block Instrumentation B 3.3.2.1 BASES BACKGROUND The function of the individual rod sequence steps (banking steps) is to (continued) minimize the potential reactivity increase from postulated CRDA at low power levels. However, if the possibility for a control rod to drop can be eliminated, then banking steps at low power levels are not needed to ensure the applicable event limits can not be exceeded. The rods may be inserted without the need to stop at intermediate positions since the possibility of a CRDA is eliminated by the confirmation that withdrawn control rods are coupled.

To eliminate the possibility of a CRDA, administrative controls require that any partially inserted control rods, which have not been confirmed to be coupled since their last withdrawal, be fully inserted prior to reaching the THERMAL POWER of :::;;10% RTP. If a control rod has been checked for coupling at notch 48 and the rod has not been moved inward, this rod is in contact with it's drive and is not required to be fully inserted prior to reaching the THERMAL POWER of :::;;10% RTP. However, if it cannot be confirmed that the control rod has been moved inward, then that rod shall be fully inserted prior to reaching the THERMAL POWER of :::;;10% RTP.

The remaining control rods may then be inserted without the need to stop at intermediate positions since the possibility of a CRDA has been

eliminated .

With the reactor mode switch in the shutdown position, a control rod withdrawal block is applied to all control rods to ensure that the shutdown condition is maintained. This Function prevents inadvertent criticality as the result of a control rod withdrawal during MODE 3 or 4, or during MODE 5 when the reactor mode switch is required to be in the shutdown position. The reactor mode switch has two channels, each inputting into a separate RMCS rod block circuit. A rod block in either RMCS circuit will provide a control rod block to all control rods.

APPLICABLE Allowable Values are specified for each applicable Rod Block Function SAFETY listed in Table 3.3.2.1-1. The NTSPs (actual trip setpoints) are selected to ANALYSES, ensure that the setpoints are conservative with respect to the Allowable LCO, and Value. A channel is inoperable if its actual trip setpoint is non-conservative APPLICABILITY with respect to its required Allowable Value.

NTSPs are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor power), and when the measured output value of the process parameter exceeds the setpoint, the associated device (e.g., trip unit) changes state. The Analytical Limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the Analytical Limits, corrected for calibration, process, and some of the instrument errors. The NTSPs are then SUSQUEHANNA - UNIT 1 3.3-46

Rev.6 Control Rod Block Instrumentation

BASES APPLICABLE SAFETY B 3.3.2.1 determined, accounting for the remaining channel uncertainties. The trip setpoints derived in this manner provide adequate protection because ANALYSES, instrumentation uncertainties, process effects, calibration tolerances, and LCO, and drift are accounted for.

APPLICABILITY (continued) The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Rod Block Monitor The RBM is designed to prevent violation of the MCPRSL and the cladding 1% strain Fuel design limit that may result from a single control rod withdrawal (RWE) event.

The analytical methods and assumptions used in evaluating the RWE event are summarized in Reference 14. The fuel thermal performance as a function of RBM Allowable Value is determined from the analysis. The NTSP and Allowable Values are chosen as a function of power level.

NTSP operating limits are established based on the specified Allowable Values.

- The RBM function satisfies Criterion 3 of the NRC Policy Statement (Ref. 7). .

Two channels of the RBM are required to be OPERABLE, with their setpoints within the appropriate Allowable Value for the associated power range, to ensure that no single instrument failure can preclude a rod block for this Function. The actual setpoints are calibrated consistent with applicable setpoint methodology.

Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Values between successive CHANNEL CALIBRATIONS.

Nominal trip setpoints are those predetermined values of output at which an action should take place. The trip setpoints are compared to the actual process parameter, the calculated RBM flux (RBM channel signal). When the normalized RBM flux value exceeds the applicable trip setpoint, the RBM provides a trip output.

The analytic limits are derived from the limiting values of the process parameters. Using the GE setpoint methodology, based on ISA RP 67.04, Part II "Methodologies for the Determination of Setpoints for Nuclear Safety-Related Instrumentation" setpoint calculation Method 2, the RBM Allowable Values are determined from the analytical limits using the

SUSQUEHANNA - UNIT 1 3.3-47

Rev.6 Control Rod Block Instrumentation B 3.3.2.1 BASES APPLICABLE 1. Rod Block Monitor (continued).

SAFETY ANALYSES, statistical combination of the RBM input signal calibration error, process LCO, and measurement error, primary element accuracy and instrument accuracy APPLICABILITY under trip conditions. Accounting for these errors assures that a setpoint (continued) found during calibration at the Allowable Value has adequate margin to protect the analytical limit thereby protecting the Safety Limit.

For the digital RBM, there is a normalization process initiated upon rod selection, so that only RBM input signal drift over the interval from the rod selection to rod movement needs to be considered in determining the nominal trip setpoints. The RBM has no drift characteristic with no as-left or as-found tolerances since it only performs digital calculations on the digitized input signals provided by the APRMs.

The RBM Allowable Value demonstrates that the analytical limit would not be exceeded, thereby protecting the safety limit. The Nominal trip setpoints and Allowable Values determined in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and environment errors are

accounted for and appropriately applied for the RBM. There are no margins applied to the RBM nominal trip setpoint calculations which could mask RBM degradation.

The RBM will function when operating greater than or equal to 28% RTP.

Below this power level, the RBM is not required to be OPERABLE.

The RBM selects one of three different RBM flux trip setpoints to be applied based on the current value of THERMAL POWER. THERMAL POWER is indicated to each RBM channel by a simulated thermal power (STP) reference signal input from an associated reference APRM channel. The OPERABLE range is divided into three "power ranges," a "low power range," an "intermediate power range," and a "high power range." The RBM flux trip setpoint applied within each of these three power ranges is, respectively, the "low trip setpoint," the "intermediate trip setpoint," and the "high trip setpoint" (Allowable Values for which are defined in the COLR).

To determine the current power range, each RBM channel compares its current STP input value to three power setpoints, the "low power setpoint",

(28%), the "intermediate power setpoint" (current value defined in the COLR), and the "high power setpoint" (current value defined in the COLR),

which define, respectively, the lower limit of the low power range, the lower limit of the intermediate power range, and the lower limit of the high power range. The trip setpoint applicable for each power range is more restrictive than the corresponding setpoint for the lower power range(s). When STP

SUSQUEHANNA - UNIT 1 3.3-48

Rev. 6 Control Rod Block Instrumentation

BASES APPLICABLE SAFETY

1. Rod Block Monitor (continued)

B 3.3.2.1 ANALYSES, is below the low power setpoint, the RBM flux trip outputs are automatically LCO, and bypassed but the low trip setpoint continues to be applied to indicate the APPLICABILITY RBM flux setpoint on the NUMAC RBM displays.

(continued)

The calculated setpoints and applicable power ranges are bounding values. In the equipment implementation, it is necessary to apply a "deadband" to each setpoint. The deadband is applied to the RBM trip setpoint selection logic and the RBM trip automatic bypass logic such that the setpoint being applied is always equal to or more conservative than the required setpoint. Since the RBM flux trip setpoint applicable to the higher power ranges are more conservative than the corresponding trip setpoints for lower power ranges, the trip setpoint applicable to the higher power range (high power range or intermediate power range) continues to be applied when STP decreases below the lower limit of that range until STP is below the power range setpoint by a value exceeding the deadband.

Similarly, when STP decreases below the low power setpoint, the automatic bypass of RBM flux trip outputs will not be applied until STP decreases below the trip setpoint a value exceeding the deadband.

- The RBM channel uses THERMAL POWER, as represented by the STP input value from its reference APRM channel, to automatically enable RBM flux trip outputs (remove the automatic bypass) and to select the RBM flux trip setpoint to be applied. However, the RBM Upscale function is only required to be OPERABLE when the MCPR values are less than the values defined in the COLR, depending on the THERMAL POWER level.

Therefore, even though the RBM Upscale Function is implemented in each RBM channel as a single trip function with a selected trip setpoint, it is characterized in Table 3.3.2.1-1 as three Functions, the Low Power Range

- Upscale Function, the Intermediate Power Range - Upscale Function, and the High Power Range - Upscale Function, to facilitate correct definition of the OPERABILITY requirements for the Functions. Each Function corresponds to one of the RBM power ranges. Due to the deadband effects on the determination of the current power range, the transition between these three Functions will occur at slightly different THERMAL POWER levels for increasing power versus decreasing power.

2. Rod Worth Minimizer The RWM enforces the banked position withdrawal sequence (BPWS) to ensure that the initial conditions of the CRDA analysis are not violated.

The analytical methods and assumptions used in evaluating the CRDA are

- summarized in References 2, 3, 4, and 5. The BPWS requires that control rods be moved in groups, with all control rods assigned to a specific group SUSQUEHANNA - UNIT 1 3.3-49

Rev.6 Control Rod Block Instrumentation

- BASES APPLICABLE 2. Rod Worth Minimizer (continued)

B 3.3.2.1 SAFETY ANALYSES, required to be within specified banked positions. Requirements that the LCO, and control rod sequence is in compliance with the BPWS are specified in APPLICABILITY LCO 3.1.6, "Rod Pattern Control."

(continued)

When performing a shutdown of the plant, an optional BPWS control rod sequence (Ref. 7) may be used if the coupling of each withdrawn control rod has been confirmed. The rods may be inserted without the need to stop at intermediate positions. When using the Reference 11 control rod insertion sequence for shutdown, the rod worth minimizer may be reprogrammed to enforce the requirements of the improved BPWS control rod insertion, or may be bypassed and the improved BPWS shutdown sequence implemented under the controls in Condition D.

The RWM Function satisfies Criterion 3 of the NRC Policy Statement.

(Ref. 7)

Since the RWM is designed to act as a backup to operator control of the rod sequences, only one channel of the RWM is available and required to

be OPERABLE (Ref. 6). Special circumstances provided for in the Required Action of LCO 3.1.3, "Control Rod OPERABILITY," and LCO 3.1.6 may necessitate bypassing the RWM to allow continued operation with inoperable control rods, or to allow correction of a control rod pattern not in compliance with the BPWS. The RWM may be bypassed as required by these conditions, but then it must be considered inoperable and the Required Actions of this LCO followed.

Compliance with the BPWS, and therefore OPERABILITY of the RWM, is required in MODES 1 and 2 when THERMAL POWER is < 10% RTP.

When THERMAL POWER is> 10% RTP, there is no possible control rod configuration that results in a control rod worth that could exceed the 280 cal/gm fuel damage limit during a CRDA (Refs. 4 and 6). In MODES 3 and 4, all control rods are required to be inserted into the core (except as provided in 3.1 O "Special Operations"); therefore, a CRDA cannot occur. In MODE 5, since only a single control rod can be withdrawn from a core cell containing fuel assemblies, adequate SOM ensures that the consequences of a CRDA are acceptable, since the reactor will be subcritical.

3. Reactor Mode Switch - Shutdown Position During MODES 3 and 4, and during MODE 5 when the reactor mode switch is required to be in the shutdown position, the core is assumed to be subcritical; therefore, no positive reactivity insertion events are analyzed.

The Reactor Mode Switch - Shutdown Position control rod withdrawal SUSQUEHANNA - UNIT 1 3.3-50

Rev.6 Control Rod Block Instrumentation

- - BASES APPLICABLE SAFETY

3. Reactor Mode Switch - Shutdown Position (continued)

B 3.3.2.1 ANALYSES block ensures that the reactor remains subcritical by blocking control rod LCO, and withdrawal, thereby preserving the assumptions of the safety analysis.

APPLICABILITY (continued) The Reactor Mode Switch - Shutdown Position Function satisfies Criterion 3 of the NRC Policy Statement. (Ref. 7)

Two channels are required to be OPERABLE to ensure that no single channel failure, will preclude a rod block when required. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on reactor mode switch position.

During shutdown conditions (MODE 3, 4, or 5), no positive reactivity insertion events are analyzed because assumptions are that control rod withdrawal blocks are provided to prevent criticality. Therefore, when the reactor mode switch is in the shutdown position, the control rod withdrawal block is required to be OPERABLE. During MODE 5 with the reactor mode switch in the refueling position, the refuel position one-rod-out interlock (LCO 3.9.2) provides the required control rod withdrawal blocks.

- ACTIONS A.1 With one RBM channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod block function; however, overall reliability is reduced because a single failure in the remaining OPERABLE channel can result in no control rod block capability for the RBM. For this reason, Required Action A.1 requires restoration of the inoperable channel to OPERABLE status. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is based on the low probability of an event occurring coincident with a failure in the remaining OPERABLE channel. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. However, because Function 3, Reactor Mode Switch -

Shutdown Position, is only applicable in MODES 3, 4, and 5, the Risk Informed Completion Time Program may not be entered for inoperable channel(s) of Function 3.

8.1 If Required Action A.1 is not met and the associated Completion Time has expired, the inoperable channel must be placed in trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . If both RBM channels are inoperable, the RBM is not capable of performing its intended function; thus, one channel must also be placed in trip. This initiates a control rod withdrawal block, thereby ensuring that the RBM function is met.

SUSQUEHANNA - UNIT 1 3.3-51

Rev.6 Control Rod Block Instrumentation

BASES ACTIONS (continued)

B.1 (continued)

B 3.3.2.1 The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities and is acceptable because it minimizes risk while allowing time for restoration or tripping of inoperable channels.

C.1, C.2.1.1, C.2.1.2, and C.2.2 With the RWM inoperable during a reactor startup, the operator is still capable of enforcing the prescribed control rod sequence. However, the overall reliability is reduced because a single operator error can result in violating the control rod sequence. Therefore, control rod movement must be immediately suspended except by scram. Alternatively, startup may continue if at least 12 control rods have already been withdrawn, or a reactor startup with an inoperable RWM was not performed in the last calendar year, i.e., the last 12 months. Required Actions C.2.1.1 and C.2.1.2 require verification of these conditions by review of plant logs and control room indications. A reactor startup with an inoperable RWM is defined as rod withdrawal during startup when the RWM is required to be

OPERABLE. Once Required Action C.2.1.1 or C.2.1.2 is satisfactorily completed, control rod withdrawal may proceed in accordance with the restrictions imposed by Required Action C.2.2. Required Action C.2.2 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow continued operations. In addition, Required Actions of LCO 3.1.3 and LCO 3.1.6 may require bypassing the RWM, during which time the RWM must be considered inoperable with Condition C entered and its Required Actions taken.

D.1 With the RWM inoperable during a reactor shutdown, the operator is still capable of enforcing the prescdbed control rod sequence. Required Action D.1 allows for the RWM Function to be performed manually and requires a double check of compliance with the prescribed rod sequence by a second licensed operator (Reactor Operator or Senior Reactor Operator) or other qualified member of the technical staff. The RWM may be bypassed under these conditions to allow the reactor shutdown to continue .

SUSQUEHANNA- UNIT 1 3.3-52

- - - - - - - - - - - - - - - - - - - - - - - ~

Rev.6 Control Rod Block Instrumentation

- BASES ACTIONS (continued)

E.1 and E.2 B 3.3.2.1 With one Reactor Mode Switch - Shutdown Position control rod withdrawal block channel inoperable, the remaining OPERABLE channel is adequate to perform the control rod withdrawal block function. However, since the Required Actions are consistent with the normal action of an OPERABLE Reactor Mode Switch - Shutdown Position Function (i.e., maintaining all control rods inserted), there is no distinction between having one or two channels inoperable.

In both cases (one or both channels inoperable), suspending all control rod withdrawal and initiating action to fully insert all insertable control rods in core cells containing one or more fuel assemblies will ensure that the core is subcritical with adequate SOM ensured by LCO 3.1.1. Control rods in core cells containing no fuel assemblies do not affect the reactivity of the core and are therefore not required to be inserted. Action must continue until all insertable control rods in core cells containing one or more fuel assemblies are fully inserted.

SURVEILLANCE REQUIREMENTS As noted at the beginning of the SRs, the SRs for each Control Rod Block instrumentation Function are found in the SRs column of Table 3.3.2.1-1.

The Surveillances are modified by a Note to indicate that when an RBM channel"is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains control rod block capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 9, 12 and 13) assumption of the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that a control rod block will be initiated when necessary.

SR 3.3.2.1.1 A CHANNEL FUNCTIONAL TEST is performed for each RBM channel to ensure that the entire channel will perform the intended function. It includes the Reactor Manual Control Multiplexing System input. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program ..

SUSQUEHANNA- UNIT 1 3.3-53

Rev.6 Control Rod Block Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.2.1.2 and SR 3.3.2.1.3 B 3.3.2.1 (continued) A CHANNEL FUNCTiONAL TEST is performed for the RWM to ensure that the entire system will perform the intended function. The CHANNEL FUNCTIONAL TEST for the RWM is performed by attempting to withdraw a control rod not in compliance with the prescribed sequence and verifying a control rod block occurs and by verifying proper indication of the selection error of at least one out-of-sequence control rod. As noted in the SRs, SR 3.3.2.1.2 is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after any control rod is withdrawn in MODE 2. As noted, SR 3.3.2.1.3 is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after THERMAL POWER is ::::; 10% RTP in MODE 1.

This allows entry into MODE 2 for SR 3.3.2.1.2, and entry into MODE 1 when THERMAL POWER is ::::; 10% RTP for SR 3.3.2.1.3, to perform the required Surveillance if the Frequency is not met per SR 3.0.2. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.1.4

The RBM setpoints are automatically varied as a function of Simulated Thermal Power. Three control rod block Allowable Values are specified in Table 3.3.2.1-1, each within a specific power range. The power at which the control rod block Allowable Values automatically change are based on the APRM signal's input to each RBM channel. Below the minimum power setpoint, the RBM is automatically bypassed. These control rod block NTSPs must be verified periodically to be less than or equal to the specified Allowable Values. If any power range setpoint is non-conservative, then the affected RBM channel is considered inoperable. As noted, neutron detectors are excluded from the Surveillance because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron

detectors are adequately tested in SR 3.3.1.1.3 and SR 3.3.1.1.8. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.1.5 The RWM is automatically bypassed when power is above a specified value. The power level is determined from steam flow signals. The automatic bypass setpoint must be verified periodically to be not bypassed

10% RTP. This is performed by a Functional check. If the RWM low power setpoint is nonconservative, then the RWM is considered

inoperable. Alternately, the low power setpoint channel can be placed in the conservative* condition (nonbypass). If placed in the nonbypassed SUSQUEHANNA - UNIT 1 3.3-54

Rev.6 Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1.5 (continued)

REQUIREMENTS (continued) condition, the SR is met and the RWM is not considered inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.1.6 A CHANNEL FUNCTIONAL TEST is performed for the Reactor Mode Switch - Shutdown Position Function to ensure that the entire channel will perform the intended function. The CHANNEL FUNCTIONAL TEST for the Reactor Mode Switch - Shutdown Position Function is performed by attempting to withdraw any control rod with the reactor mode switch in the shutdown position and verifying a control rod block occurs.

As noted in the SR, the Surveillance is not required to be performed until 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after the reactor mode switch is in the shutdown position, since testing of this interlock with the reactor mode switch in any other position cannot be performed without using jumpers, lifted leads, or movable links.

This allows entry into MODES 3 and 4 if the Frequency is not met per

- SR 3.0.2. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allowance is based on operating experience and in consideration of providing a reasonable time in which to complete the SRs.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.1.7 CHANNEL CALIBRATION is a test that verifies the channel responds to the measured parameter with the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibration consistent with the plant specific setpoint methodology.

As noted, neutron detectors are excluded from the CHANNEL CALIBRATION because they are passive devices, with minimal drift, and because of the difficulty of simulating a meaningful signal. Neutron detectors are adequately tested in SR 3.3.1.1.2 and SR 3.3.1.1.8.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.1. 7 for the RBM Functions is modified by two Notes as identified in Table 3.3.2.1-1. The RBM Functions are Functions that are LSSSs for reactor core Safety Limits. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel SUSQUEHANNA - UNIT 1 3.3-54a

Rev. 6 Control Rod Block Instrumentation B 3.3.2.1 BASES SURVEILLANCE SR 3.3.2.1. 7 (continued)

REQUIREMENTS (continued) setpoint is not the NTSP but is conservative with respect to the Allowable Value. For digital channel components, no as-found tolerance or as-left tolerance can be specified. Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service.

These channels will also be identified in the Corrective Action Program.

Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the instrument be returned to the NTSP. If the as-left instrument setting cannot be returned to the NTSP, then the instrument channel shall be declared inoperable. The second Note also requires that the NTSP and NTSP methodology are to be contained in a document controlled by 10 CFR 50.59.

SR 3.3.2.1.8 The RWM will only enforce the proper control rod sequence if the rod

- sequence is properly input into the RWM computer. This SR ensures that the proper sequence is loaded into the RWM so that it can perform its intended function. The Surveillance is performed once prior to declaring RWM OPERABLE following loading of sequence into RWM, since this is when rod sequence input errors are possible.

SUSQUEHANNA - UNIT 1 3.3-54b

Rev. 6 Control Rod Block Instrumentation B 3.3.2.1 BASES REFERENCES 1. FSAR, Section 7.7.1.2.8.

2. FSAR, Section 7.6.1.a.5.7

3. NEDE-24011-P-A-9-US, "General Electrical Standard Application for Reload Fuel," Supplement for United States, Section S 2.2.3.1, September 1988.

4. "Modifications to the Requirements for Control Rod Drop Accident Mitigating Systems," BWR Owners' Group, July 1986.

5. NEDO-21231, "Banked Position Withdrawal Sequence,"

January 1977.

6. NRG SER, "Acceptance of Referencing of Licensing Topical Report NEDE-24011-P-A," "General Electric Standard Application for Reactor Fuel, Revision 8, Amendment 17," December 27, 1987.

7. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193) .

8.

9.

NEDC-30851-P-A, "Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation," October 1988.

GENE-770-06-1, "Addendum to Bases for changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation, Technical Specifications," February 1991.

10. FSAR, Section 15.4.2.

11. NEDO 33091-A, Revision 2, "Improved BPWS Control Rod Insertion Process," July 2004.

12. NEDC-3241 OP-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option Ill Stability Trip Function," October 1995.

13. NEDC-3241 OP-A Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option Ill Stability Trip Function," November 1997.

14. XN-NF-80-19(P)(A) Volume 4, Revision 1, "Exxon Nuclear Methodology for Boiling Water Reactors: Application of the ENC Methodology to BWR Reloads," Exxon Nuclear Company, June 1986.

SUSQUEHANNA - UNIT 1 3.3-54c

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 B 3.3 INSTRUMENTATION B 3.3.2.2 Feedwater - Main Turbine High Water Level Trip Instrumentation BASES BACKGROUND The feedwater - main turbine high water level trip instrumentation is designed to detect a potential failure of the Feedwater Level Control System that causes excessive feedwater flow.

With excessive feedwater flow, the water level in the reactor vessel rises toward the high water level, Level 8 reference point, causing the trip of the three feedwater pump turbines and the main turbine.

Reactor Vessel Water Level-High, Level 8 signals are provided by level sensors that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level in the reactor vessel (variable leg). Three channels of Reactor Vessel Water Level instrumentation are input to the Integrated Controls System (ICS) to provide the Reactor Vessel Water Level High, Level 8 trips of the

Feedwater Pl.imp Turbines and the Main Turbine. The channel trip signals are evaluated independently in each of the three ICS distributed control logic cabinets located in the Computer Room using a two-out-of three channel coincident trip logic configuration, to provide the Level 8 trips of the feedwater pump turbines. The feedwater pump turbine trip initiation signal is provided with redundant trip paths to the individual feedwater pump turbine ICS cabinets located in the turbine building. The Level 8 trip of the Main Turbine is provided directly by the ICS via a hardwired discrete contact two-out-of-three channel coincident trip logic inputting to the main turbine electro-hydraulic controls.

A trip of the feedwater pump turbines limits further increase in reactor vessel water level by limiting further addition of feedwater to the reactor vessel. A trip of the main turbine and closure of the stop valves protects the turbine from damage due to water entering the turbine.

APPLICABLE The feedwater - main turbine high water level trip instrumentation is SAFETY assumed to be capable of providing a turbine trip in the design basis ANALYSES transient analysis for a feedwater controller failure, maximum demand event (Ref. 1). The Level 8 trip indirectly initiates a reactor scram from the main turbine trip (above 26% RTP) and trips the feedwater pumps, thereby terminating the event. The reactor scram mitigates the reduction in MCPR.

Feedwater - main turbine high water level trip instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 3)

SUSQUEHANNA- UNIT 1 3.3-55

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES LCO The LCO requires three channels of the Reactor Vessel Water Level-High, Level 8 trip instrumentation to be OPERABLE to ensure that no single instrument failure will prevent the feedwater pump turbines and main turbine trip on a valid Level 8 signal. Two of the three channels are needed to provide trip signals in order for the feedwater - main turbine trips to occur. Each channel must have its setpoint set within the specified Allowable Value of SR 3.3.2.2.3. The Allowable Value is set to ensure that the thermal limits are not exceeded during the event. The actual setpoint is calibrated to be consistent with the applicable setpoint methodology assumptions. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

APPLICABILITY The feedwater - main turbine high water level trip instrumentation is required to be OPERABLE at 2 23% RTP to ensure that the fuel cladding integrity Safety Limit is not violated during the feedwater controller failure, maximum demand event. As discussed in the Bases of LCO 3.2.2, "MINIMUM CRITICAL POWER RATIO (MCPR)," sufficient margin to these limits exists below 23% RTP; therefore, the requirements are only necessary when operating at or above this power level.

SUSQUEHANNA- UNIT 1 3.3-56

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation

BASES ACTIONS A Note has been provided to modify the ACTIONS related to feedwater -

main turbine high water level trip instrumentation channels. Section 1.3, B 3.3.2.2 Completion Times, specifies that once a Condition has been entered, subsequent divisions subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition.

However, the Required Actions for inoperable feedwater - main turbine high water level trip instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable feedwater - main turbine high water level trip instrumentation channel.

With one channel inoperable, the remaining two OPERABLE channels can provide the required trip signal. However, overall instrumentation reliability is reduced because a single failure in one of the remaining channels

concurrent with feedwater controller failure, maximum demand event, may result in the instrumentation not being able to perform its intended function.

Therefore, continued operation is only allowed for a limited time with one channel inoperable. If the inoperable channel cannot be restored to OPERABLE status within the Completion Time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in a feedwater or main turbine trip),

Condition C must be entered and its Required Action taken.

If the failure only affects the trip function of a single component, such as a main feed pump, an option is always available to remove the affected component from service and restore OPERABILITY. This is acceptable because removing the component from service performs the safety function.

The Completion Time of 7 days is based on the low probability of the event occurring coincident with a single failure in a remaining OPERABLE channel. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program .

SUSQUEHANNA - UNIT 1 3.3-57

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation

BASES ACTIONS (continued)

B.1 B 3.3.2.2 With two or more channels inoperable, the feedwater - main turbine high water level trip instrumentation cannot perform its design function (feedwater- main turbine high water level trip capability is not maintained).

Therefore, continued operation is only permitted for a 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period, during which feedwater - main turbine high water level trip capability must be restored. The trip capability is considered maintained when sufficient channels are OPERABLE or in trip such that the feedwater - main turbine high water level trip logic will generate a trip signal on a valid signal. This requires two channels to each be OPERABLE or in trip. If the required channels cannot be restored to OPERABLE status or placed in trip, Condition C must be entered and its Required Action taken.

If the failure only affects the trip function of a single main feed pump, an option is always available to remove the affected component from service and restore OPERABILITY. This is acceptable because removing the component from service performs the safety function.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of feedwater - main turbine high water level trip instrumentation occurring during this period. It is also consistent with the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time provided in LCO 3.2.2 for Required Action A 1, since this instrumentation's purpose is to preclude a MCPR violation.

C.1 With the required channels not restored to OPERABLE status or placed in trip, THERMAL POWER must be reduced to < 23% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

As discussed in the Applicability section of the Bases, operation below 23% RTP results in sufficient margin to the required limits, and the feedwater - main turbine high water level trip instrumentation is not required to protect fuel integrity during the feedwater controller failure, maximum demand event. The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is based on operating experience to reduce THERMAL POWER to

< 23% RTP from full power conditions in an orderly manner and without challenging plant systems.

If the failure only affects the trip function of a single main feed pump, an option is always available to remove the affected component from service and restore OPERABILITY. This is acceptable because removing the component from service performs the safety function .

SUSQUEHANNA - UNIT 1 3.3-58

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation

BASES SURVEILLANCE REQUIREMENTS B 3.3.2.2 The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains feedwater - main turbine high water level trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption that 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is the average time required to perform channel Surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the feedwater

pump turbines and main turbine will trip when necessary.

SR 3.3.2.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between instrument channels could be an indication of excessive instrument drift in one of the channels, or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria, which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.2.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.3-59

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.2.2.2 (continued)

B 3.3.2.2 (continued) This SR is modified by two Notes. Note 1 provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design architecture of the ICS (e.g. digital control blocks and logic) does not facilitate complete functional testing of all required logic blocks, which input into the combinational logic.

(Reference 4) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the logical blocks which input into the combinational logic. The required logical blocks not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.2.2.4. This is acceptable because operating experience shows that the logical blocks not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

Note 2 provides a second specific exception to the definition of CHANNEL

FUNCTIONAL TEST. For the Feedwater - Main Turbine High Water Level Trip Function, certain required channel logical blocks are not included in the performance of the CHANNEL FUNCTIONAL TEST. These exceptions are necessary because the circuit design does not facilitate functional testing of the entire channel through to the combinational logic.

(Reference 4) Specifically, testing of all required logical blocks could lead to unplanned transients. Therefore, for this circuit, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the actuation of circuit devices up to the point where further testing could result in an unplanned transient. (References 5 and 6) The required logical blocks not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.2.2.4. This exception is acceptable because operating experience shows that the devices not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

SR 3.3.2.2.3 CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA - UNIT 1 3.3-60

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.2.2.4 B 3.3.2.2 (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the feedwater - main turbine valves is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a valve is incapable of operating, the associated instrumentation would also be inoperable. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 15.1.2.

2. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

4. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

5. PLA-2618: NRC Inspection Reports 50-387/85-28 and 50-388/85-23.

6. NRC Region I Combined Inspection 50-387/90-20, 50-388/90-20 .

SUSQUEHANNA - UNIT 1 3.3-61

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.3-62

Rev.4 Feedwater - Main Turbine High Water Level Trip Instrumentation B 3.3.2.2 BASES

THIS PAGE INTENTIONALLY LEFT BLANK

- SUSQUEHANNA - UNIT 1 3.3-63

Rev. 4 EOC-RPT Instrumentation B 3.3.4.1 B 3.3 INSTRUMENTATION B 3.3.4.1 End of Cycle Recirculation Pump Trip (EOC-RPT) Instrumentation BASES BACKGROUND The EOC-RPT instrumentation initiates a recirculation pump trip (RPT) to reduce the peak reactor pressure and power resulting from turbine trip or generator load rejection transients to provide additional margin to core thermal MCPR Safety Limits (SLs).

The need for the additional negative reactivity in excess of that normally inserted on a scram reflects end of cycle reactivity considerations. Flux shapes at the end of cycle are such that the control rods may not be able to ensure that thermal limits are maintained by inserting sufficient negative reactivity during the first few feet of rod travel upon a scram caused by Turbine Control Valve (TCV) Fast Closure, Trip Oil Pressure - Low or Turbine Stop Valve (TSV) - Closure. The physical phenomenon involved is that the void reactivity feedback due to a pressurization transient can add positive reactivity at a faster rate than the control rods can add negative reactivity .

The EOC-RPT instrumentation, as shown in Reference 1, is composed of sensors that detect initiation of closure of the TSVs or fast closure of the TCVs, combined with relays, logic circuits, and fast acting circuit breakers that interrupt power from the recirculation pump motor generator (MG) set generators to each of the recirculation pump motors. When the setpoint is reached, the channel output relay actuates, which then outputs an EOC-RPT signal to the trip logic. When the RPT breakers trip open, the recirculation pumps coast down under their own inertia. The EOC-RPT has two identical trip systems, either of which can actuate an RPT.

Each EOC-RPT trip system is a two-out-of-two logic for each Function; thus, either two TSV - Closure or two TCV Fast Closure, Trip Oil Pressure

- Low signals are required for a trip system to actuate. The Turbine Stop Valve - Closure functions such that:

(1) The closing of one Turbine Stop Valve will not cause an RPT trip.

(2) The closing of two Turbine Stop Valves may or may not cause an RPT trip depending on which stop valves are closed.

(3) The closing of three or more Turbine Stop Valves will always yield an RPTtrip .

SUSQUEHANNA - UNIT 1 3.3-81

Rev.4 EOC-RPT Instrumentation B 3.3.4.1 BASES BACKGROUND If either trip system actuates, both recirculation pumps will trip. There are (continued) two RPT breakers in series per recirculation pump. One trip system trips one of the two RPT breakers for each recirculation pump, and the second trip system trips the other RPT breaker for each recirculation pump.

APPLICABLE The TSV - Closure and the TCV Fast Closure, Trip Oil Pressure - Low SAFETY Functions are designed to trip the recirculation pumps in the event of a ANALYSES, turbine trip or generator load rejection to mitigate the neutron flux, heat flux, LCO, and and pressure transients, and to increase the margin to the MCPR SL. The APPLICABILITY analytical methods and assumptions used in evaluating the turbine trip and generator load rejection, as well as other safety analyses that take credit for EOC-RPT, are summarized in References 2 and 3.

To mitigate pressurization transient effects, the EOC-RPT must trip the recirculation pumps after initiation of closure movement of either the TSVs or the TCVs. The combined effects of this trip and a scram reduce fuel bundle power more rapidly than a scram alone, resulting in an increased margin to the MCPR SL. Alternatively, MCPR limits for an inoperable EOC-RPT, as specified in the COLR, are sufficient to mitigate pressurization transient effects. The EOC-RPT function is automatically disabled when turbine first stage pressure is < 26% RTP.

EOC-RPT instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 6)

The OPERABILITY of the EOC-RPT is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have a required number of OPERABLE channels in each trip system, with their setpoints within the specified Allowable Value of SR 3.3.4.1.2. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Channel OPERABILITY also includes the associated RPT breakers. Each channel (including the associated RPT breakers) must also respond within its assumed response time.

Allowable Values are specified for each EOC-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified is more conservative than the analytical limit assumed in the transient and accident analysis in order to account for instrument uncertainties appropriate to the Function. Trip setpoints are those predetermined values of output at which an action SUSQUEHANNA - UNIT 1 3.3-82

Rev. 4 EOC-RPT Instrumentation

- BASES APPLICABLE SAFETY should take place. The setpoints are compared to the actual process B 3.3.4.1 parameter (e.g., TSV position), and when the measured output value of the ANALYSES, process parameter reaches the setpoint, the associated device changes LCO, and state. The analytic limits are derived from the limiting values of the process APPLICABILITY parameters obtained from the safety analysis. The Allowable Values are (continued) derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

Alternatively, since this instrumentation protects against a MCPR SL violation, with the instrumentation inoperable, modifications to the MCPR limits (LCO 3.2.2) may be applied to allow this LCO to be met. The MCPR penalty for the EOC-RPT inoperable condition is specified in the COLR.

The specific Applicable Safety Analysis, LCO, and Applicability discussions are listed below on a Function by Function basis.

Turbine Stop Valve - Closure Closure of the TSVs and a main turbine trip result in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TSV - Closure in anticipation of the transients that would result from closure of these valves.

EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient.

Closure of the TSVs is determined by measuring the position of each valve.

There are two separate position switches associated with each stop valve, the signal from each switch being assigned to a separate trip channel. The logic for the TSV - Closure Function is such that two or more TSVs must be closed to produce an EOC-RPT. This Function must be enabled at THERMAL POWER~ 26% RTP. This is accomplished automatically by pressure instruments sensing turbine first stage pressure. Because an increase in the main turbine bypass flow can affect this function nonconservatively (THERMAL POWER is derived from first stage pressure), the main turbine bypass valves must not cause the trip Functions to be bypassed when thermal power is~ 26% RTP. Four channels of TSV - Closure, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TSV - Closure Allowable Value is selected to detect imminent TSV closure.

SUSQUEHANNA - UNIT 1 3.3-83

Rev. 4 EOC-RPT Instrumentation B 3.3.4.1 BASES APPLICABLE Turbine Stop Valve - Closure (continued)

SAFETY ANALYSES, This protection is required, consistent with the safety analysis assumptions, LCO, and whenever THERMAL POWER is 2 26% RTP. Below 26% RTP, the APPLICABILITY Reactor Vessel Steam Dome Pressure - High and the Average Power (continued) Range Monitor (APRM) Fixed Neutron Flux - High Functions of the Reactor Protection System (RPS) are adequate to maintain the necessary safety margins.

Turbine Control Valve Fast Closure, Trip Oil Pressure - Low Fast closure of the TCVs during a generator load rejection results in the loss of a heat sink that produces reactor pressure, neutron flux, and heat flux transients that must be limited. Therefore, an RPT is initiated on TCV Fast Closure, Trip Oil Pressure - Low in anticipation of the transients that would result from the closure of these valves. The EOC-RPT decreases reactor power and aids the reactor scram in ensuring that the MCPR SL is not exceeded during the worst case transient.

Fast closure of the TCVs is determined by measuring the electrohydraulic control fluid pressure at each control valve. There is one pressure instrument associated with each control valve, and the signal from each instrument is assigned to a separate trip channel. The logic for the TCV Fast Closure, Trip Oil Pressure - Low Function is such that two or more TCVs must be closed (pressure instrument trips) to produce an EOC-RPT.

This Function must be enabled at THERMAL POWER 2 26% RTP. This is accomplished automatically by pressure instruments sensing turbine first stage pressure. Because an increase in the main turbine bypass flow can affect this function nonconservatively (THERMAL POWER is derived from first stage pressure) the main turbine bypass valves must not cause the trip Functions to be bypassed when thermal power is 2 26% RTP. Four channels of TCV Fast Closure, Trip Oil Pressure - Low, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure will preclude an EOC-RPT from this Function on a valid signal. The TCV Fast Closure, Trip Oil Pressure - Low Allowable Value is selected high enough to detect imminent TCV fast closure.

This protection is required consistent with the safety analysis whenever THERMAL POWER is ~ 26% RTP. Below 26% RTP, the Reactor Vessel Steam Dome Pressure - High and the APRM Fixed Neutron Flux - High Functions of the RPS are adequate to maintain the necessary safety margins .

SUSQUEHANNA - UNIT 1 3.3-84

Rev.4 EOC-RPT Instrumentation

- BASES ACTIONS A Note has been provided to modify the ACTIONS related to EOC-RPT B 3.3.4.1 instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable EOC-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable EOC-RPT instrumentation channel.

A.1, A.2, and A.3 With one or more channels inoperable, but with EOC-RPT trip capability maintained (refer to Required Actions B.1 and B.2 Bases), the EOC-RPT System is capable of performing the intended function. However, the reliability and redundancy of the EOC-RPT instrumentation is reduced such that a single failure in the remaining trip system could result in the inability of the EOC-RPT System to perform the intended function. Therefore, only a limited time is allowed to restore compliance with the LCO. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of an EOC-RPT, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is provided to restore the inoperable channels (Required Action A.1). Alternately, the inoperable channels may be placed in trip (Required Action A.2) or Required Action A.3 MCPR Limits for inoperable EOC-RPT can be applied since these would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker may be inoperable such that it will not open). Alternatively, a Completion Time can be determined for Required Actions A.1 and A.2 in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT, or if the inoperable channel is the result of an inoperable breaker),

Condition C must be entered and its Required Actions taken.

SUSQUEHANNA - UNIT 1 3.3-85

Rev. 4 EOC-RPT Instrumentation B 3.3.4.1 BASES ACTIONS 8.1 and 8.2 (continued)

Required Actions 8.1 and 8.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining EOC-RPT trip capability. A Function is considered to be maintaining EOC-RPT trip capability when sufficient channels are OPERABLE or in trip, such that the EOC-RPT System will generate a trip signal from the given Function on a valid signal and both recirculation pumps can be tripped. This requires two channels of the Function in the same trip system, to each be OPERABLE or in trip, and the associated RPT breakers to be OPERABLE or in trip.

Alternately, Required Action 8.2 requires the MCPR limit for inoperable EOC-RPT, as specified in the COLR, to be applied. This also restores the margin to MCPR assumed in the safety analysis.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient time for the operator to take corrective action, and takes into account the likelihood of an event requiring actuation of the EOC-RPT instrumentation during this period. It is also consistent with the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time provided in LCO 3.2.2 for Required Action A.1, since this instrumentation's purpose is to preclude a MCPR violation .

C.1 and C.2 With any Required Action and associated Completion Time not met, THERMAL POWER must be reduced to < 26% RTP within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

Alternately, the associated recirculation pump may be removed from service, since this performs the intended function of the instrumentation.

The allowed Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable, based on operating experience, to reduce THERMAL POWER to < 26% RTP from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that when a channel is REQUIREMENTS placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains EOC-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 4) assumption of the average time required to perform channel Surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary .

SUSQUEHANNA - UNIT 1 3.3-86

Rev. 4 EOC-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.1 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire Qhannel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 7) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.4.1.3. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.2 CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump breakers is included as a part of this test, overlapping the LOGIC SYSTEM FUNCTIONAL TEST, to provide complete testing of the associated safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s) would also be inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA - UNIT 1 3.3-87

Rev.4 EOC-RPT Instrumentation B 3.3.4.1 BASES SURVEILLANCE SR 3.3.4.1.4 REQUIREMENTS (continued) This SR ensures that an EOC-RPT initiated from the TSV - Closure and TCV Fast Closure, Trip Oil Pressure- Low Functions will not be inadvertently bypassed when THERMAL POWER is 2 26% RTP. This is performed by a Functional check that ensures the EOC-RPT Function is not bypassed. Because increasing the main turbine bypass flow can affect this function nonconservatively (THERMAL POWER is derived from first stage pressure) the main turbine bypass valves must not cause the trip Functions to be bypassed when thermal power is 2 26% RTP. If any functions are bypassed at 2 26% RTP, either due to open main turbine bypass valves or other reasons, the affected TSV - Closure and TCV Fast Closure, Trip Oil Pressure - Low Functions are considered inoperable.

Alternatively, the bypass channel can be placed in the conservative condition (nonbypass). If placed in the nonbypass condition, this SR is met with the channel considered OPERABLE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.5 This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. The EOC-RPT SYSTEM RESPONSE TIME acceptance criteria are included in Reference 5.

A Note to the Surveillance states that breaker interruption time may be assumed from the most recent performance of SR 3.3.4.1.6. This is allowed since the time to open the contacts after energization of the trip coil and the arc suppression time are short and do not appreciably change, due to the design of the breaker opening device and the fact that the breaker is not routinely cycled.

Response times cannot be determined at power because operation of final actuated devices is required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.1.6 This SR ensures that the RPT breaker interruption time (arc suppression time plus time to open the contacts) is provided to the EOC-RPT SYSTEM RESPONSE TIME test. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA - UNIT 1 3.3-88

Rev.4 EOC-RPT Instrumentation B 3.3.4.1 BASES REFERENCES 1. FSAR, Figure 7.2-1-4 (EOC-RPT logic diagram).

2. FSAR, Sections 15.2 and 15.3.

3. FSAR, Sections 7.1 and 7.6.

4. GENE-770-06-1, "Bases For Changes To Surveillance Test Intervals And Allowed Out-Of-Service Times For Selected Instrumentation Technical Specifications," February 1991.

5. FSAR Table 7.6-10.

6. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193).

7. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86 .

SUSQUEHANNA - UNIT 1 3.3-89

Rev.4 EOC-RPT Instrumentation

BASES B 3.3.4.1 THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.3-90

Rev.4 EOC-RPT Instrumentation 8 3.3.4.1 BASES THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.3-91

Rev.2 A T\/VS-RPT Instrumentation B 3.3.4.2 B 3.3 INSTRUMENTATION B 3.3.4.2 Anticipated Transient Without Scram Recirculation Pump Trip (ATWS-RPT)

Instrumentation BASES BACKGROUND The ATWS-RPT System initiates an RPT, adding negative reactivity, following events in which a scram does not (but should) occur, to lessen the effects of an ATWS event. Tripping the recirculation pumps adds negative reactivity from the increase in steam voiding in the core area as core flow decreases. When Reactor Vessel Water Level - Low Low, Level 2 or Reactor Steam Dome Pressure - High setpoint is reached, the Recirculation Pump Trip (RPT) breakers trip.

The ATWS-RPT System includes sensors, relays, bypass capability, circuit breakers, and switches that are necessary to cause initiation of an RPT.

When the setpoint is reached, the channel sensor actuates, which then outputs an ATWS-RPT signal to the trip logic.

The A TWS-RPT consists of two independent trip systems, with two channels of Reactor Steam Dome Pressure- High and two channels of Reactor Vessel Water Level - Low Low, Level 2 in each trip system. Each ATWS-RPT trip system is a two-out-of-two logic for each Function. Thus, either two Reactor Water Level - Low Low, Level 2 or two Reactor Pressure - High signals are needed to trip a trip system. The outputs of the channels in a trip system are combined in a logic so that either trip system will trip both recirculation pumps (by tripping the respective RPT breakers).

There are two RPT breakers in series provided for each of the two recirculation pumps for a total of four breakers. One trip system trips one of the two breakers for each recirculation pump, and the second trip system trips the other breaker for each recirculation pump.

APPLICABLE The A T\/VS-RPT is credited in the ASME Overpressure Safety Analyses.

SAFETY The ATWS-RPT initiates an RPT to aid in preserving the integrity of the fuel ANALYSES, cladding following events in which a scram does not, but should, occur.

LCO, and Based on its contribution to the reduction of overall plant risk, the APPLICABILITY instrumentation is included as required by the NRC Policy Statement (Ref. 3) .

SUSQUEHANNA- UNIT 1 3.3-92

Rev. 2 ATWS-RPT Instrumentation B 3.3.4.2 BASES APPLICABLE The OPERABILITY of the ATWS-RPT is dependent on the OPERABILITY SAFETY of the individual instrumentation channel Functions. Each Function must ANALYSES, have a required number of OPERABLE channels in each trip system, with LCO, and their setpoints within the specified Allowable Value of SR 3.3.4.2.3 or APPLICABILITY SR 3.3.4.2.4. The actual setpoint is calibrated consistent with applicable (continued) setpoint methodology assumptions. Channel OPERABILITY also includes the associated RPT breakers. In the event one RPT breaker is inoperable for tripping, the two channels of Reactor Vessel Water Level - Low Low, Level 2 and the two channels of Reactor Steam Dome Pressure - High that are associated with that RPT breaker, are considered inoperable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value.

Allowable Values are specified for each A TWS-RPT Function specified in the LCO. Nominal trip setpoints are specified in the setpoint calculations.

The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are .

those predetermined values of output at which an action should take place.

The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manne*r provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

The individual Functions are required to be OPERABLE in MODE 1 to protect against common mode failures of the Reactor Protection System by providing a diverse trip to mitigate the consequences of a postulated ATWS event. The Reactor Steam Dome Pressure - High and Reactor Vessel Water Level - Low Low, Level. 2 Functions are required to be OPERABLE in MODE 1, since the reactor is producing significant power and the recirculation system could be at high flow. During this MODE, the potential exists for pressure increases or low water level, assuming an ATWS event.

In MODE 2, the reactor is at low power and the recirculation system is at low flow; thus, the potential is low for a pressure increase or low water level, assuming an A TWS event. Therefore, the ATWS-RPT is not necessary. In MODES 3 and 4, the reactor is shut down with all control SUSQUEHANNA- UNIT 1 3.3-93

Rev.2 A TWS-RPT Instrumentation

BASES APPLICABLE SAFETY B 3.3.4.2 rods inserted; thus, an A TWS event is not significant and the possibility of a significant pressure increase or low water level is negligible. In MODE 5, ANALYSES, the one rod out interlock ensures that the reactor remains subcritical; thus, LCO, and an A TWS event is not significant. In addition, the reactor pressure vessel APPLICABILITY (RPV) head is not fully tensioned and no pressure transient threat to the (continued) reactor coolant pressure boundary (RCPB) exists.

The specific Applicable Safety Analyses and LCO discussions are listed below on a Function by Function basis.

a. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the ATWS-RPT System is initiated at Level 2 to aid in maintaining level above the top of the active fuel. The reduction of core flow reduces the neutron flux and THERMAL POWER and, therefore, the rate of coolant boiloff.

Reactor vessel water level signals are initiated from four level

instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

Four channels of Reactor Vessel Water Level - Low Low, Level 2, with two channels in each trip system, are available and required to be OPERABLE to ensure that no single instrument failure can preclude an A TWS-RPT from this Function on a valid signal. The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is chosen so that the system will not be initiated after a Level 3 scram with feedwater still available, and for convenience with the reactor core isolation cooling high pressure coolant injection initiation.

b. Reactor Steam Dome Pressure - High Excessively high RPV pressure may rupture the RCPB. An increase in the RPV pressure during reactor operation compresses the steam voids and results in a positive reactivity insertion. This increases neutron flux and THERMAL POWER, which could potentially result in fuel failure and overpressurization. The Reactor Steam Dome Pressure - High Function initiates an RPT for transients that result in a pressure increase, counteracting the pressure increase by rapidly reducing core power generation. For the overpressurization event, the RPT aids in the termination of the ATWS event and, along with the safety/relief valves, limits the peak RPV pressure to less than the ASME Section Ill Code Service Level C limits (1500 psig).

SUSQUEHANNA- UNIT 1 3.3-94

Rev.2 A TWS-RPT Instrumentation

BASES APPLICABLE SAFETY

b. Reactor Steam Dome Pressure - High (continued)

B 3.3.4.2 ANALYSES, The Reactor Steam Dome Pressure - High signals are initiated from LCO, and four pressure instruments that monitor reactor steam dome pressure.

APPLICABILITY Four channels of Reactor Steam Dome Pressure - High, with two (continued) channels in each trip system, are available and are required to be OPERABLE to ensure that no single instrument failure can preclude an A TWS-RPT from this Function on a valid signal. The Reactor Steam Dome Pressure - High Allowable Value is chosen to provide an adequate margin to the ASME Section Ill Code Service Level C allowable Reactor Coolant System pressure.

ACTIONS A Note has been provided to modify the ACTIONS related to ATWS-RPT instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable A TWS-RPT instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable A TWS-RPT instrumentation channel.

A.1 and A.2 With one or more channels inoperable, but with A TWS-RPT capability for each Function maintained (refer to Required Action B.1 Bases), the A TWS-RPT System is capable of performing the intended function. However, the reliability and redundancy of the ATWS-RPT instrumentation is reduced, such that a single failure in the remaining trip system could result in the inability of the ATWS-RPT System to perform the intended function.

Therefore, only a limited time is allowed to restore the inoperable channels to OPERABLE status. Because of the diversity of sensors available to provide trip signals, the low probability of extensive numbers of inoperabilities affecting all diverse Functions, and the low probability of an event requiring the initiation of ATWS-RPT, 14 days is provided to restore the inoperable channel (Required Action A.1 ). Alternately, the inoperable channel may be placed in trip (Required Action A.2), since this would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. As noted, placing the channel in trip with no further restrictions is not allowed if the inoperable channel is the result of an inoperable breaker, since this may not adequately compensate for the inoperable breaker (e.g., the breaker SUSQUEHANNA- UNIT 1 3.3-95

Rev. 2 ATWS-RPT Instrumentation

BASES ACTIONS (continued)

A.1 and A.2 (continued) 8 3.3.4.2 may be inoperable such that it will not open). Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an RPT),

or if the inoperable channel is the result of an inoperable breaker, on expiration of the 14 day Completion Time Condition D must be entered and its Required Actions taken.

8.1 Required Action 8.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in the Function not maintaining ATWS:RPT trip capability. A Function is considered to be maintaining ATWS:RPT trip capability when sufficient channels are OPERABLE or in trip such that the A TWS:RPT System will generate a trip signal from the given Function on a valid signal, and both recirculation pumps can be tripped. This requires two channels of the Function in the same trip system to each be OPERABLE or in trip, and the RPT breakers associated with that trip system (one for each operating recirculation pump) to be OPERABLE or in trip.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is sufficient for the operator to take corrective action (e.g., restoration or tripping of channels) and takes into account the likelihood of an event requiring actuation of the A TWS-RPT instrumentation during this period and that one Function is still maintaining ATWS-RPT trip capability.

Required Action C.1 is intended to ensure that appropriate Actions are taken if multiple, inoperable, untripped channels within both Functions result in both Functions not maintaining ATWS-RPT trip capability. The description of a Function maintaining ATWS-RPT trip capability is discussed in the Bases for Required Action 8.1 above.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is sufficient for the operator to take corrective action and takes into account the likelihood of an event requiring actuation of the ATWS-RPT instrumentation during this period .

SUSQUEHANNA- UNIT 1 3.3-96

Rev. 2 ATWS-RPT Instrumentation B 3.3.4.2 BASES ACTIONS D.1 and D.2 (continued)

With any Required Action and associated Completion Time not met, the plant must be brought to a MODE or other specified condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (Required Action D.2). Alternately, the

. associated recirculation pump may be removed from service since this performs the intended function of the instrumentation (Required Action D.1). The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, both to reach MODE 2 from full power conditions and to remove a recirculation pump from service in an orderly manner and without challenging plant systems.

SURVEILLANCE The Surveillances are modified by a Note to indicate that when a channel is REQUIREMENTS placed in an inoperable status solely for performance of required Surveillances, entry into the associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains ATWS-RPT trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 2) assumption of the average time required to perform channel Surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the recirculation pumps will trip when necessary.

SR 3.3.4.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and

SUSQUEHANNA- UNIT 1 3.3-97

Rev.2 ATWS-RPT Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.4.2.1 (continued)

B 3.3.4.2 (continued) readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the required channels of this LCO.

SR 3.3.4.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 4) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.4.2.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.4.2.3 and SR 3.3.4.2.4 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.3-98

Rev. 2 A TWS-RPT Instrumentation B 3.3.4.2 BASES SURVEILLANCE SR 3.3.4.2.5 REQUIREMENTS (continued) The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required trip logic for a specific channel. The system functional test of the pump RPT breakers is included as part of this Surveillance and overlaps the LOGIC SYSTEM FUNCTIONAL TEST to provide complete testing of the assumed safety function. Therefore, if a breaker is incapable of operating, the associated instrument channel(s)

(two channels of Reactor Vessel Water Level - Low Low, Level 2 and two channels of Reactor Steam Dome Pressure - High) would be inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. GENE-637, 024, -0893, Evaluation of SSES ATWS Performance for Power Uprate Conditions, Sept 1993.

2. NEDE-770-06-1, "Bases for Changes To Surveillance Test Intervals and Allowed Out-of-Service Times For Selected Instrumentation Technical Specifications," February 1991 .

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193).

4. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA- UNIT 1 3.3-99

Rev.2 A TWS-RPT Instrumentation B 3.3.4.2 BASES

THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.3-100

Rev. 6 ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), the diesel generators (DGs) and other features described in the DG background. The equipment involved with each of these systems with exception of the DGs and other features, is described in the Bases for LCO 3.5.1, "ECCS-Operating."

Core Spray System The CS System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level Low, Low, Low, Level 1 or Drywell Pressure - High concurrent with Reactor Pressure - Low. Each of these diverse variables is monitored by four redundant instruments. The initiation logic for one CS loop is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1) both level sensors are tripped, or (2) two high drywell pressure sensors and two low reactor vessel pressure sensors are tripped, or (3) a combination of one channel of level sensor and one of the other channels of high drywell pressure sensor together with its associated low reactor vessel pressure sensor (i.e. Channel A level sensor and Channel C high drywell pressure sensor and low reactor vessel pressure sensor) .

SUSQUEHANNA- UNIT 1 3.3-101

Rev.6 ECCS Instrumentation

BASES BACKGROUND (continued)

Core Spray System (continued)

B 3.3.5.1 Once an initiation signal is received by the CS control circuitry, the signal is sealed in until manually reset. The logic can also be initiated by use of a manual push button (one push button per subsystem). Upon receipt of an initiation signal, the CS pumps are started 15 seconds after initiation signal if normal offsite power is available and 10.5 seconc;ls after diesel generator power is available.

The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated. The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR)

System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level Low, Low, Low, Level 1 or Drywell Pressure - High concurrent with Reactor Pressure - Low. Each of these diverse variables is monitored by four instruments in two divisions.

Each division is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1) both level sensors are tripped, or (2) two high drywell pressure sensors and two low reactor vessel pressure sensors are tripped, or (3) a combination of one channel level sensor and one of the other channel of high drywell pressure sensor together with its associated low reactor vessel pressure sensor. (i.e. Channel A level sensor and Channel C high drywell and low reactor vessel pressure sensor) .

- SUSQUEHANNA- UNIT 1 3.3-102

Rev.6 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant Injection System (continued)

(continued)

The initiation logic is cross connected between divisions (i.e., either start signal will start all four pumps and open both loop's injection valves). Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset. The cross division start signals for the pumps affect both the opposite division's start logic and the pump's 4KV breaker start logic. The cross division start signal to the opposite division's start logic is for improved reliability. The cross division start signals to the pump's 4KV breaker start logic is needed to ensure specific control power failures do not prevent the start of an adequate number of LPCI pumps.

Upon receipt of an initiation signal, all LPCI pumps start after a 3 second time delay when normal AC power is lost and standby diesel generator power is available. If normal power is available, LPCI pumps A and B will start immediately and pumps C and D will start 7.0 seconds after initiation signal to limit loading of the offsite sources.

The RHR test line and spray line are also isolated on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and for those valves which are also PCIVs maintain primary containment isolated.

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is

monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Logic is provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The logic consists of an initiation signal (Low reactor water level and high drywell pressure in a one out of two taken twice logic) from both divisions of LPCI instruments and a pressure permissive. The pressure variable is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

High Pressure Coolant Injection System The HPCI System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low, Level 2 or Drywell Pressure-High. Each of these variables is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

SUSQUEHANNA- UNIT 1 3.3-103

Rev. 6 EGGS Instrumentation

BASES BACKGROUND (continued)

High Pressure Coolant Injection System (continued)

B 3.3.5.1 The HPCI System also monitors the water level in the condensate storage tank (CST). HPCI suction is normally maintained on the CST until it transfers to the suppression pool on low CST level or is manually transferred by the operator. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the suppression pool suction valve is open. If the water level in the CST falls to the level switch process setpoint value, an automatic suction transfer is initiated. The suppression pool suction valve receives a signal to open and in parallel, the CST suction valve receives a signal to close to complete the transfer. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valve to open and the CST suction valve to close.

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level - High, Level 8 trip, at which time the HPCI turbine trips, which causes the turbine's stop valve, minimum flow valve, the cooling water isolation valve, and the injection valve to close. The logic is two-out-of-two to provide high reliability of the HPCI System. The HPCI System automatically restarts if a Reactor Vessel Water Level - Low Low, Level 2 signal is subsequently received.

Automatic Depressurization System The ADS may be initiated by either automatic or manual means. Automatic initiation occurs when signals indicating Reactor Vessel Water Leve - Low Low Low, Level 1; Drywell Pressure - High or ADS Drywell Bypass Actuation Timer; confirmed Reactor Vessel Water Level - Low, Level 3; and CS or LPCI Pump Discharge Pressure - High are all present and the ADS Initiation Timer has timed out. There are two instruments each for Reactor Vessel Water Level - Low Low Low, Level 1 and Drywell Pressure

- High, and one instrument for confirmed Reactor Vessel Water Level -

Low, Level 3 in each of the two ADS trip systems. Each of these instruments drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint is chosen to be long enough that the HPCI system has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers. The ADS also monitors

- the discharge pressures of the four LPCl pumps and the four CS pumps.

Each ADS trip system includes two discharge pressure permissive SUSQUEHANNA- UNIT 1

3.3-104

Rev. 6 ECCS Instrumentation

BASES BACKGROUND (continued)

Automatic Depressurization System (continued)

B 3.3.5.1 instruments from both CS pumps in the division and from either of the two LPCI pumps in the associated Division (i.e., Division 1 LPCI pumps A or C input to ADS trip system A, and Division 2 LPCI pumps B or D input to ADS trip system B). The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. With both CS pumps in a division or one of the LPCI pumps operating sufficient flow is available to permit automatic depressurization.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level - Low Low Low, Level 1; Drywell Pressure - High; or Drywell Pressure Bypass Actuation Timer. One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level -Low, Level 3. All contacts in both logic strings must close, the ADS initiation timer must time out, and a loop of CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the Drywell Pressure - High signal, the ADS Drywell Pressure Bypass Actuation Timer, or the ADS initiation signal is present, it is individually sealed in until manually reset.

Manual inhibit switches are provided in th~ control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Diesel Generators and Other Initiated Features The DGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level - Low Low Low, Level 1 or Drywell Pressure - High. The DGs are also initiated upon loss of voltage signals (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) The initiation logic is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1) both level sensors are.tripped, or (2) both high drywell pressure sensors are tripped, or (3) a combination of one level sensor and one high drywell pressure sensor is tripped.

SUSQUEHANNA- UNIT 1 3.3-105

Rev.6 ECCS Instrumentation

- BASES BACKGROUND (continued)

Diesel Generators and Other Initiated Features (continued)

B 3.3.5.1 DGs A and B receive their initiation signal from CS system initiation logic Division I and Division II respectively. DGs C and D receive their initiation signals from either LPCI systems initiation logic Division I or Division II.

The DGs can also be started manually from the control room and locally from the associated DG room. The DG initiation signal is a sealed in signal and must be manually reset. The DG initiation logic is reset by resetting the associated ECCS initiation logic. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each DG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature buses if a loss of offsite power occurs. (Refer to Bases for LCO 3.3.8.1.).

In addition to DG initiation, the ECCS instrumentation initiates other design features. Signals from the CS System logic initiate (1) the reset of two Emergency Service Water (ESW) timers, (2) the reset of the degraded grid timers for the 4kV buses on Unit 1, (3) LOCA load shed schemes, and (4) the trip of Drywell Cooling equipment. Signals from the LPCI System

logic initiate (1) the reset of two Emergency Service Water (ESW) timers, (2) the trip of turbine building chillers, and (3) the trip of reactor building chillers. The ESW pump timer reset feature assures the ESW pumps do not start concurrently with the CS or LPCI pumps. If one or both ESW pump timer resets in a division or reactor building/turbine building chiller trips are inoperable; two offsite circuits with the 4kV buses aligned to their .

normal configuration are required to be OPERABLE. If one or both ESW pump timer resets in a division or reactor building/turbine building chiller trips are inoperable; the effects on one offsite circuit have not been analyzed; and therefore, the offsite circuit is assumed not to be capable of accepting the required loads during certain accident events. The ESW pump timer reset is not required in MODES 4 and 5 because concurrent pump starts, on a LOCA signal, of the ESW pumps (initiated by the DG start circuitry) with CS or LPCI pumps cannot occur in these MODES.

APPLICABLE The actions of the ECCS are explicitly assumed in the safety analyses of SAFETY References 1 and 2. The ECCS is initiated to preserve the integrity of the ANALYSES, fuel cladding by limiting the post LOCA peak cladding temperature to less LCO, and than the 10 CFR 50.46 limits.

APPLICABILITY ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref. 4). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion .

- SUSQUEHANNA- UNIT 1 3.3-106

Rev. 6 ECCS Instrumentation

BASES APPLICABLE SAFETY The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions B 3.3.5.1 ANALYSES, specified in Table 3.3.5.1-1. Each Function must have a required number LCO, and of OPERABLE channels, with their setpoints within the specified Allowable APPLICABILITY Values, where appropriate. The actual setpoint is calibrated consistent with (continued) applicable setpoint methodology assumptions. Each ECCS subsystem must also respond within its assumed response time. Table 3.3.5.1-1, footnotes (a) and (b), are added to show that certain ECCS instrumentation Functions are also required to be OPERABLE to perform DG initiation and actuation of other Technical Specifications (TS) function.

Allowable Values are specified for each ECCS Function specified in the table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

An exception to the methodology described to derive the Allowable Value is the methodology used to determine the Allowable Values for the ECCS pump start time delays and HPCI CST Level 1 - Low. These Allowable Values are based on system calculations and/or engineering judgement which establishes a conservative limit at which the function should occur.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

SUSQUEHANNA- UNIT 1 3.3-107

Rev. 6 ECCS Instrumentation

- BASES APPLICABLE SAFETY Core Spray and Low Pressure Coolant Injection Systems B 3.3.5.1 ANALYSES, 1.a, 2.a. Reactor Vessel Water Level - Low Low Low, Level 1 LCO, and APPLICABILITY Low reactor pressure vessel (RPV) water level indicates that the capability (continued) to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 2. In addition, the Reactor Vessel Water Level -

Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS),

ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling The initiation logic for LPCI pumps and injection valves is cross connected such that either division's start signal will start all four pumps and open both loop's injection valves. This cross division logic is required in MODES 1, 2, and 3.

DGs C and D which are initiated from the LPCI LOCA initiation are cross connected such that both DGs receive an initiation signal from both Divisions of the LPCI LOCA initiation circuitry. This cross connected logic is only required in MODES 1, 2, and 3.

Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are only required to be OPERABLE when the ECCS or DG(s) are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS and DG initiation .

SUSQUEHANNA- UNIT 1 3.3-108

Rev.6 EGGS Instrumentation

BASES APPLICABLE SAFETY 1.b, 2.b. Drywell Pressure - High B 3.3.5.1 ANALYSES, High pressure in the drywell could indicate a break in the reactor coolant LCO, and pressure boundary (RCPB). The low pressure EGGS (provided a APPLICABILITY concurrent low reactor pressure signal is present) and associated DGs, (continued) without a concurrent low reactor pressure signal, are initiated upon receipt of the Drywell Pressure - High Function in order to minimize the possibility of fuel damage. The Drywell Pressure - High Function, along with the Reactor Water Level - Low Low Low, Level 1 Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the EGGS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as practical and be indicative of a LOCA inside primary containment.

The Drywell Pressure - High Function is required to be OPERABLE when the EGGS or DG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four

channels of the CS and LPCI Drywell Pressure - High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude EGGS and DG initiation. In MODES 4 and 5, the Drywell Pressure - High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure - High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure EGGS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.

1.c, 1.d, 2.c, 2.d Reactor Steam Dome Pressure - Low Low reactor steam dome pressure signals are used as permissives for the low pressure EGGS subsystems. The low reactor pressure permissive is provided to prevent a high drywell pressure condition which is not accompanied by low reactor pressure, i.e. a false LOCA signal, from disabling two RHR pumps on the other unit. The low reactor steam dome pressure permissive also ensures that, prior to opening the injection valves of the low pressure EGGS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the EGGS during the transients analyzed in Reference 2. In addition, the Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the EGGS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

SUSQUEHANNA- UNIT 1 3.3-109

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.c, 1.d, 2.c, 2.d Reactor Steam Dome Pressure - Low (continued)

SAFETY ANALYSES, The Reactor Steam Dome Pressure - Low signals are initiated from four LCO, and pressure instruments that sense the reactor dome pressure.

APPLICABILITY (continued) The pressure instruments are set to actuate between the Upper and Lower Allowable Values on decreasing reactor dome pressure.

The Upper Allowable Value is low enough to ensure that the reactor dome pressure has fallen to a value below the Core Spray and RHR/LPCI maximum design pressures to preclude overpressurization.

The Lower Allowable Value is high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

DGs C and D which are initiated from the LPCI LOCA initiation are cross connected such that both DGs receive an initiation signal from both Divisions of the LPCI LOCA initiation circuitry. This cross connected logic is only required in MODES 1, 2, and 3. In MODES 4 and 5, redundancy in the DG initiation circuitry is not required. Therefore, in MODES 4 and 5 for DGs C and D only one division of ECCS initiation logic is required.

Four channels of Reactor Steam Dome Pressure - Low Function are required to be OPERABLE only when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation.

1.e, 2.f. Manual Initiation The Manual Initiation push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There is one push button for each of the CS and LPCI subsystems (i.e., two for CS and two for LPCI).

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the low pressure ECCS function as required by the NRG in the plant licensing basis.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Each channel of the Manual Initiation Function (one channel per subsystem) is required to be OPERABLE only when the associated ECCS is required to be OPERABLE.

SUSQUEHANNA- UNIT 1 3.3-110

Rev. 6 ECCS Instrumentation

BASES APPLICABLE SAFETY 2.e. Reactor Steam Dome Pressure - Low (Recirculation Discharge Valve Permissive)

B 3.3.5.1 ANALYSES, LCO, and Low reactor steam dome pressure signals are used as permissives for APPLICABILITY recirculation discharge and bypass valves closure. This ensures that the (continued) LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Steam Dome Pressure - Low is one of the Functions assumed to be OPERABLE and capable of closing the valves during the transients analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure - Low Function is directly assumed in the analysis of the recirculation line break (Ref. 1).

The Reactor Steam Dome Pressure - Low signals are initiated from four pressure instruments that sense the reactor dome pressure. _

The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis .

Four channels of the Reactor Steam Dome Pressure - Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

HPCI System 3.a. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level - Low Low, Level 2 is one of the Functions assumed to be OPERABLE analyzed in Reference 2. Additionally, the Reactor Vessel Water Level - Low Low, Level 2 Function associated with HPCI is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

- SUSQUEHANNA- UNIT 1 3.3-111

Rev.6 ECCS Instrumentation

BASES APPLICABLE SAFETY 3.a. Reactor Vessel Water Level - Low Low, Level 2 (continued)

B 3.3.5.1 ANALYSES, Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from LCO, and four level instruments that sense the difference between the pressure due APPLICABILITY to a constant column of water (reference leg) and the pressure due to the (continued) actual water level (variable leg) in the vessel.

The HPCI Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is chosen to be consistent with the Reactor Core Isolation Cooling (RCIC)

System Reactor Vessel Water Level - Low Low, Level 2 Allowable value.

Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure - High High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure - High Function in

order to minimize the possibility of fuel damage. The Drywell Pressure -

High Function, along with the Reactor Water Level - Low Low, Level 2 Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as possible to be indicative of a LOCA inside primary containment.

Four channels of the Drywell Pressure - High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level - High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.

SUSQUEHANNA- UNIT 1 3.3-112

Rev.6 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.c. Reactor Vessel Water Level - High, Level 8 (continued)

SAFETY ANALYSES, Reactor Vessel Water Level - High, Level 8 signals for HPCI are initiated LCO, and from two level instruments. Both Level 8 signals are required in order to APPLICABILITY trip HPCI. This ensures that no single instrument failure can preclude an (continued) HPCI initiation or trip. The Reactor Vessel Water Level - High, Level 8 Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.

Two channels of Reactor Vessel Water Level - High, Level 8 Function are required to be OPERABLE only when HPCI is required to be OPERABLE.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.d. Condensate Storage Tank Level - Low The Condensate Storage Tank-Low signal indicates that a conservatively calculated NPSH-available limit is being approached.

Normally the suction valves between HPCI and the CST are open and, upon receiving a HPCI initiation signal, water for HPCI injection would be

taken from the CST. However, if the water level in the CST falls to the level switch process setpoint value, an automatic suction transfer is initiated.

The suppression pool suction valve receives a signal to open and in parallel, the CST suction valve receives a signal to close to complete the transfer. The HPCI suction transfer must be initiated prior to CST level dropping below the technical specification allowable value to ensure that an adequate suction head for the pump and an uninterrupted supply of makeup water is available to the HPCI pump. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level-Low signals are initiated from two level instruments. The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CST suction valve to close. The Condensate Storage Tank Level-Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of the Condensate Storage Tank Level-Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases .

SUSQUEHANNA- UNIT 1 3.3-113

Rev.6 EGGS Instrumentation 8 3.3.5.1 BASES APPLICABLE 3.e. Manual Initiation SAFETY ANALYSES, The Manual Initiation push button channel introduces signals into the HPCI LCO, and logic to provide manual initiation capability and is redundant to the APPLICABILITY automatic protective instrumentation. There is one push button for the (continued) HPCI System.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the HPCI function as required by the NRG in the plant licensing basis.

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button.

One channel of the Manual Initiation Function is required to be OPERABLE only when the HPCI System is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

Automatic Depressurization System 4.a, 5.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level - Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 1. The core cooling function of the EGGS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level - Low Low Low, Level 1 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low Low, Level 1 Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system 8. Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling .

SUSQUEHANNA- UNIT 1 3.3-114

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.b, 5.b. Drywell Pressure - High SAFETY ANALYSES, High pressure in the drywell could indicate a break in the RCPB.

LCO, and Therefore, ADS receives one of the signals necessary for initiation from this APPLICABILITY Function in order to minimize the possibility of fuel damage. The Drywell (continued) Pressure - High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Drywell Pressure - High signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

Four channels of Drywell Pressure-High Function are only required to be OPERABLE when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.c, 5.c. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited: By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 1 that require ECCS initiation and assume failure of the HPCI System.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

SUSQUEHANNA- UNIT 1 3.3-115

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.c, 5.c. Automatic Depressurization System Initiation Timer (continued)

SAFETY ANALYSES, Two channels of the Automatic Depressurization System Initiation Timer LCO, and Function are only required to be OPERABLE when the ADS is required to APPLICABILITY be OPERABLE to ensure that no single instrument failure can preclude (continued) ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d, 5.d. Reactor Vessel Water Level - Low, Level 3 The Reactor Vessel Water Level - Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level - Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from two level instruments that sense the difference between the pressure due to a

constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level - Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function.

Two channels of Reactor Vessel Water Level - Low, Level 3 Function are required to be OPERABLE only when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.e, 4.f, 5.e, 5.f. Core Spray and Low Pressure Coolant lniection Pump Discharge Pressure - High The Pump Discharge Pressure - High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure - High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 1 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core SUSQUEHANNA- UNIT 1 3.3-116

Rev.6 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.e, 4.f, 5.e, 5.f. Core Spray and Low Pressure Coolant Injection SAFETY Pump Discharge Pressure - High (continued)

ANALYSES, LCO, and cooling function of the ECCS, along with the scram action of the RPS, APPLICABILITY ensures that the fuel peak cladding temperature remains below the limits of (continued) 10 CFR 50.46.

Pump discharge pressure signals are initiated from twelve pressure instruments, two on the discharge side of each of the four LPCI pumps and one on the discharge of each of CS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one LPCI pump or one CS subsystem indicate the high discharge pressure condition. The Pump Discharge Pressure - High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discha*rge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running. The actual operating point of this function is not assumed in any transient or accide,nt analysis.

Twelve channels of Core Spray and Low Pressure Coolant Injection Pump

Discharge Pressure - High Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pumps A and C and four LPCI channels associated with LPCI pumps A and C are required for trip system A Two CS channels associated with CS pumps B and D and four LPCI channels associated with LPCI pumps B and D are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.g, 5.g. Automatic Depressurization System Drywell Pressure Bypass Actuation Timer One of the signals required for ADS initiation is Drywell Pressure - High.

However, if the event requiring ADS initiation occurs outside the drywell (e.g., main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer is used to bypass the Drywell Pressure - High Function after a certain time period has elapsed.

Operation of the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer Function is not assumed in any accident analysis.

The instrumentation is retained in the TS because ADS is part of the primary success path for mitigation of a OBA

SUSQUEHANNA- UNIT 1 3.3-117

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.g, 5.g. Automatic Depressurization System Drywell Pressure Bypass SAFETY Actuation Timer (continued)

ANALYSES, LCO, and There are four Automatic Depressurization System Drywell Pressure APPLICABILITY Bypass Actuation Timer relays, two in each of the two ADS trip systems.

(continued) The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Four channels of the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer Function are required to be OPERABLE only when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.h, 5.h. Manual Initiation The Manual Initiation push button channels introduce signals into the ADS logic to provide manual initiation capability and are redundant to the

automatic protective instrumentation. There are two push buttons for each ADS trip system for a total of four.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the ADS functions as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Four channels of the Manual Initiation Function (two channels per trip system) are only required to be OPERABLE when the ADS is required to be OPERABLE. Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

SUSQUEHANNA- UNIT 1 3.3-118

Rev.6 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS A.1 (continued)

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

8.1, 8.2, and 8.3 Required Actions 8.1 and 8.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action 8.1 features would be those that are initiated by Functions 1.a, 1.b, 1.c, 2.a, 2.b, and 2.c (e.g., low pressure ECCS). The Required Action 8.2 system would be HPCI. For Required Action 8.1, redundant automatic initiation capability is lost if (a) one Function 1.a, 1.b, 1.c, 2.a, or 2.b is inoperable and untripped with only one offsite source OPERABLE, or (b) one or more Function 1.a or Function 2.a channels in both divisions are inoperable and untripped, or (c) one or more

- Function 1.b or Function 2.b channels in both divisions are inoperable and untripped, or (d) one or more Function 1.c or Function 2.c channels in both divisions are inoperable and untripped.

For (a) above (Function 1.a, 1.b, 1.c, 2.a, or 2.b is inoperable and untripped with only one offsite source OPERABLE), the ESW pump timer resets may not receive a reset signal and the Reactor Building chillers, Turbine Building chillers and the Drywell cooling equipment may not receive a trip signal. Without the reset of the ESW pump timers and without the trip of the Reactor Building and Turbine Building chillers, the OPERABLE offsite circuit may not be capable of accepting starts of the ESW pumps concurrently with CS or LPCI pumps. For this situation, both the OPERABLE offsite circuit and the DG, that would not be capable of starting, should be declared inoperable. Actions required by LCO 3.8.1 "AC Sources Operating" or LCO 3.8.2 "AC Sources Shutdown" should be taken or disable the affected reactor building/turbine building chillers and disable the affected ESW pumps automatic initiation capability and take the ACTIONS required by LCO 3.7.2 "ESW System".

For the Drywell cooling equipment trip, inoperability of this feature would require that the associated drywell cooling fans be declared inoperable in accordance with LCO 3.6.3.2 "Drywell Air Flow System".

With two offsite sources OPERABLE and one Function 1.a, 1.b, 1.c, 2.a, or 2.b inoperable and untripped, sufficient ECCS equipment is available to meet the design basis accident analysis.

SUSQUEHANNA- UNIT 1 3.3-119

Rev.6 ECCS Instrumentation

- - BASES ACTIONS (continued)

B.1, B.2, and B.3 (continued)

B 3.3.5.1 For (b), (c) and (d) above, for each Division, since each inoperable channel would have Required Action B.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system of low pressure ECCS, DGs, and associated features to be declared inoperable. However, since channels in both Divisions are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and DGs being concurrently declared inoperable.

For Required Action B.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action B.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Notes are also provided (the Note to Required Action B.1 and the Note to Required Action B.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that a redundant feature in both Divisions (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above.

For Required Action B.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels:

SUSQUEHANNA- UNIT 1 3.3-120

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS B.1, B.2, and B.3 (continued)

(continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition G must be entered and its Required Action taken.

C.1 and C.2

Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s).

Required Action C.1 features would be those that are initiated by Functions 1.d, 2.d, and 2.e (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) two or more Function 1.d channels are inoperable such that the trip system loses initiation capability, (b) two or more Function 2.d channels are inoperable in the same trip system such that the trip system loses initiation capability, or (c) two or more Function 2.e channels are inoperable affecting LPCI pumps in different subsystems. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g.,

both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.d, 2.d, and 2.e, the affected portions are the associated low pressure ECCS pumps.

- SUSQUEHANNA- UNIT 1 3.3-121

Rev.6 ECCS Instrumentation 8 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

(continued)

The Note states that Required Action C.1 is only applicable for Functions 1.d, 2.d, and 2.e. Required Action C.1 is not applicable to Functions 1.e, 2.f, and 3.e (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action C.2) is allowed. Required Action C.1 is also not applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 3 and considered acceptable for the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in.both subsystems (e.g., both CS

subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition G must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

SUSQUEHANNA- UNIT 1 3.3-122

Rev.6 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)

Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions D.2.1 and D.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of HPCI initiation capability. A Note identifies that Required Action D.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed. This allows the HPCI pump suction to be realigned to the Suppression Pool within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , if desired.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1 or the suction source must be aligned to the suppression pool within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months per Required Action D.2.2. Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either of these two Required Actions will allow operation to continue. If it is not desired to perform Required Actions D.2.1.and D.2.2, Condition G must be entered and its Required Action taken .

SUSQUEHANNA- UNIT 1 3.3-123

Rev. 6 ECCS Instrumentation

BASES ACTIONS (continued)

E.1 and E.2 B 3.3.5.1 Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one Fu.nction 4.a channel and one Function 5.a channel are inoperable and untripped, (b) one Function 4.b channel and one Function 5.b channel are inoperable and untripped, or (c) one Function 4.d channel and one Function 5.d channel are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action E.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or the Risk Informed Completion Time, the new Completion Time (i.e., 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or the Risk Informed Completion Time) begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days or the Risk Informed Completion Time. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days or the Risk Informed Completion Time, the "time zero" for beginning the new Completion Time (i.e., 8 days or the Risk Informed Completion Time)

SUSQUEHANNA- UNIT 1 3.3-124

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2 (continued)

(continued) begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action E.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation),

Condition G must be entered and its Required Action taken.

F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS.

Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (b) a combination of Function 4.e, 4.f, 5.e, and 5.f channels are inoperable such that both ADS

- trip systems lose initiation capability, or (c) one or more Function 4.g channels and one or more Function 5.g channels are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action F.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability. The Note to Required Action F.1 states that Required Action F.1 is only applicable for Functions 4.c, 4.e, 4.f, 4.g, 5.c, 5.e, 5.f, and 5.g. Required Action F.1 is not applicable to Functions 4.h and 5.h (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 days (as allowed by Required Action F.2) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels .

SUSQUEHANNA- UNIT 1 3.3-125

Rev.6 ECCS Instrumentation

BASES ACTIONS (continued)

F.1 and F.2 (continued)

B 3.3.5.1 Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action F.2). Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If either HPCI or RCIC is inoperable, the time shortens to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or in accordance with the Risk informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or the Risk Informed Completion Time, the new Completion Time (i.e., 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or the Risk Informed Completion Time) begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days or the Risk Informed Completion Time. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days or the Risk Informed Completion Time, the "time zero" for beginning the new Completion Time (i.e., 8 days or the Risk Informed Completion Time) begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition G must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

G.1 With any Required Action and associated Completion Time not met, the associated supported feature(s) may be incapable of performing the intended function, and those associated with inoperable untripped channels must be declared inoperable immediately .

SUSQUEHANNA-UNIT 1 3.3-126

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months as follows: (a) for Function 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

In addition, for Functions 1.a, 1.b, 1.c, 2.a and 2.b, the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance is acceptable provided both offsite sources are OPERABLE.

SR 3.3.5.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected channel failure is limited; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO .

SUSQUEHANNA- UNIT 1 3.3-127

Rev. 6 ECCS Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.5.1.2 B 3.3.5.1 (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 5) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.5.1.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.3 and SR 3.3.5.1 .4 A CHANNEL CALIBRATION is a complete check that verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function. The LOGIC SYSTEM FUNCTIONAL TEST tests the operation of the initiation logic up to but not including the first contact which is unique to an individually supported feature such as the starting of a DG .

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA- UNIT 1 3.3-128

Rev.6 ECCS Instrumentation

BASES REFERENCES 1. FSAR, Section 6.3.

B 3.3.5.1

2. FSAR, Chapter 15.

3. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2,"

December 1988.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193).

5. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA- UNIT 1 3.3-129

Rev. 6 ECCS Instrumentation B 3.3.5.1 BASES THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA- UNIT 1 3.3-130

Rev. 6 ECCS Instrumentation 8 3.3.5.1 1 .

BASES THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA- UNIT 1 3.3-131

Rev. 1 RCIC System Instrumentation

B 3.3 INSTRUMENTATION B 3.3.5.3 Reactor Core Isolation Cooling (RCIC) System Instrumentation B 3.3.5.3 BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is unavailable, such that initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur. A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System."

The RCIC System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of reactor vessel Low Low water level. The variable is monitored by four instruments. The outputs of the trip units are arranged in a one-out-of-two taken twice logic arrangement.

Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared .

The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow and maintain primary containment isolated in the event RCIC is not operating.

The RCIC System also monitors the water levels in the condensate storage tank (CST) which is the normal suction source of reactor grade water for RCIC. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from the suppression pool valve is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valve to open and the CST suction valve to close.

The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam supply and cooling water supply valves close (the injection valve also closes due to the closure of the steam supply valves). The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2) .

SUSQUEHANNA - UNIT 1 3.3-140

Rev. 1 RCIC System Instrumentation

BASES APPLICABLE SAFETY B 3.3.5.3 The function of the RCIC System to provide makeup coolant to the reactor is used to respond to transient events. The RCIC System is not an ANALYSES, Engineered Safety Feature System and no credit is taken in the safety LCO, and analyses for RCIC System operation. Based on its contribution to the APPLICABILITY reduction of overall plant risk, however, the system, and therefore its instrumentation, are included in the Technical Specifications as required by the NRC Policy Statement (Ref. 2). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.3-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology.

An exception to the methodology described to derive the Allowable Value is the methodology used to determine the Allowable Value for the Condensate Storage Tank Low Level. This Allowable Value is based on a system calculation and engineering judgement which establishes a conservative limit at which the Function should occur.

The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System).

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis .

SUSQUEHANNA - UNIT 1 3.3-141

Rev. 1 RCIC System Instrumentation

BASES APPLICABLE SAFETY

1. Reactor Vessel Water Level - Low Low, Level 2 B 3.3.5.3 ANALYSES, Low reactor pressure vessel (RPV) water level indicates that normal LCO, and feedwater flow is insufficient to maintain reactor vessel water level and that APPLICABILITY the capability to cool the fuel may be threatened. Should RPV water level (continued) decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel.

Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1.

Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

2. Reactor Vessel Water Level - High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply and cooling water supply valves to prevent overflow into the main steam lines (MSLs). (The injection valve also closes due to the*closure of the steam supply valve).

Reactor Vessel Water Level - High, Level 8 signals for RCIC are initiated from two level instruments, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level - High, Level 8 Allowable Value is high enough to preclude isolating the injection valve of the RCIC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.

Two channels of Reactor Vessel Water Level - High, Level 8 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

SUSQUEHANNA - UNIT 1 3.3-142

Rev. 1 RCIC System Instrumentation

BASES APPLICABLE SAFETY

3. Condensate Storage Tank Level- Low B 3.3.5.3 ANALYSES, The Condensate Storage Tank-Low signal indicates that a conservatively LCO, and calculated NPSH-available limit is being approached. Normally, the suction APPLICABILITY valve between the RCIC pump and the CST is open and, upon receiving a (continued) RCIC initiation signal, water for RCIC injection would be taken from the CST. However, if the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. This ensures that an adequate suction head for the pump and an uninterrupted supply of makeup water is available to the RCIC pump. This logic also has a manual override function initiated by manual closure of the suppression pool suction valve should it be desired to realign the suction to the remaining reserve volume in the CST. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes.

Two level switches are used to detect low water level in the CST. The Condensate Storage Tank Level- Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of Condensate Storage Tank Level- Low Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases.

4. Manual Initiation The Manual Initiation push button switch introduces a signal into the RCIC System initiation logic that is redundant to the automatic protective instrumentation and provides manual initiation capability. There is one push button for the RCIC System resulting in a single channel trip Function.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the RCIC function as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button.

One channel of Manual Initiation is required to be OPERABLE when RCIC is required to be OPERABLE.

SUSQUEHANNA - UNIT 1 3.3-143

Rev. 1 RCIC System Instrumentation

BASES ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that B 3.3.5.3 once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.3-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition .

8.1 and 8.2 Required Action 8.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped. In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action 8.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of RCIC initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action 8.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two inoperable, untripped Reactor Vessel Water Level - Low Low, Level 2 channels in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels .

SUSQUEHANNA - UNIT 1 3.3-144

Rev. 1 RCIC System Instrumentation

BASES ACTIONS (continued) 8.1 and 8.2 (continued)

B 3.3.5.3 Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action 8.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

C.1

A risk based analysis was performed and determined that an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1 ). A Required Action (similar to Required Action 8.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required. This Condition applies to the Reactor Vessel Water Level - High, Level 8 Function whose logic is arranged such that any inoperable channel will result in a loss of automatic RCIC trip protection capability. As stated above, this loss of automatic RCIC trip protection capability was analyzed and determined to be acceptable. This Condition also applies to the Manual Initiation Function. Since this Function is not assumed in any accident or transient analysis, a total loss of manual initiation capability (Required Action C.1) for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed. The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic initiation capability is lost if two Function 3 channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared SUSQUEHANNA - UNIT 1 3.3-145

Rev. 1 RCIC System Instrumentation

BASES ACTIONS (continued)

D.1, D.2.1, and D.2.2 (continued)

B 3.3.5.3 inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months from discovery of loss of RCIC initiation capability.

A note identifies that required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed. This allows the RCIC pump suction to be realigned to the suppression pool within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , if desired.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs the intended function of the channel (shifting the suction source to the suppression pool). Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , which also performs the intended function. If it is not desired to perform Required Actions D.2.1 and D.2.2, Condition E must be entered and its Required Action taken.

E.1 With any Required Action and associated Completion Time not met, the RCIC System may be incapable _of performing the intended function, and the RCIC System must be declared inoperable immediately.

SUSQUEHANNA - UNIT 1 3.3-146

Rev. 1 RCIC System Instrumentation

BASES SURVEILLANCE REQUIREMENTS As noted in the beginning of the SRs, the SRs for each RCIC System instrumentation Function are found in the SRs column of Table 3.3.5.3-1.

B 3.3.5.3 The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Function 2 and 4; and (b) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Functions other than Function 2 and 4, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary.

SR 3.3.5.3.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO .

SUSQUEHANNA - UNIT 1 3.3-147

Rev. 1 RCIC System Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.5.3.2 B 3.3.5.3 (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 3) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.5.3.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

SR 3.3.5.3.3 and SR 3.3.5.3.4 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.3.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.3-148

Rev. 1 RCIC System Instrumentation

BASES REFERENCES 1.

B 3.3.5.3 NEDE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193).

3. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA - UNIT 1 3.3-149

Rev. 10 Primary Containment Isolation Instrumentation

B 3.3 INSTRUMENTATION B 3.3.6.1 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a OBA The isolation instrumentation includes the sensors, relays, and instruments that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. When the setpoint is reached, the sensor actuates, which then outputs an isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a) reactor vessel water level, (b) area ambient and emergency cooler temperatures, (c) main steam line (MSL) flow measurement, (d) Standby Liquid Control (SLC) System initiation, (e) condenser vacuum, (f) main steam line pressure, (g) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line Ll pressure, (h) SGTS Exhaust radiation, (i) HPCI and RCIC steam line pressure, U) HPCI and RCIC turbine exhaust diaphragm pressure, (k) reactor water cleanup (RWCU) differential flow and high flow, (I) reactor steam dome pressure, and (m) drywell pressure. Redundant sensor input signals from each parameter are provided for initiation of isolation. The only exception is SLC System initiation. In addition, manual isolation of the logics is provided.

Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.

1. Main Steam Line Isolation Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of all main steam isolation valves (MSIVs). The outputs from the same channels are arranged into two two-out-of-two logic trip systems to isolate all MSL drain valves. The MSL drain line has two isolation valves with one two-out-of-two logic system associated with each valve:

SUSQUEHANNA - UNIT 1 3.3-150

Rev. 10 Primary Containment Isolation Instrumentation

BASES BACKGROUND (continued)

1. Main Steam Line Isolation (continued)

B 3.3.6.1 The exceptions to this arrangement are the Main Steam Line Flow - High Function. The Main Steam Line Flow - High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic.

This is effectively a one-out-of-eight taken twice logic arrangement to initiate isolation of the MS IVs. Similarly, the 16 flow channels are connected into two two-out-of-two logic trip systems (effectively, two one-out-of-four twice logic), with each trip system isolating one of the two*

MSL drain valves.

2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged into two two-out-of-two logic trip systems. One trip system initiates isolation of all inboard primary containment isolation valves, while the other trip system initiates isolation of all outboard primary containment isolation valves.

Each logic closes one of the two valves on each penetration, so that operation of either logic isolates the penetration.

The exceptions to this arrangement are as follows. Hydrogen and Oxygen Analyzers which isolate Division I Analyzer on a Division I isolation signal, and Division II Analyzer on a Division II isolation signal. This is to ensure monitoring capability is not lost. Instrument gas supply penetrations only have one automatic isolation valve and receive an isolation signal from only one division. Several Core Spray and RHR system penetrations are provided with a single automatic PCIV and receive a signal from only one division. The redundant isolation barrier for these PC IVs is provided by the closed system. The SGTS Exhaust Radiation - High function uses two channels, with a single channel for each trip system.

3., 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation Most Functions that isolate HPCI and RCIC receive input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems in each isolation group is connected to one of the two valves on each associated penetration.

The exceptions are the HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High and Steam Supply Line Pressure - Low Functions. These Functions receive inputs from four turbine exhaust diaphragm pressure and SUSQUEHANNA- UNIT 1 3.3-151

Rev. 10 Primary Containment Isolation Instrumentation

BASES BACKGROUND (continued)

B 3.3.6.1 3 .* 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation (continued) four steam supply pressure channels for each system. The outputs from the turbine exhaust diaphragm pressure and steam supply pressure channels are each connected to two two-out-of-two trip systems. Each trip system isolates one valve per associated penetration.

5. Reactor Water Cleanup System Isolation The Reactor Vessel Water Level - Low Low, Level 2 Isolation Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into two two-out-of-two trip systems. The Differential Flow - High, Flow - High, and SLC System Initiation Functions receive input from two channels, with each channel in one trip system using a one-out-of-one logic. The temperature isolations are divided into three Functions. These Functions are Pump Area, Penetration Area, and Heat Exchanger Area. Each area is monitored by two temperature monitors, one for each trip system. These are configured so that any one input will trip the associated trip system. Each

of the two trip systems is connected to one of the two valves on each RWCU penetration.

6. Shutdown Cooling System Isolation The Reactor Vessel Water Level - Low, Level 3 Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected to two two-out-of-two trip systems. The Reactor Vessel Pressure - High Function receives input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems is connected to one of the two valves on each shutdown cooling penetration.

7. Traversing lncore Probe System Isolation The Reactor Vessel Water Level - Low, Level 3 Isolation Function receives input from two reactor vessel water level channels. The Drywell Pressure -

High Isolation Function receives input from two drywell pressure channels.

The outputs from the reactor vessel water level channels and drywell pressure channels are connected into one two-out-of-two logic trip system.

When either Isolation Function actuates, the TIP drive mechanisms will withdraw the TIPs, if inserted, and close the inboard TIP System isolation ball valves when the proximity probe senses the TIPs are withdrawn into the shield. The TIP System isolation ball valves are only open when the TIP System is in use. The outboard TIP System isolation valves are manual shear valves.

SUSQUEHANNA- UNIT 1 3.3-152

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE The isolation signals generated by the primary containment isolation SAFETY instrumentation are implicitly assumed in the safety analyses of ANALYSES, References 1 and 2 to initiate closure of valves to limit offsite doses. Refer LCO, and to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs)," Applicable APPLICABILITY Safety Analyses Bases for more detail of the safety analyses.

Primary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 8) Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the primary containment instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each channel must also respond within its assumed response time, where appropriate .

Allowable Values are specified for each Primary Containment Isolation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment." Functions that have different Applicabilities are discussed below in the individual Functions discussion.

SUSQUEHANNA - UNIT 1 3.3-153

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

B 3.3.6.1 ANALYSES, LCO, and The penetrations which are isolated by the below listed functions can be APPLICABILITY determined by referring to the PCIV Table found in the Bases of (continued) LCO 3.6.1.3, "Primary Containment Isolation Valves."

Main Steam Line Isolation 1.a. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of the MSIVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level - Low Low Low, Level 1 Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level -

Low Low Low, Level 1 Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MS Ls

on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a OBA.

Reactor vessel water level signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -

Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite and control room doses from exceeding regulatory limits.

1.b. Main Steam Line Pressure - Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure - Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 2).

For this event, the closure of the MS IVs ensures that the RPV temperature change limit (100°F/hr) is not reached. In addition, this Function supports SUSQUEHANNA - UNIT 1 3.3-154

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY 1.b. Main Steam Line Pressure - Low (continued)

B 3.3.6.1 ANALYSES, actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function LCO, and closes the MSIVs prior to pressure decreasing below 785 psig, which APPLICABILITY results in a scram due to MSIV closure, thus reducing reactor power to (continued) < 23% RTP.)

The MSL low pressure signals are initiated from four instruments that are connected to the MSL header. The instruments are arranged such that, even though physically separated from each other, each instrument is able to detect low MSL pressure. Four channels of Main Steam Line Pressure -

Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Main Steam Line Pressure - Low trip will only occur after a 500 milli-second time delay to prevent any spurious isolations.

The Allowable Value was selected to be high enough to prevent excessive RPV depressurization. The Main Steam Line Pressure - Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 2) .

1.c. Main Steam Line Flow - High Main Steam Line Flow - High is provided to detect a break of the MSL and to initiate closure of the MSIVs. If the steam were allowed to continue flowing out of the break, the reactor would depressurize and the core could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow - High Function is directly assumed in the analysis of the main steam line break (MSLB)

(Ref. 1). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite and control room doses do not exceed regulatory limits.

The MSL flow signals are initiated from 16 instruments that are connected to the four MS Ls. The instruments. are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Steam Line Flow -

High Function for each unisolated MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.

SUSQUEHANNA - UNIT 1 3.3-155

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.d. Condenser Vacuum - Low SAFETY ANALYSES, The Allowable Value is chosen to ensure that offsite dose limits are not LCO, and exceeded due to the break.

APPLICABILITY (continued) The Condenser Vacuum - Low Function is provided to prevent overpressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum - Low Function is assumed to be OPERABLE and capable of initiating closure of the MS IVs.

The closure of the MS IVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhaust hood, thereby preventing a potential radiation leakage path following an accident.

Condenser vacuum pressure signals are derived from four pressure instruments that sense the pressure in the condenser. Four channels of Condenser Vacuum - Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis. As noted (footnote (a) to Table 3.3.6.1-1), the channels are not required to be OPERABLE in MODES 2 and 3 when all main turbine stop valves (TSVs) are closed, since the potential for condenser overpressurization is minimized. Switches are provided to manually bypass the channels when all TSVs are closed.

1.e. Reactor Building Main Steam Tunnel Temperature - High Reactor Building Main Steam Tunnel temperature is provided to detect a leak in the RCPB and provides diversity to the high flow instrumentation.

The isolation occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached.

However, credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks, such as MSLBs.

Area temperature signals are initiated from thermocouples located in the area being monitored. Four channels of Reactor Building Main Steam Tunnel Temperature - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function .

SUSQUEHANNA- UNIT 1 3.3-156

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY 1.e. Reactor Building Main Steam Tunnel Temperature - High (continued)

B 3.3.6.1 ANALYSES, The reactor building main steam tunnel temperature trip will only occur after LCO, and a one second time delay.

APPLICABILITY (continued) The temperature monitoring Allowable Value is chosen to detect a leak equivalent to approximately 25 gpm of water.

1.f. Manual Initiation The Manual Initiation push button channels introduce signals into the MSL isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are four push buttons for the logic, two manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the

push buttons .

Two channels of Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the MSL isolation automatic Functions are required to be OPERABLE.

Primary Containment Isolation 2.a. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level - Low, Level 3 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

SUSQUEHANNA - UNIT 1 3.3-157

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.a. Reactor Vessel Water Level - Low, Level 3 (continued)

SAFETY ANALYSES, The Reactor Vessel Water Level - Low, Level 3 Allowable Value was LCO, and chosen to be the same as the RPS Level 3 scram Allowable Value APPLICABILITY (LCO 3.3.1.1 ), since isolation of these valves is not critical to orderly plant (continued) shutdown.

2.b. Reactor Vessel Water Level - Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 2 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from level instruments that sense the difference between the pressure due to a

constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Level 2 Allowable Value (LCO 3.3.5.1 ), since this may be indicative of a LOCA.

2.c. Reactor Vessel Water Level - Low Low Low, Level 1 Low reactor pressure vessel (RPV) water level indicates that the capability

to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 1 supports actions to ensure the offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level - Low Low Low, Level 1 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

SUSQUEHANNA - UNIT 1 3.3-158

Rev. 10 Primary Containment Isolation Instrumentation

- BASES APPLICABLE SAFETY 2.c. Reactor Vessel Water Level - Low Low Low, Level 1 (continued)

B 3.3.6.1 ANALYSES, Reactor vessel water level signals are initiated from four level instruments LCO, and that sense the difference between the pressure due to a constant column APPLICABILITY of water (reference leg) and the pressure due to the actual water level (continued) (variable leg) in the vessel. Four channels of Reactor Vessel Water Level -

Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the associated penetrations isolate on a potential loss of coolant accident (LOCA) to prevent offsite and control room doses from exceeding regulatory limits.

2.d. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywell. Four channels of Drywell Pressure -

High per Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure- High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment.

2.e. SGTS Exhaust Radiation - High High SGTS Exhaust radiation indicates possible gross failure of the fuel cladding. Therefore, when SGTS Exhaust Radiation High is detected, an isolation is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the FSAR because other leakage paths (e.g., MSIVs) are more limiting .

SUSQUEHANNA - UNIT 1 3.3-159

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY 2.e. SGTS Exhaust Radiation - High (continued)

B 3.3.6.1 ANALYSES, The SGTS Exhaust radiation signals are initiated from radiation detectors LCO, and that are located in the SGTS Exhaust. Two channels of SGTS Exhaust APPLICABILITY Radiation - High Function are available and are required to be OPERABLE (continued) to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is low enough to promptly detect gross failures in ttie fuel cladding.

2.f. Manual Initiation T~e Manual Initiation push button channels introduce signals into the primary containment isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the Primary Containment Isolation automatic Functions are required to be OPERABLE.

High Pressure Coolant Injection and Reactor Core Isolation Cooling Systems Isolation 3.a., 4.a. HPCI and RCIC Steam Line~ Pressure - High Steam Line ~ Pressure High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. However, these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding.

SUSQUEHANNA - UNIT 1 3.3-160

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.a., 4.a. HPCI and RCIC Steam Line~ Pressure - High (continued)

SAFETY ANALYSES, The HPCI and RCIC Steam Line~ Pressure - High signals are initiated LCO, and from instruments (two for HPCI and two for RCIC) that are connected to the APPLICABILITY system steam lines. Two channels of both HPCI and RCIC Steam Line ~

(continued) pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The steam line ~ Pressure - High will only occur after a 3 second time delay to prevent any spurious isolations.

The Allowable Values are chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event, and high enough to be above the maximum transient steam flow during system startup.

3.b., 4.b. HPCI and RCIC Steam Supply Line Pressure - Low Low MSL pressure indicates that the pressure of the steam in the HPCI or RCIC turbine may be too low to continue operation of the associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. However, they also provide a diverse signal to indicate a possible system break. These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 3). -

The HPCI and RCIC Steam Supply Line Pressure - Low signals are initiated from instruments (four for HPCI and four for RCIC) that are connected to the system steam line. Four channels of both HPCI and RCIC Steam Supply Line Pressure - Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are selected to be high enough to prevent damage to the system's turbine.

3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High High turbine exhaust diaphragm pressure indicates that a release of steam into the associated compartment is possible. That is, one of two exhaust diaphragms has ruptured. These isolations are to prevent steam from entering the associated compartment and are not assumed in any transient or accident analysis in the FSAR. These instruments are included in the TS because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 3).

SUSQUEHANNA - UNIT 1 3.3-161

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY 3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High (continued)

B 3.3.6.1 ANALYSES, LCO, and The HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High signals APPLICABILITY are initiated from instruments (four for HPCI and four for RCIC) that are (continued) connected to the area between the rupture diaphragms on each system's turbine exhaust line. Four channels of both HPCI and RCIC Turbine Exhaust Diaphragm Pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values is low enough to identify a high turbine exhaust pressure condition resulting from a diaphragm rupture, or a leak in the diaphragm adjacent to the exhaust line and high enough to prevent inadvertent system isolation.

3.d., 4.d. Drywell Pressure- High High drywell pressure can indicate a break in the RCPB. The HPCI and RCIC isolation of the turbine exhaust vacuum breaker line is provided to

prevent communication with the wetwell when high drywell pressure exists .

A potential leakage path exists via the turbine exhaust. The isolation is delayed until the system becomes unavailable for injection (i.e., low steam supply line pressure). The isolation of the HPCI and RCIC turbine exhaust vacuum breaker line by Drywell Pressure - High is indirectly assumed in the FSAR accident analysis because the turbine exhaust vacuum breaker line leakage path is not assumed to contribute to offsite doses and is provided for long term containment isolation.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywell. Four channels of both HPCI and RCIC Drywell Pressure - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the EGGS Drywell Pressure - High Allowable Value (LCO 3.3.5.1 ), since this is indicative of a LOCA inside primary containment.

SUSQUEHANNA- UNIT 1 3.3-162

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.e., 3.f., 3.g., 4.e,, 4.f., 4.g. HPCI and RCIC Area and Emergency Cooler SAFETY Temperature- High

ANALYSES, LCO, and HPCI and RCIC Area and Emergency Cooler temperatures are provided to APPLICABILITY detect a leak from the associated system steam piping. The isolation (continued) occurs when a small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area and Emergency Cooler Temperature- High signals are initiated from thermocouples that are appropriately located to protect the system that is being monitored. Two instruments monitor each area. Two channels for each HPCI and RCIC Area and Emergency Cooler Temperature- High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The HPCI and RCIC Pipe Routing area temperature trips will only occur after a 15 minute time delay to prevent any spurious temperature isolations due to short temperature increases and allows operators sufficient time to determine which system is leaking. The other ambient temperature trips will only occur after a one second time delay to prevent any spurious temperature isolations.

The Allowable Values are set low enough to detect a leak equivalent to 25 gpm, and high enough to avoid trips at expected operating temperature.

3.h., 4.h. Manual Initiation The Manual Initiation push button channels introduce signals into the HPCI and RCIC systems' isolation logics that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for these Functions.

They are retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis There is one manual initiation push button for each of the HPCI and RCIC systems. One isolation pushbutton per system will introduce an isolation to one of the two trip systems. There is no Allowable Value for these Functions, since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of both HPCI and RCIC Manual Initiation Functions are available and are required to be OPERABLE in MODES 1, 2, and 3 since these are the MODES in which the HPCI and RCIC systems' Isolation automatic Functions are required to be OPERABLE.

SUSQUEHANNA- UNIT 1 3.3-163

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY Reactor Water Cleanup System Isolation B 3.3.6.1 ANALYSES, 5.a. RWCU Differential Flow - High LCO, and APPLICABILITY The high differential flow signal is provided to detect a break in the RWCU (continued) System. This will detect leaks in the RWCU System when area temperature would not provide detection (i.e., a cold leg break). Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation of the RWCU System is initiated when high differential flow is sensed to prevent exceeding offsite doses. A 45 second time delay is provided to prevent spurious trips during most RWCU operational transients. This Function is not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.

The high differential flow signals are initiated from instruments that are connected to the inlet (from the recirculation suction) and outlets (to condenser and feedwater) of the RWCU System. Two channels of Differential Flow - High Function are available and are required to be OPERABLE to ensure that no single instrument failure downstream of the

common summer can preclude the isolation function .

The Differential Flow - High Allowable Value ensures that a break of the RWCU piping is detected.

5.b., 5.c., 5.d. RWCU Area Temperatures - High RWCU area temperatures are provided to detect a leak from the RWCU System. The isolation occurs even when small leaks have occurred and is diverse to the high differential flow instrumentation for the hot portions of the RWCU System. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area temperature signals are initiated from temperature elements that are located in the area that is being monitored. Six thermocouples provide input to the Area Temperature - High Function (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The area temperature trip will only occur after a one second time to prevent any spurious temperature isolations.

The Area Temperature - High Allowable Values are set low enough to detect a leak equivalent to 25 gpm.

SUSQUEHANNA - UNIT 1 3.3-164

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.e. SLC System Initiation SAFETY ANALYSES, The isolation of the RWCU System is required when the SLC System has LCO, and been initiated to prevent dilution and removal of the boron solution by the APPLICABILITY RWCU System (Ref. 4). SLC System initiation signals are initiated from (continued) the two SLC pump start signals.

There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.

Two channels (one from each pump) of the SLC System Initiation Function are available and are required to be OPERABLE only in MODES 1, 2, and 3 which is consistent with the Applicability for the SLC System (LCO 3.1.7).

As noted (footnote (b) to Table 3.3.6.1-1), this Function is only required to close the outboard RWCU isolation valve trip systems.

5.f. Reactor Vessel Water Level - Low Low, Level 2

Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 2 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with RWCU isolation is not directly assumed in the FSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level - Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened .

SUSQUEHANNA - UNIT 1 3.3-165

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY 5.g. RWCU Flow - High B 3.3.6.1 ANALYSES, RWCU Flow - High Function is provided to detect a break of the RWCU LCO, and System. Should the reactor coolant continue to flow out of the break, APPLICABILITY offsite dose limits may be exceeded. Therefore, isolation is initiated on (continued) high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for this Function is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks.

The RWCU Flow - High signals are initiated from two instruments. Two channels of RWCU Flow - High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The RWCU flow trip will only occur after a 5 second time delay to prevent spurious trips.

The Allowable Value is chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event.

5.h. Manual Initiation The Manual Initiation push button channels introduce signals into the RWCU System isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3 since these are the MODES in which the RWCU System Isolation automatic Functions are required to be OPERABLE.

SUSQUEHANNA - UNIT 1 3.3-166

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY Shutdown Cooling System Isolation B 3.3.6.1 ANALYSES, 6.a. Reactor Steam Dome Pressure - High LCO, and APPLICABILITY The Reactor Steam Dome Pressure - High Function is provided to isolate (continued) the shutdown cooling portion of the Residual Heat Removal (RHR) System.

This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the FSAR.

The Reactor Steam Dome Pressure - High signals are initiated from two instruments. Two channels of Reactor Steam Dome Pressure - High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized with the exception of Special Operations LCO 3.10.1; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from over pressurization.

6.b. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some reactor vessel interfaces occurs to begin isolating the potential sources of a break. The Reactor Vessel Water Level - Low, Level 3 Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling System is bounded by breaks of the recirculation and MSL.

The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function .

SUSQUEHANNA- UNIT 1 3.3-167

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.b. Reactor Vessel Water Level- Low, Level 3 (continued)

SAFETY ANALYSES, The Reactor Vessel Water Level - Low, Level 3 Allowable Value was LCO, and chosen to be the same as the RPS Reactor Vessel Water Level - Low, APPLICABILITY Level 3 Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel (continued) may be threatened.

The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE in MODE 3 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel.

In MODES 1 and 2, another isolation (i.e., Reactor Steam Dome Pressure

- High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.

6.c. Manual Initiation The Manual Initiation push button channels introduce signals to RHR Shutdown Cooling System isolation logic that is redundant to the automatic protective instrumentation and provide manual isolation capability. There is

no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of the Manual Initiation Function are available and are required to be OPERABLE in MODE 3.

Traversing lncore Probe System Isolation 7.a. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level - Low, Level 3 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

SUSQUEHANNA - UNIT 1 3.3-168

Rev. 10 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY 7.a. Reactor Vessel Water Level - Low, Level 3 (continued)

B 3.3.6.1 ANALYSES, Reactor Vessel Water Level - Low, Level 3 signals are initiated from level LCO, and transmitters that sense the difference between the pressure due to a APPLICABILITY constant column of water (reference leg) and the pressure due to the actual (continued) water level (variable leg) in the vessel. Two channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent isolation actuation. The isolation function is ensured by the manual shear valve in each penetration.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1 ), since isolation of these valves is not critical to orderly plant shutdown.

7.b. Drywell Pressure - High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation

valves on high drywell pressure supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Two channels of Drywell Pressure-High per Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent actuation. The isolation function is ensured by the manual shear valve in each penetration.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment. *

SUSQUEHANNA- UNIT 1 3.3-169

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS The ACTIONS are modified by two Notes. Note 1 allows penetration flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated. Note 2 has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

A.1

Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Functions 2.a, 2.d, 6.b, 7.a, and 7.b and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Functions other than Functions 2.a, 2.d, 6.b, 7.a, and 7.b has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. Because Function 6.b, "Reactor Vessel Water Level, Low - Level 3," and Function 6.c, "Manual Initiation," are only applicable in MODE 3, the Risk Informed Completion Time Program may not be entered for inoperable channel(s) of Function 6.b or Function 6.c.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A 1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would

- result in an isolation), Condition C must be entered and its Required Action taken.

SUSQUEHANNA- UNIT 1 3.3-170

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS B.1 and B.2 (continued)

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic isolation capability being lost for the associated penetration flow path(s). The MSL Isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that both trip systems will generate a trip signal from the given Function on a valid signal. The other isolation functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two PCIVs in the associated penetration flow path -

can receive an isolation signal from the given Function. For Functions 1.a, 1.b, 1.d, and 1.e, this would require both trip systems to have one channel OPERABLE or in trip. For Function 1.c, this would require both trip systems to have one channel, associated with each MSL, OPERABLE or in trip. Therefore, this would require both trip systems to have one channel per location OPERABLE or in trip. For Functions 2.a, 2.b, 2.c, 2.d, 3.b, 3.c, 3.d, 4.b, 4.c, 4.d, 5.f, and 6.b, this would require one trip system to have two channels, each OPERABLE or in trip. For Functions 2.e, 3.a, 3.e, 3.f, 3.g, 4.a, 4.e, 4.f, 4.g, 5.a, 5.b, 5.c, 5.d, 5.e, 5.g, and 6.a, this would require one trip system to have one channel OPERABLE or in trip. The Condition does not include the Manual Initiation Functions (Functions 1.f, 2.f, 3.h, 4.h, 5.h, and 6.c), since they are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action A.1) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

_ C.1 Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition .

SUSQUEHANNA - UNIT 1 3.3-171

Rev. 10 Primary Containment Isolation Instrumentation

BASES ACTIONS (continued)

D.1, D.2.1, and D.2.2 B 3.3.6.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action D.1), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel. The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

E1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels.

If it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition H must be entered and its Required Actions taken.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s) .

SUSQUEHANNA - UNIT 1 3.3-172

Rev. 10 Primary Containment Isolation Instrumentation

BASES ACTIONS (continued)

G.1 B 3.3.6.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is acceptable due to the fact that these Functions are either not assumed in any accident or transient analysis in the FSAR (Manual Initiation) or, in the case of the TIP System isolation, the TIP System penetration is a small bore (0.280 inch), its isolation in a design basis event (with loss of offsite power) would be via the manually operated shear valves, and the ability to manually isolate by either the normal isolation valve or the shear valve is unaffected by the inoperable instrumentation. It should be noted, however, that the TIP System is powered from an auxiliary instrumentation bus which has an uninterruptible power supply and hence, the TIP drive mechanisms and ball valve control will still function in the event of a loss of offsite power. Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram),

Condition H must be entered and its Required Actions taken .

H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or any Required Action of Condition F or G is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

1.1 and 1.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated SLC subsystem(s) is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystems inoperable or isolating the RWCU System.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System .

SUSQUEHANNA - UNIT 1 3.3-173

Rev. 10 Primary Containment Isolation Instrumentation

BASES ACTIONS (continued)

Jj_

B 3.3.6.1 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status. Actions must continue until the channel is restored to OPERABLE status.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Primary REQUIREMENTS Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the

6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary.

SR 3.3.6.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

- SUSQUEHANNA - UNIT 1 3.3-174

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.1 (continued)

REQUIREMENTS (continued) Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.6.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency

Control Program .

This SR is modified by two Notes. Note 1 provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relays which input into the combinational logic. (Reference 11) Performance of such a test could result in a plant transient or place the plant in an undo risk situation.

Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.6.1.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients .

SUSQUEHANNA- UNIT 1 3.3-175

Rev. 10 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.2 (continued)

REQUIREMENTS (continued) Note 2 provides a second specific exception to the definition of CHANNEL FUNCTIONAL TEST. For Functions 2.e, 3.a, and 4.a, certain channel relays are not included in the performance of the CHANNEL FUNCTIONAL TEST. These exceptions are necessary because the circuit design does not facilitate functional testing of the entire channel through to the coil of the relay which enters the combinational logic. (Reference 11) Specifically, testing of all required relays would require rendering the affected system (i.e., HPCI or RCIC) inoperable, or require lifting of leads and inserting test equipment which could lead to unplanned transients. Therefore, for these circuits, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the actuation of circuit devices up to the point where further testing could result in an unplanned transient. (References 10 and 12)

The required relays not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.6.1.5.

This exception is acceptable because operating experience shows that the devices not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients .

- SR 3.3.6.1.3 and SR 3.3.6.1.4 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA - UNIT 1 3.3-176

Rev. 10 Primary Containment Isolation Instrumentation

BASES SURVEILLANCE REQUIREMENTS SR 3.3.6.1.6 B 3.3.6.1 (continued) This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. Testing is performed only on channels where the guidance given in Reference 9 could not be met, which identified that degradation of response time can usually be detected by other surveillance tests.

As stated in Note 1, the response time of the sensors for Function 1.b is excluded from ISOLATION SYSTEM RESPONSE TIME testing. Because the vendor does not provide a design instrument response time, a penalty value to account for the sensor response time is included in determining total channel response time. The penalty value is based on the historical performance of the sensor. (Reference 13) This allowance is supported by Reference 9 which determined that significant degradation of the sensor channel response time can be detected during performance of other Technical Specification SRs and that the sensor response time is a small part of the overall lSOLATION RESPONSE TIME testing.

Function 1.a and 1.c channel sensors and logic components are excluded

from response time testing in accordance with the provisions of References 14 and 15.

As stated in Note 2, response time testing of isolating relays is not required for Function 5.a. This allowance is supported by Reference 9. These relays isolate their respective isolation valve after a nominal 45 second time delay in the circuitry. No penalty value is included in the response time calculation of this function. This is due to the historical response time testing results of relays of the same manufacturer and model number being less than 100 milliseconds, which is well within the expected accuracy of the 45 second time delay relay.

ISOLATION SYSTEM RESPONSE TIME acceptance criteria are included in Reference 7. This test may be performed in one measurement, or in overlapping segments, with verification that all components are tested.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.3-177

Rev. 10 Primary Containment Isolation Instrumentation

- BASES REFERENCES 1. FSAR, Section 6.3.

B 3.3.6.1

2. FSAR, Chapter 15.

3. NEDO-31466, "Technical Specification Screening Criteria Application and Risk Assessment," November 1987.

4. FSAR, Section 9.3.5.3.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

6. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

7. FSAR, Table 7.3-29.

8. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

9. NEDO-32291-A "System Analyses for Elimination of Selected Response Time Testing Requirements," October 1995.

10. PPL Letter to NRC, PLA-2618, Response to NRC INSPECTION

11.

12.

REPORTS 50-387/85-28 AND 50-388/85-23, dated April 22, 1986 .

NRC Inspection and Enforcement Manual, Part 9900:

Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

Susquehanna Steam Electric Station NRC REGION I COMBINED INSPECTION 50-387/90-20; 50-388/90-20, File R41-2, dated March 5, 1986.

13. NRC Safety Evaluation Report related to Amendment No. 171 for License No. NPF-14 and Amendment No. 144 for License No. NPF-22.

14. NEDO 32291-A, Supplement 1, "System Analyses for the Elimination of Selected Response Time Testing Requirements,"

October 1999.

15. NEDO 32291, Supplement 1, Addendum 2, "System Analyses for the Elimination of Selected Response Time Testing Requirements,"

September 5, 2003. *

SUSQUEHANNA - UNIT 1 3.3-178

Rev. 10 Primary Containment Isolation Instrumentation

- BASES B 3.3.6.1

THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.3-179

Rev. 10 Primary Containment Isolation Instrumentation

BASES B 3.3.6.1

- THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA- UNIT 1 3.3-180

Rev. 10 Primary Containment Isolation Instrumentation

- BASES B 3.3.6.1 i ***

THIS PAGE INTENTIONALLY LEFT BLANK

e SUSQUEHANNA - UNIT 1 3.3-181

Rev.6 LOP Instrumentation

- - B 3.3 INSTRUMENTATION B 3.3.8.1 B 3.3.8.1 Loss of Power (LOP) Instrumentation BASES BACKGROUND Successful operation of the required safety functions of the Emergency Core Cooling Systems (ECCS) is dependent upon the availability of adequate power sources for energizing the various components such as pump motors, motor operated valves, and the associated control components. The LOP instrumentation monitors the 4.16 kV emergency buses. Offsite power is the preferred source of power for the 4.16 kV emergency buses. If the monitors determine that insufficient power is available, the buses are disconnected from the offsite power sources and connected to the onsite diesel generator (DG) power sources.

Each 4.16 kV emergency bus has its own independent LOP instrumentation and associated trip logic. The voltage for each bus is monitored at three levels, which can be considered as three different undervoltage Functions: Loss of Voltage(< 20%), 4.16 kV Emergency Bus Undervoltage Degraded Voltage LOCA (< 93%), and 4.16 kV Emergency Bus Undervoltage Low Setting (Degraded Voltage)(< 65%). Each Function, with the exception of the Loss of Voltage relays is monitored by two undervoltage relays for each emergency bus, whose outputs are arranged in a two-out-of-two logic configuration. The Loss of Voltage Function is monitored by one undervoltage relay for each emergency bus, whose output is arranged in a one-out-of-one logic configuration. When voltage degrades below the setpoint, the channel output relay actuates, which then outputs a LOP trip signal to the trip logic.

APPLICABLE The LOP instrumentation is required for Engineered Safety Features to SAFETY function in any accident with a loss of offsite power. The Unit 1 LOP ANALYSES, instrumentation is required to be operable for Unit 2. Unit 2 T.S. 3.3.8.1 is LCO, and affected by this requirement. The required channels of LOP APPLICABILITY instrumentation ensure that the ECCS and other assumed systems powered from the DGs, provide plant protection in the event of any of the Reference 1 and 2 analyzed accidents in which a loss of offsite power is assumed. The initiation of the DGs on loss of offsite power, and subsequent initiation of the ECCS, ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Accident analyses credit the loading of the DG based on the loss of offsite power during a loss of coolant accident. The diesel starting and loading times have been included in the delay time associated with each safety system component requiring DG supplied power following a loss of offsite power.

SUSQUEHANNA - UNIT 1 3.3-205

Rev. 6 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE The LOP instrumentation satisfies Criterion 3 of the NRC Policy Statement.

SAFETY (Ref. 3)

ANALYSES, LCO, and The OPERABILITY of the LOP instrumentation is dependent upon the APPLICABILITY OPERABILITY of the individual instrumentation channel Functions (continued) specified in Table 3.3.8.1-1. Each Function must have a required number of OPERABLE channels per 4.16 kV emergency bus, with their setpoints within the specified Allowable Values. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

The Allowable Values are specified for each Function in the Table. Trip setpoints are specified in the system calculations. The setpoints are selected to ensure that the setpoints do not exceed the Allowable Value.

Operation with a trip setpoint less conservative than the nominal trip setpoint, but within the Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place.

The setpoints are compared to the actual process parameter (e.g.,

degraded voltage), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The Allowable Values are derived from the limiting values of the process parameters obtained from the safety analysis. The trip setpoints are then derived based on engineering judgement.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage < 20%)

Loss of voltage on a 4.16 kV emergency bus indicates that offsite power may be completely lost to the respective emergency bus and is unable to supply sufficient power for proper operation of the applicable equipment.

Therefore, the power supply to the bus is transferred from offsite power to DG power when the voltage on the bus drops below the Loss of Voltage Function Allowable Values (loss of voltage with a short time delay). This ensures that adequate power will be available to the required equipment.

The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that power is available to the required equipment.

SUSQUEHANNA - UNIT 1 3.3-206

- - - - - - - - - - - ~

Rev. 6 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE 1. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage< 20%)

SAFETY (continued)

ANALYSES, LCO, and One channel of 4.16 kV Emergency Bus Undervoltage (Loss of Voltage)

APPLICABILITY Function per associated emergency bus is required to be OPERABLE (continued) when the associated DG is required to be OPERABLE to ensure that no single instrument failure can preclude the DG function. 4.16 kV Emergency Bus Undervoltage (Loss of Voltage) relay controls and provides a permissive to allow closure of the associated alternate source breaker and the associated DG breaker. (one channel input to each of the four DGs.)

Refer to LCO 3.8.1, "AC Sources-Operating" for Applicability Bases for the DGs.

2 .* 3. 4.16 kV Emergency Bus Undervoltage (Degraded Voltage)

A reduced voltage condition on a 4 kV emergency bus indicates that, while offsite power may not be completely lost to the respective emergency bus, available power may be insufficient for starting large ECCS motors without risking damage to the motors that could disable the ECCS function.

Therefore, power supply to the bus is transferred from offsite power to onsite DG power when there is no offsite power or a degraded power supply to the bus. This transfer will occur only if the voltage of the primary and alternate power sources drop below the Degraded Voltage Function Allowable Values (degraded voltage with a time delay) and the source breakers trip which causes the DG to start. This ensures that adequate power will be available to the required equipment.

Two Functions are provided to monitor degraded voltage at two different levels. These Functions are the Degraded Voltage LOCA (< 93%) and Degraded Voltage Low Setting(< 65%). These relays respond to degraded voltage as follows: 93% for approximately 5 minutes (when no LOCA signal is present) and approximately 10 seconds (with a LOCA signal present), and 65% (Degraded Voltage Low Setting). The circuitry is designed such that with the LOCA signal present, the non-LOCA time delay is physically bypassed. The Degraded Voltage LOCA Function preserves the assumptions of the LOCA analysis and the Degraded Voltage Low Setting Function preserves the assumptions of the accident sequence analysis in the FSAR.

The Bus Undervoltage Allowable Values are low enough to prevent inadvertent power supply transfer, but high enough to ensure that sufficient power is available to the required equipment. The Time Delay Allowable Values are long enough to provide time for the offsite power supply to recover to normal voltages, but short enough to ensure that sufficient power is available to the required equipment.

SUSQUEHANNA - UNIT 1 3.3-207

Rev. 6 LOP Instrumentation B 3.3.8.1 BASES APPLICABLE 2., 3. 4.16 kV Emergency Bus Undervoltage {Degraded Voltage)

SAFETY (continued)

ANALYSES, LCO, and Each 4.16 kV bus's LOP instrumentation (i.e. two channels of 4.16 kV APPLICABILITY Emergency Bus Undervoltage (Degraded Voltage) per Function (continued) (Functions 2 and 3)) is required to be OPERABLE when the associated DG is required to be OPERABLE. This ensures no single instrument failure can preclude the start of multiple DGs (each logic inputs to its respective 4.16kV bus), thereby preserving the overall DG function. Refer to LCO 3.8.1 for Applicability Bases for the DGs.

ACTIONS A Note has been provided to modify the ACTIONS related to LOP instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable LOP instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable LOP instrumentation channel.

A.1 Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.8.1-1. The applicable Condition specified in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

8.1 With one or more channels of a Function inoperable, the Function is not capable of performing the intended function. Therefore, only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to restore the inoperable channel to OPERABLE status.

Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action 8.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure (within the LOP instrumentation), and allow SUSQUEHANNA - UNIT 1 3.3-208

Rev. 6 LOP Instrumentation B 3.3.8.1 BASES ACTIONS B.1 (continued)

(continued) operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the channel in trip would result in a DG initiation), Condition D must be entered and its Required Action taken.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

C.1 With one channel of the Function inoperable, the Function is not capable of performing the intended function. Therefore, only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to restore the inoperable channel to OPERABLE status. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. If the inoperable* channel cannot be restored to OPERABLE status within the allowable out of service time, Condition D must be entered and its Required Action taken.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration of channels.

0.1 If the Required Action and associated Completion Times of Conditions B or C are not met, the associated Function is not capable of performing the intended function~ Therefore, the associated DG(s) is declared inoperable immediately for both Unit 1 and Unit 2. This requires entry into applicable Conditions and Required Actions of LCO 3.8.1 for both Unit 1 and Unit 2, which provide appropriate actions for the inoperable DG(s).

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each LOP REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.8.1-1.

SUSQUEHANNA - UNIT 1 3.3-209

Rev. 6 LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE The Surveillances are modified by a Note to indicate that when a channel is REQUIREMENTS placed in an inoperable status solely for performance of required (continued) Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains DG initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken.

SR 3.3.8.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION .

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with channels required by the LCO.

SR 3.3.8.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.3-210

Rev.6 LOP Instrumentation B 3.3.8.1 BASES SURVEILLANCE SR 3.3.8.1.3 REQUIREMENTS (continued) A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.8.1.4 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required actuation logic for a specific channel. The system functional testing performed in LCO 3.8.1 and LCO 3.8.2 overlaps this Surveillance to provide complete testing of the assumed safety functions .

The Surveillance Frequency is controlle_d under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193)

SUSQUEHANNA - UNIT 1 3.3-211

Rev. 6 LOP Instrumentation B 3.3.8.1 BASES THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.3-212

Rev.9 ECCS-Operating B 3.5.1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.1 ECCS-Operating BASES BACKGROUND The ECCS is designed, in conjunction with the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during a LOCA. The ECCS network consists of the High Pressure Coolant Injection (HPCI) System, the Core Spray (CS) System, the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System, and the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of providing a source of water for the HPCI and CS systems.

On receipt of an initiation signal, ECCS pumps automatically start; simultaneously, the system aligns and the pumps inject water, taken either from the CST or suppression pool, into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps. Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed.

The HPCI pump discharge pressure quickly exceeds that of the RCS, and the pump injects coolant into the vessel to cool the core. If the break is small, the HPCI System will maintain coolant inventory as well as vessel level while the RCS is still pressurized. If HPCI fails, it is backed up by ADS in combination with LPCI and CS. In this event absent operator action, the ADS timed sequence would time out and open the selected safety/relief valves (S/RVs) depressurizing the RCS, thus allowing the LPCI and CS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly and the LPCI and CS cool the core.

Water from the break returns to the suppression pool where it is used again and again. Water in the suppression pool is circulated through a heat exchanger cooled by the RHR Service Water System. Depending on the location and size of the break, portions of the ECCS may be ineffective; however the overall design is effective in cooling the core regardless of the size or location of the piping break. Although no credit is taken in the safety analysis for the RCIC System, it performs a similar function as HPCI, but has reduced makeup capability. Nevertheless, it will maintain inventory and cool the core while the RCS is still pressurized following a reactor pressure vessel (RPV) isolation.

SUSQUEHANNA - UNIT 1 3.5-1

Rev.9 ECCS-Operating B 3.5.1 BASES BACKGROUND All ECCS subsystems are designed to ensure that no single active (continued) component failure will prevent automatic initiation and successful operation of the minimum required ECCS equipment.

The CS System (Ref. 1) is composed of two independent subsystems.

Each subsystem consists of two motor driven pumps, a spray sparger above the core, and piping and valves to transfer water from the suppression pool to the sparger. The CS System is designed to provide cooling to the reactor core when reactor pressure is low. Upon receipt of an initiation signal, the CS pumps in both subsystems are automatically started when AC power is available. When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water from and to the suppression pool to allow testing of the CS System without spraying water in the RPV.

LPCI is an independent operating mode of the RHR System. There are two LPCI subsystems (Ref. 2), each consisting of two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop. The two LPCI subsystems can be interconnected via the RHR System cross tie valves; however, at

- least one of the two cross tie valves is maintained closed with its power removed to prevent loss of both LPCI subsystems during a LOCA. The LPCI subsystems are designed to provide core cooling at low RPV pressure. Upon receipt of an initiation signal, all four LPCI pumps are automatically started. RHR System valves in the LPCI flow path are automatically positioned to ensure the proper flow path for water from the suppression pool to inject into the recirculation loops. When the RPV pressure drops sufficiently, the LPCI flow to the RPV, via the corresponding recirculation loop, begins. The water then enters the reactor through the jet pumps.

Full flow test lines are provided for each LPCI subsystem to route water from the suppression pool, to allow testing of the LPCI pumps without injecting water into the RPV. These test lines also provide suppression pool cooling capability, as described in LCO 3.6.2.3, "RHR Suppression Pool Cooling."

The HPCI System (Ref. 3) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping for the system is provided from the CST and the suppression pool. Pump suction for HPCI is normally aligned to the CST source to minimize injection of suppression pool water into the RPV. Whenever the CST water supply is low, an automatic transfer to the suppression pool water source ensures an adequate suction head for the pump and an uninterrupted water supply for SUSQUEHANNA - UNIT 1 3.5-2

Rev. 9 EGGS-Operating B 3.5.1 BASES BACKGROUND continuous operation of the HPCI System. The steam supply to the HPCI (continued) turbine is piped from a main steam line upstream of the associated inboard main steam isolation valve.

The HPCI System is designed to provide core cooling for a wide range of reactor pressures (165 psia to 1225 psia). Upon receipt of an initiation signal, the HPCI turbine stop valve and turbine control valve open and the turbine accelerates to a specified speed. As the HPCI flow increases, the turbine control valve is automatically adjusted to maintain design flow.

Exhaust steam from the HPCI turbine is discharged to the suppression pool. A full flow test line is provided to route water to the CST to allow testing of the HPCI System during normal operation without injecting water into the RPV.

The EGGS pumps are provided with minimum flow bypass lines, which discharge to the suppression pool. The valves in these lines automatically open to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, all EGGS pump discharge lines are filled with water. The HPCI, LPCI and CS System discharge lines are kept full of water using a "keep fill" system that is supplied using the condensate transfer system.

The ADS (Ref. 4) consists of 6 of the 16 S/RVs. It is designed to provide depressurization of the RCS during a small break LOCA if HPCI fails or is unable to maintain required water level in the RPV. ADS operation reduces the RPV pressure to within the operating pressure range of the low pressure ECCS subsystems (CS and LPCI), so that these subsystems can provide coolant inventory makeup. Each of the S/RVs used for automatic depressurization is equipped with two gas accumulators and associated inlet check valves. The accumulators provide the pneumatic power to actuate the valves.

APPLICABLE The EGGS performance is evaluated for the entire spectrum of break sizes SAFETY for a postulated LOCA. The accidents for which EGGS operation is ANALYSES required are presented in References 5, 6, and 7. The required analyses and assumptions are defined in Reference 8. The results of these analyses are also described in Reference 9 .

SUSQUEHANNA - UNIT 1 3.5-3

Rev. 9 EGGS-Operating

- BASES APPLICABLE SAFETY This LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref. 10), will be met following a B 3.5.1 ANALYSES LOCA, assuming the worst case single active component failure in the (continued) ECCS:

a. Maximum fuel element cladding temperature is :s:; 2200°F;

b. Maximum cladding oxidation is :s:; 0.17 times the total cladding thickness before oxidation;

c. Maximum hydrogen generation from a zirconium water reaction is

s:; 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d. The core is maintained in a coolable geometry; and

e. Adequate long term cooling capability is maintained.

The fuel vendor performed LOCA calculations for the ATRIUM 10 and

ATRIUM 11 fuel designs. The limiting single failures for the analyses are discussed in Reference 9. The LOCA analyses examine both recirculation pipe breaks and non-recirculation pipe breaks. For the recirculation pipe breaks, breaks on both the discharge and suction side of the recirculation pump are performed for two geometries; double-ended guillotine break and split break.

The LOCA calculations demonstrate the limiting fuel type (highest PCT) is A TRI UM 10 fuel. The most limiting (highest PCT) break is a double-ended guillotine break in the recirculation pump suction piping. The limiting single failure is the failure of the LPCI injection valve in the intact recirculation loop to open.

One ADS valve failure is analyzed as a limiting single failure for events requiring ADS operation. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage.

The ECCS satisfy Criterion 3 of the NRC Policy Statement (Ref. 15).

LCO Each ECCS injection/spray subsystem and six ADS valves are required to be OPERABLE. The ECCS injection/spray subsystems are defined as the two CS subsystems, the two LPCI subsystems, and one HPCI System.

The low pressure ECCS injection/spray subsystems are defined as the two CS subsystems and the two LPCI subsystems.

SUSQUEHANNA - UNIT 1 3.5-4

Rev. 9 EGGS-Operating

- BASES LCO (continued)

With less than the required number of EGGS subsystems OPERABLE, the B 3.5.1 potential exists that during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in Reference 1O could be exceeded. All EGGS subsystems must therefore be OPERABLE to satisfy the single failure criterion required by Reference 10.

LPCI subsystems may be considered OPERABLE during alignment and operation for decay heat removal when below the actual RHR cut in permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. At these low pressures and decay heat levels, a reduced complement of EGGS subsystems should provide the required core cooling, thereby allowing operation of RHR shutdown cooling when necessary.

APPLICABILITY All EGGS subsystems are required to be OPERABLE during MODES 1, 2, and 3, when there is considerable energy in the reactor core and core cooling would be required to prevent fuel damage in the event of a break in the primary system piping. In MODES 2 and 3, when reactor steam dome pressure is:::; 150 psig, ADS and HPCI are not required to be OPERABLE because the low pressure EGGS subsystems can provide sufficient flow below this pressure. Requirements for MODES 4 and 5 are specified in LCO 3.5.2, "Reactor Pressure Vessel (RPV) Water Inventory Control."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable HPCI subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable HPCI subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

A.1 If any one low pressure EGGS injection/spray subsystem is inoperable for reasons other than Condition B, the inoperable subsystem must be restored to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. In this Condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA.

However, overall EGGS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the EGGS not being able to perform its intended safety function. The 7 day Completion Time is based on a reliability study (Ref. 12) that evaluated the impact on EGGS availability, assuming various components and subsystems were taken out of service. The results were SUSQUEHANNA - UNIT 1 3.5-5

Rev.9 ECCS-Operating B 3.5.1 BASES ACTIONS A.1 (continued)

(continued) used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (i.e., Completion Times).

B.1 If one LPCI pump in one or both LPCI subsystems is inoperable, the inoperable LPCI pumps must be restored to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program.

In this Condition, the remaining OPERABLE LPCI pumps and at least one CS subsystem provide adequate core cooling during a LOCA. However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not being able to perform its intended safety function. A 7 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

C.1 and C.2 If the inoperable low pressure ECCS subsystem or LPCI pump(s) cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 and D.2 If the HPCI System is inoperable and the RCIC System is verified to be OPERABLE, the HPCI System must be restored to OPERABLE status within 14 days or in accordance with the Risk Informed Completion Time Program. In this Condition, adequate core cooling is ensured by the OPERABILITY of the redundant and diverse low pressure ECCS injection/spray subsystems in conjunction with ADS. Also, the RCIC System will automatically provide makeup water at most reactor operating pressures. Verification of RCIC OPERABILITY is therefore required when HPCI is inoperable. This may be performed as an administrative check by examining logs or other information to determine if RCIC is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate the OPERABILITY of the RCIC System. If the OPERABILITY of the RCIC System cannot be verified, however, Condition H must be immediately entered. If a single active SUSQUEHANNA - UNIT 1 3.5-6

Rev. 9 ECCS-Operating B 3.5.1 BASES ACTIONS D.1 and D.2 (continued)

(continued) component fails concurrent with a design basis LOCA, there is a potential, depending on the specific failure, that the minimum required ECCS equipment will not be available. A 14 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

E.1 and E.2 If Condition A or Condition B exists in addition to an inoperable HPCI System, the inoperable low pressure ECCS injection/spray subsystem or the LPCI pump(s) or the HPCI System must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program. In this Condition, adequate core cooling is ensured by the OPERABILITY of the ADS and the remaining low pressure ECCS subsystems. However, the overall ECCS reliability is significantly reduced because a single failure in one of the remaining OPERABLE subsystems concurrent with a design basis LOCA may result in the ECCS not being able to perform its intended safety function. Since both a high pressure system (HPCI) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is required to restore either the HPCI System or the low pressure ECCS injection/spray subsystem to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

F.1 The LCO requires six ADS valves to be OPERABLE in order to provide the ADS function. Reference 9 contains the results of an analysis that evaluated the effect of one ADS valve being out of service. Per this analysis, operation of only five ADS valves will provide the required depressurization. However, overall reliability of the ADS is reduced, because a single failure in the OPERABLE ADS valves could result in a reduction in depressurization capability. Therefore, operation is only allowed for a limited time. The 14 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program .

- SUSQUEHANNA - UNIT 1 3.5-7

Rev.9 ECCS-Operating B3.5.1 BASES ACTIONS G.1 and G.2 (continued)

If Condition A or Condition B exists in addition to one inoperable ADS valve, adequate core cooling is ensured by the OPERABILITY of HPCI and the remaining low pressure ECCS injection/spray subsystem. However, overall ECCS reliability is reduced because a single active component failure concurrent with a design basis LOCA could result in the minimum required ECCS equipment not being available. Since both a high pressure system (ADS) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is required to restore either the low pressure ECCS subsystem or the ADS valve to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

H.1 and H.2 If any Required Action and associated Completion Time of Condition D, E, F, or G is not met, or if two or more ADS valves are inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and reactor steam dome pressure reduced to::; 150 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

11 When multiple ECCS subsystems are inoperable, as stated in Condition I, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.5.1.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the HPCI System, CS System, and LPCI subsystems full of water ensures that the ECCS will perform properly, injecting its full capacity into the RCS upon demand.

This will also prevent a water hammer following an ECCS initiation signal.

One acceptable method of ensuring that the lines are full is to vent at the high points. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.5-8

Rev. 9 ECCS-Operating

- BASES SURVEILLANCE REQUIREMENTS SR 3.5.1.2 B 3.5.1 (continued) Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the HPCI System, this SR also includes the steam flow path for the turbine and the flow controller position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that allows LPCI subsystems to be considered OPERABLE during alignment and operation for decay heat removal with reactor steam dome pressure less than the RHR cut in permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. This allows operation in the RHR shutdown cooling mode during MODE 3, if necessary.

SR 3.5.1.3 Verification that ADS gas supply header pressure is ~ 135 psig ensures adequate gas pressure for reliable ADS operation. The accumulator on each ADS valve provides pneumatic pressure for valve actuation. The .

design pneumatic supply pressure requirements for the accumulator are such that, following a failure of the pneumatic supply to the accumulator, at least one valve actuations can occur with the drywell at 70% of design pressure.

The ECCS safety analysis assumes only one actuation to achieve the depressurization required for operation of the low pressure ECCS. This minimum required pressure of~ 135 psig is provided by the containment instrument gas system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.5-9

Rev.9 ECCS-Operating

, B3.5.1 BASES SURVEILLANCE SR 3.5.1.4 REQUIREMENTS (continued) Verification that at least one RHR System cross tie valve is closed and power to its operator is disconnected ensures that each LPCI subsystem remains independent and a failure of the flow path in one subsystem will not affect the flow path of the other LPCI subsystem. Acceptable methods of removing power to the operator include opening the breaker, or racking out the breaker, or removing the breaker. If both RHR System cross tie valves are open or power has not been removed from at least one closed valve operator, both LPCI subsystems must be considered inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.5 Verification that each 480 volt AC swing bus transfers automatically from the normal source to the alternate source on loss of power while supplying its respective bus demonstrates that electrical power is available to ensure proper operation of the associated LPCI inboard injection and minimum flow valves and the recirculation pump discharge and bypass valves. Therefore, each 480 volt AC swing bus must be OPERABLE for the associated LPCI subsystem to be OPERABLE. The test is performed by actuating the load test switch or by disconnecting the preferred power source to the transfer switch and verifying that swing bus automatic transfer is accomplished. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.6 Cycling the recirculation pump discharge and bypass valves through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and provides assurance that the valves will close when required to ensure the proper LPCI flow path is established. Upon initiation of an automatic LPCI subsystem injection signal, these valves are required to be closed to ensure full LPCI subsystem flow injection in the reactor via the recirculation jet pumps. De-energizing the valve in the closed position will also ensure the proper flow path for the LPCI subsystem. Acceptable methods of de-energizing the valve include opening the breaker, or racking out the breaker, or removing the breaker.

The specified Frequency is once during reactor startup before THERMAL POWER is> 25% RTP. However, this SR is modified by a Note that states the Surveillance is only required to be performed if the last performance was more than 31 days ago. Therefore, implementation of this Note requires this test to be performed during reactor startup before SUSQUEHANNA - UNIT 1 3.5-10

Rev. 9 ECCS-Operating 8 3.5.1 BASES SURVEILLANCE SR 3.5.1.6 (continued)

REQUIREMENTS (continued) exceeding 25% RTP. Verification during reactor startup prior to reaching

> 25% RTP is an exception to the normal lnservice Testing Program generic valve cycling Frequency, but is considered acceptable due to the demonstrated reliability of these valves. If the valve is inoperable and in the open position, the associated LPCI subsystem must be declared inoperable.

SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 The performance requirements of the low pressure ECCS pumps are determined through application of the 10 CFR 50, Appendix K criteria (Ref. 8). This periodic Surveillance is performed (in accordance with the ASME OM Code requirements for the ECCS pumps) to verify that the ECCS pumps will develop the flow rates required by the respective analyses. The low pressure ECCS pump flow rates ensure that adequate core cooling is provided to satisfy the acceptance criteria of Reference 10.

The pump flow rates are verified against a system head equivalent to the RPV pressure expected during a LOCA. The total system pump outlet

-* pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure present during a LOCA. These values may be established during preoperational testing.

The flow tests for the HPCI System are performed at two different pressure ranges such that system capability to provide rated flow is tested at both the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the HPCI System diverts steam flow. Reactor steam pressure is considered adequate when ~ 920 psig to perform SR 3.5.1.8 and ~ 150 psig to perform SR 3.5.1.9. However, the requirements of SR 3.5.1.9 are met by a successful performance at any pressure :::;; 165 psig. Adequate steam flow is represented by at least 1.25 turbine bypass valves open. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these tests. Reactor startup is allowed prior to performing the low pressure Surveillance test because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance test is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that HPCI is inoperable.

Therefore, SR 3.5.1.8 and SR 3.5.1.9 are modified by Notes that state the

_Surveillances are not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the reactor steam pressure and flow are adequate to perform the test.

SUSQUEHANNA - UNIT 1 3.5-11

Rev. 9 ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 (continued)

REQUIREMENTS (continued) The Frequency for SR 3.5.1. 7 and SR 3.5.1.8 is in accordance with the lnservice Testing Program requirements. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.10 The ECCS subsystems are required to actuate automatically to perform their design functions. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCI, CS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions. This functional test includes the LPCI and CS interlocks between Unit 1 and Unit 2 and specifically requires the following:

A functional test of the interlocks associated with the LPCI and CS pump starts in response to an automatic initiation signal in Unit 1 followed by a false automatic initiation signal in Unit 2; A functional test of the interlocks associated with the LPCI and CS pump starts in response to an automatic initiation signal in Unit 2 followed by a false automatic initiation signal in Unit 1; and A functional test of the interlocks associated with the LPCI and CS pump starts in response to simultaneous occurrences of an automatic initiation signal in both Unit 1 and Unit 2 and a loss of Offsite power condition affecting both Unit 1 and Unit 2.

The purpose of this functional test (preferred pump logic) is to assure that if a false LOCA signal were to be received on one Unit simultaneously with an actual LOCA signal on the second Unit, the preferred LPCI and CS pumps are started and the non-preferred LPCI and CS pumps are tripped for each Unit. This functional test is performed by verifying that the non-preferred LPCI and CS pumps are tripped. The verification that preferred LPCI and CS pumps start is performed under a separate surveillance test. Only one division of LPCI preferred pump logic is required to be OPERABLE for each Unit, because no additional failures needs to be postulated with a false LOCA signal. If the preferred or non-preferred pump logic for CS is inoperable, the associated CS pumps shall be declared inoperable and the pumps should not be operated to ensure that the opposite Unit's CS pumps or 4.16 kV ESS Buses are protected.

SUSQUEHANNA - UNIT 1 3.5-12

Rev. 9 EGGS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.1 O (continued)

REQUIREMENTS (continued)

This SR also ensures that the HPCI System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance.

This SR can be accomplished by any series of sequential overlapping or total steps such that the entire channel is tested.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes vessel injection/spray during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

SR 3.5.1.11 The ADS designated S/RVs are required to actuate automatically upon receipt of specific initiation signals. A system functional test is performed to demonstrate that the mechanical portions of the ADS function (i.e.,

solenoids) operate as designed when initiated either by an actual or simulated initiation signal, causing proper actuation of all the required components. SR 3.5.1.12 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes valve actuation. This prevents an RPV pressure blowdown.

SR 3.5.1.12 A manual actuation of each ADS valve actuator is performed to verify that the valve and solenoid are functioning properly. This is demonstrated by the method described below. Proper operation of the valve tailpipes is ensured through the use of foreign material exclusion during maintenance.

Valve OPERABILITY and the setpoints for overpressure protection are verified, per ASME requirements, prior to valve installation .

SUSQUEHANNA - UNIT 1 3.5-13

Rev.9 EGGS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.12 (continued)

REQUIREMENTS (continued) Manual actuation of the actuator at atmospheric temperature and pressure during cold shutdown is performed. Proper functioning of the valve actuator is demonstrated by visual observation of actuator movement.

Each solenoid is independently tested and ensures the valve would remain open. The ADS actuator will be disconnected from the valve to ensure no damage is done to the valve seat or to the valve internals. Each valve shall be bench-tested prior to reinstallation. The bench-test along with the test on the ADS actuator establishes the OPERABILITY of the valves.

SR 3.5.1.11 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.13 This SR ensures that the ECCS RESPONSE TIME for each ECCS injection/spray subsystem is less than or equal to the maximum value assumed in the accident analysis. Response Time testing acceptance criteria are included in Reference 13. This SR is modified by a Note that allows the instrumentation portion of the response time to be assumed to be based on historical response time data and therefore, is excluded from the ECCS RESPONSE TIME testing. This is allowed since the instrumentation response time is a small part of the ECCS RESPONSE TIME (e.g., sufficient margin exists in the diesel generator start time when compared to the instrumentation response time) (Ref. 14).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

- SUSQUEHANNA - UNIT 1 3.5-14

Rev.9 ECCS-Operating B 3.5.1 BASES REFERENCES 1. FSAR, Section 6.3.2.2.3.

2. FSAR, Section 6.3.2.2.4.

3. FSAR, Section 6.3.2.2.1.

4. FSAR, Section 6.3.2.2.2.

5. FSAR, Section 15.2.8.

6. FSAR, Section 15.6.4.

7. FSAR, Section 15.6.5.

8. 10 CFR 50, Appendix K.

9. FSAR, Section 6.3.3.

10. 10 CFR 50.46.

11. Not used

12. Memorandum from R.L. Baer (NRC) to V. Stello, Jr. (NRC),

"Recommended Interim Revisions to LCOs for ECCS Components,"

December 1, 1975.

13. FSAR, Section 6.3.3.3.

14. NEDO 32291-A, "System Analysis for the Elimination of Selected Response Time Testing Requirements, October 1995.

15. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132) .

SUSQUEHANNA - UNIT 1 3.5-15

Rev. 9 EGGS-Operating

- BASES B 3.5.1 THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.5-16

Rev. 7 RCIC System B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE !SOLATION COOLING (RCIC) SYSTEM B 3.5.3 RCIC System BASES BACKGROUND The RCIC System is not part of the ECCS; however, the RCIC System is included with the ECCS section because of their similar functions.

The RCIC System is designed to operate either automatically or manually following reactor pressure vessel (RPV) isolation accompanied by a loss of coolant flow from the feedwater system to provide adequate core cooling and control of the RPV water level. Under these conditions, the High Pressure Coolant Injection (HPCI) and RCIC systems perform similar functions. The RCIC System design requirements ensure that the criteria of Reference 1 are satisfied.

The RCIC System (Ref. 2) consists of a steam driven turbine pump unit,

- piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping is provided from the condensate storage tank (CST) and the suppression pool. Pump suction is normally aligned to the CST to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low, an automatic transfer to the suppression pool water source ensures an adequate suction head for the pump and an uninterrupted water supply for continuous operation of the RCIC System. The steam supply to the turbine is piped from a main steam line upstream of the associated inboard main steam line isolation valve.

The RCIC System is designed to provide core cooling for a wide range of reactor pressures (165 psia to 1225 psia). Upon receipt of an initiation signal, the RCIC turbine accelerates to a specified speed. As the RCIC flow increases, the turbine control valve is automatically adjusted to maintain design flow. Exhaust steam from the RCIC turbine is discharged to the suppression pool. A full flow test line is provided to route water to the CST to allow testi"ng of the RCIC System during normal operation without injecting water into the RPV.

- SUSQUEHANNA - UNIT 1 3.5-27

Rev. 7 RCIC System B 3.5.3 BASES BACKGROUND The RCIC pump is provided with a minimum flow bypass line, which (continued) discharges to the suppression pool. The valve in this line automatically opens to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, the RCIC System discharge piping is kept full of water. The RCIC System is normally aligned to the CST. The RCIC discharge line is kept full of water using a "keep fill" system supplied by the condensate transfer system.

APPLICABLE The function of the RCIC System is to respond to transient events by SAFETY providing makeup coolant to the reactor. The RCIC System is not an ANALSES Engineered Safety Feature System and no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system is included in the Technical Specifications, as required by the NRC Policy Statement (Ref. 4).

LCO The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the low pressure ECCS subsystems is not required in the event of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity for maintaining RPV inventory during an isolation event.

APPLICABILITY The RCIC System is required to be OPERABLE during MODE 1, and MODES 2 and 3 with reactor steam dome pressure >150 psig, since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. In MODES 2 and 3 with reactor steam dome pressure ::;150 psig, the low pressure ECCS injection/spray subsystems can provide sufficient flow to the RPV. In MODES 4 and 5, RCIC is not required to be OPERABLE since RPV water inventory control is required by LCO 3.5.2, "Reactor Pressure Vessel (RPV) Water Level Inventory Control."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable RCIC system. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable RCIC system and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance .

SUSQUEHANNA - UNIT 1 3.5-28

Rev. 7 RCIC System

83.5.3 BASES ACTIONS A.1 and A.2 (continued)

If the RCIC System is inoperable during MODE 1, or MODE 2 or 3 with reactor steam dome pressure >150 psig, and the HPCI System is verified to be OPERABLE, the RCIC System must be restored to OPERABLE status within 14 days or in accordance with the Risk Informed Completion Time Program. In this Condition, loss of the RCIC System will not affect the overall plant capability to provide makeup inventory at high reactor pressure since the HPCI System is the only high pressure system assumed to function during a loss of coolant accident (LOCA). OPERABILITY of HPCI is therefore verified immediately when the RCIC System is inoperable. This may be performed as an administrative check, by examining logs or other information, to determine if HPCI is out of service for maintenance or other reasons. It does not mean it is nece~sary to perform the Surveillances needed to demonstrate the OPERABILITY of the HPCI System. If the OPERABILITY of the HPCI System cannot be verified, however, Condition B must be immediately entered. For transients and certain abnormal events with no LOCA, RCIC (as opposed to HPCI) is the preferred source of makeup coolant because of its relatively small capacity, which allows easier control of the RPV water level. Therefore, a limited time is allowed to restore the inoperable RCIC to OPERABLE status.

The 14 day Completion Time is based on a reliability study (Ref. 3) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (AOTs). Because of similar functions of HPCI and RCIC, the AOTs (i.e., Completion Times) determined for HPCI are also applied to RCIC.

8.1 and 8.2 If the RCIC System cannot be restored to OPERABLE status within the associated Completion Time, or if the HPCI System is simultaneously inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and reactor steam dome pressure reduced to :s; 150 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems .

SUSQUEHANNA - UNIT 1 3.5-29

Rev. 7 RCIC System B 3.5.3 BASES SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge line of the RCIC System full of water ensures that the system will perform properly, injecting its full capacity into the Reactor Coolant System upon demand. This will also prevent a water hammer following an initiation signal. One acceptable method of ensuring the line is full is to vent at the high points. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.2 Verifying the correct alignment for manual, power operated, and automatic valves in the RCIC flow path provides assurance that the proper flow path will exist for RCIC operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a non-accident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the RCIC System, this SR also includes the steam flow path for the turbine and the flow controller position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.3 and SR 3.5.3.4 The RCIC pump flow rates ensure that the system can maintain reactor coolant inventory during pressurized conditions with the RPV isolated.

The flow tests for the RCIC System are performed at two different pressure ranges such that system capability to provide rated flow is tested both at the higher and lower operating ranges of the system.

Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the RCIC System diverts steam flow. Reactor steam pressure is considered adequate when ;:::: 920 psig to perform SR 3.5.3.3 and ;:::: 150 psig to perform SR 3.5.3.4. However, the requirements of SR 3.5.3.4 are met by a successful performance at any pressure~ 165 psig. Adequate steam flow is represented by at least 1.25 turbine bypass valves open.

Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these SRs. Reactor startup is allowed prior to performing the low pressure Surveillance because the reactor pressure is SUSQUEHANNA - UNIT 1 3.5-30

Rev. 7 RCIC System B 3.5.3 BASES SURVEILLANCE SR 3.5.3.3 and SR 3.5.3.4 (continued)

REQUIREMENTS (continued) low and the time allowed to satisfactorily perform the Surveillance is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure Surveillance has been satisfactorily completed and there is no indication or reason to believe that RCIC is inoperable. Therefore, these SRs are modified by Notes that state the Surveillances are not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the reactor steam pressure and flow are adequate to perform the test.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.5 The RCIC System is required to actuate automatically in order to verify its design function satisfactorily. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of the RCIC System will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence; that is, automatic pump startup and actuation of all automatic valves to their required positions. This test also ensures the RCIC System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.3 overlaps this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes vessel injection during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

SUSQUEHANNA - UNIT 1 3.5-31

Rev. 7 RCIC System B 3.5.3 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 33.

2. FSAR, Section 5.4.6.

3. Memorandum from R. L. Baer (NRC) to V. Stello, Jr. (NRC),

"Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132) .

SUSQUEHANNA - UNIT 1 3.5-32

Rev. 3 Primary Containment Air Lock

B 3.6 CONTAINMENT SYSTEMS B 3.6.1.2 Primary Containment Air Lock B 3.6.1.2 BASES BACKGROUND One double door primary containment air lock has been built into the primary containment to provide personnel access to the drywell and to provide primary containment isolation during the process of personnel entering and exiting the drywell. The air lock is designed to withstand the same loads, temperatures, and peak design internal and external pressures as the primary containment (Ref. 1). As part of the primary containment, the air lock limits the release of radioactive material to the env:ironment during normal unit operation and through a range of transients and accidents up to and including postulated Design Basis Accidents (DBAs).

Each air lock door has been designed and tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following a DBA in primary containment. Each of the doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses

pressure seated doors (i.e., an increase in primary containment internal pressure results in increased sealing force on each door).

The air lock is an 8 ft 7 inch inside diameter cylindrical pressure vessel with doors at each end that are interlocked to prevent simultaneous opening.

During periods when primary containment is not required to be OPERABLE, the air lock interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent primary containment entry is necessary. Under some conditions as allowed by this LCO, the primary containment may be accessed through the air lock, when the interlock mechanism has failed, by manually performing the interlock function.

The primary containment air lock forms part of the primary containment pressure boundary. As such, air lock integrity and leak tightness are essential for maintaining primary containment leakage rate to within limits in the event of a OBA. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis .

SUSQUEHANNA - UNIT 1 3.6-7

Rev.3 Primary Containment Air Lock

BASES APPLICABLE SAFETY The OBA that postulates the maximum release of radioactive material B 3.6.1.2 within primary containment is a LOCA. In the analysis of this accident, it is ANALYSES assumed that primary containment is OPERABLE, such that release of fission products to the environment is controlled by the rate of primary containment leakage. The primary containment is designed with a maximum allowable leakage rate (La) of 1.0% by weight of the containment air per 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months at the calculated maximum peak containment pressure (Pa) of 48.6 psig (Ref. 3). This allowable leakage rate forms the basis for the acceptance criteria imposed on the SRs associated with the air lock.

Primary containment air lock OPERABILITY is also required to minimize the amount of fission product gases that may escape primary containment through the air lock and contaminate and pressurize the secondary containment.

The primary containment air lock satisfies Criterion 3 of the NRG Policy Statement. (Ref. 4) t.CO As part of the primary containment pressure boundary, the air lock's safety function is related to control of containment leakage rates following a OBA Thus, the air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

The primary containment air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door to be opened at a time. This provision ensures that a gross breach of primary containment does not exist when primary containment is required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated events. Nevertheless, both doors are kept closed when the air lock is not being used for normal entry or exit from primary containment.

APPLICABILITY In MODES 1, 2, and 3, a OBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the primary containment air lock is not required to be OPERABLE in MODES 4 and 5 to prevent leakage of radioactive material from primary containment.

- SUSQUEHANNA - UNIT 1 3.6-8

Rev. 3 Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS The ACTIONS are modified by Note 1, which allows entry and exit to perform repairs of the affected air lock component. If the outer door is inoperable, then it may be easily accessed to repair. If the inner door is the one that is inoperable, however, then a short time exists when the containment boundary is not intact (during access through the outer door).

The ability to open the OPERABLE door, even if it means the primary containment boundary is temporarily not intact, is acceptable due to the low probability of an event that could pressurize the primary containment during the short time in which the OPERABLE door is expected to be open. The OPERABLE door must be immediately closed after each entry and exit.

The ACTIONS are modified by a second Note, which ensures appropriate remedial measures are taken when necessary. This is an exception to LCO 3.0.6 which would not require action, even if primary containment is exceeding its leakage limit. Therefore, the Note is added to require ACTIONS for LCO 3.6.1.1, "Primary Containment," to be taken in this event.

A.1, A.2, and A.3 With one primary containment air lock door inoperable, the OPERABLE door must be verified closed (Required Action A.1) in the air lock. This ensures that a leak tight primary containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1.1, which requires that primary containment be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

In addition, the air lock penetration must be isolated by locking closed the OPERABLE air lock door within the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Completion Time. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is considered reasonable for locking the OPERABLE air lock door, considering that the OPERABLE door is being maintained closed.

Required Action A.3 ensures that the air lock with an inoperable door has been isolated by the use of a locked closed OPERABLE air lock door. This ensures that an acceptable primary containment leakage boundary is maintained. The Completion Time of once per 31 days is based on engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and allows these doors to be verified locked closed by use of SUSQUEHANNA - UNIT 1 3.6-9

Rev. 3 Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS A.1, A.2, and A.3 (continued)

(continued) administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and exit for 7 days under administrative controls. This 7 day limit is an accumulated limit that applies to the total combined time for all entries and exits. Primary containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside primary containment that are required by TS or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other activities (i.e., non-TS-related activities) if the primary containment was entered, using the inoperable air lock, to perform an allowed activity listed above. This allowance is acceptable due to the low probability of an event that could pressurize the primary containment during the short time that the OPERABLE door is expected to be open.

8.1, 8.2, and 8.3 With an air lock interlock mechanism inoperable, the Required Actions and associated Completion Times are consistent with those specified in Condition A.

The Required Actions have been modified by two Notes. Note 1 ensures that only the Required Actions and associated Completion Times of Condition C are required if both doors in the air lock are inoperable. With both doors in the air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into and exit from the primary containment under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).

SUSQUEHANNA - UNIT 1 3.6-10

Rev.3 Primary Containment Air Lock B 3.6.1.2 BASES ACTIONS 8.1, 8.2, and 8.3 (continued)

(continued)

Required Action 8.3 is modified by a Note that applies to air lock doors located in high radiation areas or areas with limited access due to inerting and that allows these doors to be verified locked closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

C.1, C.2, and C.3 If the air lock is inoperable for reasons other than those described in Condition A or 8, Required Action C.1 requires action to be immediately initiated to evaluate containment overall leakage rates using current air lock leakage test results. An evaluation is acceptable since it is overly conservative to immediately declare the primary containment inoperable if both doors in an air lock have failed a seal test or if the overall air lock leakage is not within limits. In many instances (e.g., only one seal per door has failed), primary containment remains OPERABLE, yet only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (according to LCO 3.6.1.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a plant shutdown. In addition, even with both doors failing the seal test, the overall containment leakage rate can still be within limits.

Required Action C.2 requires that one door in the primary containment air lock must be verified closed. This action must be completed within the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time. This specified time period is consistent with the ACTIONS of LCO 3.6.1.1, which require that primary containment be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Additionally, the air lock must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or in accordance with the Risk Informed Completion Time Program. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable for restoring an inoperable air lock to OPERABLE status considering that at least one door is maintained closed in the air lock.

D.1 and D.2 If the inoperable primary containment air lock cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from

- full power conditions in an orderly manner and without challenging plant systems.

SUSQUEHANNA - UNIT 1 3.6-11

Rev.3 Primary Containment Air Lock B 3.6.1.2 BASES SURVEILLANCE SR 3.6.1.2.1 REQUIREMENTS Maintaining primary containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Primary Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with respect to air lock leakage (Type B leakage tests). The acceptance criteria were established based on engineering judgement and industry operating experience. The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall primary containment leakage rate. The Frequency is required by the Primary Containment Leakage Rate Testing Program.

The SR has been modified by two Notes, Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable since either air lock door is capable of providing a fission product barrier in the event of a OBA. Note 2 requires the results of airlock leakage tests be evaluated against the acceptance criteria of the Primary Containment Leakage Testing Program, 5.5.12. This ensures that the airlock leakage is properly accounted for in determining the combined Type B and C primary

containment leakage .

SR 3.6.1.2.2 The air lock interlock mechanism is designed to prevent simultaneous opening of both doors in the air lock. Since both the inner and outer doors 1

of an air lock are designed to withstand the maximum expected post accident primary containment pressure, closure of either door will support primary containment OPERABILITY. Thus, the interlock feature supports primary containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that the interlock will function as designed and that simultaneous inner and outer door opening will not inadvertently occur.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 3.8.2.1.2.

2. 10 CFR 50, Appendix J, Option B.

3. FSAR, Section 6.2.

4. Final Policy Statement on Technical Specifications Improvements July 22, 1993 (58 FR 39132) .

SUSQUEHANNA - UNIT 1 3.6-12

Rev.3 Primary Containment Air Lock

BASES B 3.6.1.2

THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.6-13

Rev. 3 Primary Containment Air Lock B 3.6.1.2 BASES THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.6-14

Rev. 19 PCIVs

B 3.6 CONTAINMENT SYSTEMS B 3.6.1.3 Primary Containment Isolation Valves (PCIVs)

B 3.6.1.3 BASES BACKGROUND The function of the PC IVs, in combination with other accident mitigation systems, including secondary containment bypass valves that are not PCIVs, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) to within limits. Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a OBA The OPERABILITY requirements for PCIVs help ensure that an adequate primary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. Therefore, the OPERABILITY requirements provide assurance that primary containment function assumed in the safety analyses will be maintained. For PCIVs,

the primary containment isolation function is that the valve must be able to close (automatically or manually) and/or remain closed, and maintain leakage within that assumed in the OBA LOCA Dose Analysis. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. The OPERABILITY requirements for closed systems are discussed in Technical Requirements Manual (TRM) Bases 3.6.4. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system.

For each division of H202 Analyzers, the lines, up to and including the first normally closed valves within the H202 Analyzer panels, are extensions of primary containment (i.e., closed system), and are required to be leak rate tested in accordance with the Leakage Rate Test Program. The H202 Analyzer closed system boundary is identified in the Leakage Rate Test Program. The closed system boundary consists of those components, piping, tubing, fittings, and valves, which meet the guidance of Reference 6. The closed system provides a secondary barrier in the event of a single failure of the PCIVs, as described below. The closed system boundary between PASS and the H202 Analyzer system ends at the process sampling solenoid operated isolation valves between the SUSQUEHANNA - UNIT 1 3.6-15

Rev. 19 PCIVs B 3.6.1.3 BASES BACKGROUND systems (SV-12361, SV-12365, SV-12366, SV-12368, and SV-12369).

(continued) These solenoid operated isolation valves do not fully meet the guidance of Reference 6 for closed system boundary valves in that they are not powered from a Class 1E power source. However, based upon a risk determination, operating these valves as closed system boundary valves is not risk significant. These valves also form the end of the Seismic Category I boundary between the systems. These process sampling solenoid operated isolation valves are normally closed and are required to be leak rate tested in accordance with the Leakage Rate Test Program as part of the closed system for the H2O2 Analyzer system. These valves are "closed system boundary valves" and may be opened under administrative control, as delineated in Technical Requirements Manual (TRM) Bases 3.6.4. Opening of these valves to permit testing of PASS in Modes 1, 2, and 3 is permitted in accordance with TRO 3.6.4.

Each H2O2 Analyzer Sampling line penetrating primary containment has two PCIVs, located just outside primary containment. While two PCIVs are provided on each line, a single active failure of a relay in the control circuitry for these valves, could result in both valves failing to close or failing to remain closed. Furthermore, a single failure (a hot short in the

common raceway to all the valves) could simultaneously affect all of the PCIVs within a H2O2 Analyzer division. Therefore, the containment isolation barriers for these penetrations consist of two PC IVs and a closed system. For situations where one or both PCIVs are inoperable, the ACTIONS to be taken are similar to the ACTIONS for a single PCIV backed by a closed system.

The drywell vent and purge lines are 24 inches in diameter; the suppression chamber vent and purge lines are 18 inches in diameter.

The containment purge valves are normally maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. The outboard isolation valves have 2 inch bypass lines around them for use during normal reactor operation.

The RHR Shutdown Cooling return line containment penetrations

{X-13A(B)} are provided with a normally closed gate valve

{HV-151F015A(B)} and a normally open globe valve {HV-151F017A(B)}

outside containment and a testable check valve {HV-151 F0S0A(B)} with a normally .closed parallel air operated globe valve {HV-151F122A(B)}

inside containment. The gate valve is manually opened and automatically isolates upon a containment isolation signal from the Nuclear Steam Supply Shutoff System or RPV low level 3 when the RHR System is operated in the Shutdown Cooling Mode only. The LPCI subsystem is an operational mode of the RHR System and uses the same injection lines to the RPV as the Shutdown Cooling Mode.

- - SUSQUEHANNA - UNIT 1 3.6-16

Rev. 19 PCIVs

BASES BACKGROUND (continued)

The design of these containment penetrations is unique in that some B 3.6.1.3 valves are containment isolation valves while others perform the function of pressure isolation valves. In order to meet the 10 CFR 50 Appendix J leakage testing requirements, the closed system outside containment is the only barrier tested in accordance with the Leakage Rate Test Program. HV-151 F015A(B) are not required to be Appendix J leak rate tested since the Appendix J testing exemption requirements are met.

Since these containment penetrations {X-13A and X-13B} include a containment isolation valve outside containment and a closed system outside containment that meets the requirements of USNRC Standard Review Plan 6.2.4 (September 1975), paragraph I1.3.e, the containment isolation provisions for these penetrations provide an acceptable alternative to the explicit requirements of 10 CFR 50, Appendix A, GDC55.

Containment penetrations X-13A(B) are also high/low pressure system interfaces. In order to meet the requirements to have two (2) isolation valves between the high pressure and low pressure systems, the HV-151F050A(B), HV-151F122A(B), 151130 and HV-151F015A(B) valves are used to meet this requirement and ,are tested in accordance

- with the pressure test program.

APPLICABLE The PCIVs LCO was derived from the assumptions related to minimizing SAFETY the loss of reactor coolant inventory, and establishing the primary ANALYSES containment boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO.

The DBAs that result in a release of radioactive material within primary containment are a LOCA and a main steam line break (MSLB). In the analysis for each of these accidents, it is assumed that PCIVs are either closed or close within the required isolation times following event initiation. This ensures that potential paths to the environment through PCIVs (including primary containment purge valves) and secondary containment bypass valves that are not PC IVs are minimized. The closure time of the main steam isolation valves (MS IVs) for a MSLB outside primary containment is a significant variable from a radiological standpoint. The MSIVs are required to close within 3 to 5 seconds since the 5 second closure time is assumed in the analysis. The safety analyses assume that the purge valves were closed at event initiation.

Likewise, it is assumed that the primary containment is isolated such that release of fission products to the environment is controlled .

SUSQUEHANNA - UNIT 1 3.6-17

Rev. 19 PCIVs B 3.6.1.3 BASES APPLICABLE The OBA analysis assumes that within the required isolation time leakage SAFETY is terminated, except for the maximum allowable leakage rate, La.

ANALYSES (continued) The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the primary containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even if a single failure occurred.

The primary containment purge valves may be unable to close in the environment following a LOCA. Therefore, each of the purge valves is required to remain closed during MODES 1, 2, and 3 except as permitted under the Note of SR 3.6.1.3.1. In this case, the single failure criterion remains applicable to the primary containment purge valve due to failure*

in the control circuit associated with each valve. The primary containment purge valve design precludes a single failure from compromising the primary containment boundary as long as the system is operated in accordance with this LCO.

Both H202 Analyzer PCIVs may not be able to close given a single failure

in the control circuitry of the valves. The single failure is caused by a "hot short" in the cables/raceway to the PCIVs that causes both PCIVs for a given penetration to remain open or to open when required to be closed. This failure is required to be considered in accordance with IEEE-279 as discussed in FSAR Section 7.3.2a. However, the single failure criterion for containment isolation of the H202 Analyzer penetrations is satisfied by virtue of the combination of the associated PCIVs and the closed system formed by the H202 Analyzer piping system as discussed in the BACKGROUND section above.

The closed system boundary between PASS and the H202 Analyzer system ends at the process sampling solenoid operated isolation valves between the systems (SV-12361, SV-12365, SV-12366, SV-12368, and SV-12369). The closed system is not fully qualified to the guidance of Reference 6 in that the closed system boundary valves between the H202 system and PASS are not powered from a Class 1E power source.

However, based upon a risk determination, the use of these valves is considered to have no risk significance. This exemption to the requirement of Reference 6 for the closed system boundary is documented in License Amendment No. 195.

PCIVs satisfy Criterion 3 of the NRC Policy Statement. (Ref. 2)

SUSQUEHANNA - UNIT 1 3.6-18

Rev. 19 PCIVs

BASES LCO B 3.6.1.3 PC IVs form a part of the primary containment boundary, or in the case of SCBL valves limit leakage from the primary containment. The PCIV safety function is related to minimizing the loss of reactor coolant inventory and establishing the primary containment boundary during a DBA.

The power operated, automatic isolation valves are required to have isolation times within limits and actuate on an automatic isolation signal.

The valves covered by this LCO are listed in Table B 3.6.1.3-1 and Table B 3.6.1.3-2.

The normally closed PCIVs, including secondary containment bypass valves listed in Table B 3.6.1.3-2 that are not PCIVs, are considered OPERABLE when manual valves are 'closed or open in accordance with appropriate administrative controls, automatic valves are in their closed position, blind flanges are in place, and closed systems are intact. These passive isolation valves and devices are those listed in Table B 3.6.1.3-1.

Leak rate testing of the secondary containment bypass valves listed in Table 3.6.1.3-2 is permitted in Modes 1, 2 & 3 as described in the Primary Containment Leakage Rate Testing Program.

Purge valves with resilient seals, secondary containment bypass valves, including secondary containment bypass valves listed in Table B 3.6.1.3-2 that are not PCIVs, MSIVs, and hydrostatically tested valves must meet additional leakage rate requirements. Other PCIV leakage rates are addressed by LCO 3.6.1.1, "Primary Containment," as Type B or C testing.

This LCO provides assurance that the PCIVs will perform their designed safety functions to minimize the loss of reactor coolant inventory and establish the primary containment boundary during accidents.

APPLICABILITY In MODES 1, 2, and 3, a DBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, PC IVs are not required to be OPERABLE and the primary containment purge valves are not required to be closed in MODES 4 and 5.

SUSQUEHANNA - UNIT 1 3.6-19

Rev. 19 PCIVs

- - BASES ACTIONS The ACTIONS are modified by a Note allowing penetration flow path(s) to B 3.6.1.3 be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated.

A second Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable PCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable PCIVs are governed by subsequent Condition entry and application of associated Required Actions.

The ACTIONS are modified by Notes 3 and 4. Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable PCIV (e.g., an Emergency Core Cooling System subsystem is inoperable due to a failed open test return valve). Note 4 ensures appropriate remedial actions are taken when the primary containment leakage limits are exceeded.

Pursuant to LCO 3.0.6, these actions are not required even when the associated LCO is not met. Therefore, Notes 3 and 4 are added to require the proper actions be taken.

A.1 and A.2 With one or more penetration flow paths with one PCIV inoperable except for purge valve leakage not within limit, the affected penetration flow paths must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available valve to the primary containment. The Required Action must be completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time (8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months for main steam lines) or in accordance with the Risk Informed Completion Time Program. The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable considering the time required to isolate the penetration and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. For main steam lines, an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is allowed. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months for the main SUSQUEHANNA - UNIT 1 3.6-20

Rev. 19 PCIVs

BASES ACTIONS (continued)

A.1 and A.2 (continued)

B 3.6.1.3 steam lines allows a period of time to restore the MS IVs to OPERABLE status given the fact that MSIV closure will result in isolation of the main steam line(s) and a potential for plant shutdown.

For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration flow path(s) must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those devices outside containment and capable of potentially being mispositioned are in the correct position. The Completion Time of "once per 31 days following isolation for isolation devices outside primary containment" is appropriate because the devices are operated under administrative controls and the probability of their misalignment is low. For the devices inside primary containment, the time period specified "prior to entering MODE 2 or 3 from MODE 4, if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the devices and other administrative controls ensuring that device misalignment is an unlikely possibility.

Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two PC IVs except for the H2O2 Analyzer penetrations. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. For the H2O2 Analyzer Penetrations, Condition D provides the appropriate Required Actions.

Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas, and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment of these devices, once they have been verified to be in the proper position, is low.

8.1 With one or more penetration flow paths with two PCIVs inoperable except for purge valve leakage not within limit, either the inoperable PCIVs must be restored to OPERABLE status or the affected penetration flow path must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely SUSQUEHANNA - UNIT 1 3.6-21

Rev. 19 PCIVs

BASES ACTIONS (continued)

B.1 (continued)

B 3.6.1.3 affected by a single active failure. Isolation barriers that meet this criterion are a closed and de--activated automatic valve, a closed manual valve, and a blind flange. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1.1.

Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two PC IVs except for the H2O2 Analyzer penetrations. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. For the H2O2 Analyzer Penetrations, Condition D provides the appropriate Required Actions.

C.1 and C.2 With one or more penetration flow paths with one PCIV inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely

affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. The closed system must meet the requirements of Reference 6. For conditions where the PCIV and the closed system are inoperable, the Required Actions of TRO 3.6.4, Condition B apply. For the Excess Flow Check Valves (EFCV), the Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable considering the instrument and the small pipe diameter of penetration (hence, reliability) to act as a penetration isolation boundary and the small pipe diameter of the affected penetrations. In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated.

The Completion Time of once per 31 days following isolation for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

SUSQUEHANNA - UNIT 1 3.6-22

Rev. 19 PCIVs

BASES ACTIONS (continued)

C.1 and C.2 (continued)

B 3.6.1.3 Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one PCIV. For penetration flow paths with two PCIVs and the H2O2 Analyzer Penetration.

Conditions A, B and D provide the appropriate Required Actions.

Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low.

D.1 and D.2 With one or more H2O2 Analyzer penetrations with one or both PCIVs inoperable, the inoperable valve(s) must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that

cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action D.1 must be completed within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the unique design of the H2O2 Analyzer penetrations. The containment isolation barriers for these penetrations consist of two PCIVs and a closed system. In addition, the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. In the event the affected penetration flow path is isolated in accordance with Required Action D.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated.

The Completion Time of once per 31 day_s following isolation for verifying each affectE?d penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

When an H2O2 Analyzer penetration PCIV is to be closed and deactivated in accordance with Condition D, this must be accomplished by pulling the fuse for the power supply, and either determinating the power cables at the solenoid valve, or jumpering of the power side of the solenoid to ground.

SUSQUEHANNA - UNIT 1 3.6-23

Rev. 19 PCIVs

- BASES ACTIONS D.1 and D.2 (continued)

B 3.6.1.3 (continued)

The OPERABILITY requirements for the closed system are discussed in Technical Requirements Manual (TRM) Bases 3.6.4. In the event that either one or both of the PC IVs and the closed system are inoperable, the Required Actions of TRO 3.6.4, Condition B apply.

Condition D is modified by a Note indicating that this Condition is only applicable to the H2O2 Analyzer penetrations.

E.1 With the secondary containment bypass leakage rate not within limit, the assumptions of the safety analysis may not be met. Therefore, the leakage must be restored to within limit within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Restoration can be accomplished by isolating the penetration that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated, the leakage rate for the isolated penetration is assumed to be the actual pathway leakage through the isolation device. If two isolation devices are

- used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable considering the time required to restore the leakage by isolating the penetration and the relative importance of secondary containment bypass leakage to the overall containment function.

F.1 In the event one or more containment purge valves are not within the purge valve leakage limits, purge valve leakage must be restored to within limits. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable, considering that one containment purge valve remains closed, except as controlled by SR 3.6.1.3.1 so that a gross breach of containment does not exist.

G.1 and G.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply.

To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems .

SUSQUEHANNA - UNIT 1 3.6-24

--7 Rev. 19 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.1 REQUIREMENTS This SR ensures that the primary containment purge valves are closed as required or, if open, open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable. If the inoperable valve is not otherwise known to have excessive leakage when closed, it is not considered to have leakage outside of limits. The SR is modified by a Note stating that the SR is not required to be met when the purge valves are open for the stated reasons. The Note states that these valves may be opened for inerting, de-inerting, pressure control, ALARA or air quality considerations for personnel entry, or Surveillances that require the valves to be open. The vent and purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.2 This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits.

This SR does not require any testing or valve manipulation. Rather, it involves verification that those PCIVs outside primary containment, and capable of being mispositioned, are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing .

SUSQUEHANNA - UNIT 1 3.6-25

Rev. 19 PCIVs

BASES SURVEILLANCE REQUIREMENTS SR 3.6.1.3.3 B 3.6.1.3

, (continued) This SR verifies that each primary containment manual isolation valve and blind flange that is located inside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits. For PCIVs inside primary containment, the Frequency defined as "prior to entering MODE 2 or 3 from MODE 4 if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is appropriate since these PCIVs are operated under administrative controls and the probability of their misalignment is low. This SR does not apply to valves that are locked,

sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in their proper position, is low.

A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PCIVs are open.

SR 3.6.1.3.4 The traversing incore probe (TIP) shear isolation valves are actuated by explosive charges. Surveillance of explosive charge continuity provides assurance that TIP valves will actuate when required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.5 Verifying the isolation time of each power operated and eacti automatic PCIV is within limits is required to demonstrate OPERABILITY. MSIVs may be excluded from this SR since MSIV full closure isolation time is demonstrated by SR 3.6.1.3. 7. The isolation time test ensures that the valve will isolate in a time period less than or equal to that assumed in the Final Safety Analyses Report. The isolation time and Frequency of this SR are in accordance with the requirements of the lnservice Testing Program.

SUSQUEHANNA - UNIT 1 3.6-26

7 Rev. 19 PCIVs

BASES SURVEILLANCE REQUIREMENTS SR 3.6.1.3.6 B 3.6.1.3 (continued) For primary containment purge valves with resilient seals, the Appendix J Leakage Rate Test Interval is sufficient. The acceptance criteria for these valves is defined in the Primary Containment Leakage Rate Testing Program, 5.5.12.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.7 Verifying that the isolation time of each MSIV is within the specified limits is required to demonstrate OPERABILITY. The isolation time test ensures that the MSIV will isolate in a time period that does not exceed the times assumed in the OBA analyses. This ensures that the calculated radiological consequences of these events remain within regulatory limits.

The Frequency of this SR is in accordance with the requirements of the lnservice Testing Program .

SR 3.6.1.3.8 Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a OBA. This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.1.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.9 This SR requires a demonstration that a representative sample of reactor instrumentation line excess flow check valves (EFCV) are OPERABLE by verifying that the valve actuates to check flow on a simulated instrument line break. As defined in FSAR Section 6.2.4.3.5 (Reference 4), the conditions under which an EFCV will isolate, simulated instrument line breaks are at flow rates, which develop a differential pressure of between 3 psid and 10 psid. This SR provides assurance that the instrumentation line EFCVs will perform its design function to check flow. No specific valve leakage limits are specified because no specific leakage limits are defined in the FSAR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The representative sample consists of an approximate equal number of EFCVs such that each EFCV SUSQUEHANNA - UNIT 1 3.6-27

Rev. 19 PCIVs

BASES SURVEILLANCE REQUIREMENTS SR 3.6.1.3.9 (continued)

B 3.6.1.3 (continued) is tested at least once every 10 years (nominal). The nominal 10 year interval is based on other performance-based testing programs, such as lnservice Testing (snubbers) and Option B to 10 CFR 50, Appendix J. In addition, the EFCVs in the sample are representative of the various plant configurations, models, sizes and operating environments. This ensures that any potential common problems with a specific type or application of EFCV is detected at the earliest possible time. EFCV failures will be evaluated to determine if additional testing in that test interval is warranted to ensure overall reliability and that failures to isolate are very infrequent. Therefore, testing of a representative sample was concluded to be acceptable from a reliability standpoint (Reference 7).

SR 3.6.1.3.10 The TIP shear isolation valves are actuated by explosive charges. An in place functional test is not possible with this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required. The replacement charge for the explosive squib shall be

- from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.11 This SR ensures that the leakage rate of secondary containment bypass leakage paths is less than the specified leakage rate. This provides assurance that the assumptions in the radiological evaluations of Reference 4 are met. The secondary containment leakage pathways and Frequency are defined by the Primary Containment Leakage Rate Testing Program. This SR simply imposes additional acceptance criteria.

SR 3.6.1.3.12 The analyses in References 1 and 4 are based on the specified leakage rate. Leakage through each MSIV must be :s; 100 scfh for any one MSIV and :s; 300 scfh for total leakage through the MS IVs combined with the Main Steam Line Drain Isolation Valve, HPCI Steam Supply Isolation Valve and the RCIC Steam Supply Isolation Valve. The MSIVs can be tested at either~ Pt (24.3 psig) or Pa (48.6 psig). Main Steam Line Drain Isolation, HPCI and RCIC Steam Supply Line Isolation Valves, are tested at Pa (48.6 psig). The Frequency is required by the Primary Containment

- Leakage Rate Testing Program.

SUSQUEHANNA - UNIT 1 3.6-28

Rev. 19 PCIVs

- BASES SURVEILLANCE REQUIREMENTS SR 3.6.1.3.13 B 3.6.1.3 (continued) Surveillance of hydrostatically tested lines provides assurance that the calculation assumptions of Reference 2 are met. The acceptance criteria for the combined leakage of all hydrostatically tested lines is 3.3 gpm when tested at 1.1 Pa, (53.46 psig). The combined leakage rates must be demonstrated in accordance with the leakage rate test Frequency required by the Primary Containment Leakage Testing Program.

As noted in Table B 3.6.1.3-1, PCIVs associated with this SR are not Type C tested. Containment bypass leakage is prevented since the line terminates below the minimum water level in the Suppression Chamber.

These valves are tested in accordance with the 1ST Program. Therefore, these valves leakage is not included as containment leakage.

REFERENCES 1. FSAR, Chapter 15.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132) .

- 3.

4.

5.

10 CFR 50, Appendix J, Option B.

FSAR, Section 6.2.

NEDO-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System," March 1988.

6. Standard Review Plan 6.2.4, Rev. 1, September 1975

7. NEDO-32977-A, "Excess Flow Check Valve Testing Relaxation,"

June 2000 .

SUSQUEHANNA - UNIT 1 3.6-29

Rev. 19 PCIVs

Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 1 of 11)

B 3.6.1.3 Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Containment 1-57-193 (d) ILRT Manual N/A Atmospheric 1-57-194 (d) ILRT Manual N/A Control HV-15703 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15704 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15705 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15711 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15713 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15714 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15721 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15722 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15723 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15724 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15725 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15766 (a) Suppression Pool Cleanup Automatic Valve 2.b, 2.d (30)

HV-15768 (a) Suppression Pool Cleanup Automatic Valve 2.b, 2.d (30)

HV-157113 (ct) Hardened Containment Vent Power Operated N/A (Air)

HV-157114 (ct) Hardened Containment Vent Power Operated N/A (Air)

SV-157100 A Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157100 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157101 A Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157101 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157102 A Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157102 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157103 A Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157103 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157104 Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157105 Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157106 Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157107 Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-15734 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15734 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15736 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SUSQUEHANNA - UNIT 1 3.6-30

l Rev. 19 PCIVs B 3.6.1.3 Table 8 3.6.1.3-1 Primary Containment Isolation Valve (Page 2 of 11)

Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Containment SV-15736 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d Atmospheric SV-15737 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e Control SV-15738 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e (continued) SV-15740 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15740 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15742 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15742 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15750 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15750 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15752 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15752 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15767 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e SV-15774 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15774 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15776 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15776 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15780 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15780 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15782 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15782 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15789 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e Containment 1-26-072 (d) Containment Instrument Gas Manual Check NIA Instrument Gas 1-26-074 (d) Containment Instrument Gas Manual Check NIA 1-26-152 (d) Containment Instrument Gas Manual Check NIA 1-26-154 (d) Containment Instrument Gas Manual Check NIA 1-26-164 (d) Containment Instrument Gas Manual Check NIA HV-12603 Containment Instrument Gas Automatic Valve 2.c, 2.d (20)

SV-12605 Containment Instrument Gas Automatic Valve 2.c, 2.d SV-12651 Containment Instrument Gas Automatic Valve 2.c, 2.d SV-12654A Containment Instrument Gas Power Operated NIA SV-12654 B Containment Instrument Gas Power Operated NIA SV-12661 Containment Instrument Gas Automatic Valve 2.b, 2.d SV-12671 Containment Instrument Gas Automatic Valve 2.b, 2.d Core Spray HV-152F001 A (b)(c) CS Suction Valve Power Operated NIA HV-152F001 B (b)(c) CS Suction Valve Power Operated NIA HV-152F005 A (h) CS Injection Power Operated NIA HV-152F005 B (h) CS Injection Valve Power Operated NIA HV-152F006 A (h) CS Injection Valve Air Operated Check NIA Valve HV-152F006 B (h) CS Injection Valve Air Operated Check NIA Valve HV-152F015 A (b)(c) CS Test Valve Automatic Valve 2.c, 2.d (80)

HV-152F015 B (b)(c) CS Test Valve Automatic Valve 2.c, 2.d (80)

SUSQUEHANNA - UNIT 1 3.6-31

Rev. 19 PCIVs Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 3 of 11)

B 3.6.1.3 Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Core Spray HV-152F031 A (b)(c) CS Minimum Recirculation Flow Power Operated N/A (continued) HV-152F031 B (b)(c) CS Minimum Recirculation Flow Power Operated N/A HV-152F037 A (h) CS Injection Power Operated N/A (Air)

HV-152F037 B (h) CS Injection Power Operated N/A (Air)

XV-152F018 A Core Spray Excess Flow Check N/A Valve XV-152F018 B Core Spray Excess Flow Check N/A Valve HPCI 1-55-038 (d) HPCI Injection Valve Manual N/A 155F046 (b)(c)(d) HPCI Minimum Flow Check Valve Manual Check N/A 155F049 (a)(d) HPCI Turbine Exhaust Valve Manual Check N/A HV-155F002 HPCI Steam Supply Valve Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (50)

HV-155F003 HPCI Steam Supply Valve Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (50)

HV-155F006 HPCI Injection Valve Power Operated N/A HV-155F012 (b)(c) HPCI Minimum Flow Valve Power Operated N/A HV-155F042 (b)(c) HPCI Suction Valve Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (115)

HV-155F066 (a) HPCI Turbine Exhaust Valve Power Operated N/A HV-155F075 HPCI Vacuum Breaker Isolation Automatic Valve 3.b, 3.d (15)

Valve HV-155F079 HPCI Vacuum Breaker Isolation Automatic Valve 3.b, 3.d (15)

Valve HV-155F100 HPCI Steam Supply Valve Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (6)

XV-155F024A HPCI Valve Excess Flow Check N/A Valve XV-155F024 B HPCI Valve Excess Flow Check N/A Valve XV-155F024 C HPCI Valve Excess Flow Check N/A Valve XV-155F024 D HPCI Valve Excess Flow Check N/A Valve Liquid Radwaste HV-16108 A1 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

Collection HV-16108 A2 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

HV-16116 A1 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

HV-16116A2 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

Demin Water 1-41-017 (d) Demineralized Water Manual N/A 1-41-018 (d) Demineralized Water Manual N/A N/A Nuclear Boiler 141F010A(d) Feedwater Isolation Valve Manual Check 141F010 B (d) Feedwater Isolation Valve Manual Check N/A SUSQUEHANNA - UNIT 1 3.6-32

7 Rev. 19 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 4 of 11)

Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Nuclear Boiler 141F039 A (d) Feedwater Isolation Valve Manual Check N/A (continued) 141F039 B (d) Feedwater Isolation Valve Manual Check N/A 141818 A (d) Feedwater Isolation Valve Manual Check N/A 141818 B (d) Feedwater Isolation Valve Manual Check N/A HV-141F016 MSL Drain Isolation Valve Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (10)

HV-141F019 MSL Drain Isolation Valve Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (15)

HV-141 F022 A MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141F022 B MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141F022 C MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141F022 D MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141F028A HV-141F028 B HV-141F028 C HV-141F028 D MSIV MSIV MSIV MSIV Automatic Valve Automatic Valve Automatic Valve Automatic Valve 1.a, 1.b, 1.c, (5) 1.a, 1.b, 1.c, (5) 1.a, 1.b, 1.c, (5) 1.a, 1.b, 1.c, 1.d, 1.e 1.d, 1.e 1.d, 1.e 1.d, 1.e (5)

HV-141F032A Feedwater Isolation Valve Power Operated N/A Check HV-141F032 B Feedwater Isolation Valve Power Operated N/A Check XV-141F009 Nuclear Boiler EFCV Excess Flow Check N/A Valve XV-141F070 A Nuclear Boiler EFCV Excess Flow Check N/A Valve XV-141F070 B Nuclear Boiler EFCV Excess Flow Check N/A Valve XV-141F070 C Nuclear Boiler EFCV Excess Flow Check N/A Valve XV-141F070 D Nuclear Boiler EFCV Excess Flow Check N/A Valve XV-141F071 A Nuclear Boiler EFCV Excess Flow Check N/A Valve XV-141F071 B Nuclear Boiler EFCV Excess Flow Check N/A Valve XV-141F071 C Nuclear Boiler EFCV Excess Flow Check N/A Valve

XV-141F071 D SUSQUEHANNA - UNIT 1 Nuclear Boiler EFCV 3.6-33 Excess Flow Check Valve N/A

Rev. 19 PCIVs

Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 5 of 11)

B 3.6.1.3 Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Nuclear Boiler XV-141F072A Nuclear Boiler EFCV Excess Flow Check NIA (continued) Valve XV-141F072 B Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F072 C Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F072 D Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 A Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 B Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 C Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 D Nuclear Boiler EFCV Excess Flow Check NIA Valve Nuclear Boiler XV-14201 Nuclear Boiler Vessel Instrument Excess Flow Check NIA Vessel Valve Instrumentation XV-14202 Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F041 Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F043 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F043 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F045 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F045 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F047 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F047 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F051 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F051 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F051 C Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F051 D Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F053 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F053 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve SUSQUEHANNA - UNIT 1 3.6-34

7 Rev. 19 PCIVs

B 3.6.1.3 Table 8 3.6.1.3-1 Primary Containment Isolation Valve (Page 6 of 11)

Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Nuclear Boiler XV-142F053 C Nuclear Boiler Vessel Instrument Excess Flow Check N/A Vessel Valve Instrumentation XV-142F053 D Nuclear Boiler Vessel Instrument Excess Flow Check N/A (continued) Valve XV-142F055 Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F057 Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 A Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 B Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 C Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 D Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 E Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 F Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 G Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 H Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 L Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 M Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 N Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 P Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 R Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 S Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 T Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 U Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F061 Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve RBCCW HV-11313 RBCCW Automatic Valve 2.c, 2.d (30)

HV-11314 RBCCW Automatic Valve 2.c, 2.d (30)

HV-11345 RBCCW Automatic Valve 2.c, 2.d (30)

HV-11346 RBCCW Automatic Valve 2.c, 2.d (30)

SUSQUEHANNA - UNIT 1 3.6-35

Rev. 19 PCIVs

Table 8 3.6.1.3-1 Primary Containment Isolation Valve (Page 7 of 11)

B 3.6.1.3 Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

RCIC 1-49-020 (d) RCIC INJECTION Manual N/A 149F021 (b)(c)(d) RCIC Minimum Recirculation Flow Manual Check N/A 149F028 (a)(d) RCIC Vacuum Pump Discharge Manual Check NIA 149F040 (a)(d) RCIC Turbine Exhaust Manual Check N/A FV-149F019 (b)(c) RCIC Minimum Recirculation Flow Power Operated N/A HV-149F007 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (20)

HV-149F008 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (20)

HV-149F013 RCIC Injection Power Operated N/A HV-149F031 (b)(c) RCIC Suction Power Operated N/A HV-149F059 (a) RCIC Turbine Exhaust Power Operated N/A HV-149F060 (a) RCIC Vacuum Pump Discharge Power Operated N/A HV-149F062 RCIC Vacuum Breaker Automatic Valve 4.b, 4.d (10)

HV-149F084 RCIC Vacuum Breaker Automatic Valve 4.b, 4.d (10)

HV-149F088 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (12)

XV-149F044 A RCIC Excess Flow Check N/A Valve XV-149F044 B RCIC Excess Flow Check N/A Valve XV-149F044 C RCIC Excess Flow Check N/A Valve XV-149F044 D RCIC Excess Flow Check N/A Valve RB Chilled HV-18781 A1 RB Chilled Water Automatic Valve 2.c, 2.d (40)

Water System HV-18781 A2 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-18781 81 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-18781 B2 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-18782 A1 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18782 A2 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18782 81 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18782 82 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18791 A1 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18791 A2 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18791 81 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18791 82 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18792 A1 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-18792A2 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-18792 81 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-18792 82 RB Chilled Water Automatic Valve 2.b, 2.d (8)

Reactor 143F013 A (d) Recirculation Pump Seal Water Manual Check N/A Recirculation 143F013 B (d) Recirculation Pump Seal Water Manual Check N/A SUSQUEHANNA - UNIT 1 3.6-36

Rev. 19 PCIVs

Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 8 of 11)

B 3.6.1.3 Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Reactor XV-143F003 A Reactor Recirculation Excess Flow Check NIA Recirculation Valve (continued) XV-143F003 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F004 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F004 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 D Reactor Recirculation Excess Flow Check NIA Valve XV-143F010A Reactor Recirculation Excess Flow Check NIA Valve XV-143F010 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F010 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F010 D Reactor Recirculation Excess Flow Check NIA Valve XV-143F011 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F011 B Reactor Recirculation Excess Flow Check NIA Valve XV-1_43F011 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F011 D Reactor Recirculation Excess Flow Check NIA Valve XV-143F012 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F012 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F012 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F012 D Reactor Recirculation Excess Flow Check NIA Valve XV-143F017 A Recirculation Pump Seal Water Excess Flow Check NIA Valve XV-143F017 B Recirculation Pump Seal Water Excess Flow Check NIA Valve XV-143F040 A Reactor Recirculation Excess Flow Check NIA Valve SUSQUEHANNA - UNIT 1 3.6-37

7 Rev. 19 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 9 of 11)

Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

Reactor XV-143F040 B Reactor Recirculation Excess Flow Check N/A Recirculation Valve (continued) XV-143F040 C Reactor Recirculation Excess Flow Check N/A Valve XV-143F040 D Reactor Recirculation Excess Flow Check N/A Valve XV-143F057 A Reactor Recirculation Excess Flow Check N/A Valve XV-143F057 B Reactor Recirculation Excess Flow Check N/A Valve HV-143F019 Reactor Coolant Sample Automatic Valve 2.b (9)

HV-143F020 Reactor Coolant Sample Automatic Valve 2.b (2)

Residual Heat HV-151 F004 A (b)(c) RHR - Suppression Pool Suction Power Operated N/A Removal HV-151F004 B (b)(c) RHR - Suppression Pool Suction Power Operated N/A HV-151F004 C (b)(c) RHR - Suppression Pool Suction Power Operated N/A HV-151F004 D (b)(c) RHR - Suppression Pool Suction Power Operated NIA HV-151F007 A (b)(c) RHR-Minimum Recirculation Flow Power Operated N/A HV-151F007 B (b)(c) RHR-Minimum Recirculation Flow Power Operated N/A HV-151F008 (h) RHR - Shutdown Cooling Suction Automatic Valve 6.a, 6.b, 6.c (52)

HV-151F009 (h) RHR - Shutdown Cooling Suction Automatic Valve 6.a, 6.b, 6.c (52)

HV-151 F011 A (b)(d) RHR-Suppression Pool Manual N/A (h) Cooling/Spray HV-151F011 B (b)(d) RHR-Suppression Pool Manual N/A (h) Cooling/Spray HV-151 F015 A (f) (h) RHR - Shutdown Cooling Power Operated N/A Return/LPG! Injection HV-151F015 B (f) (h) RHR - Shutdown Cooling Power Operated N/A Return/LPG! Injection HV-151F016A(b) (h) RHR - Drywell Spray Automatic Valve 2.c, 2.d (90)

HV-151F016 B (b) (h) RHR - Drywell Spray Automatic Valve 2.c, 2.d (90)

HV-151F022 (h) RHR - Reactor Vessel Head Spray Automatic Valve 2.d, 6.a, 6.b, 6.c (30)

HV-151 F023 (h) RHR - Reactor Vessel Head Spray Automatic Valve 2.d, 6.a, 6.b, 6.c (20)

HV-151 F028 A (b) (h) RHR - Suppression Pool Automatic Valve 2.c, 2.d (90)

Cooling/Spray HV-151F028 B (b) (h) RHR - Suppression Pool Automatic Valve 2.c, 2.d (90)

Cooling/Spray HV-151 F050 A (g) RHR - Shutdown Cooling Air Operated Check N/A Return/LPG! Injection Valve Valve HV-151 F050 B (g) RHR - Shutdown Cooling Air Operated Check N/A Return/LPCI Injection Valve Valve HV-151 F103 A (b) RHR Heat Exchanger Vent Power Operated N/A HV-151F103 B (b) RHR Heat Exchanger Vent Power Operated N/A

SUSQUEHANNA- UNIT 1 3.6-38

Rev. 19 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 10 of 11)

Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Ty-pe of Valve Function No.

(Maximum Isolation Time (Seconds))

Residual Heat HV-151 F122 A (g) RHR - Shutdown Cooling Power Operated NIA Removal ReturnlLPCI Injection Valve (Air)

(continued) HV-151F122 B (g) RHR - Shutdown Cooling Power Operated NIA ReturnlLPCI Injection Valve (Air)

PSV-15106 A (b)(d) RHR - Relief Valve Discharge Relief Valve NIA PSV-15106 B (b)(d) RHR - Relief Valve Discharge Relief Valve NIA PSV-151F126 (d) (h) RHR - Shutdown Cooling Suction Relief Valve NIA XV-15109A RHR Excess Flow Check NIA Valve XV-15109 B RHR Excess Flow Check NIA Valve XV-15109 C RHR Excess Flow Check NIA Valve XV-15109 D RHR Excess Flow Check NIA Valve RWCU HV-144F001 (a) RWCU Suction Automatic Valve 5.a, 5.b, 5.c, 5.d, 5.f, 5_g (30)

HV-144F004 (a) RWCU Suction Automatic Valve 5.a, 5.b, 5.c, 5.d, 5.e, 5.f, 5.g (30)

XV-14411 A RWCU Excess Flow Check NIA Valve XV-14411 B RWCU Excess Flow Check NIA Valve XV-14411 C RWCU Excess Flow Check NIA Valve XV-14411 D RWCU Excess Flow Check NIA Valve XV-144F046 RWCU Excess Flow Check NIA Valve HV-14182 A RWCU Return Isolation Valve Power Operated NIA HV-14182 B RWCU Return Isolation Valve Power Operated NIA SLCS 148F007 (a)(d) SLCS Manual Check NIA HV-148F006 (a) SLCS Power Operated NIA Check Valve TIP System C51-J004 A (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 B (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 C (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 D (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 E (Shear TIP Shear Valves Squib Valves NIA Valve)

SUSQUEHANNA - UNIT 1 3.6-39

Rev. 19 PCIVs B 3.6.1.3 Table 8 3.6.1.3-1 Primary Containment Isolation Valve (Page 11 of 11)

Isolation Signal LCO 3.3.6.1 Plant System Valve Number Valve Description Type of Valve Function No.

(Maximum Isolation Time (Seconds))

TIP System C51-J004 A (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

(continued) Valve)

C51-J004 B (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 C (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 D (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 E (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

(a) Isolation barrier remains water filled or a water seal remains in the line post-LOCA, isolation valve is tested with water. Isolation valve leakage is not included in 0.60 La total Type B and C tests.

(b) Redundant isolation boundary for this valve is provided by the closed system whose integrity is verified by the Leakage Rate Test Program. This footnote does not apply to valve 155F046 (HPCI) when the associated PCIV, HV155F012 is closed and deactivated. Similarly, this footnote does not apply to valve 149F021 (RCIC) when it's associated PCIV, FV149F019 is closed and deactivated .

(c) Containment Isolation Valves are not Type C tested. Containment bypass leakage is prevented since the line terminates below the minimum water level in the Suppression Chamber. Refer to the 1ST Program.

(d) LCO 3.3.3.1, "PAM Instrumentation," Table 3.3.3.1-1, Function 6, does not apply since these are relief valves, check valves, manual valves or deactivated and closed.

(e) The containment isolation barriers for the penetration associated with this valve consists of two PCIVs and a closed system. The closed system provides a redundant isolation boundary for both PCIVs, and its integrity is required to be verified by the Leakage Rate Test Program.

(f) Redundant isolation boundary for this valve is provided by the closed system whose integrity is verified by the Leakage Rate Test Program.

(g) These valves are not required to be 10 CFR 50, Appendix J tested since the HV-151 F015A(B) valves (see note (h)) and a closed system form the 10 CFR 50, Appendix J boundary. These valves form a high/low pressure interface and are pressure tested in accordance with the pressure test program.

(h) Isolation barrier remains filled or a water seal remains in the line post-LOCA. Type C testing is not required .

SUSQUEHANNA - UNIT 1 3.6-40

Rev. 19 PCIVs B 3.6.1.3 Table 8 3.6.1.3-2 Secondary Containment Bypass Leakage Isolation Valves (Not PCIVs)

(Page 1 of 1)

Isolation Signal LCO 3.3.6.1 Function Plant System Valve Number Valve Description Type of Valve No. (Maximum Isolation Time (Seconds))

Residual Heat HV-151F040 RHR - RADWASTE LINE 18 ISO Automatic Valve 2.a, 2.d (45)

Removal VLV HV-151F049 RHR - RADWASTE LINE OB ISO Automatic Valve 2.a, 2.d (20)

VLV 1-51-136 RHR - COND TRANSFER 08 SCBL Check Valve N/A CHECK VALVE 1-51-137 RHR - COND TRANSFER 18 SCBL Check Valve NIA CHECK VALVE Core Spray 1-52-F029A (U1 Only) CS LOOP A/8 FILL WATER 08 Check Valve N/A 1-52-F0298 (U1 Only) SCBL CHECK VALVE 1-52-F030A (U1 Only) CS LOOP A/8 FILL WATER 18 SCBL Check Valve N/A 1-52-F0308 (U1 Only) CHECK VALVE SUSQUEHANNA - UNIT 1 3.6-40a

Rev.2 Suppression Chamber-to-Drywell Vacuum Breakers

- B 3.6 CONTAINMENT SYSTEMS B 3.6.1.6 B 3.6.1.6 Suppression Chamber-to-Drywell Vacuum Breakers BASES BACKGROUND The function of the suppression-chamber-to-drywell vacuum breakers is to relieve vacuum in the drywell. There are five pairs of vacuum breakers. Each pair consists of two valves in series. They are attached to the capped downcomers to allow air and steam flow from the suppression chamber to the drywell when the drywell is at a negative pressure with respect to the suppression chamber. Therefore, suppression chamber-to-drywell vacuum breakers prevent an excessive negative differential pressure across the suppression chamber drywell boundary. Each vacuum breaker is a self actuating valve, similar to a check valve, which can be remotely operated for testing purposes.

A negative differential pressure across the drywell floor is caused by rapid depressurization of the drywell. Events that cause this rapid depressurization are cooling cycles, inadvertent drywell spray actuation, and steam condensation from sprays or subcooled water reflood of a break in the event of a primary system rupture. Cooling cycles result in minor pressure transients in the drywell that occur slowly and are normally controlled by heating and ventilation equipment. Spray actuation or spill of subcooled water out of a break results in more significant pressure transients and becomes important in sizing the internal vacuum breakers.

In the event of a primary system rupture, steam condensation within the drywell results in the most severe pressure transient. Following a primary system rupture, nitrogen and non-combustibles in the drywell are purged into the suppression chamber free airspace, leaving the drywell full of steam. Subsequent condensation of the steam can be caused in two possible ways, namely, Emergency Core Cooling Systems flow from a recirculation line break, or drywell spray actuation following a loss of coolant accident (LOCA). These two cases determine the maximum depressurization rate of the drywell.

APPLICABLE Analytical methods and assumptions involving the suppression SAFETY chamber-to-drywell vacuum breakers are presented in Reference 1 as ANALYSES part of the accident response of the primary containment systems.

Suppression chamber-to-drywell vacuum breakers are provided as part of the primary containment to limit the negative differential pressure across the drywell and suppression chamber floor .

SUSQUEHANNA- UNIT 1 3.6-47

Rev.2 Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1*.6 BASES APPLICABLE The safety analyses assume that the vacuum breakers are closed initially

. SAFETY and are open at a differential pressure of~ 2.81 psid (Ref. 1).

ANALYSES Additionally, one of the five vacuum breaker pairs is assumed to fail in a (continued) closed position (Ref. 1). The results of the analyses show that the design pressure is not exceeded even under the worst case accident scenario.

Design Basis Accident (OBA) analyses require the vacuum breakers to be closed initially and to remain closed and leak tight, with the suppression pool at a positive pressure relative to the drywell.

The suppression chamber-to-drywell vacuum breakers satisfy Criterion 3 of the NRG Policy Statement. (Ref. 2)

LCO All suppression chamber-to-drywell vacuum breakers are required to be OPERABLE and closed (except during testing or when the vacuum breakers are performing their intended design function). The vacuum breaker OPERABILITY requirement provides assurance that the drywell-to-suppression chamber negative differential pressure remains below the design value. The requirement that the vacuum breakers be closed ensures that there is no excessive bypass leakage should a LOCA occur.

APPLICABILITY In MODES 1, 2, and 3, excessive negative pressure inside the drywell could occur due to inadvertent actuation of containment spray. The vacuum breakers, therefore, are required to be OPERABLE in MODES 1, 2, and 3 to mitigate the effects of inadvertent actuation of containment spray.

Also, in MODES 1, 2, and 3, a OBA could result in excessive negative differential pressure across the drywell floor, caused by the rapid depressurization of the drywell. The event that results in the limiting rapid depressurization of the drywell *is the primary system rupture that purges the drywell of air and fills the drywell free airspace with steam.

Subsequent condensation of the steam would result in depressurization of the drywell. The limiting pressure and temperature of the primary system prior to a OBA occur in MODES 1, 2, and 3.

In MODES 4 and 5, the probability and consequences of these events are reduced by the pressure and temperature limitations in these MODES; therefore, maintaining suppression chamber-to-drywell vacuum breakers OPERABLE is not required in MODE 4 or 5.

SUSQUEHANNA - UNIT 1 3.6-48

Rev. 2 Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES ACTIONS A.1 With one of the vacuum breaker pairs inoperable for opening (e.g., the vacuum breaker is not open and may be stuck closed or not within its opening setpoint limit, so that it would not function as designed during an event that depressurized the drywell), the remaining four OPERABLE vacuum breaker pairs are capable of providing the vacuum relief function.

However, overall system reliability is reduced because a single failure in one of the remaining vacuum breaker pairs could result in an excessive suppression chamber-to-drywell differential pressure during a limiting plant event. Therefore, with one of the five vacuum breaker pairs inoperable, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed to restore the inoperable vacuum breaker pairs to OPERABLE status so that plant conditions are consistent with those assumed for the design basis analysis. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is considered acceptable due to the low probability of an event in which the remaining vacuum breaker capability would not be adequate.

8.1 and B.2

With one of the two suppression chamber-to-drywell vacuum breakers in a pair not closed, the remaining closed vacuum breaker is capable of preventing direct communication between the drywell and the suppression chamber airspace. However, overall system reliability is

~educed because a single failure in the one remaining vacuum breaker could result in direct communication between the drywell and the suppression chamber airspace, and, as a result, there is the potential for suppression chamber overpressurization due to this bypass leakage if a LOCA were to occur. Therefore, with one of the two vacuum breakers in a pair not closed and the other verified closed within two hours, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed to close the open vacuum breaker so that plant conditions are consistent with those assumed for the design basis analysis. If the vacuum breaker position indication is not reliable, an alternate method of verifying that the vacuum breaker is closed is to verify that a differential pressure of 0.5 psid between the drywell and suppression chamber is maintained for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months without make-up. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is considered acceptable due to the low probability of an event in which the remaining vacuum breaker capability would not be adequate.

C. 1 Two open vacuum breakers in a vacuum breaker pair allows communication between the drywell and suppression chamber airspace, and, as a result, there is the potential for containment overpressurization due to the loss of the pressure suppression function. Therefore, one SUSQUEHANNA - UNIT 1 3.6-49

Rev.2 Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES

. ACTIONS C.1 (continued)

(continued) open vacuum breaker must be closed. A short time is allowed to close the vacuum breaker due to the low probability of an event that would pressurize primary containment. If vacuum breaker position indication is not reliable, an alternate method of verifying that the vacuum breakers are closed is to verify that a differential pressure of 0.5 psid between the suppression chamber and drywell is maintained for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months without makeup. The required 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is considered adequate to perform this test.

D.1 and D.2 If the inoperable suppression chamber-to-drywell vacuum breaker cannot be closed or restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.1.6.1 REQUIREMENTS Each vacuum breaker is verified closed to ensure that this potential large bypass leakage path is not present. This Surveillance is performed by observing the vacuum breaker position indication or by verifying that a differential pressure of 0.5 psid between the suppression chamber and drywell is maintained for 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months without makeup. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This verification is also required within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after discharge of steam to the suppression chamber from safety/relief valve operation.

A Note is added to this SR which allows suppression chamber-to-drywell vacuum breakers opened in conjunction with the performance of a Surveillance to not be considered as failing this SR. These periods of opening vacuum breakers are controlled by plant procedures and do not represent inoperable vacuum breakers.

SR 3.6.1.6.2 Each required vacuum breaker must be cycled to ensure that it opens adequately to perform its design function and returns to the fully closed position. This ensures that the safety analysis assumptions are valid .

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA - UNIT 1 3.6-50

Rev. 2 Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES SURVEILLANCE SR 3.6.1.6.2 (continued)

REQUIREMENTS (continued) In addition, this functional test is required within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after either a discharge of steam to the suppression chamber from safety/relief valve operation or after an operation that causes any of the vacuum breakers to open.

SR 3.6.1.6.3 Verification of the vacuum breaker opening setpoint is necessary to ensure that the safety analysis assumption regarding vacuum breaker open differential pressure setpoint is valid. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.2.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132) .

SUSQUEHANNA - UNIT 1 3.6-51

Rev.2 Suppression Chamber-to-Drywell Vacuum Breakers B 3.6.1.6 BASES

- THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.6-52

Rev. 3 RHR Suppression Pool Cooling B 3.6.2.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling BASES BACKGROUND Following a Design Basis Accident (OBA), the RHR Suppression Pool Cooling System removes heat from the suppression pool. The suppression pool is designed to absorb the sudden input of heat from the primary system. In the long term, the pool continues to absorb residual heat generated by fuel in the reactor core. Some means must be provided to remove heat from the suppression pool so that the temperature inside the primary containment remains within design limits. This function is provided by two redundant RHR suppression pool cooling subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES.

Each RHR subsystem contains either one of the two RHR pumps and a flow path capable of recirculating water from the suppression chamber through an RHR heat exchanger and is manually initiated and independently controlled. The two subsystems perform the suppression pool cooling function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool. RHR service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat sink.

The heat removal capability of one RHR pump in one subsystem is sufficient to meet the overall OBA pool cooling requirement for loss of coolant accidents (LOCAs) and transient events such as a turbine trip or stuck open safety/relief valve (S/RV). S/RV leakage and High Pressure Coolant Injection and Reactor Core Isolation Cooling System testing increase suppression pool temperature more slowly. The RHR Suppression Pool Cooling System is also used to lower the suppression pool water bulk temperature following such events.

APPLICABLE Reference 1 contains the results of analyses used to predict primary SAFETY containment pressure and temperature following large and small break ANALYSES LOCAs. The intent of the analyses is to demonstrate that the heat removal capacity of the RHR Suppression Pool Cooling System is adequate to maintain the primary containment conditions within design limits. The suppression pool temperature is calculated to remain below the design limit.

The RHR Suppression Pool Cooling System satisfies Criterion 3 of the NRC Policy Statement. (Ref. 3)

SUSQUEHANNA- UNIT 1 3.6-62

Rev.3 RHR Suppression Pool Cooling B 3.6.2.3 BASES LCO During a OBA, a minimum of one RHR suppression pool cooling subsystem is required to maintain the primary containment peak pressure and temperature below design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool cooling subsystems must be OPERABLE. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure.

An RHR suppression pool cooling subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE.

APPLICABILITY In MODES 1, 2, and 3, a OBA could cause a release of radioactive material to primary containment and cause a heatup and pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, the RHR Suppression Pool Cooling System is not required to be OPERABLE in MODE 4 or 5.

ACTIONS A.1

With one RHR suppression pool cooling subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. In this Condition, the remaining RHR suppression pool cooling subsystem is adequate to perform the primary containment cooling function. However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in loss of primary containment cooling capability.

The 7 day Completion Time is acceptable in light of the redundant RHR suppression pool cooling capabilities afforded by the OPERABLE subsystem and the low probability of a OBA occurring during this period.

B.1 With two RHR suppression pool cooling subsystems inoperable, one subsystem must be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . In this condition, there is a substantial loss the of primary containment pressure and temperature mitigation function. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is based on this loss of function and is considered acceptable due to the low probability of a OBA and the potential avoidance of a plant shutdown transient that could result in the need for the RHR suppression pool cooling subsystems to operate .

- SUSQUEHANNA- UNIT 1 3.6-63

Rev.3 RHR Suppression Pool Cooling B 3.6.2.3 BASES ACTIONS C.1 and C.2 (continued)

If the Required Action and associated Completion Time cannot be met the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.2.3.1 REQUIREMENTS Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool cooling mode flow path provides assurance that the proper flow path exists for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.2.3.2 Verifying that each RHR pump develops a flow rate ~ 9750 gpm while operating in the suppression pool cooling mode with flow through the associated heat exchanger ensures that pump performance has not degraded during the cycle. Flow is a normal test of centrifugal pump performance required by ASME OM Code (Ref. 2). This test confirms one point on the pump design curve, and the results are indicative of overall performance. Such inservice inspections confirm component OPERABILITY, trend performance, and detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the lnservice Testing Program .

SUSQUEHANNA- UNIT 1 3.6-64

Rev.3 RHR Suppression Pool Cooling

. BASES REFERENCES 1. FSAR, Section 6.2.

B 3.6.2.3

2. ASME Operation and Maintenance Code.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA- UNIT 1 3.6-65

Rev. 2 RHR Suppression Pool Spray

- B 3.6 CONTAINMENT SYSTEMS B 3.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray B 3.6.2.4 BASES BACKGROUND Following a Design Basis Accident (OBA), the RHR Suppression Pool Spray System removes heat from the suppression chamber airspace. The suppression pool is designed to absorb the sudden input of heat from the primary system from a OBA or a rapid depressurization of the reactor pressure vessel (RP\/) through safety/relief valves. The heat addition to the suppression pool results in increased steam in the suppression chamber, which increases primary containment pressure. Steam blowdown from a OBA can also bypass the suppression pool and end up in the suppression chamber airspace. Some means must be provided to remove heat from the suppression chamber so that the pressure and temperature inside primary containment remain within analyzed design limits. This function is provided by two redundant RHR suppression pool spray subsystems. The purpose of this LCO is to ensure that both subsystems are OPERABLE in applicable MODES .

Each of the two RHR suppression pool spray subsystems includes either one of the two RHR pumps and a flow path capable of recirculating water from the suppression chamber through the RHR heat exchanger, and is manually initiated and independently controlled. The two subsystems perform the suppression pool spray function by circulating water from the suppression pool through the RHR heat exchangers and returning it to the suppression pool spray spargers. The spargers only accommodate a small portion of the total RHR pump flow; the remainder of the flow normally returns to the suppression pool through the suppression pool cooling return line. Thus, both suppression pool cooling and suppression pool spray functions are normally performed when the Suppression Pool Spray System is initiated. RHR service water, circulating through the tube side of the heat exchangers, exchanges heat with the suppression pool water and discharges this heat to the external heat sink. Either RHR suppression pool spray subsystem is sufficient to condense the steam from small bypass leaks from the drywell to the suppression chamber airspace during the postulated OBA.

- SUSQUEHANNA- UNIT 1 3.6-66

Rev. 2 RHR Suppression Pool Spray B 3.6.2.4 BASES APPLICABLE Reference 1 contains the results of analyses used to predict primary SAFETY containment pressure and temperature following large and small break loss ANALYSES of coolant accidents. The intent of the analyses is to demonstrate that the pressure reduction capacity of the RHR Suppression Pool Spray System is adequate to maintain the primary containment conditions within design limits. The time history for primary containment pressure is calculated to demonstrate that the maximum pressure remains below the design limit.

The RHR Suppression Pool Spray System satisfies Criterion 3 of the NRC Policy Statement. (Ref. 2)

LCO In the event of a OBA, a minimum of one RHR suppression pool spray subsystem is required to mitigate potential bypass leakage paths and maintain the primary containment peak pressure below the design limits (Ref. 1). To ensure that these requirements are met, two RHR suppression pool spray subsystems must be OPERABLE. Therefore, in the event of an accident, at least one subsystem is OPERABLE assuming the worst case single active failure. An RHR suppression pool spray subsystem is OPERABLE when one of the pumps, the heat exchanger, and associated piping, valves, instrumentation, and controls are OPERABLE.

APPLICABILITY In MODES 1, 2, and 3, a OBA could cause pressurization of primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining RHR suppression pool spray subsystems OPERABLE is not required in MODE 4 or 5.

ACTIONS A.1 With one RHR suppression pool spray subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. In this Condition, the remaining OPERABLE RHR suppression pool spray subsystem is adequate to perform the primary containment bypass leakage mitigation function.

However, the overall reliability is reduced because a single failure in the OPERABLE subsystem could result in reduced primary containment bypass mitigation capability. The 7 day Completion Time was chosen in light of the redundant RHR suppression pool spray capabilities afforded by the OPERABLE subsystem and the low probability of a OBA occurring during this period .

SUSQUEHANNA- UNIT 1 3.6-67

Rev. 2 RHR Suppression Pool Spray 8 3.6.2.4 BASES ACTIONS 8.1 (continued)

With both RHR suppression pool spray subsystems inoperable, at least one subsystem must be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . In this Condition, there is a substantial loss of the primary containment bypass leakage mitigation function. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is based on this loss of function and is considered acceptable due to the low probability of a OBA and alternate means to remove heat from primary containment are available.

C.1 and C.2 If the inoperable RHR suppression pool spray subsystem cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems .

SURVEILLANCE REQUIREMENTS SR 3.6.2.4.1 Verifying the correct alignment for manual, power operated, and automatic valves in the RHR suppression pool spray mode flow path provides assurance that the proper flow paths will exist for system operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position provided it can be aligned to the accident position within the time assumed in the accident analysis. This is acceptable since the RHR suppression pool cooling mode is manually initiated. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.2.4.2 The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA- UNIT 1 3.6-68

Rev. 2 RHR Suppression Pool Spray

BASES REFERENCES 1. FSAR, Section 6.2.

B 3.6.2.4

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132) .

SUSQUEHANNA- UNIT 1 3.6-69

Rev.8 RHRSW System and UHS B 3.7.1 B 3. 7 PLANT SYSTEMS B 3. 7.1 Residual Heat Removal Service Water (RHRSVV) System and the Ultimate Heat Sink (UHS)

BASES BACKGROUND The RHRSW System is designed to provide cooling water for the Residual Heat Removal (RHR) System heat exchangers, required for a safe reactor shutdown following a Design Basis Accident (OBA) or transient. The RHRSW System is operated whenever the RHR heat exchangers are required to operate in the shutdown cooling mode or in the suppression pool cooling or spray mode of the RHR System.

The RHRSW System consists of two independent and redundant subsystems. Each subsystem is made up of a header, one pump, a suction source, valves, piping, heat exchanger, and associated instrumentation. Either of the two subsystems is capable of providing the required cooling capacity to maintain safe shutdown conditions. The two subsystems are separated so that failure of one subsystem will not affect the OPERABILITY of the other subsystem. One Unit 1 RHRSW subsystem and the associated (same division) Unit 2 RHRSW subsystem constitute a single RHRSW loop. The two RHRSW pumps in a loop can

_each, independently, be aligned to either Unit's heat exchanger. The RHRSW System is designed with sufficient redundancy so that no single active component failure can prevent it from achieving its design function.

The RHRSW System is described in the FSAR, Section 9.2.6, Reference 1.

Cooling water is pumped by the RHRSW pumps from the UHS through the tube side of the RHR heat exchangers. After removing heat from the RHRSW heat exchanger, the water is discharged to the spray pond (UHS) by way of the UHS return loops. The UHS return loops direct the return flow to a network of sprays that dissipate the heat to the atmosphere or directly to the UHS via a bypass header.

The system is initiated manually from the control room except for the spray array bypass manual valves that are operated locally in the event of a failure of the spray array bypass valves. The system can be started any time the LOCA signal is manually overridden or clears.

SUSQUEHANNA - UNIT 1 3.7-1

Rev. 8 RHRSW System and UHS B 3.7.1 BASES BACKGROUND The ultimate heat sink (UHS) system is composed of approximately (continued) 3,300,000 cubic foot spray pond and associated piping and spray risers.

Each UHS return loop contains a bypass line, a large spray array and a small spray array. The purpose of the UHS is to provide both a suction source of water and a return path for the RHRSW and ESW systems. The function of the UHS is to provide water to the RHRSW and ESW systems at a temperature less than the 97°F design temperature of the RHRSW and ESW systems. UHS temperature is maintained less than the design temperature by introducing the hot return fluid from the RHRSW and ESW systems into the spray loops and relying on spray cooling to maintain temperature. The UHS is designed to supply the RHRSW and ESW systems with all the cooling capacity required during a combination LOCA/LOOP for thirty days without fluid addition. The UHS is described in the FSAR, Section 9.2.7 (Reference 1).

APPLICABLE The RHRSW System removes heat from the suppression pool to limit the SAFETY suppression pool temperature and primary containment pressure following ANALYSES a LOCA. This ensures that the primary containment can perform its function of limiting the release of radioactive materials to the environment following a LOCA. The ability of the RHRSW System to support long term cooling of the reactor or primary containment is discussed in the FSAR, Chapters 6 and 15 (Refs. 2 and 3, respectively). These analyses explicitly assume that the RHRSW System will provide adequate cooling support to the equipment required for safe shutdown. These analyses include the evaluation of the long term primary containment response after a design basis LOCA.

The safety analyses for long term cooling were performed for various combinations of RHR System failures and RHRSW and UHS configurations. As discussed in the FSAR, Section 6.2.2 (Ref. 2) for these analyses, manual initiation of the OPERABLE RHRSW subsystem and the associated RHR System is required. The maximum suppression chamber water temperature and pressure are analyzed to be below the design temperature of 220°F and maximum allowable pressure of 53 psig.

The UHS design takes into account the cooling efficiency of the spray arrays and the evaporation losses during design basis environmental conditions. The spray array bypass header provides the flow path for the ESW and RHRSW system to keep the spray array headers from freezing.

The small and/or large spray arrays are placed in service to dissipate heat returning from the plant. The UHS return header is comprised of the spray array bypass header, the large spray array, and the small spray array.

SUSQUEHANNA - UNIT 1 3.7-2

Rev.a RHRSW System and UHS

- BASES APPLICABLE SAFETY The spray array bypass header is capable of passing full flow fyom the RHRSW and ESW systems in each loop. The large spray array is capable B3.7.1 ANALYSES of passing full flow from the RHRSW and ESW systems in each loop. The (continued) small spray array supports heat dissipation when low system flows are required.

The RHRSW System, together with the UHS, satisfy Criterion 3 of the NRC Policy Statement. (Ref. 4)

LCO Two RHRSW subsystems are required to be OPERABLE to provide the required redundancy to ensure that the system functions to remove post accident heat loads, assuming the worst case single active failure occurs coincident with the loss of offsite power.

An RHRSW subsystem is considered OPERABLE when:

a. One pump is OPERABLE; and

b. An OPERABLE flow path is capable of taking suction from the UHS and transferring the water to the RHR heat exchanger and returning it to the UHS at the assumed flow rate, and

c. An OPERABLE UHS.

The OPERABILITY of the UHS is based on having a minimum water level at the overflow weir of 678 feet 1 inch above mean sea level and a maximum water temperature of 85°F; unless either unit is in MODE 3. If a unit enters MODE 3, the time of entrance into this condition determines the appropriate maximum ultimate heat sink fluid temperature. If the earliest unit to enter MODE 3 has been in that condition for less than twelve (12) hours, the peak temperature to maintain OPERABILITY of the ultimate heat sink remains at 85°F. If either unit has been in MODE 3 for more than twelve (12) hours but less than twenty-four (24) hours, the OPERABILITY temperature of the ultimate heat sink becomes 87°F. If either unit has been in MODE 3 for twenty-four (24) hours or more, the OPERABILITY temperature of the ultimate heat sink becomes 88°F.

In addition, the OPERABILITY of the UHS is based on having sufficient spray capacity in the UHS return loops. Sufficient spray capacity is defined as one large and one small spray array in one loop.

This OPERABILITY definition is supported by analysis and evaluations performed in accordance with the guidance given in Regulatory Guide 1.27 .

SUSQUEHANNA - UNIT 1 3.7-3

Rev.8 RHRSW System and UHS 83.7.1 BASES APPLICABILITY In MODES 1, 2, and 3, the RHRSW System and the UHS are required to be OPERABLE to support the OPERABILITY of the RHR System for primary containment cooling (LCO 3.6.2.3, "Residual Heat Removal (RHR)

Suppression Pool Cooling," and LCO 3.6.2.4, "Residual Heat Removal (RHR) Suppression Pool Spray") and decay heat removal (LCO 3.4.8, "Residual Heat Removal (RHR) Shutdown Cooling System-Hot Shutdown"). The Applicability is therefore consistent with the requirements of these systems.

Although the LCO for the RHRSW System and the UHS is not applicable in MODES 4 and 5, the capability of the RHRSW System and UHS to perform their necessary related support functions may be required for OPERABILITY of supported systems.

ACTIONS The ACTIONS are modified by a Note indicating that the applicable Conditions of LCO 3.4.8, be entered and Required Actions taken if the inoperable RHRSW subsystem results in inoperable RHR shutdown cooling (SOC) (i.e., both the Unit 1 and Unit 2 RHRSW pumps in a loop are inoperable resulting in the associated RHR SOC system being inoperable).

This is an exception to LCO 3.0.6 because the Required Actions of LCO 3. 7.1 do not adequately compensate for the loss of RHR SOC Function (LCO 3.4.8).

Condition A is modified by a separate note to allow separate Condition entry for each valve. This is acceptable since the Required Action for this Condition provides appropriate compensatory actions.

A 1, A.2, and A.3 With one spray array bypass valve not capable of being closed on demand, the associated Unit 1 and Unit 2 RHRSW subsystems cannot use the spray cooling function of the affected UHS return loop. As a result, the associated RHRSW subsystem must be declared inoperable.

With one spray array bypass valve not capable of being opened on demand, a return flow path is not available. As a result, the associated RHRSW subsystems must be declared inoperable.

With one spray array bypass manual valve not capable of being closed, the associated Unit 1 and Unit 2 RHRSW subsystems cannot use the spray cooling function of the affected UHS return path if the spray array bypass valve fails to close. As a result, the associated RHRSW subsystems must be declared inoperable .

SUSQUEHANNA - UNIT 1 3.7-4

Rev. 8 RHRSW System and UHS B 3.7.1 BASES ACTIONS A.1, A.2, and A.3 (continued)

(continued)

With one spray array bypass manual valve not open, a return flow path is not available. As a result, the associated RHRSW subsystems must be declared inoperable.

With one large spray array valve not capable of being opened on demand, the associated Unit 1 and Unit 2 RHRSW subsystems cannot use the full required spray cooling capability of the affected UHS return path. With one large spray array valve not capable of being closed on demand, the associated Unit 1 and Unit 2 RHRSW subsystems cannot use the small spray array when loop flows are low as the required spray nozzle pressure is not achievable for the small spray array. As a result, the associated RHRSW subsystems must be declared inoperable.

With one small spray array valve not capable of being opened on demand, the associated Unit 1 and Unit 2 RHRSW subsystems cannot use the spray cooling function of the affected UHS return path for low loop flow rates. For a single failure of the large spray array valve in the closed position, design bases LOCNLOOP calculations assume that flow is reduced on the affected loop within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months after the event to allow use of the small spray array. With one small spray array valve not capable of being closed on demand, the associated Unit 1 and Unit 2 RHRSW subsystems cannot use the large spray array for a flow path as the required nozzle pressure is not achievable for the large spray array. As a result, the associated RHRSW subsystems must be declared inoperable.

With any UHS return path valve listed in Tables 3.7.1-1, 3.7.1-2, or 3.7.1-3 inoperable, the UHS return path is no longer single failure proof.

For combinations of inoperable valves in the same loop, the UHS spray capacity needed to support the OPERABILITY of the associated Unit 1 and Unit 2 RHRSW subsystems is affected. As a result, the associated RHRSW subsystems must be declared inoperable.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months completion time to establish the flow path provides sufficient time to open a path and de-energize the appropriate valve in the open position.

The 72-hour completion time is based on the fact that, although adequate UHS spray loop capability exists during this time period, both units are affected and an additional single failure results in a system configuration that will not meet design basis accident requirements. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program .

- SUSQUEHANNA - UNIT 1 3.7-5

Rev.8 RHRSW System and UHS B 3.7.1 BASES ACTIONS A.1, A.2, and A.3 (continued)

(continued)

If an additional RHRSW subsystem on either Unit is inoperable, cooling capacity less than the minimum required for response to a design basis event would exist. Therefore, an 8-hour Completion Time is appropriate.

The 8-hour Completion Time provides sufficient time to restore inoperable equipment and there is a low probability that a design basis event would occur during this period. The Risk Informed Completion Time Program does not apply to the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time in Required Action A.3.

8.1 Required Action 8.1 is intended to ensure that appropriate actions are taken if one Unit 1 RHRSW subsystem is inoperable. Although designated and operated as a unitized system, the associated Unit 2 subsystem is directly connected to a common header, which can supply the associated RHR heat exchanger in either unit. The associated Unit 2 subsystem is considered capable of supporting the associated Unit 1 RHRSW subsystem when the Unit 2 subsystem is OPERABLE and can provide the assumed flow to the Unit 1 heat exchanger. A Completion time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , when the associated Unit 2 RHRSW subsystem is not capable of supporting the associated Unit 1 RHRSW subsystem, is allowed to restore the Unit 1 RHRSW subsystem to OPERABLE status. In this configuration, the remaining OPERABLE Unit 1 RHRSW subsystem is adequate to perform the RHRSW heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE RHRSW subsystem could result in loss of RHRSW function. The Completion Time is based on the redundant RHRSW capabilities afforded by the OPERABLE subsystem and the low probability of an event occurring requiring RHRSW during this period.

With one RHRSW subsystem inoperable, and the respective Unit 2 RHRSW subsystem capable of supporting the respective Unit 1 RHRSW subsystem, the design basis cooling capacity for both units can still be maintained even considering a single active failure. However, the configuration does reduce the overall reliability of the RHRSW System.

Therefore, provided the associated Unit 2 subsystem remains capable of supporting its respective Unit 1 RHRSW subsystem, the inoperable RHRSW subsystem must be restored to OPERABLE status within 7 days.

The 7-day Completion Time is based on the remaining RHRSW System heat removal capability.

Alternatively, for the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 7 day Completion Times in Required Action 8.1, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

SUSQUEHANNA - UNIT 1 3.7-6

Rev. 8 RHRSW System and UHS B 3.7.1 BASES ACTIONS (continued)

Additionally, the Completion Time to restore the Unit 1 RHRSW system has been extended to 14 days in order to complete the replacement of a portion of the Unit 2 ESW piping. This is a temporary extension of the Completion Time and is applicable during the Unit 2 ESW piping replacement. When utilizing the temporary Completion Time extension, the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time, 7 day Completion Time, and the Risk Informed Completion Time Program, as provided for Required Action B.1, do not apply.

In order to cope with the consequences of a LOCA/LOOP in Unit 1 during the extended Completion Time, the following compensatory measure is required: Provisions will be implemented to restore piping integrity to allow use of the Unit 1 RHRSW system within the current LCO Completion Time. Upon completion of the Unit 2 ESW piping replacement, this temporary extension is no longer applicable and wiil expire on June 25, 2027 .

Required Action C.1 is intended to ensure that appropriate actions are taken if both Unit 1 RHRSW subsystems are inoperable. Although designated and operated as a unitized system, the associated Unit 2 subsystem is directly connected to a common header which can supply the associated RHR heat exchanger in either unit. With both Unit 1 RHRSW

subsystems inoperable, the RHRSW system is still capable of performing its intended design function. However, the loss of an additional RHRSW subsystem on Unit 2 results in the cooling capacity to be less than the minimum required for response to a design basis event. Therefore, the 8-hour Completion Time is appropriate. The 8-hour Completion Time for restoring one RHRSW subsystem to OPERABLE status is based on the Completion Times provided for the RHR suppression pool spray function.

With both Unit 1 RHRSW subsystems inoperable, and both of the Unit 2 RHRSW subsystems capable of supporting their respective Unit 1 RHRSW subsystem, if no additional failures occur which impact the RHRSW

System, the remaining OPERABLE Unit 2 subsystems and flow paths provide adequate heat removal capacity following a design basis LOCA.

However, capability for this alignment is not assumed in long term containment response analysis and an additional single failure in the RHRSW System could reduce the system capacity below that assumed in the safety analysis.

SUSQUEHANNA - UNIT 1 3.7-6a

Rev.8 RHRSW System and UHS B 3.7.1 BASES ACTIONS C.1 (continued)

(continued)

Therefore, continued operation is permitted only for a limited time. One inoperable subsystem is required to be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time for restoring one inoperable RHRSW subsystem to OPERABLE status is based on the fact that the alternate loop is capable of providing the required cooling capability during this time period.

D.1 and D.2 If the RHRSW subsystems cannot be restored to OPERABLE status within the associated Completion Times, or the UHS is determined to be inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the water level to be sufficient for the proper operation of the RHRSW pumps (net positive suction head and pump vortexing are considered in determining this limit). The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.1.2 Verification of the UHS temperature, which is the arithmetical average of the UHS temperature near the surface, middle and bottom levels, ensures that the heat removal capability of the ESW and RHRSW Systems are within the assumptions of the OBA analysis. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.1.3 Verifying the correct alignment for each manual, power operated, and automatic valve in each RHRSW subsystem flow path provides assurance that the proper flow paths will exist for RHRSW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves are verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be realigned to its accident position. This is acceptable because the RHRSW System is a manually initiat_ed system.

SUSQUEHANNA - UNIT 1 3.7-6b

Rev.8 RHRSW System and UHS B 3.7.1 BASES SURVEILLANCE SR 3.7.1.3 (continued)

REQUIREMENTS (continued) This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.1.4 The UHS spray array bypass valves are required to actuate to the closed position for the UHS to perform its design function. These valves receive an automatic signal to open upon emergency service water (ESW) or residual heat removal service water (RHRSW) system pump start and are required to be operated from the control room or the remote shutdown panel. A spray bypass valve is considered to be inoperable when it cannot be closed on demand. Failure of the spray bypass valve to close on demand puts the UHS at risk to exceed its design temperature. The failure of the spray bypass valve to open on demand make~ one return path unavailable, and therefore the associated RHRSW subsystems must be declared inoperable. This SR demonstrates that the valves will move to their required positions when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.1.5 The UHS return header large spray array valves are required to open in order for the UHS to perform its design function. These valves are manually actuated from either the control room or the remote shutdown panel, under station operating procedure, when the RHRSW system is required to remove energy from the reactor vessel or suppression pool.

This SR demonstrates that the valves will move to their required positions when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.1.6 The small spray array valves HV-01224A2 and 82 are required to operate in order for the UHS to perform its design function. These valves are manually actuated from the control room or the remote shutdown panel, under station operating procedure, when the RHRSW system is required to remove energy from the reactor vessel or suppression pool. This SR demonstrates that the valves will move to their required positions when required. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA - UNIT 1 3.7-6c

Rev.a RHRSW System and UHS B 3.7.1 BASES SURVEILLANCE SR 3.7.1.7 REQUIREMENTS (continued) The spray array bypass manual valves 012287A and B are required to operate in the event of a failure of the spray array bypass valves to close in order for the UHS to perform its design function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 9.2.

2. FSAR, Chapter 6.

3. FSAR, Chapter 15.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.7-6d

Rev.6 ESWSystem B 3.7.2 B 3. 7 PLANT SYSTEMS B 3.7.2 Emergency Service Water (ESW) System BASES BACKGROUND The ESW System is designed to provide cooling water for the removal of heat from equipment, such as the diesel generators (DGs), residual heat removal (RHR) pump coolers, and room coolers for Emergency Core Cooling System equipment, required for a safe reactor shutdown following a Design Basis Accident (OBA) or transient. Upon receipt of a loss of offsite power or loss of coolant accident (LOCA) signal, ESW pumps are automatically started after a time delay.

The ESW System consists of two independent and redundant subsystems.

Each of the two ESW subsystems is made up of a header, two pumps, a suction source, valves, piping and associated instrumentation. The two subsystems are separated from each other so an active single failure in one subsystem will not affect the OPERABILITY of the other subsystem. A continuous supply of water is provided to ESW from the Service Water System for the keepfill system. This supply is not required for ESW operability.

Cooling water is pumped from the Ultimate Heat Sink (UHS) by the ESW pumps to the essential components through the two main headers. After removing heat from the components, the water is discharged to the spray pond (UHS) by way of a network of sprays that dissipate the heat to the atmosphere or directly to the UHS via a bypass header.

APPLICABLE Sufficient water inventory is available for all ESW System post LOCA SAFETY cooling requirements for a 30 day period with no additional makeup water ANALYSES source available. The ability of the ESW System to support long term cooling is assumed in evaluations of the equipment required for safe reactor shutdown presented in the FSAR, Chapters 4 and 6 (Refs. 1 and 2, respectively).

The ability of the ESW System to provide adequate cooling to the identified safety equipment is an implicit assumption for the safety analyses evaluated in References 1 and 2. The ability to provide onsite emergency AC power is dependent on the ability of the ESW System to cool the DGs.

The long term cooling capability of the RHR and core spray pumps is also dependent on the cooling provided by the ESW System.

The ESW System satisfies Criterion 3 of the NRG Policy Statement.

(Ref. 3)

SUSQUEHANNA - UNIT 1 3.7-7

Rev. 6 ESWSystem B 3.7.2 BASES LCO The ESW subsystems are independent of each other to the degree that each has separate controls, power supplies, and the operation of one does not depend on the other. In the event of a OBA, one subsystem of ESW is required to provide the minimum heat removal capability assumed in the safety analysis for the system to which it supplies cooling water. To ensure this requirement is met, two subsystems of ESW must be OPERABLE. At least one subsystem will operate, if the worst single active failure occurs coincident with the loss of offsite power.

A subsystem is considered OPERABLE when it has two OPERABLE pumps, and an OPERABLE flow path capable of taking suction from the UHS and transferring the water to the appropriate equipment and returning flow to the UHS. If individual loads are isolated, the affected components may be rendered inoperable, but it does not necessarily affect the OPERABILITY of the ESW System. Because each ESW subsystem supplies all four required DGs, an ESW subsystem is considered OPERABLE if it supplies at least three of the four DGs provided no single DG does not have an ESW subsystem capable of supplying flow.

An adequate suction source is not addressed in this LCO since the minimum net positive suction head of the ESW pumps is bounded by the Residual Heat Removal Service Water System requirements (LCO 3.7.1, "Residual Heat Removal System and Ultimate Heat Sink (UHS)").

The ESW return loop requirement, in terms of operable UHS return paths or UHS spray capacity, is also not addressed in this LCO. UHS operability, in terms of the return loop and spray capacity is addressed in the RHRSW/

UHS Technical Specification (LCO 3. 7 .1, "Residual Heat Removal Service Water System and Ultimate Heat Sink (UHS)).

APPLICABILITY In MODES 1, 2, and 3, the ESW System is required to be OPERABLE to support OPERABILITY of the equipment serviced by the ESW System.

Therefore, the ESW System is required to be OPERABLE in these MODES.

Although the LCO for the ESW System is not applicable in MODES 4 and 5, the capability of the ESW System to perform its necessary related support functions may be required for OPERABILITY of supported systems.

ACTIONS The ACTIONS are modified by a Note indicating that the applicable Conditions of LCO 3.8.1, be entered and Required Actions taken if the inoperable ESW subsystem results in inoperable DGs (i.e., the supply from both subsystems of ESW is secured to the same DG). This is an exception SUSQUEHANNA - UNIT 1 3.7-8

Rev. 6 ESWSystem

- BASES ACTIONS (continued) to LCO 3.0.6 because the Required Actions of LCO 3. 7.2 do not adequately compensate for the loss of a DG (LCO 3.8.1) due to loss of B 3.7.2 ESWflow.

A.1 With one ESW pump inoperable in each subsystem, both inoperable pumps must be restored to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. With the unit in this condition, the remaining OPERABLE ESW pumps are adequate to perform the ESW heat removal function; however, the overall reliability is reduced because a single failure could result in loss of ESW function. The 7 day Completion Time is based on the remaining ESW heat removal capability and the low probability of an event occurring during this time period.

8.1 With one or both ESW subsystems not capable of supplying ESW flow to two or more DGs, the capability to supply ESW to at least three DGs from each ESW subsystem must be restored within 7 days. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred. With the units in this condition, the remaining ESW flow to DGs is adequate to maintain the full capability of all DGs; however, the overall reliability is reduced because a single failure could result in loss of the multiple DGs. The 7 day Completion Time is based on the fact that all DGs remain capable of responding to an event occurring during this time period.

Additionally, the Completion Time to restore the ESW subsystem has been extended to 14 days in order to complete the replacement of a portion of the Unit 2 ESW piping. This is a temporary extem~ion of the Completion Time and is applicable during the Unit 2 ESW piping replacement. In order to cope with the consequences of a LOCA/LOOP in Unit 1 during the extended Completion Time, the following compensatory action is required: Provisions will be implemented to restore piping integrity to allow the use of the inoperable Unit 1 ESW subsystem within the current LCO Completion Time. Upon completion of the Unit 2 ESW piping replacement, this temporary extension is no longer applicable and will expire on June 25, 2027. The Risk Informed Completion Time Program does not apply to the 14 day Completion Time .

SUSQUEHANNA - UNIT 1 3.7-9

Rev.6 ESWSystem B 3.7.2 BASES ACTIONS C.1 (continued)

With one ESW subsystem inoperable for reasons other than Condition B, the ESW subsystem must be restored to OPERABLE status within 7 days or in accordance with the Risk Informed Completion Time Program. With the unit in this condition, the remaining OPERABLE ESW subsystem is adequate to perform the heat removal function. However, the overall reliability is reduced because a single failure in the OPERABLE ESW subsystem could result in loss of ESW function.

The 7 day Completion Time is based on the redundant ESW System capabilities afforded by the OPERABLE subsystem,.the low probability of an accident occurring during this time period, and is consistent with the allowed Completion Time for restoring an inoperable Core Spray Loop, LPCI Pumps and Control Structure Chiller.

Additionally, the Completion Time to restore the ESW subsystem has been extended to 14 days in order to complete the replacement of a portion of the Unit 2 ESW piping. This is a temporary extension of the Completion Time and is applicable during the Unit 2 ESW piping replacement. In order to cope with the consequences of a LOCA/LOOP in Unit 1 during the extended Completion Time, the following compensatory action is required: Provisions will be implemented to restore piping integrity to allow the use of the inoperable Unit 1 ESW subsystem within the current LCO Completion Time. Upon completion of the Unit 2 ESW piping replacement, this temporary extension is no longer applicable and will expire on June 25, 2027. The Risk Informed Completion Time Program does not apply to the 14 day Completion Time.

D.1 and D.2 If the ESW subsystem cannot be restored to OPERABLE status within the associated Completion Time, or both ESW subsystems are inoperable for reasons other than Condition A and B (i.e., three ESW pumps inoperable),

the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SUSQUEHANNA - UNIT 1 3.7-10

Rev.6 ESWSystem

- BASES SURVEILLANCE SR 3.7.2.1 B 3.7.2 REQUIREMENTS Verifying the correct alignment for each manual, power operated, and automatic valve in each ESW subsystem flow path provides assurance that the proper flow paths will exist for ESW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve is also allowed to be in the nonaccident position, and yet considered in the correct position, provided it can be automatically realigned to its accident position within the required time.

This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

This SR is modified by a Note indicating that isolation of the ESW System to components or systems may render those components or systems inoperable, but does not necessarily affect the OPERABILITY of the ESW System. As such, when all ESW pumps, valves, and piping are OPERABLE, but a branch connection off the main header is isolated, the ESW System is still OPERABLE. .

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.2.2 This SR verifies that the automatic valves of the ESW System will automatically switch to the safety or emergency position to provide cooling water exclusively to the safety related equipment during an accident event.

This is demonstrated by the use of an actual or simulated initiation signal.

This SR also verifies the automatic start capability of the ESW pumps in each subsystem.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 4.

2. FSAR, Chapter 6.

3. Fi_nal Policy Statement on Technical Specifications Improvements, July 22, 1993. (58 FR 39132)

SUSQUEHANNA - UNIT 1 3.7-11

Rev. 15 AC Sources - Operating 8 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS 8 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sources consist of two offsite power sources (preferred power sources, normal and alternate), and the onsite standby power sources (diesel generators (DGs) A, 8, C and D). A fifth diesel generator, DG E, can be used as a substitute for any one of the four DGs A, 8, C or D. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed. Each load group has connections to two preferred offsite power supplies and a single DG .

The two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution* System are supported by two independent offsite power sources. A 230 kV line from the Susquehanna T10 230 kV switching station feeds start-up transformer No. 1O; and, a 230 kV tap from the 500-230 kV tie line feeds the startup transformer No. 20. The term "qualified circuits," as used within TS 3.8.1, is synonymous with the term "physically independent."

The two independent offsite power sources are supplied to and are shared by both units. These two electrically and physically separated circuits provide AC power, through startup transformers (ST) No. 10 and ST No. 20, to the four 4.16 kV Engineered Safeguards System (ESS) buses (A, B, C and D) for both Unit 1 and Unit 2. A detailed description of the offsite power network and circuits to the onsite Class 1E ESS buses is found in the FSAR, Section 8.2 (Ref. 2).

An offsite circuit consists of all breakers, transformers, switches, automatic tap changers, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESS bus or buses.

SUSQUEHANNA - UNIT 1 3.8-1

Rev. 15 AC Sources - Operating B 3.8.1 BASES BACKGROUND ST No. 10 and ST No. 20 each provide the normal source of power to two (continued) of the four 4.16 kV ESS buses in each Unit and the alternate source of power to the remaining two 4.16 kV ESS buses in each Unit. If any 4.16 kV ESS bus loses power, an automatic transfer from the normal to the alternate occurs after the normal supply breaker trips.

When off-site power is available to the 4.16 kV ESS Buses following a LOCA signal, the required ESS loads will be sequenced onto the 4.16 kV ESS Buses in order to compensate for voltage drops in the onsite power system when starting large ESS motors.

The onsite standby power source for 4.16 kV ESS buses A, B, C and D consists of five DGs. DGs A, B, C and D are dedicated to ESS buses A, B, C and D, respectively. DG E can be used as a substitute for any one of the four DGs (A, B, C or D) to supply the associated ESS bus. Each DG provides standby power to two 4.16 kV ESS buses-one associated with Unit 1 and one associated with Unit 2. The four "required" DGs are those aligned to a 4.16 kV ESS bus to provide onsite standby power for both Unit 1 and Unit 2.

A DG, when aligned to an ESS bus, starts automatically on a loss of coolan.t accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) or on an ESS bus degraded voltage or undervoltage signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of ESS bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the ESS bus on a LOCA signal alone. Following the trip of offsite power, non-permanent loads are stripped from the 4.16 kV ESS Buses.

When a DG is tied to the ESS Bus, loads are then sequentially connected to their respective ESS Bus by individual load timers. The individual load timers control the starting permissive signal to motor breakers to prevent overloading the associated DG.

In the event of loss of normal and alternate offsite power supplies, the 4.16 kV ESS buses will shed all loads except the 480 V I.cad centers and the standby diesel generators will connect to the ESS busses. When a DG is tied to its respective ESS bus, loads are then sequentially connected to the ESS bus by individual load timers which control the permissive and starting signals to motor breakers to prevent overloading the DG.

In the event of a loss of normal and alternate offsite power supplies, the ESS electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (OBA) such as a LOCA.

SUSQUEHANNA - UNIT 1 3.8-2

Rev. 15 AC Sources - Operating

BASES BACKGROUND (continued)

Certain required plant loads are returned to service in a predetermined 8 3.8.1 sequence in order to prevent overloading of the DGs in the process. Within 286 seconds after the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service. Ratings for the DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3).

DGs A, 8, C and D have the following ratings:

a. 4000 kW - continuous,

b. 4700 kW - 2000 hours0.0231 days 0.556 hours 0.00331 weeks 7.61e-4 months , DG E has the following ratings:

a. 5000 kW - continuous,

b. 5500 kW - 2000 hours0.0231 days 0.556 hours 0.00331 weeks 7.61e-4 months .

APPLICABLE The initial conditions of OBA and transient analyses in the FSAR, Chapter 6 SAFETY (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE.

ANALYSES The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit and supporting safe shutdown of the other unit.

This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of an assumed loss of all offsite power or all onsite AC power; and a worst case single failure.

AC sources satisfy Criterion 3 of the NRG Policy Statement (Ref. 6).

LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System and four separate and independent DGs (A, 8, C and D) ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated OBA. DG E can be used as a substitute for any one of the four DGs A, 8, C or D.

Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. In addition, the required automatic load timers for each ESF bus shall be OPERABLE.

SUSQUEHANNA - UNIT 1 3.8-3

Rev. 15 AC Sources - Operating B 3.8.1 BASES LCO The Safety Analysis for Unit 2 assumes the OPERABILITY of some (continued) equipment that receives power from Unit 1 AC Sources. Therefore, Unit 2 Technical Specifications establish requirements for the OPERABILITY of the DG(s) and qualified offsite circuits needed to support the Unit 1 onsite Class 1E AC electrical power distribution subsystem(s) required by LCO 3.8.7, Distribution Systems-Operating.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESS buses.

One OPERABLE offsite circuit exists when all of the following conditions are met:

1. An energized ST. No. 10 transformer with the load tap changer (LTC) in automatic operation.

2. The respective circuit path including energized ESS transformers 101 and 111 and feeder breakers capable of supplying three of the four 4.16 kV ESS Buses.

3. Acceptable offsite grid voltage, defined as a voltage that is within the grid voltage requirements established for SSES. The grid voltage requirements include both a minimum grid voltage and an allowable grid voltage drop during normal operation, and for a predicted voltage for a trip of the unit.

The Regional Transmission Operator (PJM), and/or the Transmission Power System Dispatcher, PPL EU, determine, monitor and report actual and/or contingency voltage (Predicted voltage) violations that occur for the SSES monitored offsite 230kV and 500kV buses.

The offsite circuit is inoperable for any actual voltage violation, or a contingency voltage violation that occurs for a trip of a SSES unit, as reported by the transmission RTO or Transmission Power System Dispatcher.

The offsite circuit is operable for any other predicted grid event (i.e., loss of the most critical transmission line or the largest supply) that does not result from the generator trip of a SSES unit.

These conditions do not represent an impact on SSES operation that has been caused by a LOCA and subsequent generator trip.

The design basis does not require entry into LCOs for predicted grid conditions that can not result in a LOCA, delayed LOOP.

SUSQUEHANNA - UNIT 1 3.8-4

Rev. 15 AC Sources - Operating

BASES LCO (continued)

B 3.8.1 The other offsite circuit is Operable when all the following conditions are met:

1. An energized ST. No. 20 transformer with the load tap changer (LTC) in automatic operation.

2. The respective circuit path including energized ESS transformers 201 and 211 and feeder breakers capable of supplying three of the four 4.16 kV ESS Buses.

3. Acceptable offsite grid voltage, defined as a voltage that is within the grid voltage requirements established for SSES. The grid voltage requirements include both a minimum grid voltage and an allowable grid voltage drop during normal operation, and for a predicted voltage for a trip of the unit.

The Regional Transmission Operator (PJM), and/or the Transmission Power System Dispatcher, PPL EU, determine, monitor and report actual and/or contingency voltage (Predicted voltage) violations that occur for the SSES monitored offsite 230kV and 500kV buses.

The offsite circuit is inoperable for any actual voltage violation, or a contingency voltage violation that occurs for a trip of a SSES unit, as reported by the transmission RTO or Transmission Power System Dispatcher.

The offsite circuit is operable for any other predicted grid event (i.e., loss of the most critical transmission line or the largest supply) that does not result from the generator trip of a SSES unit.

These conditions do not represent an impact on SSES operation that has been caused by a LOCA and subsequent generator trip.

The design basis does not require entry into LCOs for predicted grid conditions that can not result in a LOCA, delayed LOOP.

Both offsite circuits are OPERABLE provided each meets the criteria described above and provided that no 4.16 kV ESS Bus has less than one OPERABLE offsite circuit capable of supplying the required loads. If no OPERABLE offsite circuit is capable of supplying any of the 4.16 kV ESS Buses, one offsite source shall be declared inoperable.

SUSQUEHANNA - UNIT 1 3.8-5

Rev. 15 AC Sources - Operating

BASES LCO (continued)

Four of the five DGs are required to be Operable to satisfy the initial assumptions of the accident analyses. Each required DG must be capable B 3.8.1 of starting, accelerating to rated speed and voltage, and connecting to its respective ESS bus on detection of bus undeNoltage after the normal and alternate supply breakers open. This sequence must be accomplished within 10 seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence inteNals, and must continue to operate until offsite power can be restored to the ESS buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in normal standby conditions.

Normal standby conditions for a DG mean that the diesel engine oil is being continuously circulated and engine coolant is circulated as necessary to maintain temperature consistent with manufacturer recommendations.

Additional DG capabilities must be demonstrated to meet required SuNeillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.

Although not normally aligned as a required DG, DG E is normally maintained OPERABLE (i.e., SuNeillance Testing completed) so that it can be used as a substitute for any one of the four DGs A, B, C or D.

- Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

The manual syn_chronization circuit is used to synchronize an offsite source from the normal circuit to the alternate circuit, as tested by SR 3.8.1.8. The manual synchronization circuit is also used to synchronize a bus that is powered by a DG with an offsite power source on a restoration of offsite power, as tested by SR 3.8.1.16. An inoperable manual synchronization circuit does not render an offsite circuit or a DG inoperable.

The AC sources must be separate and independent (to the extent possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one ESS bus, with automatic transfer capability to the other circuit OPERABLE, and not violate separation criteria. A circuit that is not connected to an ESS bus is required to have OPERABLE automatic transfer interlock mechanisms to each ESS bus to support OPERABILITY of that offsite circuit.

- SUSQUEHANNA - UNIT 1 3.8-6

Rev. 15 AC Sources - Operating

BASES APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

B 3.8.1

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated OBA The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.

There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after

performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

The ACTIONS are modified by a Note which allows entry into associated Conditions and Required Actions to be delayed for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months when an OPERABLE diesel generator is placed in an inoperable status for the alignment of diesel generator E to or from the Class 1E distribution system.

Use of this allowance requires both offsite circuits to be OPERABLE. Entry into the appropriate Conditions and Required Actions shall be made immediately upon the determination that substitution of a required diesel generator will not or can not be completed.

A.1 To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered .

SUSQUEHANNA - UNIT 1 3.8-7

Rev. 15 AC Sources - Operating

- BASES ACTIONS (continued)

B 3.8.1 Required Action A.2, which only applies if one 4.16 kV ESS bus cannot be powered from any offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features (e.g., system, subsystem, division, component, or device) are designed to be powered from redundant safety related 4.16 kV ESS buses. Redundant required features failures consist of inoperable features associated with an emergency bus redundant to the emergency bus that has no offsite power.

The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. A 4.16 kV ESS bus has no offsite power supplying its loads; and

b. A redundant required feature on another 4.16 kV ESS bus is inoperable .

If, at any time during the existence of this Condition (one offsite circuit inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering no offsite power to one 4.16 kV ESS bus on the onsite Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are

.associated with any other emergency bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.

The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a OBA occurring during this period.

SUSQUEHANNA - UNIT 1 3.8-8

Rev. 15 AC Sources - Operating

BASES ACTIONS (continued)

B 3.8.1 According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a OBA occurring during this period.

B.1 To ensure a highly reliable power source remains with one required DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.

Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and

b. A required feature powered from another diesel generator (Division 1 or 2) is inoperable.

SUSQUEHANNA - UNIT 1 3.8-9

Rev. 15 AC Sources - Operating

BASES ACTIONS (continued)

B.2 (continued)

B 3.8.1 If, at any time during the existence of this Condition (one required DG inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been !ost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a OBA occurring during this period.

B.3.1 and B.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1.7 does not have to be performed. If the cause of inoperability exists on other DG(s),

they are declared inoperable upon discovery, and Condition E of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action B.3.1 is satisfied. If the cause of the initial inoperable DG cannot be determined not to exist on the remaining DG(s),

performance of SR 3.8.1. 7 suffices to provide assurance of continued OPERABILITY of those DGs. However, the second Completion Time for Required Action B.3.2 allows a performance of SR 3.8.1.7 completed up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months prior to entering Condition B to be accepted as demonstration that a DG is not inoperable due to a common cause failure.

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or B.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition B .

SUSQUEHANNA - UNIT 1 3.8-10

Rev. 15 AC Sources - Operating

BASES ACTIONS (continued)

B.3.1 and B.3.2 (continued)

B 3.8.1 According to Generic Letter 84-15 (Ref. 8), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition B for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite* Class 1E Distribution System. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a OBA occurring during this period. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

C.1 Required Action C.1 addresses actions to be taken in the event of concurrent in operability of two offsite circuits. The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.

However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

SUSQUEHANNA - UNIT 1 3.8-11

Rev. 15 AC Sources - Operating

BASES ACTIONS (continued)

C.1 (continued)

B 3.8.1 With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a OBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria. According to Regulatory Guide 1.93 (Ref. 7), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

D.1 and D.2

Pursuant to LCO 3.0.6, the Distribution System Actions would not be entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition Dare modified by a Note to indicate that when Condition D is entered with no AC source to any ESS bus, Actions for LCO 3.8.7, "Distribution Systems-Operating,"

must be immediately entered. This allows Condition D to provide requirements for the loss of the offsite circuit and one DG without regard to whether a division is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized bus.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition D for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time. for repairs, and the low probability of a OBA occurring during this period. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program .

SUSQUEHANNA - UNIT 1 3.8-12

Rev. 15 AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

With two or more DGs inoperable and an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which could result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

According to Regulatory Guide 1.93 (Ref. 7), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

F.1 and F.2

- If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

G.1 Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SUSQUEHANNA - UNIT 1 3.8-13

Rev. 15 AC Sources - Operating B 3.8.1 BASES ACTIONS H.1 (continued)

The manual synchronization circuit is made up of a synchroscope, a bus differential voltmeter, and 37 synchronization selector switches ("sync selector switches'} Eight of the sync selector switches are for the DGs, 16 are for the primary and alternate supply of the 4.16 kV ESS Buses, and the remaining 13 switches are for the 13.8 kV Buses. All of the selector switches utilize the same synchronization bus; therefore, only one sync selector switch can be turned on at a time without blowing fuses. The sync selector switches are only utilized for manual transfers.

The automatic transfers that occur between the 4.16 kV ESS Buses or the automatic start and load of the DG during a LOOP are not impacted by the failure of a sync selector switch.

When the manual synchronization circuit is inoperable, the manual transfer function of all Class 1E ESS Buses is eliminated and operators cannot perform surveillance testing on any bus. However, inoperability of the manual transfer function does not impact the ability of the DGs to start and load on demand, nor does it impact any of the automatic transfer functions for the ESS buses. Thus, all DGs and ESS buses are available to perform their safety functions. Required Action H.1 is intended to require restoration of the manual synchronization circuit to an OPERABLE status in a timeframe commensurate with the safety significance of the condition.

The 14 day Completion Time takes into account the OPERABILITY of the automatic transfer functions of all Class 1E ESS Buses during the period of inoperability. Additionally, the 14 day Completion Time takes into account the capacity and capability of the AC sources, a reasonable time for repairs, and the low probability of a OBA occurring during the period.

SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, GDC 18 (Ref. 9). P.eriodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3), and Regulatory Guide 1.137 (Ref. 11), as addressed in the FSAR.

The Safety Analysis for Unit 2 assumes the OPERABILITY of some equipment that receives power from Unit 1 AC Sources. Therefore, Surveillance requirements are established for the Unit 1 onsite Class 1E AC electrical power distribution subsystem(s) required to support SUSQUEHANNA - UNIT 1 3.8-14

Rev. 15 AC Sources - Operating

- BASES SURVEILLANCE REQUIREMENTS Unit 2 by LCO 3.8.7, Distribution Systems-Operating. The Unit 1 SRs required to support Unit 2 are identified in the Unit 2 Technical B 3.8.1 (continued) Specifications.

Where the SRs discussed herein specify voltage and frequency tolerances, the following summary is applicable. The minimum steady state output voltage of 4000 V represents the value that will allow the degraded voltage relays to reset after actuation. This value is based on the upper value of the degraded voltage relay reset voltage of 3938 V, representing 94.68% of 4160 V, plus the worst-case voltage drop from the DG to an associated 4.16 kV switchgear bus. The specified maximum steady state output voltage of 4400 V is equal to the maximum operating voltage specified for 4000 V. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages.

The minimum frequency value is derived from the recommendations found in Regulatory Guide 1.9 (Ref. 3). The allowable steady state frequency for all DGs is 60 Hz +/-2%. DG E is also required to maintain a frequency of not less than 57 Hz during transient conditions .

To provide additional margin for DG E to meet the 57 Hz criteria, the 2% margin allowed for steady state frequency is further reduced to 1%, or 0.6 Hz. This value, added to the tolerance allowed for the DG's electronic governor (0.1 Hz) provides the 59.3 Hz minimum frequency value applicable for all DGs.

The maximum frequency is derived from analysis based on an iterative approach using voltage and frequency variations of the DG to determine the maximum continuous loading on the DG such that the DG loading does not exceed its continuous rating and still performs its design function.

Through a qualitative estimation and a dynamic transient simulation, the maximum frequency meeting the iterative approach is 60.5 Hz.

The Surveillance Table has been modified by a Note, to clarify the testing requirements associated with DG E. The Note is necessary to define the intent of the Surveillance Requirements associated with the integration of DG E. Specifically, the Note defines that a DG is only considered OPERABLE and required when it is aligned to the Class 1E distribution system. For example, if DG A does not meet the requirements of a specific SR, but DG E is substituted for DG A and aligned to the Class 1E distribution system, DG E is required to be OPERABLE to satisfy the LCO requirement of 4 DGs and DG A is not required to be OPERABLE because it is not aligned to the Class 1E distribution system. This is acceptable because only 4 DGs are assumed in the event analysis.

SUSQUEHANNA- UNIT-1 3.8-15

Rev. 15 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE Furthermore, the Note identifies when the Surveillance Requirements, as REQUIREMENTS modified by SR Notes, have been met and performed, DG E can be (continued) substituted for any other DG and declared OPERABLE after performance of two SRs which verify switch alignment. This is acceptable because the testing regimen defined in the Surveillance Requirement Table ensures DG E is fully capable of performing all DG requirements.

SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to an Operable offsite power source and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.2 Not Used .

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing and accepting greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.

Al~hough no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0. The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

Note 1 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the Cooper Bessemer Service Bulletin 728, so that mechanical stress and wear on the diesel engine are minimized.

Note 2 modifies this Surveillance by stating that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients do not invalidate the test.

SUSQUEHANNA - UNIT 1 3.8-16

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.3 (continued)

B 3.8.1 (continued) Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.

Note 4 stipulates a prerequisite requirement for performance of this SR. A successful DG start must precede this test to credit satisfactory performance.

Note 5 provides the allowance that DG E, when not aligned as substitute for DG A, B, C and D but being maintained available, may use the test facility to satisfy loading requirements in lieu of synchronization with an ESS bus.

Note 6 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, with the DG synchronized to the 4.16 kV ESS bus of Unit 1 for one periodic test and synchronized to the 4.16 kV ESS bus of Unit 2 during the next periodic test. This is acceptable because the purpose of the test is to demonstrate the ability of the DG to

operate at its continuous rating (with the exception of DG E which is only required to be tested at the continuous rating of DGs A through D) and this attribute is tested at the required Frequency. Each unit's circuit breakers and breaker control circuitry, which are only being tested every second test (due to the staggering of the tests), historically have a very low failure rate If a DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit. In addition, if the test is scheduled to be performed on the other Unit, and the other Unit's TS allowance that provides an exception to performing the test is used (i.e., the Note to SR 3.8.2.1 for the other Unit provides an exception to performing this test when the other Unit is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment), or it is not possible to perform the test due to equipment availability, then the test shall be performed synchronized to this Unit's 4.16 kV ESS bus. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.4 This SR verifies the level of fuel oil in the engine mounted day tank is at or above the level at which fuel oil is automatically added. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of 55 minutes of DG A-D and 62 minutes of DG E operation at DG continuous rated load conditions .

SUSQUEHANNA - UNIT 1 3.8-17

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.4 (continued)

B 3.8.1 (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Periodic removal of water from the engine mounted day tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. It is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.7 This SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition .

SUSQUEHANNA - UNIT 1 3.8-18

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.7 (continued)

B 3.8.1 (continued) To minimize the wear on moving parts that do not get lubricated when the engine is not running, this SR has been modified by Note 1 to indicate that all DG starts for these Surveillances may be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DGs turbo charger is sufficiently prelubicated to prevent undo wear and tear).

For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. The DG starts from standby conditions and achieves the minimum required voltage and frequency within 10 seconds and maintains the required voltage and frequency when steady state conditions are reached. The 10 second start requirement supports the assumptions in the design basis LOCA analysis of FSAR, Section 6.3 (Ref. 12).

To minimize testing of the DGs, Note 2 allows a single test to satisfy the

requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to one unit.

The time for the DG to reach steady state operatron is periodically monitored and the trend evaluated to identify degradation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.8 Transfer of each 4.16 kV ESS bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

- SUSQUEHANNA - UNIT 1 3.8-19

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.8 (continued)

B 3.8.1 (continued) This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of the automatic transfer of the unit power supply could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. The manual transfer of unit power supply should not result in any perturbation to the electrical distribution system, therefore, no mode restriction is specified. This Surveillance tests the applicable logic associated with Unit 1. The comparable test specified in Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 2. The NOTE only applies to Unit 1, thus the Unit 1 Surveillance shall not be performed with Unit 1 in MODE 1 or 2.

SR 3.8.1.9

Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load response characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each DG is a residual heat removal (RHR) pump (1425 kW). This Surveillance may be accomplished by:

a. Tripping the DG output breaker with the DG carrying greater than or -

equal to its associated single largest post-accident load while paralleled to offsite power, or while solely supplying the bus; or

b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.

As recommended by Regulatory Guide 1.9 (Ref. 3), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower. For DGs A, B, C, D and E, this represents 64.5 Hz, equivalent to 75% of the difference between nominal speed and the overspeed trip setpoint.

SUSQUEHANNA - UNIT 1 3.8-20

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.9 (continued)

B 3.8.1 (continued) The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals. The 4.5 seconds specified is equal to 60%

of the 7.5 second load sequence interval between loading of the RHR and core spray pumps during an undervoltage on the bus concurrent with a LOCA. The 6 seconds specified is equal to 80% of that load sequence interval. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG. SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c specify the steady state voltage and frequency values to which the system must recover following load rejection.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

To minimize testing of the DGs, a Note allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the

DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits.

The DG full load rejection may occur because of a system fault or inadvertent breaker tripping. This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide DG damage protection.

While the DG is not expected to experience this transient during an event, and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated .

SUSQUEHANNA - UNIT 1 3.8-21

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.1 O (continued)

B 3.8.1 (continued) To minimize testing of the DGs, a Note allows a single test to.satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3), this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and energization of the ESS buses and respective 4.16 kV loads from the DG. It further demonstrates the capability of the DG to automatically

achieve and maintain the required voltage and frequency within the specified time.

The DG auto-start time of 1O seconds is derived from requirements of the licensed accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated). For the purpose of this testing, the DGs shall be started from standby conditions that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations .

SUSQUEHANNA - UNIT 1 3.8-22

Rev. 15 AC Sources - Operating

- BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.11 (continued)

. B 3.8.1 (continued) This SR is also modified by Note 2. The Note specifies when this SR is required to be performed for the DGs and the 4.16 kV ESS Buses. The

Note is necessary because this SR involves an integrated test between the DGs and the 4.16 kV ESS Buses and the need for the testing regimen to include DG E being tested (substituted for all DGs for both Units) with all 4.16 kV ESS Buses. To ensure the necessary testing is performed, the following rotational testing regimen has been established:

UNIT IN OUTAGE DIESEL E SUBSTITUTED FOR 2 DG E not tested 1 Diesel Generator A 2 DG E not tested 1 DG E not tested 2 Diesel Generator B 1 Diesel Generator C

2 1

2 1

2 DG E not tested DG E not tested Diesel Generator D DG E not tested DG E not tested 1 Diesel Generator B 2 DG E not tested 1 DG E not tested 2 Diesel Generator A 1 Diesel Generator D 2 DG E not tested 1 DG E not tested 2 Diesel Generator C 1 DG E not tested SUSQUEHANNA- UNIT 1 3.8-23

Rev. 15 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS (continued)

The specified rotational testing regimen can be altered to facilitate unanticipated events which render the testing regimen impractical to implement, but any alternative testing regimen must provide an equivalent level of testing.

This SR does not have to be performed with the normally aligned DG when the associated 4.16 kV ESS bus is tested using DG E and DG E does not need to be tested when not substituted or aligned to the Class 1E distribution system. The allowances specified in the Note are acceptable because the tested attributes of each of the five DGs and each unit's four 4.16 kV ESS buses are verified at the specified Frequency (i.e., each DG and each 4.16 kV ESS bus is tested at a frequency controlled under the Surveillance Frequency Control Program). The testing allowances do result in some circuit pathways which do not need to change state (i.e.,

cabling) not being tested at the frequency established in accordance with the Surveillance Frequency Control Program. This is acceptable because these components are not required to change state to perform their safety function and when substituted--normal operation of DG E will ensure continuity of most of the cabling not tested .

The reason for Note 3 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 1. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. The Note only applies to Unit 1, thus the Unit 1 Surveillances shall not be performed with Unit 1 in MODES 1, 2 or 3.

SR 3.8.1.12 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for 2 5 minutes. The 5 minute period provides sufficient time to demonstrate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power system on a LOCA signal without loss of offsite power.

SUSQUEHANNA - UNIT 1 3.8-24

Rev. 15 AC Sources - Operating

- BASES SURVEILLANCE SR 3.8.1.12 (continued)

B 3.8.1 REQUIREMENTS (continued) The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation. In lieu of actual demonstration of the connection and loading of these loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. SR 3.8.1.12.a through SR 3.8.1.12.d are performed with the DG running. SR 3.8.1.12.e can be performed when the DG is not running.

The Surveillance Frequency is controlled under the Surveillance Frequency

Control Program .

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period (which for DG A through D includes operation of the lube oil system to ensure the DG's turbo-charger is sufficiently prelubricated). For the purpose of this testing, the DGs must be started from standby conditions that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

The reason for Note 2 is to allow DG E, when not aligned as substitute for DG A, B, C or D to use the test facility to satisfy loading requirements in lieu of aligning with the Class 1E distribution system. When tested in this configuration, DG E satisfies the requirements of this test by completion of SR 3.8.1.12.a, band c only. SR 3.8.1.12.d and 3.8.1.12.e may be performed by any DG aligned with the Class 1E distribution system or by any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

SUSQUEHANNA - UNIT 1 3.8-25

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.13 B 3.8.1 (continued) This Surveillance demonstrates that DG non-critical protective functions (e.g., high jacket water temperature) are bypassed on an ECCS initiation test signal. The non-critical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the OBA is more critical than protecting the engine against minor problems that are not immediately detrimental to emergency operation of the DG.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The SR is modified by two Notes. To minimize testing of the DGs, Note 1 to SR 3.8.1.13 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

Note 2 provides the allowance that DG E, when not aligned as a substitute for DG A, B, C, and D but being maintained available, may use a simulated ECCS initiation signal.

SR 3.8.1.14 Regulatory Guide 1.9 (Ref. 3), requires demonstration that the DGs can start and run continuously at full load capability f.or an interval of not less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months - 22 hours2.546296e-4 days 0.00611 hours 3.637566e-5 weeks 8.371e-6 months of which is at a load equivalent to 90% to 100%

of the continuous rating of the DG, and 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of which is at a load equivalent to 105% to 110% of the continuous duty rating of the DG. SSES has taken exception to this requirement and performs the two hour run at the 2000 hour0.0231 days 0.556 hours 0.00331 weeks 7.61e-4 months rating for each DG. The requirement to perform the two hour overload test can be performed in any order provided it is performed during a single continuous time period.

The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube discussed in SR 3.8.1.7, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

A load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERAS! LITY.

SUSQUEHANNA - UNIT 1 3.8-26

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.14 (continued)

B 3.8.1 (continued) The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This Surveillance has been modified by three Notes. Note 1 states that momentary transients due to changing bus loads do not invalidate this test.

To minimize testing of the DGs, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the OG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

Note 3 stipulates that DG E, when not aligned as substitute for DG A, B, C or D but being maintained available, may use the test facility to satisfy the specified loading requirements in lieu of synchronization with an ESS bus.

SR 3.8.1.15

This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from full load temperatures, and achieve the required voltage and frequency within 10 seconds. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months at full load condttions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. The load band is provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Momentary transients due to changing bus loads do not invalidate this test.

Note 2 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DGs turbo charger is sufficiently prelubricated) to minimize wear and tear on the diesel during testing .

SUSQUEHANNA - UNIT 1 3.8-27

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.15 (continued)

B 3.8.1 (continued) To minimize testing of the DGs, Note 3 allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.16 As required by Regulatory Guide 1.9 (Ref. 3), this Surveillance ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the DG controls are in isochronous and the output breaker is open.

In order to meet his Surveillance Requirement, the Operators must have the capability to manually transfer loads from the D/Gs to the offsite sources. Therefore, in order to accomplish this transfer and meet this Surveillance Requirement, the synchronizing selector switch must be functional. (see ACT-1723538).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a note to accommodate the testing regimen necessary for DG E. See SR 3.8.1.11 for the Bases of the Note.

SR 3.8.1.17 Demonstration of the test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing.

Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if an ECCS initiation signal is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage, the DG controls in isochronous and the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 10), paragraph 6.2.6(2) .

SUSQUEHANNA - UNIT 1 3.8-28

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.17 (continued)

B 3.8.1 (continued) The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirements associated with SR 3.8.1.17.b is to show that the emergency loading is not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This test is performed by verifying that after the DG is tripped, the offsite source originally in parallel with the DG, remains connected to the affected 4.16 kV ESS Bus. SR 3.8.1.12 is performed separately to verify the proper offsite loading sequence.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a note to accommodate the testing regimen necessary for DG E. See SR 3.8.1.11 for the Bases of the Note.

SR 3.8.1.18

- Under accident conditions, loads are sequentially connected to the bus by individual load timers which control the permissive and starting signals to motor breakers to prevent overloading of the AC Sources due to high motor starting currents. The load sequence time interval tolerance ensures that sufficient time exists for the AC Source to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated. Reference 2 provides a summary of the automatic loading of ESS buses. A list of the required timers and the associated setpoints are included in the Bases as Table B 3.8.1-1, Unit 1 and Unit 2 Load Timers. Failure of a timer identified as an offsite power timer may result in both offsite sources being inoperable. Failure of any other timer may result in the associated DG being inoperable. A timer is considered failed for this SR if it will not ensure that the associated load will energize within the Allowable Value in

.Table B 3.8.1-1. These conditions will .require entry into applicable Conditions of this specification. With a load timer inoperable, the load can be rendered inoperable to restore OPERABILITY to the associated AC sources. In this condition, the Condition and Required Actions of the associated specification shall be entered for the equipment rendered inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program .

SUSQUEHANNA - UNIT 1 3.8-29

Rev. 15 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.18 (continued)

REQUIREMENTS (continued) This SR is modified by a Note that specifies that load timers associated with equipment that has automatic initiation capability disabled are not required to be Operable. This is acceptable because if the load does not start automatically, the adverse effects of an improper loading sequence are eliminated. Furthermore, load timers are associated with individual timers such that a single timer only affects a single load.

SR 3.8.1.19 In the event of a OBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. To simulate the non-LOCA unit 4.16 kV ESS Bus loads on the DG, bounding loads are energized on the tested 4.16 kV ESS Bus after all auto connected emergency loads are energized.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated.) For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

Note 2 is necessary to accommodate the testing regimen associated with DG E. See SR 3.8.1.11 for the Bases of the Note .

SUSQUEHANNA - UNIT 1 3.8-30

Rev. 15 AC Sources - Operating

BASES SURVEILLANCE REQUIREMENTS SR 3.8.1.19 (continued)

B 3.8.1 (continued) The reason for Note 3 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 1. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2 or 3 does not have applicability to Unit 2. The Note only applies to Unit 1, thus the Unit 1 Surveillances shall not be performed with Unit 1 in MODE 1, 2 or 3.

SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. The Surveillance Frequency is controlled under the

Surveillance Frequency Control Program .

This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DG during testing. The Note allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated). For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine oil continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

Note 2 is necessary to identify that this test does not have to be performed with DG E substituted for any DG. The allowance is acceptable based on the design of the DG E transfer switches. The transfer of control, protection, indication, and alarms is by switches at two separate locations.

These switches provide a double break between DG E and the redundant system within the transfer switch panel. The transfer of power is through circuit breakers at two separate locations for each redundant system.

There are four normally empty switch gear positions at DG E facility, associated with each of the four existing DGs. Only one circuit breaker is available at this location to be inserted into one of the four positions. At each of the existing DGs, there are two switchgear positions with only one circuit breaker available. This design provides two open circuits between redundant power sources. Therefore, based on the described design, it can be concluded that DG redundancy and independence is maintained regardless of whether DG E is substituted for any other DG.

SUSQUEHANNA - UNIT 1 3.8-31

Rev. 15 AC Sources - Operating

BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

B 3.8.1

2. FSAR, Section 8.2.

3. Regulatory Guide 1.9.

4. FSAR, Chapter 6.

5. FSAR, Chapter 15.

6. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

7. Regulatory Guide 1.93.

8. Generic Letter 84-15.

9. 10 CFR 50, Appendix A, GDC 18.

10. IEEE Standard 308.

11.

12.

13.

Regulatory Guide 1.137.

FSAR, Section 6.3.

ASME Boiler and Pressure Vessel Code,Section XI.

SUSQUEHANNA - UNIT 1 3.8-32

Rev. 15 AC Sources - Operating

TABLE B 3.8.1-1 (page 1 of 2)

UNIT 1 AND UNIT 2 LOAD TIMERS B 3.8.1 NOMINAL DEVICE SETTING ALLOWABLE VALUE TAG NO. SYSTEM LOADING TIMER LOCATION (seconds) (seconds) 62A-20102 RHR Pump 1A 1A201 3 ;::: 2.7 ands 3.6 62A-20202 RHR Pump 1B 1A202 3 ;::: 2.7 ands 3.6 62A-20302 RHR Pump 1C 1A203 3 ;::: 2.7 ands 3.6 62A-20402 RHR Pump 10 1A204 3 ;::: 2.7 ands 3.6 62A-20102 RHRPump2A 2A201 3 ;::: 2.7 ands 3.6 62A-20202 RHRPump2B 2A202 3 ;::: 2.7 ands 3.6 62A-20302 RHRPump2C 2A203 .3 ;::: 2.7 ands 3.6 62A-20402 RHRPump2O 2A204 3 ;::: 2.7 ands 3.6 E11A-K202B RHR Pump 1C (Offsite Power Timer) 1C618 7.0 ;::: 6.5 ands 7.5 E11A-K120A RHR Pump 1C (Offsite Power Timer) 1C617 7.0 ;::: 6.5 ands 7.5 E11A-K120B RHR Pump 10 (Offsite Power Timer) 1C618 7.0 ;::: 6.5 ands 7.5 E11A-K202A RHR Pump 1O (Offsite Power Timer) 1C617 7.0 ;::: 6.5 ands 7.5 E11A-K120A RHR Pump 2C (Offsite Power Timer) 2C617 7.0 ;::: 6.5 ands 7.5 E11A-K202B RHR Pump 2C (Offsite Power Timer) 2C618 7.0 ;::: 6.5 ands 7.5 E11A-K120B RHR Pump 20 (Offsite Power Timer) 2C618 7.0 ;::: 6.5 ands 7.5 E11A-K202A RHR Pump 20 (Offsite Power Timer) 2C617 7.0 ;::: 6.5 ands 7.5 E21A-K116A CS Pump 1A 1C626 10.5 ;::: 9.4 and s 11.6 E21A-K116B CS Pump 1B 1C627 10.5 ;::: 9.4 and s 11.6 E21A-K125A CS Pump 1C 1C626 10.5 ;::: 9.4 and s 11.6 E21A-K125B CS Pump 1D 1C627 10.5 ;::: 9.4 and s 11.6 E21A-K116A CS Pump2A 2C626 10.5 ;::: 9.4 and s 11.6 E21A-K116B CS Pump2B 2C627 10.5 ;::: 9.4 and s 11.6 E21A-K125A CS Pump2C 2C626 10.5 ;::: 9.4 and s 11.6 E21A-K125B CS Pump 20 2C627 10.5 ;::: 9.4 and s 11.6 E21A-K16A CS Pump 1A (Offsite Power Timer) 1C626 15 ;::: 14.0 ands 16.0 E21A-K16B CS Pump 1B (Offsite Power Timer) 1C627 15 ;::: 14.0 ands 16.0 E21A-K25A CS Pump 1C (Offsite Power Timer) 1C626 15 ;::: 14.0 ands 16.0 E21A-K25B CS Pump 10 (Offsite Power Timer) 1C627 15 ;::: 14.0 ands 16.0 E21A-K16A CS Pump 2A (Offsite Power Timer) 2C626 15 ;::: 14.0 ands 16.0 E21A-K16B CS Pump 2B (Offsite Power Timer) 2C627 15 ;::: 14.0 ands 16.0 E21A-K25A CS Pump 2C (Offsite Power Timer) 2C626 15 ;::: 14.0 ands 16.0 E21A-K25B CS Pump 20 (Offsite Power Timer) 2C627 15 ;::: 14.0 ands 16.0 62AX2-20108 Emergency Service Water 1A201 40 ;::: 36 and s44 62AX2-20208 Emergency Service Water 1A202 40 ;:::36 and s44 62AX2-20303 Emergency Service Water 1A203 44 ;::: 39.6 and s 48.4 62AX2-20403 Emergency Service Water 1A204 48 ;::: 43.2 and s 52.8 62X3-20404 Control Structure Chilled Water System OC877B 60 ;:::54 62X3-20304 Control Structure Chilled Water System OC877A 60 ;:::54 Emergency Switchgear Rm Cooler A & RHR 62X-20104 OC877A 60 ;:::54 SW Pump H&V Fan A Emergency Switchgear Rm Cooler B & RHR 62X-20204 OC877B 60 ;:::54 SW Pumo H&V Fan B 62X-5653A OG Room Exhaust Fan E3 OB565 60 ;:::54 62X-5652A OG Room Exhausts Fan E4 OB565 60 ;:::54 262X-20204 Emergency Switchgear Rm Cooler B OC877B 120 ;:::54 262X-20104 Emergency Switchgear Rm Cooler A OC877A 120 ;:::54 SUSQUEHANNA - UNIT 1 3.8-33

Rev. 15 AC Sources - Operating B 3.8.1 TABLE B 3.8.1-1 (page 2 of 2)

UNIT 1 AND UNIT 2 LOAD TIMERS NOMINAL DEVICE SETTING ALLOWABLE VALUE TAG NO. SYSTEM LOADING TIMER LOCATION (seconds) (seconds) p2X-546 DG Rm Exh Fan D OB546 120 ;;,: 54 p2X-536 DG Rm Exh Fan C OB536 120 ;;,:54 p2X-526 DG Rm Exh Fan B OB526 120 ;;,:54 p2X-516 DG Rm Exh Fan A OB516 120 ;;,:54 CRX-5652A DG Room Supply Fans E1 and E2 OB565 120 ;;,:54 p2X2-20410 Control Structure Chilled Water System PC876B 180 ;;,:54 p2X1-20304 Control Structure Chilled Water System IOC877A 180 ;;,:54 p2X2-20310 Control Structure Chilled Water System OC876A 180 ;;,:54 p2X1-20404 Control Structure Chilled Water System OC877B 180 ;;,:54

~2X2-20304 Control Structure Chilled Water System OC877A 210 ;;,:54 p2X2-20404 Control Structure Chilled Water System IOCB77B 210 ;;,:54 Emergency Switchgear Rm Cooling p2X-K11BB 12CB250B 260 ;;,:54 Compressor B Emergency Switchgear Rm Cooling p2X-K11AB 2CB250A 260 ;;,:54 Compressor A

SUSQUEHANNA - UNIT 1 3.8-34

Rev. 15 AC Sources - Operating B 3.8.1 BASES

THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.8-35

Rev. 15 AC Sources - Operating

BASES B 3.8.1

THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.8-36

Rev. 15 AC Sources - Operating

BASES B 3.8.1

THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.8-37

Rev. 5 DC Sources-Operating B 3.8.4 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.4 DC Sources - Operating BASES BACKGROUND The DC electrical power system provides the AC emergency power system with control power. It also provides both motive and control power to selected safety related equipment. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the DC electrical power system is designed to have sufficient independence, redundancy, and testability to perform its safety functions, assuming a single failure. The DC electrical power system also conforms to the recommendations of Regulatory Guide 1.6 (Ref. 2) and IEEE-308 (Ref. 3).

The Unit 1 DC power sources provide both motive and control power to selected safety related equipment, as well as circuit breaker control power for the nonsafety related 13.8 kV, 4.16 kV, and 480 V and lower AC distribution systems. Each DC subsystem is energized by one 125/250 V battery and at least 1 Class 1E battery charger. The 250 V DC batteries for division I are supported by two full capacity chargers; the 250 V DC batteries for division II are supported by a full capacity charger; and, the 125 V DC batteries are each supported by a single full capacity charger.

Each battery is exclusively associated with a single 125/250 VDC bus and cannot be interconnected with any other 125/250 VDC subsystem. The chargers are supplied from the same AC load groups for which the associated DC subsystem supplies the control power. Transfer switches provide the capability to power Unit 1 and common DC loads from Unit 2 DC sources.

Diesel Generator (DG) E DC power sources provide control and instrumentation power for DG E.

During normal operation, the DC loads are powered from the battery chargers with the batteries floating on the system. In case of loss of normal power to the battery charger, the DC loads are automatically powered from the station batteries.

The DC power distribution system is described in more detail in Bases for LCO 3.8.7, "Distribution System - Operating," and LCO 3.8.8, "Distribution System- Shutdown."

Each battery has adequate storage capacity to meet the battery duty load profiles in the FSAR, Chapter 8 Tables (Ref. 12). The battery is designed with additional capacity above that required by the design duty cycle to allow for temperature variations and other factors.

SUSQUEHANNA - UNIT 1 3.8-54

r Rev. 5 DC Sources-Operating

- BASES BACKGROUND (continued)

Each subsystem, including the battery bank, chargers and DC switchgear, is located in an area separated physically and electrically from the other B 3.8.4 subsystems to ensure that a single failure in one subsystem does not cause a failure in a redundant subsystem. There is no sharing between redundant Class 1 E subsystems such as batteries, or battery chargers.

The batteries for the electrical power subsystems are sized to produce required capacity at 80% of design rating, corresponding to warranted capacity at end of life cycles and the 100% design demand. The minimum design voltage limit is 105/210 V, at the battery terminals.

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit voltage of approximately 124 V for a 60 cell battery (i.e. cell voltage of 2.06 volts per cell (Vpc)). The open circuit voltage is the voltage maintained when there is no charging or discharging. Once fully charged with its open circuit voltage;::,: 2.06 Vpc, the battery cell will maintain its capacity for 30 days without further charging per manufacturer's instructions. Optimal long term performance however, is obtained by maintaining a float voltage of 2.20 to 2.25 Vpc. This provides adequate over-potential, which limits the formation of lead sulfate and self discharge.

The nominal float voltage of 2.2 Vpc corresponds to a total float voltage output of 132 V for a 60 cell battery as discussed in the FSAR, Chapter 8 (Ref. 12).

Each battery charger of DC electrical power subsystem has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger has sufficient capacity to restore the battery from the design minimum charge to its fully charged state within design basis requirements while supplying normal steady state loads (Ref. 12).

The battery charger is normally in the float-charge mode. Float-charge is the condition in which the charger is supplying the connected loads and the battery cells are receiving adequate current to optimally charge the battery.

This assures the internal losses of a battery are overcome and the battery is maintained in a fully charged state.

When desired, the charger can be placed in the equalize mode. The equalize mode is at a higher voltage than the float mode and charging current is correspondingly higher. The battery charger is operated in the equalize mode after a battery discharge or for routine maintenance.

Following a battery discharge, the battery recharge characteristic accepts current at the current limit of the battery charger (if the discharge was significant, e.g., following a battery service test) until the battery terminal SUSQUEHANNA - UNIT 1 3.8-55

Rev. 5 DC Sources-Operating

- BASES BACKGROUND (continued) voltage approaches the charger voltage setpoint. Charging current then reduces exponentially during the remainder of the recharge cycle. Lead-B 3.8.4 calcium batteries have recharge efficiencies of greater than 95%, so once at least 105% of the ampere-hours discharged have been returned, the battery capacity would be restored to the same condition as it was prior to the discharge. This can be monitored by direct obseNation of the exponentially decaying charging current or by evaluating the amp-hours discharged from the battery and amp-hours returned to the battery.

APPLICABLE The initial conditions of Design Basis Accident (OBA) and transient SAFETY analyses in the FSAR, Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ANALYSES that Engineered Safety Feature (ESF) systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the DGs, emergency auxiliaries, and control and switching during all MODES of operation. The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power; and

b. A worst case single failure.

The DC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 6).

LCO The DC electrical power subsystems are required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence *

(AOO) or a postulated OBA. Loss of any DC electrical power subsystem does not prevent the minimum safety function from being performed (Ref. 12).

The DC electrical power subsystems include:

a) each Unit 1 DC electrical power subsystem identified in Table 3.8.4-1 including a 125 volt or 250 volt DC battery bank in parallel with a battery charger and the corresponding control equipment and interconnecting cabling supplying power to the associated bus; and, b) the Diesel Generator E DC electrical power subsystem identified in Table 3.8.4-1 including a 125 volt DC battery bank in parallel with a battery charger and the corresponding control equipment and interconnecting cabling supplying power to the associated bus.

SUSQUEHANNA - UNIT 1 3.8-56

Rev. 5 DC Sources-Operating 83.8.4 BASES APPLICABILITY The DC electrical power sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated OBA The DC electrical power requirements for MODES 4 and 5 are addressed in the Bases for LCO 3.8.5, "DC Sources-Shutdown."

ACTIONS A 1, A.2, A.3 Condition A represents one subsystem with one (or two) battery chargers inoperable (e.g., the voltage limit of SR 3.8.4.1 is not maintained). The ACTIONS provide a tiered response that focuses on returning the battery to the fully charged state and restoring a fully qualified charger to OPERABLE status in a reasonable time period.

Required Action A.1 requires that the battery terminal voltage be restored to greater than or equal to the minimum established float voltage within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . This time provides for returning the inoperable charger to OPERABLE status or providing an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage. Restoring the battery terminal voltage to greater than or equal to the minimum established float voltage provides good assurance that, within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , the battery will be restored to its fully charged condition (Required Action A.2) from any discharge that might have occurred due to the charger inoperability.

A discharged battery having terminal voltage of at least the minimum established float voltage indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus, there is good assurance of fully recharging the battery within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , avoiding a premature shutdown .

- SUSQUEHANNA - UNIT 1 3.8-57

Rev. 5 DC Sources-Operating B 3.8.4 BASES ACTIONS A.1, A.2, A.3 (continued)

(continued)

If established battery terminal voltage cannot be restored to greater than or equal to the minimum established float voltage within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , and the charger is not operating in the current-limiting mode, a faulty charger is indicated. A faulty charger that is incapable of maintaining established battery terminal float voltage does not provide assurance that it can revert to and operate properly in the current limit mode that is necessary during the recovery period following a battery discharge event that the DC system is designed for.

If the charger is operating in the current limit mode after 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months that is an indication that the battery is partially discharged and its capacity margins will be reduced. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged to comply with the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time of Required Action A.2.

Required Action A.2 requires that the battery float current be verified as less than or equal to 2 amps. Float current less than 2 amps indicates that, if the battery had been discharged as the result of the inoperable battery charger, it is now fully capable of supplying the maximum expected load requirement. The 2 amp value is based on documentation from the battery manufacturer that charging current less than 2 amps indicates a battery with a full state of charge (Reference 13). If monitoring the battery float current during the initial 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period does not verify that the current is less than or equal to 2 amps at the expiration of the initial 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months period the battery must be declared inoperable. During subsequent 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months periods, if battery float current is greater than 2 amps, there may be additional battery problems and the battery must be declared inoperable.

Required Action A.3 limits the restoration time for the inoperable battery charger to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or in accordance with the Risk Informed Completion Time Program. This action is applicable if an alternate means of restoring battery terminal voltage to greater than or equal to the minimum established float voltage has been used (e.g., balance of plant non-Class 1E battery charger with sufficient capacity such that it is fully capable of restoring the battery voltage to the minimum acceptable limits, carrying respective DC bus loads, and maintaining the battery in a fully charged condition). The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time reflects a reasonable time to effect restoration of the qualified battery charger to OPERABLE status and is consistent with the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time for the SSES emergency diesel generators .

SUSQUEHANNA - UNIT 1 3.8-58

Rev. 5 DC Sources-Operating B 3.8.4 BASES ACTIONS A.1, A.2, A.3 (continued)

(continued)

Condition A is modified by a Note that states that Condition A is not applicable to the DG E DC electrical power subsystem. Condition E or F is applicable to an inoperable DG E DC electrical power subsystem.

8.1 Condition B represents one subsystem with one battery bank inoperable.

With one battery bank inoperable, the DC bus is being supplied by the OPERABLE battery charger. Any event that results in a loss of the AC bus supporting the battery charger will also result in loss of DC to that subsystem. Recovery of the AC bus, especially if it is due to a loss of offsite power, will be hampered by the fact that many of the components necessary for the recovery (e.g., diesel generator control and field flash, AC load shed, and diesel generator output circuit breakers, etc.) may rely upon the battery. In addition, the energization transients of any DC loads that are beyond the capability of the battery charger and normally require the assistance of the battery will not be able to be brought online. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit allows sufficient time to effect restoration of an inoperable

- battery bank given that the majority of the conditions that lead to battery inoperability (e.g., loss of battery charger, battery cell voltage less than 2.07 V, etc.) are identified in Specifications 3.8.4, 3.8.5, and 3.8.6 together with additional specific Completion Times. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program.

Condition B is modified by a Note that states that Condition B is not applicable to the DG. E DC electrical power subsystem. Condition E or F is applicable to an inoperable DG E DC electrical power subsystem.

C.1 Condition C represents one subsystem with a loss of ability to completely respond to an event, and a potential loss of ability to remain energized during normal operation. It is therefore imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for complete loss of DC power to the affected division. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for an inoperable DC Distribution System division.

Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program .

SUSQUEHANNA - UNIT 1 3.8-59

Rev. 5 DC Sources-Operating B 3.8.4 BASES ACTIONS C.1 (continued)

(continued)

If one of the required DC electrical power subsystems is inoperable, as a result of equipment other than the battery or battery charger being inoperable, the remaining DC electrical power subsystems have the capacity to support a safe shutdown and to mitigate an accident condition.

Since a subsequent worst case single failure could, however, result in the loss of minimum necessary DC electrical subsystems to mitigate a worst case accident, continued power operation should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is based on Regulatory Guide 1.93 (Ref. 7) and reflects a reasonable time to assess unit status as a function of the inoperable DC electrical power subsystem and, if the DC electrical power subsystem is not restored to OPERABLE status, to prepare to effect an orderly and safe unit shutdown.

Condition C is modified by a Note that states that Condition C is not applicable to the DG E DC electrical power subsystem. Condition E or F is applicable to an inoperable DG E DC electrical power subsystem.

D.1 and D.2

If two Unit 1 DC electrical power subsystems are inoperable or if an inoperable Unit 1 DC electrical power subsystem cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant .

systems. The Completion Time to bring the unit to MODE 4 is consistent with the time required in Regulatory Guide 1.93 (Ref. 7).

If Diesel Generator E is not aligned to the class 1E distribution system, the only supported safety function is for the ESW system. Therefore, under this condition, if Diesel Generator E DC power subsystem is not OPERABLE actions are taken to either restore the battery to OPERABLE status or shutdown Diesel Generator E and close the associated ESW valves in order to ensure the OPERABILITY of the ESW system. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other inoperable DC sources and provides sufficient time to evaluate the condition of the battery

and take the corrective actions .

SUSQUEHANNA - UNIT 1 3.8-60

Rev.5 DC Sources-Operating B 3.8.4 BASES ACTIONS E.1 (continued)

If the Diesel Generator is aligned to the class 1E distribution system, the loss of Diesel Generator E DC power subsystem will result in the loss of a on-site Class 1E power source. Therefore, under this condition, if Diesel Generator E DC power subsystem is not OPERABLE actions are taken to either restore the battery to OPERABLE status or declare Diesel Generator E inoperable and take Actions of LCO 3.8.1. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other DC sources and provides sufficient time to evaluate the condition of the battery and take the necessary corrective actions.

SURVEILLANCE SR 3.8.4.1 REQUIREMENTS Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the battery chargers, which support the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery and maintain the battery in a fully charged state while supplying the continuous steady state loads of the associated DC subsystem. On float charge, battery cells will receive adequate current to optimally charge the battery. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the minimum float voltage established by the battery manufacturer.

This voltage maintains the battery plates in a condition that supports maintaining the grid life (expected to be approximately 20 years). The minimum established float voltage for OPERABILITY, per SR 3.8.4.1 is 129 VDC for 125 VDC batteries and 258 VDC for 250 VDC batteries. This voltage should be adjusted downward by 2.20 VDC for any cells jumpered out of the battery bank. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.2 This SR verifies the design capacity of the battery chargers. According to Regulatory Guide 1.32 (Ref. 9), the battery charger supply is recommended to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences.

The minimum required amperes and duration ensures that these requirements can be satisfied .

- SUSQUEHANNA - UNIT 1 3.8-61

Rev. 5 DC Sources-Operating B 3.8.4 BASES SURVEILLANCE SR 3.8.4.2 (continued)

REQUIREMENTS (continued) This SR requires that each battery charger be capable of supplying DC current to its associated battery bank at the minimum established float voltage for greater than or equal to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The ampere requirements are based on the output rating of the chargers. The voltage requirements are based on the charger voltage level after a response to a loss of AC power.

The time period is sufficient for the charger temperature to have stabilized and to have been maintained for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.4.3 A battery service test is a special test of the battery's capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The test can be conducted using actual or simulated loads.

The discharge rate and test length corresponds to the design duty cycle requirements as specified in Reference 12.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 allows the performance of a modified performance discharge test SR 3.8.6.6 in lieu of a service test SR 3.8.4.3.

The reason for Note 2 is that performing the Surveillance would remove a required DC electrical power subsystem from service, perturb the Electrical Distribution System, and challenge safety systems. Credit may be taken for unplanned events that satisfy the Surveillance. Examples of unplanned events may include:

1. Unexpected operational events which cause the equipment to perform the function specified by this Surveillance, for which adequate documentation is available; and

2. Post maintenance testing that requires performance of this Surveillance in order to restore the component to OPERABLE, provided the maintenance was required, or performed in conjunction with maintenance required to maintain OPERABILITY or reliability.

- - SUSQUEHANNA - UNIT 1 3.8-62

Rev. 5 DC Sources-Operating B 3.8.4 BASES REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. Regulatory Guide 1.6.

3. IEEE Standard 308.

4. FSAR, Chapter 6.

5. FSAR, Chapter 15.

6. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

7. Regulatory Guide 1.93.

8. IEEE Standard 450.

9. Regulatory Guide 1.32, February 1977.

10. Regulatory Guide 1.129, April 1977, February 1978.

11.

12.

13.

IEEE Standard 485.

FSAR, Chapter 8, Section 8.3.2.1.1.6 Letter from C&D Technologies, Inc - Power Solutions, "Float Current Used as an Indicator of Battery Charge State," to L. R. Casella, dated August 9, 2006 .

SUSQUEHANNA - UNIT 1 3.8-63

Rev. 5 DC Sources-Operating B 3.8.4 BASES

THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.8-64

Rev.5 DC Sources-Operating B 3.8.4 BASES THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.8-65

Rev.4 Distribution Systems-Operating B 3.8.7 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.7 Distribution Systems - Operating BASES BACKGROUND The onsite Class 1E AC and DC electrical power distribution system is divided into redundant and independent AC and DC electrical power distribution subsystems and a DG E electrical power distribution subsystem.

The primary AC distribution system consists of four 4.16 kV Engineered Safeguards System (ESS) buses each having a primary and alternate offsite source of power as well as an onsite diesel generator (DG) source that supports one 4.16 kV ESS bus in each unit. Each 4.16 kV ESS bus is normally supplied by either Startup Transformer (ST) No. 10 or ST No. 20.

ST No. 10 and ST No. 20 each provide the normal source of power to two of the four 4.16 kV ESS buses in each Unit and the alternate source of power to the remaining two 4.16 kV ESS buses in each Unit. If any 4.16 kV ESS bus loses power, an automatic transfer from .the normal to the alternate occurs after the normal supply breaker trips. If both offsite sources are unavailable, the onsite emergency DGs supply power to the 4.16 kV ESS buses.

There are two 250 VDC electrical power distribution subsystems, four

125 VDC electrical power distribution subsystems, and one 125 VDC DG E electrical power distribution subsystem, all of which support the necessary power for ESF functions.

In addition, some components required by Unit 2 receive power through Unit 1 electrical power distribution subsystems, the Unit 1 AC and DC electrical power distribution subsystems needed to support the required equipment are addressed in Unit 2 LCO 3.8.7.

Required distribution subsystems are listed in LCO 3.8.7, Table 3.8.7-1.

APPLICABLE The initial conditions of Design Basis Accident (OBA) and transient SAFETY analyses in the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ANALYSES ESF systems are OPERABLE. The AC and DC electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6 Containment Systems.

SUSQUEHANNA- UNIT 1 3.8-78

Rev.4 Distribution Systems-Operating

- BASES APPLICABLE SAFETY The OPERABILITY of the AC and DC electrical power distribution subsystems is consistent with the initial assumptions of the accident B 3.8.7 ANALYSES analyses and is based upon meeting the design basis of the unit. This (continued) includes maintaining distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and

b. A worst case single failure.

The AC and DC electrical power distribution system satisfies Criterion 3 of the NRG Policy Statement (Ref. 4),

LCO The required electrical power distribution subsystems listed in Table 3.8.7-1 ensure the availability of AC and DC electrical power for the systems required to shut down the reactor and maintain it in a safe condition after an anticipated operational occurrence (AOO) or a postulated OBA. The AC and DC electrical power distribution subsystems are required to be

- OPERABLE.

Maintaining the AC and DC electrical power distribution subsystems OPERABLE ensures that the redundancy incorporated into the design of ESF is not defeated. Therefore, a single failure within any system or within the electrical power distribution subsystems will not prevent safe shutdown of the reactor.

AC electrical power distribution subsystems require the associated buses and electrical circuits to be energized to their proper voltages. DC electrical power distribution subsystems require the associated buses to be energized to their proper voltage from either the associated battery or charger. The AC and DC electrical power distribution subsystem is only considered Inoperable when the subsystem is not energized to its proper voltage.

APPLICABILITY The electrical power distribution subsystems are required to be OPERABLE in MODES 1, 2, and 3 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated OBA.

SUSQUEHANNA - UNIT 1 3.8-79

Rev. 4 Distribution Systems-Operating

- BASES APPLICABILITY Electrical power distribution subsystem requirements for MODES 4 and 5 B 3.8.7 (continued) are covered in the Bases for LCO 3.8.8, "Distribution Systems -

Shutdown."

ACTIONS With one or more required AC buses, load centers, motor control centers, or distribution panels inoperable but not resulting in a loss of safety function, the remaining AC electrical power distribution subsystems are capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in the remaining power distribution subsystems could result in the minimum requited ESF functions not being supported. Therefore, the required AC buses, load centers, motor control centers, and distribution panels must be restored to OPERABLE status within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by two Notes. Note 1 limits the ability to calculate a Risk Informed Completion Time to situations in which a loss of function has not occurred. Note 2 prohibits applying a Risk Informed Completion Time to losses of AC sources which are not included in the PRA model.

The Condition A worst scenario is one division without AC power (i.e., no offsite power to the division and the associated DG inoperable). In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operators' attention be focused on minimizing the potential for loss of power to the remaining division by stabilizing the unit, and on restoring power to the affected division. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months time limit before requiring a unit shutdown in this Condition is acceptable because:

a. There is a potential for decreased safety if the attention of unit operators is diverted from the evaluations and actions necessary to restore power to the affected division to the actions associated with taking the unit to shutdown within this time limit.

b. The potential for an event in conjunction with a single failure of a redundant component in the division with AC power. (The redundant component is verified OPERABLE in accordance with Specification 5.5.11, "Safety Function Determination Program (SFDP).")

SUSQUEHANNA - UNIT 1 3.8-80

Rev. 4 Distribution Systems-Operating 8 3.8.7 BASES ACTIONS A.1 (continued)

(continued)

Condition A is modified by a Note that states that Condition A is not applicable to the DG E DC electrical power subsystem. Condition D or E is applicable to an inoperable DG E DC electrical power subsystem.

Required Action A.1 is modified by a Note that requires the applicable Conditions and Required Actions of LCO 3.8.4 "DC Sources - Operating,"

to be entered for DC subsystems made inoperable by inoperable AC electrical power distribution subsystems. This is an exception to LCO 3.0.6 and ensures the proper actions are taken for inoperable DC sources.

lnoperability of a distribution subsystem can result in loss of charging power to batteries and eventual loss of DC power. This Note ensures that the appropriate attention is given to restoring charging power to batteries, if necessary, after loss of distribution systems.

8.1 With one or more Unit 1 DC buses inoperable, the remaining DC electrical power distribution subsystems may be capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure. The overall reliability is reduced, however, because a single failure in one of the remaining DC electrical power distribution subsystems could result in the minimum required ESF functions not being supported. Therefore, the required DC buses must be restored to OPERABLE status within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months by powering the bus from the associated battery or charger. Alternatively, a Completion Time can be determined in accordance with the Risk Informed Completion Time Program. The ability to calculate a Risk Informed Completion Time is modified by a Note and limited to situations in which a loss of function has not occurred.

Condition 8 represents one subsystem or multiple DC buses without adequate DC power, potentially with both the battery significantly degraded and the associated charger non-functioning. In this situation the plant is significantly more vulnerable to a loss of minimally required DC power. It is, therefore, imperative that the operator's attention focus on stabilizing the plant, minimizing the potential for loss of power to the remaining divisions, and restoring power to the affected division.

This 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is more conservative than Completion Times allowed for the majority of components that would be without power. Taking exception

SUSQUEHANNA - UNIT 1 3.8-81

Rev.4 Distribution Systems-Operating B 3.8.7 BASES ACTIONS B.1 (continued)

(continued) to LCO 3.0.2 for components without adequate DC power, which would have Required Action Completion Times shorter than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , is acceptable because of:

a. The potential for decreased safety when requiring a change in plant conditions (i.e., requiring a shutdown) while not allowing stable operations to continue;

b. The potential for decreased safety when requiring entry into numerous applicable Conditions and Required Actions for components without DC power, while not providing sufficient time for the operators to perform the necessary evaluations and actions for restoring power to the affected division;

c. The potential for an event in conjunction with a single failure of a redundant component.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time for DC buses is consistent with Regulatory Guide 1.93 (Ref. 3) .

Condition B is modified by a Note that states that Condition B is not applicable to the DG E DC electrical power subsystem. Condition D or E is applicable to an inoperable DG E DC electrical power subsystem.

C.1 and C.2 If the inoperable distribution subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

D.1 If Diesel Generator E is not aligned to the Class 1E distribution system, the only supported safety function is for the ESW system. Therefore, under this condition, if Diesel Generator E DC power distribution subsystem is not OPERABLE, to ensure the OPERABILITY of the ESW system, actions are taken to either restore the power distribution subsystem to OPERABLE status or shutdown Diesel Generator E and close the associated ESW valves. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other inoperable DC power distribution subsystems and provides sufficient time to evaluate the condition and take the corrective actions.

SUSQUEHANNA - UNIT 1 3.8-82

Rev. 4 Distribution Systems-Operating B 3.8.7 BASES ACTIONS (continued)

If the Diesel Generator E is aligned to the class 1 E distribution system, the loss of Diesel Generator E DC power distribution subsystem will result in the loss of a on-site class 1E power source. Therefore, under this condition, if Diesel Generator E DC power distribution subsystem is not OPERABLE actions are taken to either restore the power distribution subsystem to OPERABLE status or declare Diesel Generator E inoperable and take Actions of LCO 3.8.1. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other DC sources and provides sufficient time to evaluate the condition and take the necessary corrective actions.

E1 Condition F corresponds to a level of degradation in the electrical distribution system that causes a required safety function to be lost. When more than one AC or DC electrical power distribution subsystem is lost, and this results in the loss of a required function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation. LCO 3.0.3 must be entered immediately to commence a controlled shutdown. Entry into Condition F is not required if the loss of safety function is the result of entry into Condition A in combination with the loss of safety functions governed by LCOs other than LCO 3.8.7. In this case, enter LCO 3.8.7, Condition A, and the Condition for loss of function in the LCO that governs the safety function that is lost.

SURVEILLANCE SR 3.8.7.1 REQUIREMENTS This Surveillance verifies that the AC and DC, electrical power distribution systems are functioning properly, with the correct circuit breaker alignment.

The correct breaker alignment ensures the appropriate independence of the electrical buses are maintained, and the appropriate voltage or indicated power is available to each required bus. This includes a verification that Unit 1 and common 125 VDC loads are aligned to a Unit 1 DC power distribution subsystem. The verification of voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SUSQUEHANNA - UNIT 1 3.8-83

Rev. 4 Distribution Systems-Operating

- BASES REFERENCES 1. FSAR, Chapter 6.

B 3.8.7

2. FSAR, Chapter 15.

3. Regulatory Guide 1.93, December 1974.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132) .

SUSQUEHANNA - UNIT 1 3.8-84

Rev.4

- Distribution Systems-Operating B 3.8.7 BASES

- THIS PAGE INTENTIONALLY LEFT BLANK

SUSQUEHANNA - UNIT 1 3.8-85

ML23017A055

Text

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title: