Text

Technical Specification (TS) Bases Change
	ML15303A003
Person / Time
Site:	Oconee
Issue date:	10/26/2015
From:	Batson S; Duke Energy Carolinas
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	ONS-2015-106
	Download: ML15303A003 (91)
	v • d • e

~~DUKE scottLBto E

Oconee Nuclear Station Duke Energy ONOIVP 7600 Rochester Hwy Seneca, SC 29672 o; 864.873.3274 f: 864.873. 4208 ONS-201 5-1 06 Scot. Batson@duke-energy.coml October 26, 2015 ATTN: Document Controi Desk U.S. Nuclear Regulatory Commission 11555 Rockville Pike Rockville, Maryland 20852

Subject:

Duke Energy Carolinas, LLC Oconee Nuclear Station Docket Numbers 50-269, 50-270, and 50-287 Technical Specification (TS) Bases Change Please find attached changes to the Oconee Nuclear Station (ONS) TS Bases. These changes were processed in accordance with the provisions of Technical Specification 5.5.15, "Technical Specifications (TS) Bases Control Program."

TS Bases 3.3.1 was revised to remove outdated references to 10 CFR 100 and replace with 10 CFR 50.67 for offsite dose limits. NRC granted full-scope implementation of Alternate Source Team (AST) methodology for. ONS with Amendments 338/339/339 on June 1, 2005.

Update of these references was inadvertently omitted.

Amendments 393/395/394 were issued for Oconee to revise ONS TS 5.5.9, "Inservice Testing Program, (IST)" to reflect the current edition of the American Society of Mechanical Engineers (ASME) Code that is reference in 10 CFR 50.55a(b). Throughout the TS Bases documents, references to ASME Section XI, as associated with the IST Program were removed. Where appropriate, the Section XI wording was replaced with "ASME OM Code." TS Bases 3.4.10, 3.4.14, 3.5.2, 3.5.3, 3.6.5, 3.7.1, 3.7.3 and 3.7.5 associated with CM Code License Amendment Request (LAR) are attached.

Any questions regarding this information should be directed to Sandra N. Severance, ONS Regulatory Affairs Group, at (864) 873-3466.

Sincerely, Scott L. Batson Vice President Oconee Nuclear Station Attachment 1

)"

www.duke-energy.com

U. S. Nuclear Regulatory Commission October 26, 2015 Page 2 cc: Mr. Leonard 0. Wert, Jr.

Administrator, Region II (Acting)

U.S. Nuclear Regulatory Commission, Region II Marquis One Tower 245 Peachtree Center Ave., NE, Suite 1200 Atlanta, GA 30303-1257 Mr. James R. Hall, Senior Project Manager (ONS)

(By electronic mail only)

U. S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation 11555 Rockville Pike Mail Stop O-8G9A Rockville, MD 20852 Mr. Jeffrey A. Whited, Project Manager (By electronic mail only)

U. S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation 11555 Rockville Pike Mail Stop O-8B1A Rockville, MD 20852 Mr. Eddy Crowe Senior Resident Inspector Oconee Nuclear Station

ONS-201 5-106 October 26, 2015 Attachment Revised ONS TS Bases Pages TSB List of Effective Pages (LOEPs), Rev. 002 TSB 3.3.1, RPS Instrumentation, Rev. 001 TSB 3.4.10, Pressurizer Safety Valves, Rev. 001 TSB 3.4.14, RCS Pressure Isolation Valve Leakage, Rev. 001 TSB 3.5.2, High Pressure Injection (HPI), Rev. 001 TSB 3.5.3, Low Pressure Injection (LPI), Rev. 001 TSB 3.6.5, Reactor Building Spray and Cooling System, Rev. 001 TSB 3.7.1, Main Steam Relief Valves (MSRVs), Rev. 001 TSB 3.7.3, Main Feedwater Control Valves (MFCVs) and Startup Feedwater Conltrol Valves (SFCVs), Rev. 001 TSB 3.7.5, Atmospheric Dump Valve (ADV) Flow Paths, Rev.001 LOEP 1 thru 4 B 3.3.1 - 1 thru 26 B 3.4.10 -1 thru 4 B 3.4.14-1 thru 5 B 3.5.2 -1 thru 14 B 3.5.3 -1 thr'u 9 B 3.6.5 -1 thru 10 B 3.7.1 -1 thru 4 B 3.7.3 -1 thru 4 B 3.7.5 -1 thru 8

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 09/30/15 LIST OF EFFECTIVE PAGES SECTION/PAGES REVISION NUMBER IMPLEMENTATION DATE TOG B 2.1.1 B 2.1.2 B 3.0 B 3.1.1 B 3.1.2 B 3.1.3 B 3.1.4 B 3.1.5 B 3.1.6 B 3.1.7 B 3.1.8 B 3.2.1 B 3.2.2 B 3.2.3 B 3.3.1 B 3.3.2 B 3.3.3 B 3.3.4 B 3.3.5 B 3.3.6 B 3.3.7 B 3.3.8 B 3.3.9 B 3.3.10 B 3.3.11 B 3.3.12 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 001 000 000 000 000 000 000 000 000 000 000 000 09/03/14 05/31/12 02/06/14 10/20/11 05/16/12 05/16/12 06/02/99 07/23/12 05/16/12 07/23/12 07/23/12 05/16/12 05/16/12 05/16/12 05/16/12 09/30/15 12/14/04 12/10/14 12/10/14 12/10/14 12/10/14 12/10/14 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 Oconee Nuclear StationLEP1R iio02 LOEP 1 Revision 002

OCONEE NUJCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 09/30/15 LIST OF EFFECTIVE PAGES SECTION/PAGES REVISION NUMBER BASES REVISION DATE B 3.3.13 B 3.3.14 B 3.3.15 B 3.3.16 B 3.3.17 B 3.3.18 B 3.3.19 B 3.3.20 B 3.3.21 B 3.3.22 B 3.3.23 B 3.3.24 B 3.3.25 B 3.3.26 B 3.3.27 B 3.3.28 B 3.4.1 B 3.4.2 B 3.4.3 B 3.4.4 B 3.4.5 B 3.4.6 B 3.4.7 B 3.4.8 B 3.4.9 B 3.4.10 B 3.4.11 B 3.4.12 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 001 000 000 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 9/26/01 11/5/03 11/5/03 12/10/14 05/16/12 05/16/12 12/16/98 03/04/15 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 09/21/15 10/12/12 06/13/14 Oconee Nuclear StationLEP2Rvso02 LOEP 2 Revision 002

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 09/30/15 LIST OF EFFECTIVE PAGES SECTION/PAGES REVISION NUMBER BASES REVISION DATE 3.4.13 3.4.14 3.4.15 3.4.16 3.5.1 3.5.2 3.5.3 3.5.4 3.6.1 3.6.2 3.6.3 3.6.4 3.6.5 3.7.1 3.7.2 3.7.3 3.7.4 3.7.5 3.7.6 3.7.7 3.7.8 3.7.9 3.7.10 3.7.10a 3.7.11 3.7.12 3.7.13 3.7.14 000 001 o000 o00 001 001 000 000 000 000 000 001 001 000 001 000 001 o000 000 o000 000 000 000 000 o000 000 o00 05/16/12 09/21/15 05/16/12 4/2/07 05/16/12 09/21/15 09/21 /15 05/16/12 10/20/11 05/16/12 05/16/12 05/16/12 09/21/15 09/21/15 11/13/12 09/21/15 05/16/12 09/21/15 05/16/12 12/10/14 05/16/12 08/28/14 09/03/14 09/03/14 05/16/12 05/16/12 08/19/10 05/16/12 Oconee Nuclear StationLEP3Rvso02 LOEP3 Revision 002

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 09/30/15 LIST OF EFFECTIVE PAGES SECTION/PAGES REVISION NUMBER BASES REVISION DATE B 3.7.15 B 3.7.16 B 3.7.17 B 3.7.18 B 3.7.19 B 3.8.1 B 3.8.2 B 3.8.3 B 3.8.4 B 3.8.5 B 3.8.6 B 3.8.7 B 3.8.8 B 3.8.9 B 3.9.1 B 3.9.2 B 3.9.3 B 3.9.4 B 3.9.5 B 3.9.6 B 3.9.7 B 3.9.8 B 3.10.1 B 3.10.2 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 o00 000 000 000 000 10/24/07 05/16/12 04/12/06 06/15/06 06/25/14 05/21/15 04/07/11 04/28/15 12/18/07 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 05/16/12 06/25/14 11/05/14 11/05/14 Note: With the introduction of Fusion in June 201 5,- all controlled documents require a three-digit revision number. Thus, the revision numbers were set to '000" in the summer of 2015. As such, the revision dates for Revision 000 are based on the implementation dates for revisions in effect prior to this change.

Oconee Nuclear StationLEP4Rvso02 LOEP 4 Revision 002

RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a.

The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;

b.

Fuel centerline melt shall not occur; and

c.

The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CER 50.67 criteria during anticipated transients. Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 50.67 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

OCONEE UNITS 1, 2, & 3 B3311Rv 0

B3.3.1-1 Rev. 001

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MEW) pump turbines status, and main turbine status.

Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip component (RTC), and a controi rod drive (CRD) trip device. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the processor output trip devices in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints.

If the setpoint for a parameter input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel.

However, due to the 2.MIN/2.MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.

The RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's. Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.

The RPS consists of four independent protective channels (A, B, C, and D).

Each RPS protective channel contains the sensor input modules, a protective channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized).

OCONEE UNITS 1, 2, & 3 B3312Rv 0

B 3.3.1-2 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKGROU ND RPS Overview (continued)

Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D. Likewise, channels B, C and D control the respective RTR in each of the four channels. Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels. This configuration results in a two-out-of-four coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and open the respective contacts. The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.

Three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function. Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel 0 calculates only RPS functions. See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.

The reactor is tripped by opening the reactor trip breakers.

There are three bypasses: shutdown bypass, manual bypass, and channel trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The manual bypass allows putting a complete RPS channel into bypass for maintenance activities. This includes the planned power-down of the bypassed RPS channel computer. If the complete RPS channel is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the manual bypass Unit Statalarm window will not illuminate. The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS Screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit.

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

OCONEE UNITS 1, 2, & 3 B3313Rv 0

B 3.3.1-3 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKG ROUND RPS Overview (continued)

a.

Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;

b.

Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and

c.

Redundant measurements with combinational trip logic inside the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Ranqie Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1.

Nuclear Overpower

a.

Nuclear Overpower - High Setpoint;

b.

Nuclear Overpower - Low Setpoint;

7.

Reactor Coolant Pump to Power;

8.

Nuclear Overpower Flux/Flow Imbalance;

9.

Main Turbine Trip (Hydraulic Fluid Pressure); and

10.

Loss of Main Feedwater (LOMEW) Pump Turbines (Hydraulic Oil Pressure).

OCONEE UNITS 1, 2, & 3 B3314Rv 0

B 3.3.1-4 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Power Rancie Nuclear Instrumentation (continued)

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2.

RCS High Outlet Temperature; and

5.

RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance temperature detection elements in each hot leg, for a total of four. One temperature detection element is associated with each protective channel.

Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure; and

11.

Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B3315Rv 0

B 3.3.1-5 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Buildinq Pressure (continued)

The Reactor Building Pressure measurements provide input only to the Reactor Buiiding High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

Reactor Coolant Pump Power Monitoringq Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP has a RCP Power Monitor (RCPPM), which monitors the electrical power and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.

Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

Main Turbine Hydraulic Fluid Pressure Main Turbine Hydraulic Fluid Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine hydraulic fluid pressure. Each protective channel continuously monitors the status of the contact inputs and initiates an RPS trip when a main turbine trip is indicated.

Feedwater Pump Turbine Hydraulic OiliPressure Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.

Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine is associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B3316Rv 0

B 3.3.1-6 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Feedwater Pump Turbine Hydraulic Oil Pressure (continued)

Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches. When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal is initiated on that channel.

RPS Bypasses The RPS is designed with three types of bypasses: shutdown bypass, manual bypass and channel trip function bypass.

Each bypass is discussed next.

Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

A shutdown bypass signal is provided by the operator from the shutdown bypass keyswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip.

The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the processor output trip device prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a OCONEE UNITS 1, 2, & 3 B3317Rv 0

B 3.3.1-7 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued) unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip setpoint is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.

Manual Bypass The RPS Manual Bypass allows putting the complete RPS channel into bypass for maintenance activities. Placing the RPS channel in bypass does not power-down the computer. If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep the four RTRs associated with the respective channel energized while the channel computer is powered down. To place a protective channel in manual bypass, the other three channels must not be in manual bypass or otherwise inoperable (e.g., a channel trip function in bypass).

The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.

If the complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the Manual Bypass Unit Statalarm window will not illuminate.

Channel Trip Function Bypass An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. -This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable.

Operation to put functions in bypass is administratively controlled since there is no interlock to prevent placing functions in multiple channels in bypass. Channel trip functions may be placed in bypass in only one RPS channel at a time.

OCONEE UNITS 1, 2, & 3 B3318Rv 0

B 3.3.1-8 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Chancqe Enable Mode (continued)

Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channel's cabinet pair.

Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch will also place the corresponding ESPS Channels Al, B1 or Cl in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Reactor Trip Relay testing).

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service (1) the affected RPS channel shall be bypassed and (2) either the affected ESPS input channel (Al, B1, or Cl) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:

Loading or revising the software in a processor.

Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit.

OCONEE UNITS 1, 2, & 3 B3319Rv 0

B 3.3.1-9 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Chanqie Enable Mode (continued)

Changing parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.

Only one RPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for these activities.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

Trip Setpoints/AIlowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value and associated uncertainties is provided in Reference 4.

Setpoints in conjunction with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions OCONEE UNITS 1, 2, &3 B3..-0Rv 0

B 3.3.1-10 Rev. 001

RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/AIlowable Value (continued) as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

With the exception of the RB High Pressure function, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These Functions are high RB pressure, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CR0 trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL CALIBRATIONS does not exceed the Allowable Value. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that OCONEE UNITS 1, 2, & 3B331-1Rv01 B 3.3.1-11 Rev. 001

RPS Instrumentation B 3.3.1 BASES APPLICABLE operation, testing and subsequent calibration are consistent with the SAFETY ANALYSES, assumptions of the setpoint calculations. Each Allowable Value specified is LCO, and more conservative than instrument uncertainties appropriate to the trip APPLICABILITY Function. These uncertainties are defined in Reference 4.

(continued)

For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

The safety analyses applicable to each RPS Function are discussed next.

1.

Nuclear Overpower

a.

Nuclear Overpower -

Hiqih Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest power at which the other two trips are known to provide protection.

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions OCONEE UNITS 1, 2, & 3B331-2Rv01 B 3.3.1-12 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE

a.

Nuclear Overpower -

Hiqh Setpoint (continued)

SAFETY ANALYSES, LCO, and during power operations. These events include the rod APPLICABILITY withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the ROS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

b.

Nuclear Overpower - Low Setpoint When initiating shutdown bypass, the Nuclear Overpower -

Low Setpoint trip must be reduced to < 5% RTP. The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2.

RCS Hiqh Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

The RCS High Outlet Temperature trip limits the maximum RCS temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure OCONEE UNITS 1, 2, &3 B3..-3Rv 0

B 3.3.1-13 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE

2.

RCS Hiqh Outlet Temperature (continued)

SAFETY ANALYSES, LCO, and and Variable Low Pressure trips are analyzed. Above the high APPLICABILITY temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

3.

ROS Hiqh Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.

The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower

- High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4.

RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the ROS Variable Low Pressure trip.

The RCS Low Pressure setpoint Allowable Value is selected to ensure that a reactor trip occurs before ROS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for OCONEE UNITS 1, 2, & 3B33114Rv01 B 3.3.1-14 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE

4.

RCS Low Pressure (continued)

SAFETY ANALYSES, LCO, and primary system depressurization events and has been credited in APPLICABILITY the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

5.

RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6.

Reactor BuildinQ Hicqh Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

The Allowable Value for RB High Pressure trip is set at the lowest value consistent with avoiding spurious trips during normal operation.

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The OCONEE UNITS 1, 2, & 3B33115Rv01 B 3.3.1-15 Rev. 001

RPS Instrumentation B 3.3.1 BASES APPLICABLE

6.

Reactor Buildinq Higqh Pressure (continued)

SAFETY ANALYSES, LCO, and components are exposed to high radiation conditions. Therefore, the APPLICABILITY determination of the setpoint Allowable Value accounts for errors induced by the high radiation.

7.

Reactor Coolant Pump to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. Each reactor coolant pump has an RCPPM, which monitors the electrical power and breaker status of each pump motor to determine if the pump is running. Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2%

rated full power.

8.

Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.

This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

The power to flow ratio of the Nuclear Overpower Flux/Flow Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear OCONEE UNITS 1, 2, & 3B331-6Rv01 B 3.3.1-16 Rev. 001

RPS Instrumentation B 3.3.1 BASES APPLICABLE

8.

Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and Overpower trip. This protection ensures that during reduced flow APPLICABILITY conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.

By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9.

Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUIREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel that continuously monitors the status of the contacts.

For the Main Turbine Trip (Hydraulic Fluid Pressure), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range.

This trip is bypassed at power levels < 30% RTP for unit startup.

The turbine trip is not required to protect against events that can

create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

OCONEE UNITS 1, 2, & 3B33117Rv01B 3.3.1-17 Rev. 001

RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY (continued)

10.

Loss of Main Feedwater Pump~ Turbines (Hydraulic Oil Pressure)

The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip provides a reactor trip at high power levels when both MEW pump turbines are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF.

This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

For the feedwater pump turbine hydraulic oil pressure, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops below the normal operating range. This trip is bypassed at power levels < 2% RTP for unit startup. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

11.

Shutdown Bypass RCS Hi~qh Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.

The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.

OCONEE UNITS 1, 2, & 3B331-8Rv01 B 3.3.1-18 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE SAFETY ANALYSES, LCO, and APPLICABILITY

11.

Shutdown Bypass ROS Hiqh Pressure (continued)

During shutdown bypass operation with the Shutdown Bypass RCS High Pressure trip active with a setpoint of < 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

1la.

Nuclear Overpower - High Setpoint;

3.

RCS High Pressure;

4.

ROS Low Pressure;

5.

RCS Variable Low Pressure;

7.

Reactor Coolant Pump to Power; and

8.

Nuclear Overpower FluxIFlow Imbalance.

The Shutdown Bypass ROS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

General Discussion The RPS satisfies Criterion 3 of 10 CER 50.36 (Ref. 7). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1 a.

Nuclear Overpower - High Setpoint;

2.

RCS High Outlet Temperature;

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure;

6.

Reactor Building High Pressure; OCONEE UNITS 1, 2, & 3B331-9Rv01 B 3.3.1-19 Rev. 001I

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and

7.

Reactor Cooiant Pump to Power; and APPLICABILITY

8.

Nuclear Overpower Flux/Flow Imbalance.

Functions la, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at _> 30% RTP. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at Ž>2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or processor output trip device is found inoperable, the channel must be declared inoperable and Condition A entered immediately.

When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.

OCONEE UNITS 1, 2, & 3B331-0Rv01B 3.3.1-20 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES ACTIONS A.1 (continued)

For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip.

Placing the affected Function in trip places only the affected Function in each required channel in a one-out-of-two logic configuration. If the same function in another channel exceeds the setpoint, all channels will trip. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single Channel. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Function in trip. If the individual Function cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip Keyswitch until such time that the Function can be placed in trip. This places all RPS Functions in a one-out-of-two logic configuration.

B. 1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3..1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.

D. 1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not OCONEE UNITS 1, 2, & 3B33121Rv01 B 3.3.1-21 Rev. 001

RPS Instrumentation B 3.3.1 BASES ACTIONS D.1 (continued) required to be OPERABLE. To achieve this status, all CR0 trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.

E. 1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.

F. 1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.

SURVEILLANCE The SRs for each RPS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred.

OCONEE UNITS 1, 2, & 3B331-2Rv01 B 3.3.1-22 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 (continued)

REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALlIBRATI ON.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

The CHANNEL CHECK requirement is met automatically. The digital RPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.

If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

OCONEE UNITS 1, 2, &3 B3..-3Rv 0

B 3.3.1-23 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.3.1.2 This SR is the performance of a heat balance calibration for the power range channels when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by >_ 2% RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is _> 15%

RTP and that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by > 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed when reactor power is >_ 15% RTP. A Note clarifies that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is >_ 2%

RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary.

The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the APIo is > API1. The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3B33124Rv01 B 3.3.1-24 Rev. 001 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 REQUIREMENTS (continued)

This SR has been deleted.

SIR 3.3.1.5 This SIR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SIR 3.3.1.6 This SIR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance. Frequency Control Program.

SR 3.3.1.7 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that OCONEE UNITS 1, 2, & 3B331-5Rv01 B 3.3.1-25 IRev. 001 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS measurement errors and processor output trip device setpoint errors are within the assumptions of the uncertainty analysis. Whenever a sensing element is replaced, the CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

The digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies the setpoints are within the Allowable Values.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

UFSAR, Chapter 7.

2.

UFSAR, Chapter 15.

3.

10 CFR 50.49.

4.

EDM-1 02, "Instrument Setpoint/Uncertainty Calculations."

5.

NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

6.

BAW-1 01 67, May 1986.

7.

10 CFR 50.36.

OCONEE UNITS 1, 2, &3 B3..-6Rv 0

B 3.3.1-26 Rev. 001 I

Pressurizer Safety Valves B 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Pressurizer Safety Valves BASES BACKGROUND The purpose of the two spring loaded pressurizer safety valves is to provide RCS overpressure protection. Operating in conjunction with the Reactor Protection System (RPS), two valves are used to ensure that the Safety Limit (SL) of 2750 psig is not exceeded for analyzed transients during operation in MODES 1 and 2. Two safety valves are used for portions of MODE 3. For the remainder of MODE 3, MODE 4, MODE 5, and MODE 6 with the reactor head on, overpressure protection is provided by operating procedures and LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System."

The self actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME Boiler and Pressure Vessel Code, Section I11 (Ref. 1). The setpoint of the pressurizer code safety valves is in accordance with the ASME Boiler and Pressure Vessel Code,Section III, Article 9, Summer 1967. The safety valves discharge steam from the pressurizer to a quench tank located in the containment. The discharge flow is indicated by an increase in temperature downstream of the safety valves and by an increase in the quench tank temperature and level.

The required lift pressure is 2500 psig + 3%. The upper and lower pressure limits are based on the requirements of ASME Boiler and Pressure Vessel Code, Section IIl, Article 9, Summer 1967, which limit the rise in pressure within the vessels which they protect to 10% above the design pressure.

The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure.

The consequences of exceeding the ASME pressure limit could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

OCONEE UNITS 1, 2, & 3B34101Rv01 B3.4.10-1 Rev. 001 I

Pressurizer Safety Valves B 3.4.10 BASES (continued)

APPLICABLE SAFETY ANALYSES All accident analyses in the UFSAR that require safety valve actuation assume operation of both pressurizer safety valves to limit increasing reactor coolant pressure. The overpressure protection analysis is also based on operation of both safety valves and assumes that the valves open at the high range of the setting (2500 psig system design pressure plus 3%). These valves must accommodate pressurizer insurges that could occur during a startup, rod withdrawal, ejected rod, or loss of main feedwater. The startup accident establishes the minimum safety valve capacity. The startup accident is assumed to occur at < 15% power.

Single failure of a safety valve is neither assumed in the accident analysis nor required to be addressed by the ASME Code. Compliance with this Specification is required to ensure that the accident analysis and design basis calculations remain valid.

Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO The two pressurizer safety valves are set to open at the RCS design pressure (2500 psig) and within the ASME specified tolerance to avoid exceeding the maximum RCS design pressure SL, to maintain accident analysis assumptions and to comply with ASME Code requirements. The valves will be tested per ASME Code requirements and returned to service with as-left setpoints of 2500 psig +/- 1%. The upper and lower pressure tolerance limits are based on the requirements of the ASME Boiler and Pressure Vessel Code,Section III, Article 9, Summer 1967, which limit the rise in pressure within the vessel which they protect, to 10% above the design pressure. Inoperability of one or both valves could result in exceeding the SL if a transient were to occur.

The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY In MODES 1, 2, and portions of MODE 3 above the LTOP cut in temperature, OPERABILITY of two valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. Portions of MODE 3 are conservatively included, although the listed accidents may not require both safety valves for protection.

OCONEE UNITS 1, 2, & 3B34102Rv01 B 3.4.10-2 Rev. 001 I

Pressurizer Safety Valves B 3.4.10 BASES APPLICABILITY The LCO is not applicable in MODE 3 when any RCS cold leg temperature (continued) is *< 325°F, MODE 4 and MODE 5 because LTOP protection is provided.

Overpressure protection is not required in MODE 6 with the reactor vessel head detensioned.

The Note allows entry into MODE 3 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition.

Only one valve at a time will be removed from service for testing. The 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months exception is based on an 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months outage time for each of the two valves. The 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months period is derived from operating experience that hot testing can be performed in this time frame.

ACTIONS A.'I With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS overpressure protection system. An inoperable safety valve coincident with an RCS overpressure event could challenge the integrity of the RCPB.

B.1 and B.2 lf the Required Action cannot be met within the required Completion Time or if both pressurizer safety valves are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 3 with any RCS cold leg temperature _* 325°F within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months . The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. Similarly, the 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months allowed is reasonable, based on operating experience, to reach MODE 3 with any RCS cold leg temperature _* 325°F without challenging unit systems. With any RCS cold leg temperature at or below 325°F, overpressure protection is provided by LTOP. Reducing the RCS temperature to < 3250F reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by two pressurizer safety valves.

OCONEE UNITS 1, 2, & 3B341-3Rv01 B 3.4.10-3 Rev. 001 I

Pressurizer Safety Valves B 3.4.10 BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.4.10.1 SRs are specified in the Inservice Testing Program. Pressurizer safety valves are to be tested in accordance with the requirements of the ASME Code (Ref. 2), which provides the activities and the Frequency necessary to satisfy the SRs. No additional requirements are specified.

The pressurizer safety valves setpoint is + 3% for OPERABILITY; however, the valves are reset to +/-1% during the Surveillance to allow for drift. These values include instrument uncertainties.

REFERENCES

1.

ASME, Boiler and Pressure Vessel Code,Section III.

2.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

3.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3B34104Rv01 B 3.4.10-4 Rev. 001

RCS PIV Leakage B 3.4.14 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.14 RCS Pressure Isolation Valve (PIV) Leakage BASES BACKGROUND 10 CFR 50.2 (Ref. 1), 10 CER 50.55a(c) (Ref. 2), and Ref. 3 define RCS PIVs as any two normally closed valves in series within the RCS pressure boundary that separate the high pressure RCS from an attached low pressure system. During their lives, these valves can produce varying amounts of reactor coolant leakage through either normal operational wear or mechanical deterioration. The RCS PIV Leakage LCO allows RCS high pressure operation when leakage through these valves exists in amounts that do not compromise safety.

The PIV leakage limit applies to each individual valve. Leakage through both series PIVs in a line must be included as part of the identified LEAKAGE, governed by LCO 3.4.13, "RCS Operational LEAKAGE." This is true during operation only when the loss of RCS mass through two series valves is determined by a water inventory balance (SR 3.4.1t3.1). A known component of the identified LEAKAGE before operation begins is the least of the two individual leakage rates determined for leaking series PIVs during the required surveillance testing; leakage measured through one PIV in a line is not RCS operational LEAKAGE if the other is leaktight.

Although this specification provides a limit on allowable PIV leakage rate, its main purpose is to prevent overpressure failure of the low pressure portions of connecting systems. The leakage limit is an indication that the PIVs between the RCS and the connecting systems are degraded or degrading. PIV leakage could lead to overpressure of the low pressure piping or components. Failure consequences could be a loss of coolant accident (LOCA) outside of containment, an unanalyzed accident that could degrade the ability for low pressure injection.

The basis for this LCO is the 1975 NRC "Reactor Safety Study" (Ref. 4) that identified potential intersystem LOCAs as a significant contributor to the risk of core melt.

A subsequent study (Ref. 5) evaluated various PIV configurations to determine the probability of intersystem LOCAs.

PIVs are provided to isolate the RCS from the Low Pressure Injection (LPI)

System.

OCONEE UNITS 1,2, & 3B341-1Rv01B 3.4.14-1 Rev. 001 I

RCS PIV Leakage B 3.4.14 BASES BACKGROUND (continued)

Violation of this LCO could result in continued degradation of a PIV, which could lead to overpressurization of a low pressure system and the loss of the integrity of a fission product barrier.

APPLICABLE SAFETY ANALYSES Reference 4 identified potential intersystem LOCAs as a significant contributor to the risk of core melt. The dominant accident sequence in the intersystem LOCA category is the failure of the low pressure portion of the LPI System outside of containment. The accident is the result of a postulated failure of the PIVs, which are part of the reactor coolant pressure boundary (RCPB), and the subsequent pressurization of the LPI System downstream of the PIVs from the RCS. Because the low pressure portion of the LPI System is designed for pressures significantly less than RCS pressure, overpressurization failure of the LPI low pressure line would result in a LOCA outside containment and subsequent risk of core melt.

Reference 5 evaluated various PIV configurations, leakage testing of the valves, and operational changes to determine the effect on the probability of intersystem LOCAs. This study concluded that periodic leakage testing of the PIVs can substantially reduce the probability of an intersystem LOCA.

RCS PIV leakage satisfies Criterion 2 of 10 CFR 50.36 (Ref. 6).

LCO RCS PIV leakage is identified LEAKAGE into closed low pressure systems connected to the RCS. PIV leakage is usually on the order of drops per minute. Leakage that increases significantly suggests that something is operationally wrong and corrective action must be taken.

The PIV leakage limit for specified valves is 0.5 gpm per nominal inch of valve size with a maximum limit of 5 gpm. A study concluded a leakage rate limit based on valve size was superior to a single allowable value.

Reference 7 permits leakage testing at a lower pressure differential than between the specified maximum RCS pressure and the normal pressure of the connected system during RCS operation (the maximum pressure differential) in those types of valves in which the higher service pressure will tend to diminish the overall leakage channel opening. In such cases, the observed rate may be adjusted to the maximum pressure differential by assuming leakage is directly proportional to the pressure differential to the one half power.

OCONEE UNITS 1, 2, & 3B341-2Rv01B 3.4.14-2 Rev. 001

RCS PIV Leakage B 3.4.14 BASES LCO (continued)

The LCO is modified by two Notes. Note 1 indicates that the limits for LP-47 and LP-48 are not applicable except as stated in Note 2. Note 2 indicates that the limits of both LP-47 and LP-48 may be met in lieu of either LP-1 76 or LP-1 77 limits. If either LP-1 76 or LP-1 77 limits are not met both LP-47 and LP-48 limits must be met.

APPLICABILITY In MODES 1, 2, 3, and 4, this LCO applies because the PIV leakage potential is greatest when the RCS is pressurized. In MODE 4, valves in the DHR flow path are not required to meet the requirements of this LCO when in, or during the transition to or from, the DHR mode of operation.

In MODES 5 and 6, leakage limits are not provided because the lower reactor coolant pressure results in a reduced potential for leakage and for a LOCA outside the containment.

ACTIONS The ACTIONS are modified by two Notes. Note 1 is added to provide clarification that each flow path allows separate entry into a Condition. This is allowed based upon the functional independence of the flow path.

Note 2 requires an evaluation of affected systems if a PIV is inoperable.

The leakage may have affected system OPERABILITY, or isolation of a leaking flow path with an alternate valve may have degraded the ability of the interconnected system to perform its safety function.

A.1 and A.2 The flow path with leakage must be isolated by two valves. Required Actions A.1 and A.2 are modified by a Note that the valves used for isolation must meet the same leakage requirements as the PIVs and must be on the RCS pressure boundary or the high pressure portion of the system.

Required Action A.1 requires that the isolation with one valve must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Four hours provides time to reduce leakage in excess of the allowable limit and to isolate the affected system if leakage cannot be reduced. The 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allows the actions and restricts the operation with leaking isolation valves.

OCONEE UNITS 1, 2, & 3B341-3Rv01B 3.4.14-3 Rev. 001 I

RCS PIV Leakage B 3.4.14 BASES ACTIONS A.1 and A.2 (continued)

Required Action A.2 specifies that the double isolation barrier of two valves be restored by closing some other valve qualified for isolation. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months time after exceeding the limit considers the time required to complete the Action and the low probability of a second valve failing during this time period.

B.1 and B.2 If Required Actions and associated Completion Times are not met, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This Required Action may reduce the leakage and also reduces the potential for a LOCA outside the containment. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.4.14.1 REQUIREMENTS Performance of leakage testing on each required RCS PIV or isolation valve used to satisfy Required Action A.1 or A.2 is required to verify that leakage is below the specified limit and to identify each leaking valve. The leakage limit of 0.5 gpm per inch of nominal valve diameter up to 5 gpm maximum applies to each valve. Leakage testing requires a stable pressure condition.

For the two PIVs in series, the leakage requirement applies to each valve individually and not to the combined leakage across both valves. If the PIVs are not individually leakage tested, one valve may have failed completely and not detected if the other valve in series meets the leakage requirement. In this situation, the protection provided by redundant valves would be lost.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program..

OCONEE UNITS 1, 2, & 3B34144Rv01 B 3.4.14-4 Rev. 001 I

RCS PIV Leakage B 3.4.14 BASES SURVEILLANCE SR 3.4.14.1 (continued)

REQUIREMENTS The leakage limit is to be met at the RCS pressure associated with MODES 1 and 2. This permits leakage testing at high differential pressures with stable conditions not possible in the MODES with lower pressures.

To satisfy ALARA requirements, leakage may be measured indirectly (as from the performance of pressure indicators) if accomplished in accordance with approved procedures and supported by computations showing that the method is capable of demonstrating valve compliance with the leakage criteria.

Entry into MODES 3 and 4 is allowed to establish the necessary differential pressures and stable conditions to allow for performance of this Surveillance. The Note that allows this provision is complimentary to the Frequency of prior to entry into MODE 2 whenever the unit has been in MODE 5 for 7 days or more, if leakage testing has not been performed in the previous 9 months. In addition, this Surveillance is not required to be performed on the LPI System when the LPI System is aligned to the RCS in the decay heat removal mode of operation. PIVs contained in the DHR flow path must be leakage rate tested after DHR is secured and stable unit conditions and the necessary differential pressures are established. For the purposes of meeting this SR, test activities including contingencies may be performed prior to declaring a PIV inoperable. A PIV will be considered "in testing" until the test procedure is complete, or the test coordinator determines that further test contingencies would not be expected to produce an acceptable result.

REFERENCES

1.

10 CFR 50.2.

2.

10 CFR 50.55a(c).

3.

NRC letter to DPC, "Order for Modification of License Concerning Primary Coolant System Pressure Isolation Valves," dated April 20, 1981.

4.

NUREG-75/014, Appendix V, October 1975.

5.

NUREG-0677, NRC, May 1980.

6.

10 CFR 50.36.

7.

ASME Code for Operation and Maintenance of Nuclear. Power Plants.

OCONEE UNITS 1, 2, &3 B3..45Rv 0

B 3.4.14-5 Rev. 001 I

HPI B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 High Pressure Injection (HPI)

BASES BACKGROUND The function of the ECCS is to provide core cooling to ensure that the reactor core is protected after any of the following accidents:

a.

Loss of coolant accident (LOCA);

b.

Rod ejection accident (REA);

c.

Steam generator tube rupture (SGTR); and

d.

Main steam line break (MSLB).

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs or Core Flood Tank (OFT) lines to the reactor vessel. After the borated water storage tank (BWST) has been depleted, the recirculation phase is entered as the suction is transferred to the reactor building sump.

The HPI System consists of two independent trains, each of which splits to discharge into two RCS cold legs, so that there are a total of four HPI injection lines. Each train takes suction from the BWST, and has an automatic suction valve and discharge valve which open upon receipt of an Engineered Safeguards Protective System (ESPS) signal. The two HPI trains are designed and aligned such that they are not both susceptible to any single active failure including the failure of any power operating component to operate or any single failure of electrical equipment. The HPI System is not required to withstand passive failures.

There are three ESPS actuated HPI pumps; the discharge flow paths for two of the pumps are normally aligned to automatically support HPI train "A" and the discharge flow path for the third pump is normally aligned to automatically support HPI train "B." The discharge flow paths can be manually aligned such that each of the HPI pumps can provide flow to either train. At least one pump is normally running to provide RCS makeup and seal injection to the reactor coolant pumps. Suction header cross-connect valves are normally open; cross-connecting the HPI suction OCONEE UNITS 1, 2, & 3 B3521Rv 0

B3.5.2-1 Rev. 001 I

HPI B 3.5.2 BASES BACKGROUND headers during normal operation was approved by the NRC in (continued)

Reference 6. The discharge crossover valves (HP-409 and HP-410) are normally closed; these valves can be used to bypass the normal discharge valves and assure the ability to feed either train's injection lines via HPI pump "B." For each discharge valve and discharge crossover valve, a safety grade flow indicator is provided to enable the operator to throttle flow during an accident to assure that runout limits are not exceeded.

A suction header supplies water from the BWST or the reactor building sump (via the LPI-HPI flow path) to the HPI pumps. HPI discharges into each of the four RCS cold legs between the reactor coolant pump and the reactor vessel. There is one flow limiting orifice in each of the four injection headers that connect to the RCS cold legs. If a pipe break were to occur in an HPI line between the last check valve and the RCS, the orifice in the broken line would limit the HPI flow lost through the break and maximize the flow supplied to the reactor vessel via the other line supplied by the HPI header.

The HPI pumps are capable of discharging to the RCS at an RCS pressure above the opening setpoint of the pressurizer safety valves. The HPI pumps cannot take suction directly from the sump. If the BWST is emptied and HPI is still needed, a cross-connect from the discharge side of the LPI pump to the suction of the HPI pumps would be opened. This is known as "piggy backing" HPI to LPI and enables continued HPI to the RCS.

The HPI System also functions to supply borated water to the reactor core following increased heat removal events, such as MSLBs.

The HPI and LPI (LCO 3.5.3, "Low Pressure Injection (LPI)") components, along with the passive CFTs and the BWST covered in LCO 3.5.1, "Core Flood Tanks (CFTs)," and LCO 3.5.4, "Borated Water Storage Tank (BWST)," provide the cooling water necessary to meet 10 CFR 50.46 (Ref. 1 ).

APPLICABLE The LCO helps to ensure that the following acceptance criteria for the SAFETY ANALYSES ECCS, established by 10 CFR 50.46 (Ref. 1 ), will be met following a LOCA;

a.

Maximum fuel element cladding temperature is _< 2200°F;

b.

Maximum cladding oxidation is _< 0.17 times the total cladding thickness before oxidation; OCONEE UNITS 1, 2, & 3 B3522Rv 0

B 3.5.2-2 Rev. 001I

HPI B 3.5.2 BASES APPLICABLE

c.

Maximum hydrogen generation from a zirconium water reaction is SAFETY ANALYSES

< 0.01 times the hypothetical amount generated if all of the metal in (continued) the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d.

Core is maintained in a coolable geometry; and

e.

Adequate long term cooling capability is maintained.

The HPI System is credited in the small break LOCA analysis (Ref. 2).

This analysis establishes the minimum required flow and discharge head requirements at the design point for the HPI pumps, as well as the minimum required response time for their actuation. The SGTR and MSLB analyses also credit the HPI pumps, but these events are bounded by the small break LOCA analyses with respect to the performance requirements for the HPI System. The HPI System is not credited for mitigation of a large break LOCA.

During a small break LOCA, the HPI System supplies makeup water to the reactor vessel via the RCS cold legs. The HPI System is actuated upon receipt of an ESPS signal. If offsite power is available, the safeguard loads start immediately. If offsite power is not available, the Engineered Safeguards (ES) buses are connected to the Keowee Hydro Units. The time delay associated with Keowee Hydro Unit startup, HPI valve opening, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

One HPI train provides sufficient flow to mitigate most small break LOCAs.

However, for cold leg breaks located on the discharge of the reactor coolant pumps, some HPI injection will be lost out the break; for this case, two HPI trains are required. Thus, three HPI pumps must be OPERABLE to ensure adequate cooling in response to the design basis RCP discharge small break LOCA. Additionally, in the event one HPI train fails to automatically actuate due to a single failure (e.g., failure of HPI pump "C" or HP-26), operator actions from the Control Room are required to cross-connect the HPI discharge headers within 10 minutes in order to provide HP! flow through a second HPI train (Ref. 6).

Hydraulic separation of the HPI discharge headers is required during normal operation to maintain defense-in-depth (i.e., independence of the HPI discharge headers). Additionally, hydraulic separation of the HPI discharge headers ensures that a complete loss of HPI would not occur in the event an accident were to occur with only two of the three HPI pumps OCONEE UNITS 1, 2, & 3 B3523Rv 0

B 3.5.2-3 Rev. 001

HPI B 3.5.2 BASES APPLICABLE OPERABLE coincident with the HP! discharge headers cross-connected.

SAFETY ANALYSES A single active failure of an HPI pump would leave only one HPI pump to (continued) mitigate the accident. The remaining HPI pump could experience runout conditions and could fail prior to operator action to throttle flow or start another pump.

Hydraulic separation on the suction side of the HPI pumps could cause a loss of redundancy. With any one of the normally open suction-header cross-connect valves ciosed, a failure of an automatic suction valve to open during an accident could cause two pumps to lose suction. Thus, the suction header cross-connect valves must remain open.

The safety analyses show that the HPI pump(s) will deliver sufficient water for a small break LOCA and provide sufficient boron to maintain the core subcritical.

The HPI System satisfies Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO In MODES I and 2, and MODE 3 with RCS temperature > 350°F, the HP! System is required to be OPERABLE with:

a.

Two HP! trains OPERABLE;

b.

An additional HPI pump OPERABLE;

c.

Two LPI-HPI flow paths OPERABLE;

d.

Two HPI discharge crossover valves OPERABLE;

e.

HPI suction headers cross-connected; and

f.

HPI discharge headers separated.

The LCO establishes the minimum conditions required to ensure that the HPI System delivers sufficient water to mitigate a small break LOCA.

Additionally, individual components within the HPI trains may be called upon to mitigate the consequences of other transients and accidents.

Each HP! train includes the piping, instruments, pump, valves, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST and injecting into the RCS cold legs upon an ESPS signal. For an HP! train to be OPERABLE, the associated HPI pump must be capable of OCONEE UNITS 1, 2, & 3 B3524Rv 0

B 3.5.2-4 Rev. 001 I

HPI B 3.5.2 BASES LCO taking suction from the BWST through the suction header valve associated (continued) with that train upon an ESPS signal. For example:

1 )

if HPI pump "B" is being credited as part of HPI train "A," then it must be capable of taking suction through HP-24 upon an ESPS signal; or

2) if HPI pump "B" is being credited as part of HPI train "B," then it must be capable of taking suction through HP-25 upon an ESPS signal.

The safety grade flow indicator associated with the normal discharge valve is required to be OPERABLE to support the associated HPI train's automatic OPERABILITY.

To support HPI pump OPERABILITY, the piping, valves and controls which ensure the HPI pump can take suction from the BWST upon an ESPS signal are required to be OPERABLE.

To support HPI discharge crossover valve OPERABILITY, the safety grade flow indicator associated with the HPI discharge crossover valve is required to be OPERABLE.

To support LPI-HPI flow path OPERABILITY, each flow path must be capable of being supplied by an OPERABLE LPI train. When capable of being supplied by an OPERABLE LPI train:

1 )

An LPI-HPI flow path, including the piping, instruments, valves and controls, must be in-place to ensure the capability to transfer suction to the reactor building sump from the control room. Within the LPI-HPI flow path are the LPI discharge valves to the LPI-HPI flow path (LP-15 and LP-16).

2)

The LPI discharge valves to the LPI-HPI flow path must be capable of being opened from the control room for the LPI-HPI flow path to be OPERABLE.

The OPERABILITY requirements regarding the LPI System are addressed in LCO 3.5.3, "Low Pressure Injection (LPI)."

As part of the LPI-HPI flow path, the piping, instruments, valves and controls upstream of LP-1 5 and LP-1 6 are part of the LPI system and are subject to LCO 3.5.3 (Low Pressure Injection system) requirements. The piping, instruments, valves and controls downstream of and including LP-15 and LP-1 6, are part of the HPI system and are subject to LCO 3.5.2 (High Pressure Injection system) requirements.

OCONEE UNITS 1, 2, & 3 B3525Rv 0

B 3.5.2-5 Rev. 001 I

HPI B 3.5.2 BASES LCO (continued)

When a LPI-HPI flow path is inoperable due to the flow path's associated LPI train being inoperable for maintenance only, the piggyback line and associated components may also be inoperable for greater than 72-hours up to the associated LPI train's maximum allowed outage time of 7-days.

For this scenario, any valve along the piggyback line flowpath can be used as an isolation boundary, with power removed as necessary, but no physical work is allowed to be performed on any component along the piggyback line flowpath without entering the applicable TS LCO condition.

This is allowed because with an associated LPI train inoperable, there is no water source for the LPI-HPI piggyback function. This support (LPI train) and supported (LPI-HPI piggyback) relationship is subject to the requirements of TS LCO 3.0.6.

During an event requiring HP! actuation, a flow path is provided to ensure an abundant supply of water from the BWST to the RCS via the HP! pumps and their respective discharge flow paths to each of the four cold leg injection nozzles and the reactor vessel. In the recirculation phase, this flow path is transferred from the control room to take its supply from the reactor building sump and to supply borated water to the RCS via the LPI-HPI flow path (piggy-back mode).

The OPERABILITY of the HPI System must be maintained to ensure that no single active failure can disable both HPI trains. Additionally, while the HPI System was not designed to cope with passive failures, the HPI trains must be maintained independent to the extent possible during normal operation. The NRC approved exception to this principle is cross-connecting the HPI suction headers during normal operation (Ref. 6).

APPLICABILITY In MODES 1 and 2, and MODE 3 with RCS temperature > 350°F, the HPI System OPERABILITY requirements for the small break LOCA are based on analysis performed at 100% RTP. The HPI pump performance is based on the small break LOCA, which establishes the pump performance curve.

Mode 2 and MODE 3 with RCS temperature > 350°F requirements are bounded by the MODE 1 analysis.

In MODE 3 with RCS temperature < 350°F and in MODE 4, the probability of an event requiring HPI actuation is significantly lessened. In this operating condition, the low probability of an event requiring HPI actuation and the LCO 3.5.3 requirements for the LPI System provide reasonable assurance that the safety injection function is preserved.

In MODES 5 and 6, unit conditions are such that the probability of an event requiring HPI injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops OCONEE UNITS 1, 2, &3 B3..-

Rv 0 B3.5.2-6 Rev. 001 I

HPI B 3.5.2 BASES APPLICABILITY Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled."

(continued)

MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Decay Heat Removal (DHR) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Decay Heat Removal (DHR) and Coolant Circulation - Low Water Level."

ACTIONS A.1 and A.2 With one HPI pump inoperable, or one or more HPI discharge crossover valve(s) (i.e., HP-409 and HP-410) inoperable, the HPI pump and discharge crossover valve(s) must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The HPi System continues to be capable of mitigating an accident, barring a single failure. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is based on NRC recommendations (Ref. 4) that are based on a risk evaluation and is a reasonable time for many repairs.

In the event HPI pump "C" becomes inoperable, Condition C must be entered as well as Condition A. Until actions are taken to align an HPI pump to HPI train "B," HPI train "B" is inoperable due to the inability to automatically provide injection in response to an ESPS signal.

This Condition permits multiple Components of the HPI System to be inoperable concurrently. When this occurs, other Conditions may also apply. For example, if HPI pump "C" and HP-409 are inoperable coincidentally, HPI train "B" is incapable of being automatically actuated or manually aligned from the Control Room. Thus, Required Action C.I would.

apply.

In order to utilize another HPI pump to supply HPI train "B" when HPI pump "C" is inoperable, HP-I116 must be opened. This action results in cross-connecting the HPI discharge headers; thus, Condition E must be entered.

HP-I115 may be closed to provide hydraulic separation provided that pump minimum flow requirements are maintained. However, two operating pumps would be required for this configuration, one to provide makeup flow and one to provide seal injection flow.

B.1, B.2, B.3, and B.4 If the Required Action and associated Completion Time of Condition A is not met, THERMAL POWER of the unit must be reduced to _< 75% RTP within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable, based on operating experience, to reach the required unit condition from full power conditions in an orderly manner and without challenging unit systems. This time is less restrictive than the Completion Time for Required Action C.1, OCONEE UNITS 1, 2, & 3 B3527Rv 0

B 3.5.2-7 Rev. 001 I

HPI B 3.5.2 BASES ACTIONS B.1, B.2, B.3, and B.4 (continued) because the HPI System remains capable of performing its function, barring a single failure.

Two HPI trains are required to mitigate specific small break LOCAs, if no credit for enhanced steam generator cooling is assumed in the accident analysis. However, if equipment not qualified as QA-1 (i.e., an atmospheric dump valve (ADV) flow path for a steam generator) is credited for enhanced steam generator cooling, the safety analyses have determined that the capacity of one HPI train is sufficient to mitigate a small break LOCA on the discharge of the reactor coolant pumps if reactor power is

< 75% RTP.

Required Actions B.2, B.3, and B.4 modify the HPI pump and discharge crossover valve OPERABILITY requirements to permit reduced requirements at power levels < 75% RTP for an extended period of time.

Required Action B.2 provides a compensatory measure to verify by administrative means that the ADV flow path for each steam generator is OPERABLE within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This compensatory measure provides additional assurance regarding the ability of the plant to mitigate an accident. Compliance with this requirement can be established by ensuring that the ADV flow path for each steam generator is OPERABLE in accordance with LCO 3.7.4, "Atmospheric Dump Valve (ADV) Flow Paths."

Required Actions B.3 and B.4 require that the HP! pump and discharge crossover valve(s) be restored to OPERABLE status within 30 days from initial entry into Condition A. The 30-day time period limits the time that the plant can operate while relying on non QA-1 ADVs to provide enhanced steam generator cooling to mitigate small break LOCAs. The 30-day time period is acceptable, because:

1.

Without crediting an ADV flow path, the HPI System remains capable of performing the safety function, barring a single failure;

2.

If credit is taken for an ADV flow path for a steam generator, the safety analysis has demonstrated that only one HP! train is required to mitigate the consequences of a small break LOCA when THERMAL POWER is

75% RTP. Thus, for this case, the HPI System would be capable of performing its safety function even with an additional single failure; OCONEE UNITS 1, 2, & 3 B3528Rv 0

B 3.5.2-8 Rev. 001 I

HPI B 3.5.2 BASES ACTIONS B.1, B.2, B.3, and B.4 (continued)

3.

OPERABILITY of the ADV flow path for each steam generator is required to be confirmed by Required Action B.2 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

Additional defense-in-depth is provided, because the ADV flow path for only one steam generator is required to mitigate the small break LOCA; and

4.

A risk-informed assessment (Ref. 7) concluded that operating the plant in accordance with these Required Actions is acceptable.

ACTIONS C.1, C.2, and 0.3 If the plant is operating with THERMAL POWER > 75% RTP, two HPI pumps capable of providing flow through two HPI trains are required. One HPI train is required to provide flow automatically upon receipt of an ESPS signal, while flow through the other HPI train must be capable of being established from the Control Room within 10 minutes. Thus, if the plant is operating at > 75% RTP, and one HPI train is inoperable and incapable of being automatically actuated or manually aligned from the Control Room to provide flow post-accident, the HPI System would be incapable of performing its safety function.

For this Condition, Required Action C.1 requires the power to be reduced to _< 75% RTP within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . Required Action C.1 is modified by a Note which limits its applicability to the condition defined above. The 3 hour3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months Completion Time is considered reasonable to reduce the unit from full power conditions to < 75% RTP in an orderly manner and without challenging unit systems. The time frame is more restrictive than the Completion Time provided in Required Action B.1 for the same action, because the condition involves a loss of safety function.

If the plant is operating with THERMAL POWER > 75% RTP and the inoperable HPI train can be automatically actuated or manually aligned to provide flow post-accident, Required Action C.3 permits 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the HPI train to an OPERABLE status.

If enhanced steam generator cooling is not credited in the accident analysis, two HPI trains are required to mitigate specific small break LOCAs with THERMAL POWER <*75% RTP. However, if equipment not qualified as QA-1 (i.e., an ADV flow path for a steam generator) is credited for enhanced steam generator cooling, the safety analyses have determined that the capacity of one HPI train is sufficient to mitigate a small break LOCA on the discharge of the reactor coolant pumps if THERMAL POWER is < 75% RTP. In order to permit an HPI train to be inoperable regardless of the reason when THERMAL POWER is < 75% RTP, Required Action C.2 provides a compensatory measure to verify by administrative means that the ADV flow path for each steam generator is OCONEE UNITS 1, 2, & 3 B3529Rv 0

B 3.5.2-9 Rev. 001 I

HPI B 3.5.2 BASES ACTIONS C.1, C.2, and 0.3 (continued)

OPERABLE within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . This Required Action is modified by a Note which states that it is only required if THERMAL POWER is < 75% RTP.

This compensatory measure provides assurance regarding the ability of the plant to mitigate an accident while in the Condition and THERMAL POWER

_<75% RTP. Compliance with this requirement can be established by ensuring that the ADV flow path for each steam generator is OPERABLE in accordance with LCO 3.7.4, "Atmospheric Dump Valve (ADV) Flow Paths."

With one HPI train inoperable, the inoperable HPI train must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This action is appropriate because:

1.

With THERMAL POWER < 75% RTP, the safety analysis demonstrates that only one HPI train is required to mitigate the consequences of a small break LOCA assuming credit is taken for the ADV flow path for one steam generator. The OPERABILITY of the ADV flow path for each steam generator is confirmed by Required Action C.2 within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . This provides additional defense-in-depth. Additionally, a risk-informed assessment (Ref. 7) concluded that operating the plant in accordance with this Required Action is acceptable.

2.

With THERMAL POWER > 75% RTP, the remaining OPERABLE HPI train is capable of automatic actuation, and the inoperable train can be manually aligned by operator action to cross-connect the discharge headers of the HPI trains. This manual action was approved by the NRC in Reference 6.

D.1 With the HPI suction headers not cross-connected, the HPI suction headers must be cross-connected within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The HPI System continues to be capable of mitigating an accident, barring a single failure.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is based on NRC recommendations (Ref. 4) that are based on a risk evaluation and is a reasonable time for many repairs.

An argument similar to that utilized for Required Actions B.2, B.3, and B.4 could have been made for operating the HPI System with the suction headers not cross-connected for an extended period of time. However, this action was not considered prudent, due to the potential of damaging two HPI pumps in the event HP-24 or HP-25 failed to open in response to an ESPS signal while the HPI suction headers were not cross-connected.

OCONEE UNITS 1, 2, & 3B35210Rv01 B 3.5.2-10 Rev. 001

HPI B 3.5.2 BASES ACTIONS E.1 With the HPI discharge headers cross-connected, the independence of the HPI trains is not being maintained to the extent practical (i.e., defense-in-depth principle is not met). Thus, the HPI discharge headers must be hydraulically separated within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This action limits the time period that the HPI discharge headers may be cross-connected. The 72-hour allowed outage time is acceptable, because cross-connecting the HPI discharge headers in conjunction with:

1.

the rest of the HPI System being OPERABLE would not result in the inability of the HPI System to perform its safety function even assuming a single active failure; and

2.

an HPI pump being inoperable would not result in the inability of the HPI System to perform its safety function, barring a single failure.

However, in this condition, a single active failure of one of the two remaining OPERABLE HPI pumps could result in the remaining HPI pump failing due to runout.

F. 1 With one LPI-HPI flow path inoperable, the inoperable LPI-HPI flow path must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The HPI System continues to be capable of mitigating an accident, barring a single failure.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is justified because there is a limited range of break sizes, and therefore a lower probability for a small break LOCA which would require piggy back operation.

G.1 and G.2 If a Required Action and associated Completion Time of Condition B, C, D, E, or F are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and the RCS temperature reduced to _< 350°F within 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

H.1 If two HPI trains are inoperable or two LPI-HPI flow paths are inoperable, the HPI System is incapable of performing its safety function and in a condition not explicitly addressed in the Actions for ITS 3.5.2. Thus, immediate plant shutdown in accordance with LCO 3.0.3 is required.

OCONEE UNITS 1, 2, & 3B35211Rv01 B 3.5.2-11 Rev. 001 I

HPI B 3.5.2 BASES SURVEILLANCE SR 3.5.2.1 REQU IREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the HPI flow paths provides assurance that the proper flow paths will exist for HPI operation. This SR does apply to the HPI suction header cross-connect valves, the HPI discharge cross-connect valves, the HPI discharge crossover valves, and the LPI-HPI flow path discharge valves (LP-1 5 and LP-1 6). This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal.

This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 With the exception of the HPI pump operating to provide normal makeup, the other two HPI pumps are normally in a standby, non-operating mode.

AS such, the emergency injection flow path piping has the potential to develop voids and pockets of entrained gases. Venting the HPI pump casings periodically reduces the potential that such voids and pockets of entrained gases can adversely affect operation of the HPI System. This will also reduce the potential for water hammer, pump cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an ESPS signal. This Surveillance is modified by a Note that indicates it is not applicable to operating HPI pump(s) providing normal makeup. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.3 Periodic surveillance testing of HPI pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code (Ref. 5). SIRs are specified in the Inservice Testing Program of the ASME Code.

OCONEE UNITS 1, 2, &3 B3..-2Rv 0

B 3.5.2-12 Rev. 001

HPI B 3.5.2 BASES SURVEILLANCE REQU IREMENTS (continued)

SR 3.5.2.4 and SR 3.5.2.5 These SRs demonstrate that each automatic HPI valve actuates to the required position on an actual or simulated ESPS signal and that each HPI pump starts on receipt of an actual or simulated ESPS signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The test will be considered satisfactory if control board indication verifies that all components have responded to the ESPS actuation signal properly (all appropriate ESPS actuated pump breakers have opened or closed and all ESPS actuated valves have completed their travel). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the ESPS testing, and equipment performance is monitored as part of the Inservice Testing Program.

SR 3.5.2.6 Periodic inspections of the reactor building sump suction inlet (for LPI-HPI flow path) ensure that it is unrestricted and stays in proper operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.7 Periodic stroke testing of the HPI discharge crossover valves (HP-409 and HP-410) and LPI-HPI flow path discharge valves (LP-15 and LP-16) is required to ensure that the valves can be manually cycled from the Control Room. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3B352-3Rv01 B 3.5.2-13 Rev. 001

HPI B 3.5.2 BASES REFERENCES

1.

10 CFR 50.46.

2.

UFSAR, Section 15.14.3.3.6.

3.

10 CFR 50.36.

4.

NRC Memorandum to V. Stello, Jr., from R.L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.

5.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

6.

Letter from R. W. Reid (NRC) to W. 0. Parker, Jr. (Duke) transmitting Safety Evaluation for Oconee Nuclear Station, Units Nos. 1, 2, and 3, Modifications to the High Pressure Injection System, dated December 13, 1978.

7.

Letter from W. R. McCollum (Duke) to the U. S. NRC, "Proposed Amendment to the Facility Operating License Regarding the High Pressure Injection System Requirements," dated December 16, 1998.

OCONEE UNITS 1, 2, & 3B352-4Rv01 B3.5.2-14 Rev. 001 I

LPI B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.3 Low Pressure Injection (LPI)

BASES BACKGROUND The function of the ECCS is to provide core cooling to ensure that the reactor core is protected after any of the following accidents:

a.

Loss of coolant accident (LOCA);

b.

Rod ejection accident (REA);

c.

Steam generator tube rupture (SGTR); and

d.

Main steam line break (MSLB).

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs or Core Flood Tank (CFT) lines to the reactor vessel. After the borated water storage tank (BWST) has been depleted, the recirculation phase is entered as the suction is transferred to the reactor building sump.

Two redundant low pressure injection (LPI) trains are provided. The LPI trains consist of piping, valves, instruments, controls, heat exchangers, and pumps, such that water from the borated water storage tank (BWST) can be injected into the Reactor Coolant System (RCS). In MODES 1, 2 and 3, both trains of LPI must be OPERABLE. This ensures that 100% of the core cooling requirements can be provided even in the event of a single active failure. The LPI discharge header manual crossover valves inside containment must be maintained administratively open in MODE 1, 2, and 3 to assure abundant, long term cooling. Only one LPI train is required for MODE 4.

A suction header supplies water from the BWST or the reactor building sump to the LPI pumps. LPI discharges into each of the two core flood nozzles on the reactor vessel that discharge into the vessel downcomer area.

OCONEE UNITS 1, 2, &3 B3..-

Rv 0

B3.5.3-1 Rev. 001

LPI B 3.5.3 BASES BACKGROUND The LPI pumps are capable of discharging to the RCS at an RCS pressure (continued) of approximately 200 psia. When the BWST has been nearly emptied, the suction for the LPI pumps is manually transferred to the reactor building sump.

In the long term cooling period, flow paths in the LPI System are established to preclude the possibility of boric acid in the core region reaching an unacceptably high concentration. Two gravity flow paths are available by means of a drain line from the hot leg to the Reactor Building sump which draws coolant from the top of the core, thereby inducing core circulation. The system is designed with redundant drain lines.

During a large break LOCA, RCS pressure will rapidly decrease. The LPI System is actuated upon receipt of an ESPS signal. If offsite power is available, the safeguard loads start immediately. If offsite power is not available, the Engineered Safeguards (ES) buses are connected to the Keowee Hydro Units. The time delay (38 seconds) associated with Keowee Hydro Unit startup and LPI pump starting determines the time required before pumped flow is available to the core following a LOCA. Full LPI flow is not available until the LPI header isolation valve strokes full open. The ES signal has been removed from LP-21 and LP-22. These valves shall be open when automatic initiation of the LPI system is required. If either one is closed during this time, the associated LPI and RBS train is inoperable.

The LPI and HPI (LCO 3.5.2, "High Pressure Injection (HPI)"), along with the passive CFTs and the BWST covered in LCO 3.5.1, "Core Flood Tanks (CFTs)," and LCO 3.5.4, "Borated Water Storage Tank (BWST)," provide the cooling water necessary to meet 10 CER 50.46 (Ref. 1I).

APPLICABLE The LCO helps to ensure that the following acceptance criteria for the SAFETY ANALYSES ECCS, established by 10 CFR 50.46 (Ref. 1 ), will be met following a LOCA:

a.

Maximum fuel element cladding temperature is __ 2200°F;

b.

Maximum cladding oxidation is _< 0.17 times the total cladding thickness before oxidation;

c.

Maximum hydrogen generation from a zirconium water reaction is

< 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d.

Core is maintained in a coolable geometry; and OCONEE UNITS 1, 2, & 3 B3532Rv 0

B3.5.3-2 Rev. 001 I

LPI B 3.5.3 BASES APPLICABLE

e.

Adequate long term core cooling capability is maintained.

SAFETY ANALYSES (continued)

The LCO also helps ensure that reactor building temperature limits are met.

The LPI System is assumed to provide injection in the large break LOCA analysis at full power (Ref. 2). This analysis establishes a minimum required flow for the LPI pumps, as well as the minimum required response time for their actuation.

The large break LOCA event assumes a loss of offsite power and a single failure (loss of the CT-4 transformer). For analysis purposes, the loss of offsite power assumption may be conservatively inconsistent with the assumed operation of some equipment, such as reactor coolant pumps (Ref. 3). During the blowdown stage of a LOCA, the ROS depressurizes as primary coolant is ejected through the break into the reactor building. The nuclear reaction is terminated by moderator voiding during large breaks.

Following depressurization, emergency cooling water is injected into the reactor vessel core flood nozzles, then flows into the downcomer, fills the lower plenum, and refloods the core.

In the event of a Core Flood line break which results in a LOCA, with a concurrent single failure on the unaffected LPI train opposite the Core Flood line break, the system is fitted with flow restricting devices in each injection leg and an upstream cross-connect pipe. These serve to limit the ECCS spillage through the faulted header and ensure that flow is diverted from the faulted header to the intact header at lower pressures. These flow restricting devices also provide LPI pump run-out protection during LBLOCAs.

The safety analyses show that an LPI train will deliver sufficient water to match decay heat boiloff rates for a large break LOCA.

In the large break LOCA analyses, full LPI is not credited until 74 seconds after actuation of the ESPS signal. This is based on a loss of offsite power and the associated time delays in Keowee Hydro Unit startup, valve opening and pump start. Further, LPI flow is not credited until RCS pressure drops below the pump's shutoff head. For a large break LOCA, HPI is not credited at all.

The LPI trains satisfy Criterion 3 of 10 CFR 50.36 (Ref. 4).

OCONEE UNITS 1, 2, &3 B3.-

Rv 0 B3.5.3-3 Rev. 001

LPI B 3.5.3 BASES (continued)

LCO In MODES 1, 2, and 3, two independent (and redundant) LPI trains are required to ensure that at least one LPI train is available, assuming a single failure in the other train. Additionally, individual components within the LPI trains may be called upon to mitigate the consequences of other transients and accidents. Each LPI train includes the piping, instruments, pumps, valves, heat exchangers and controls to ensure an OPERABLE flow path capable of taking suction from the BWST upon an ES signal and the capability to manually (remotely) transfer suction to the reactor building sump. The safety grade flow indicator of an LPI train is required to support OPERABILITY of the LPI and RBS trains to preclude NPSH or runout pro-blems. RBS flow is hydraulically maintained by system resistance, and throttling of RBS flow is not required. Therefore, RBS flow indication is not required to support LPI or RBS train OPERABILITY. The safety grade flow indicator associated with LPSW flow to an LPI cooler is required to be OPERABLE to support LPI train OPERABILITY.

LPI BWST Suction Valves, LP-21 and LP-22 do not have an ES signal to open. These valves shall be open when automatic initiation of the LPI and the RBS system is required to be OPERABLE. If either one is closed during this time, the associated LPI and RBS train is inoperable.

In MODE 4, one of the two LPI trains is required to ensure sufficient LPI flow is available to the core.

During an event requiring LPI injection, a flow path is required to provide an abundant supply of water from the BWST to the RCS, via the LPI pumps and their respective supply headers, to the reactor vessel. In the long term, this flow path may be switched to take its supply from the reactor building sump.

This LCO is modified by three Notes. Note 1 changes the LCO requirement when in MODE 4 for the number of OPERABLE trains from two to one. Note 2 allows an LPI train to be considered OPERABLE during alignment, when aligned or when operating for decay heat removal if capable of being manually (remotely) realigned to the LPI mode of operation. This provision is necessary because of the dual requirements of the components that comprise the LPI and decay heat removal modes of the LPI System. Note 3 requires the LPI discharge header crossover valves inside containment to be open in MODES 1, 2, and 3. If one of these valves is closed, then the system will be unable to sustain a single failure.

OCONEE UNITS 1, 2, & 3 B3534Rv 0

B3.5.3-4 Rev. 001 I

LPI B 3.5.3 BASES LCO (continued)

The flow path for each train must maintain its designed independence outside containment to ensure that no single failure can disable both LPI trains. If train separation is not maintained outside containment then only one LPI train is considered OPERABLE.

APPLICABILITY In MODES 1, 2 and 3, the LPI train OPERABILITY requirements for the Design Basis Accident, a large break LOCA, are based on full power operation. The position requirements of the LPI discharge crossover valves inside containment for the OFT line break are based on full power operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling requirements in the lower MODES.

In MODE 4, one OPERABLE LPI train is acceptable without single failure consideration on the basis of the stable reactivity condition of the reactor and the limited core cooling requirements.

In MODES 5 and 6, unit conditions are such that the probability of an event requiring LPI injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "DHR and Coolant Circulation-High Water Level," and LCO 3.9.5, "DHR and Coolant Circulation-Low Water Level."

ACTIONS A.1 With one LPI train inoperable in MODES 1, 2 or 3, the inoperable train must be returned to OPERABLE status within 7 days. The 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis in Reference 7. Reference 7 concluded that extending the Completion Time to 7 days for an inoperable LPI train improves plant operational flexibility while simultaneously reducing overall plant risk. Specifically, the risk incurred by having the LPI train unavailable for a longer time at power will be substantially offset by the benefits associated with avoiding unnecessary plant transitions and by reducing risk during shutdown operations.

OCONEE UNITS 1, 2, & 3 B3535Rv 0

B3.5.3-5 Rev. 001

LPI B 3.5.3 BASES ACTIONS B.1 (continued)

With one or more required LPI discharge header manual crossover valves inside containment closed, the closed valve(s) must be opened within 7 days. The 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis in Reference 7.

C.1 If the Required Action and associated Completion Time of Condition A or B are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months . The allowed Completion Times are reasonable, based on operating experience, reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1 With one required LPI train inoperable in MODE 4, the unit is not prepared to respond to an event requiring low pressure injection and may not be prepared to continue cooldown using the LPI pumps and LPI heat exchangers. The Completion Time of immediately, which would initiate action to restore at least one LPI train to OPERABLE status, ensures that prompt action is taken to restore the required LPI capacity. Normally, in MODE 4, reactor decay heat must be removed by a decay heat removal (DHR) loop operating with suction from the RCS. If no LPI train is OPERABLE for this function, reactor decay heat must be removed by some alternate method, such as use of the steam generator(s).

The alternate means of heat removal must continue until one of the inoperable LPI trains can be restored to operation so that continuation of decay heat removal (DHR) is provided.

With the LPI pumps (including the non ES pump) and LPI heat exchangers inoperable, it would be unwise to require the unit to go to MODE 5, where the only available heat removal system is the LPI trains operating in the DHR mode. Therefore, the appropriate action is to initiate measures to restore one LPI train and to continue the actions until the subsystem is restored to OPERABLE status.

OCONEE UNITS 1, 2, & 3 B3536Rv 0

B3.5.3-6 Rev. 001

LPI B 3.5.3 BASES ACTIONS D._.2 (continued)

Required Action D.2 requires that the unit be placed in MODE 5 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This Required Action is modified by a Note that states that the Required Action is only required to be performed if a DHR loop is OPERABLE. This Required Action provides for those circumstances where the LPI trains may be inoperable but otherwise capable of providing the necessary decay heat removal. Under this circumstance, the prudent action is to remove the unit from the Applicability of the LCO and place the unit in a stable condition in MODE 5. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is reasonable, based on operating experience, to reach MODE 5 in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.5.3.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the LPI flow paths provides assurance that the proper flow paths will exist for LPI operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal.

This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

When in MODE 4 an LPI train may be considered OPERABLE during alignment, when aligned or when operating for decay heat removal if capable of being manually realigned to the LPI mode of operation.

Therefore, for this condition, the SR verifies that LPI is capable of being manually realigned to the LPI mode of operation.

SR 3.5.3.2 With the exception of systems in operation, the LPI pumps are normally in a standby, non-operating mode. As such, the flow path piping has the potential to develop voids and pockets of entrained gases. Venting the LPI pump casings periodically reduces the potential that such voids and pockets of entrained gases can adversely affect operation of the LPI System. This will also minimize the potential for water hammer, pump OCONEE UNITS 1, 2, & 3 B3537Rv 0

B3.5.3-7 Rev. 001 I

LPI B 3.5.3 BASES SURVEILLANCE SR 3.5.3.2 (continued)

REQUIREMENTS cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an ESPS signal or during shutdown cooling. This Surveillance is modified by a Note that indicates it is not applicable to operating LPI pump(s). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.3 Periodic surveillance testing of LPI pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code (Ref. 6). SRs are specified in the Inservice Testing Program of the ASME Code.

SR 3.5.3.4 and SR 3.5.3.5 These SRs demonstrate that each automatic [P1 valve actuates to the required position on an actual or simulated ESPS signal and that each LPI pump starts on receipt of an actual or simulated ESPS signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The test will be considered satisfactory if control board indication verifies that all components have responded to the ESPS actuation signal properly (all appropriate ESPS actuated pump breakers have opened or closed and all ESPS actuated valves have completed their travel). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The actuation logic is tested as part of the ESPS testing, and equipment performance is monitored as part of the Inservice Testing Program.

OCONEE UNITS 1, 2, &3 B3..-

Rv 0 B3.5.3-8 Rev. 001

LPI B 3.5.3 BASES SURVEILLANCE SR 3.5.3.6 REQUIREMENTS (continued)

Periodic inspections of the reactor building sump suction inlet ensure that it is unrestricted and stays in proper operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

10 CFR 50.46.

2.

UFSAR, Section 15.14.3.3.6.

3.

UFSAR, Section 15.14.3.3.5.

4.

10 CFR 50.36.

5.

NRC Memorandum to V. Stello, Jr., from R.L. Baer, "Recommended Interim Revisions to LCOs for ECOS Components," December 1, 1975.

6.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

7.

NRC Safety Evaluation of Babcock & Wilcox Owners Group (B&WOG) Topical Report BAW-2295, Revision 1, "Justification for the Extension of Allowed Outage Time for Low Pressure Injection and Reactor Building Spray systems," (TAC No. MA3807) dated June 30, 1999.

OCONEE UNITS 1, 2, & 3 B3539Rv 0

B3.5.3-9 Rev. 001

Reactor Building Spray and Cooling Systems B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Reactor Building Spray and Cooling Systems BASES BACKGROUND The Reactor Building Spray and Reactor Building Cooling systems provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduces the release of fission product radioactivity from containment to the environment, in the event of an accident, to within limits. The Reactor Building Spray and Reactor Building Cooling systems are designed to meet ONS Design Criteria (Ref. 1).

The Reactor Building Cooling System and Reactor Building Spray System are Engineered Safeguards (ES) systems. They are designed to ensure that the heat removal capability required during the post accident period can be attained. The Reactor Building Spray System and Reactor Building Cooling System provide containment heat removal operation. The Reactor Building Spray System and Reactor Building Cooling System provide methods to limit and maintain post accident conditions to less than the containment design values.

Reactor Buildina Spray System The Reactor Building Spray System consists of two separate trains of equal capacity, each capable of meeting the design basis. Each train includes a reactor building spray pump, spray headers, nozzles, valves, piping and a flow indicator. Each train is powered from a separate ES bus.

The borated water storage tank (BWST) supplies borated water to the Reactor Building Spray System during the injection phase of operation. In the recirculation mode of operation, Reactor Building Spray System pump suction is manually transferred to the reactor building sump.

OCONEE UNITS 1, 2, & 3 B3651Rv 0

B3.6.5-1 Rev. 001 I

Reactor Building Spray and Cooling Systems B 3.6.5 BASES BACKGROUND Reactor Building Spray System (continued)

The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident. In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.

Reactor Buildingq Coolingq System The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor.

During normal unit operation, typically two reactor building cooling trains with two fans operating at low speed or high speed, serve to cool the containment atmosphere. Low speed cooling fan operation is available during periods of lower containment heat load. The third unit is usually on standby. Upon receipt of an emergency signal, the operating cooling fans running at low speed or high speed will automatically trip, then restart in low speed after a 3 minute delay, and any idle unit is energized in low speed after a 3 minute delay. The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere.

The common LPSW return header will split into two new headers downstream of the Reactor Building Cooling Units (RBCUs). Each header will contain two pneumatic discharge isolation valves and will be capable of full LPSW flow. The headers will be rejoined downstream of the discharge isolation valves into a common return.

APPLICABLE The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident. The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the OCONEE UNITS 1, 2, & 3 B3652Rv 0

B3.6.5-2 Rev. 001 I

Reactor Building Spray and Cooling Systems B 3.6.5 BASES APPLICABLE worst-case single active failure, resulting in one train of the Reactor Building SAFETY ANALYSES Spray System and one train of the Reactor Building Cooling System being (continued) inoperable.

The analysis and evaluation show that, under the worst-case scenario (LOCA with worst-case single active failure), the highest peak containment pressure is 57.75 psig. The analysis shows that the peak containment temperature is 283.1°F. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 80°F and 15.9 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.

The Reactor Building Spray System total delay time of approximately 142 seconds includes Keowee Hydro Unit startup (for loss of offsite power),

reactor building spray pump startup, and spray line filling (Ref. 2).

Reactor building cooling train performance for post accident conditions is given in Reference 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.

Reactor Building Cooling System total delay time of 3 minutes includes KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started. This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).

The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.

In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE. The LCO is provided with a note that clarifies this requirement. Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.

OCONEE UNITS 1, 2, & 3 B3653Rv 0

B3.6.5-3 Rev. 001 I

Reactor Building Spray and Cooling Systems B 3.6.5 BASES LCO (continued)

Each reactor building spray train shall include a spray pump, spray headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST (via the LPI System) upon an Engineered Safeguards Protective System signal and manually transferring suction to the reactor building sump. The OPERABILITY of RBS train flow instrumentation is not required for OPERABILITY of the corresponding RBS train because system resistance hydraulically maintains adequate NPSH to the RBS pumps and manual throttling of RBS flow is not required. During an event, LPI train flow must be monitored and controlled to support the RBS train pumps to ensure that the NPSH requirements for the RBS pumps are not exceeded. If the flow instrumentation or the capability to control the flow in a LPI train is unavailable then the associated RBS train's OPERABILITY is affected until such time as the LPI train is restored or the associated LPI pump is placed in a secured state to prevent actuation during an event.

Each reactor building cooling train shall include cooling coils, fusible dropout plates or duct openings, an axial vane flow fan, instruments, valves, and controls to ensure an OPERABLE flow path. Two headers of the LPSW RB Waterhammer Prevention Discharge Isolation Valves are required to support flowpath OPERABILITY or one header of LPSW RB Waterhammer Prevention Discharge Isolation Valves shall be manually opened (remote or local) to prevent automatic closure. Valve LPSW-1 08 shall be locked open to support system OPERABILITY.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the reactor building spray trains and reactor building cooling trains.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Thus, the Reactor Building Spray System and the Reactor Building Cooling System are not required to be OPERABLE in MODES 5 and 6.

ACTIONS The Actions are modified by a Note indicating that the provisions of LCO 3.0.4 do not apply for Unit 2 only. As a result, this allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and OCONEE UNITS 1, 2, & 3 B3654Rv 0

B 3.6.5-4 Rev. 001 I

Reactor Building Spray and Cooiing Systems B 3.6.5 BASES ACTIONS (continued) establishment of risk management actions, if appropriate. The risk assessment may use quantitative, qualitative, or blended approaches and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment must take into account all inoperable Technical Specifications equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, "Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants." Regulatory Guide 1.1 82 endorses the guidance in Section 11 of NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants." These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

The risk assessment does not have to be documented.

There is a small subset of systems and components that have been determined (Ref: B&W owners group generic qualitative risk assessments-attachment to TSTF-359, Rev. 9, "B&W owners group Qualitative Risk Assessment for Increased Flexibility in MODE Restraints," Framatome Technologies BAW-2383, October 2001.) to be of higher risk significance for which an LCO 3.0.4 exemption would not be allowed. For Oconee these are the Decay Heat Removal System (DHR) entering MODES, 5 and 4; Keowee Hydro Units entering MODES 1-5; and the emergency feedwater system (EFW) entering MODE 1. The Reactor Spray and Cooling System is not one of the higher risk significant systems noted.

The provisions of this Note should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified Condition in the Applicability.

OCONEE UNITS 1, 2, & 3 B3655Rv 0

B 3.6.5-5 Rev. 001

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS A.1 (continued)

With one reactor building spray train inoperable in MODE 1 or 2, the inoperable reactor building spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 7 day Completion Time takes into account the redundant heat removal capability afforded by the OPERABLE reactor building spray train, reasonable time for repairs, and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action A.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3, Completion Times, for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

B..__

With one of the reactor building cooling trains inoperable in MODE 1 or 2, the inoperable reactor building cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Reactor Building Spray System and Reactor Building Cooling System and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action B.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3 for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

C.1 With one reactor building spray train and one reactor building cooling train inoperable in MODE 1 or 2, at least one of the inoperable trains must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In this Condition, the remaining OPERABLE spray and cooling trains are adequate to provide iodine removal capabilities and are capable of providing at least 100% of OCONEE UNITS 1, 2, & 3 B3656Rv 0

B3.6.5-6 Rev. 001 I

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS C.1 (continued) the heat removal needs after an accident. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the heat removal capability afforded by the remaining OPERABLE spray train and cooling trains, reasonable time for repairs, and the low probability of an accident occurring during this period.

D..j_

If the Required Action and associated Completion Time of Condition A, B or C are not met, the unit must be brought to a MODE in which the LCO, as modified by the Note, does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1I With one of the required reactor building cooling trains inoperable in MODE 3 or 4, the required reactor building cooling train must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on engineering judgement taking into account the iodine and heat removal capabilities of the remaining required train of reactor building spray and cooling.

F.1I With one required reactor building spray train inoperable in MODE 3 or 4, the required reactor building spray train must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on engineering judgement taking into account the heat removal capabilities of the remaining required trains of reactor building cooling.

G.1 If the Required Actions and associated Completion Times of Condition E or F of this LCO are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit OCONEE UNITS 1, 2, & 3 B3657Rv 0

B3.6.5-7 Rev. 001 J

Reactor Building Spray and Cooling Systems B 3.6.5 BASES ACTIONS G.1 (continued) conditions from full power conditions in an orderly manner and without challenging unit systems.

H.1 With two reactor building spray trains, two reactor building cooling trains or any combination of three or more reactor building spray and reactor building cooling trains inoperable in MODE 1 or 2, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

With any combination of two or more required reactor building spray and reactor building cooling trains inoperable in MODE 3 or 4, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.6.5.1 REQU IREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the reactor building spray and cooling flow path provides assurance that the proper flow paths will exist for Reactor Building Spray and Cooling System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation.

Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B3658Rv 0

B3.6.5-8 Rev. 001 [

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE REQU IREMENTS (continued)

SR 3.6.5.2 Operating each required reactor building cooling train fan unit for

>_ 15 minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.3 Verifying that each required Reactor Building Spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by the ASME Code (Ref. 4). Since the Reactor Building Spray System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and may detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the Inservice Testing Program.

SR 3.6.5.4 Verifying the containment heat removal capability provides assurance that the containment heat removal systems are capable of maintaining containment temperature below design limits following an accident. This test verifies the heat removal capability of the Low Pressure Injection (LPI)

Coolers and Reactor Building Cooling Units. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B3659Rv 0

B 3.6.5-9 Rev. 001 I

Reactor Building Spray and Cooling Systems B 3.6.5 BASES SURVEILLANCE REQUIREMENTS (continued)

SR 3.6.5.5 and 3.6.5.6 These SRs require verification that each automatic reactor building spray and cooling valve actuates to its correct position and that each reactor building spray pump starts upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if visual observation and control board indication verifies that all components have responded to the actuation signal properly; the appropriate pump breakers have closed, and all valves have completed their travel. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.7 This SR requires verification that each required reactor building cooling train actuates upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if control board indication verifies that all components have responded to the actuation signal properly, the appropriate valves have completed their travel, and fans are running at half speed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.8 With the reactor building spray header isolated and drained of any solution, station compressed air is introduced into the spray headers. This SR requires verification that each spray nozzle is unobstructed following activities which could cause nozzle blockage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

UFSAR, Section 3.1.

2.

UFSAR, Section 6.2.

3.

10OCFR 50.36.

4.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

OCONEE UNITS 1, 2, & 3B3.5-0Rv01 B 3.6.5-10 Rev. 001

MSRVs B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Relief Valves (MSRVs)

BASES BACKGROUND The primary purpose of the MSRVs is to provide overpressure protection for the secondary system. The MSRVs also provide protection against overpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not available.

Eight MSRVs are located on each main steam header, outside containment as described in the UFSAR, Section 10.3 (Ref. 1). The MSRV rated capacity passes the full steam flow at 114% RTP with the valves full open.

This meets the requirements of the ASME Code,Section III (Ref. 2). The MSRV design includes staggered setpoints, (Ref. 1 ) so that only the needed number of valves will actuate. Staggered setpoints reduce the potential for valve chattering because of insufficient steam pressure to fully open the valves.

APPLICABLE SAFETY ANALYSES The design basis of the MSRVs (Ref. 2) is to limit secondary system pressure to _< 110% of design pressure when passing 105% of design steam flow. This design basis is sufficient to cope with any anticipated transient or accident considered in the accident and transient analysis.

The events that challenge the relieving capacity of the MSRVs, and thus ROS pressure, are those characterized as decreased heat removal or increased heat addition events. MSRV relief capacity is utilized in the UFSAR (Ref. 3 and Ref. 4) for mitigation of the following events:

a.

Loss of main feedwater;

b.

Steam line break;

c.

Steam generator tube rupture;

d.

Rod withdrawal at rated power; and

e.

Loss of Electric Load.

OCONEE UNITS 1, 2, & 3 B3711Rv 0

B 3.7.1-1 Rev. 001 I

MSIRVs B 3.7.1 BASES APPLICABLE SAFETY ANALYSIS (continued)

The MSRVs satisfy Criterion 3 of 10 CFR 50.36, (Ref. 5).

LCO The MSRVs are provided to prevent overpressurization as discussed in the Applicable Safety Analysis section of these Bases. The LCO requires sixteen MSRVs, eight on each main steam line, to be OPERABLE to ensure compliance with the ASME Code following accidents and transients initiated at full power. Operation with less than a full complement of MSRVs is not permitted. To be OPERABLE, lift setpoints must remain within limits, specified in the UFSAR.

The safety function of the MSRVs is to open, relieve steam generator overpressure, and reseat when pressure has been reduced.

OPERABILITY of the MSRVs requires periodic surveillance testing in accordance with the Inservice Testing Program.

The lift settings correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This LCO provides assurance that the MSRVs will perform the design safety function.

APPLICABILITY In MODES 1, 2, and 3, the MSRVs must be OPERABLE to prevent overpressurization of the main steam system.

In MODES 4 and 5, there is no credible transient requiring the MSRVs.

The steam generators are not normally used for heat removal in MODES 5 and 6, and thus cannot be overpressurized. There is no requirement for the MSRVs to be OPERABLE in these MODES.

ACTIONS A.1 and A.2 With one or more MSRVs inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , and in MODE 4 within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B3712Rv 0

B 3.7.1-2 Rev. 001 I

MSRVs B 3.7.1 BASES (continued)

SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the OPERABILITY of the MSRVs by the verification of MSRV lift setpoints in accordance with the Inservice Testing Program. The safety and relief valve tests are performed in accordance with ASME Code (Ref. 6) and include the following for MSRVs:

a.

Visual examination;

b.

Seat tightness determination;

c.

Setpoint pressure determination (lift setting);

d.

Compliance with owner's seat tightness criteria; and

e.

Verification of the balancing device integrity on balanced valves.

The ASME Code requires the testing of all valves every 5 years, with a minimum of 20% of the valves tested every 24 months.

This SR is modified by a Note that states the surveillance is only required to be performed in MODES 1 and 2. This note allows entry into and operation in MODE 3 prior to performing the SR, provided there is no evidence that the equipment is otherwise believed to be incapable of performing its function. Also, the guidance in the TS Bases for SR 3.0.1 states that equipment may be considered OPERABLE following maintenance provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This allows operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

For example, the mode change provisions described above specifically applies to scenarios where maintenance on MSRVs is performed below the mode of applicability for LCO 3.7.1, testing has been satisfactorily completed to the extent possible, and the equipment is believed capable of performing its function. The mode change provisions permit entry into Mode 3 in order to test and adjust the set pressure, as necessary, to satisfy SR 3.7.1.1 prior to entry into Mode 2.

The MSRVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSRVs are not tested at hot conditions, the lift setting pressure must be corrected to ambient conditions of the valve at operating temperature and pressure.

OCONEE UNITS 1,2, & 3 B3713Rv 0

B 3.7.1-3 Rev. 001 I

MSRVs B 3.7.1 BASES (continued)

REFERENCES 1.

2.

3.

4.

5.

6.

UFSAR, Section 10.3.

ASME, Boiler and Pressure Vessel Code,Section III, Article NC-7000, Class 2 Components.

UFSAR, Chapter 15.

UFSAR, Section 10.3.3.

10 CFR 50.36.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

OCONEE UNITS 1, 2, & 3 B3714Rv 0

B 3.7.1-4 Rev. 001

MFCVs and SFCVs B 3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 Main Feedwater Controi Valves (MFCVs), and Startup Feedwater Control Valves (SFCVs)

BASES BACKGROUND The main feedwater isolation valves (MFI Vs) for each steam generator consist of the MFCVs and the SFCVs. The MFIVs isolate main feedwater (MFW) flow to the secondary side of the steam generators following a high energy line break (HELB). The consequences of events occurring in the main steam lines will be mitigated by their closure. Closing the MFCVs and associated SFCVs valves effectively terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for steam line breaks (SLBs) inside containment and reducing the cooldown effects for SLBs.

The MFlIVs close on receipt of a MSLB detection signal generated by low steam header pressure. The MFlIVs can also be closed manually.

APPLICABLE The design basis of the MFI Vs is established by the containment analysis SAFETY ANALYSES for the main steam line break (MSLB).

Failure of an MFIV to close following an MSLB, can result in additional mass and energy being delivered to the steam generators, contributing to cooldown. This failure also results in additional mass and energy releases following an MSLB.

The MFIVs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).

LCO This LCO ensures that the MFIVs will isolate MFW flow to the steam generators following a main steam line break.

Two MFCVs and two SFCVs are required to be OPERABLE. The MFIVs are considered OPERABLE when the isolation times are within limits and they close on a feedwater isolation actuation signal.

Automatic initiation instrumentation is not required to be OPERABLE in MODE 3 when main steam header pressure is < 700 psig in accordance with LCO 3.3.11, "Automatic Feedwater Isolation System (AFIS)

Instrumentation."

OCONEE UNITS 1, 2, & 3 B3731Rv 0

B3.7.3-1 Rev. 001 I

MFCVs and SFCVs B 3.7.3 BASES LCO When automatic initiation circuitry is not required to be OPERABLE, the (continued)

MFCVs and SFCVs are OPERABLE provided manual closure capability is OPERABLE. Automatic initiation is not required in this condition since additional time is available for the operator to manually close the valves if required.

Failure to meet the LOCO requirements can result in excessive cooldown and additional mass and energy being released to containment following an MSLB inside containment.

APPLICABILITY The MFCVs and SFCVs must be OPERABLE whenever there is significant mass and energy in the RCS and steam generators.

In MODES 1, 2, and 3, the MFCVs and SFCVs are required to be OPERABLE in order to limit the cooldown and the amount of available fluid that could be added to containment in the case of an MSLB inside containment. When the valves are closed, they are already performing their safety function.

In MODES 4, 5, and 6, feedwater and steam generator energy are low.

Therefore, the MFCVs and SFCVs are not required for isolation of potential main steam pipe breaks in these MODES.

ACTIONS The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each valve.

A.1 and A.2 With one MFCV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . When these valves are closed or isolated, they are performing their required safety function.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time provides a reasonable time to restore an inoperable MFIV to OPERABLE status and is acceptable due to the low probability of an event occurring during this time period that would require isolation of the MEW flow paths.

OCONEE UNITS 1, 2, & 3 B3732Rv 0

B 3.7.3-2 Rev. 001 I

MFCVs and SFCVs B 3.7.3 BASES ACTIONS A.1 and A.2 (continued)

Inoperable MFCVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.

B.1 and B.2 With one SFCV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . When these valves are closed or isolated, they are performing their required safety function.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time provides a reasonable time to restore an inoperable MFIV to OPERABLE status and is acceptable due to the low probability of an event occurring during this time period that would require isolation of the MEW flow paths.

Inoperable SFCVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.

C.1 and C.2 If the Required Actions and associated Completion Time are not met, the unit must be in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B3733Rv 0

B 3.7.3-3 Rev. 001 I

MFCVs and SFCVs B 3.7.3 BASES (continued)

SURVEILLANCE REQUIREMENTS SR 3.7.3.1 This SR verifies that the closure time of each MFCV and SFCV is

< 25 seconds on an actual or simulated actuation signal. The 25 seconds includes a 10 second signal delay and 15 seconds for valve movement.

The MFCV and SFCV closure time is assumed in the containment analyses. This Surveillance is normally performed upon returning the unit to operation following a refueling outage. The MFCV and SFCV should not be tested at power since even a part stroke exercise increases the risk of a valve closure with the unit generating power. This is consistent with the ASME Code (Ref. 2) requirements during operation in MODES 1 and 2.

This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR.

The Frequency for this SR is in accordance with the Inservice Testing Program.

REFERENCES

1.

10 CFR 50.36.

2.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

OCONEE UNITS 1, 2, &3 B3..-

Rv 0 B3.7.3-4 Rev. 001

EFW System B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Emergency Feedwater (EFW) System BASES BACKGROUND The EFW System automatically supplies feedwater to the steam generators to remove decay heat from the Reactor Coolant System (RCS) upon the loss of normal feedwater supply. The EFW pumps take suction through suction lines from the upper surge tank (UST) and condenser Hotwell and pump to the steam generator secondary side through the EFW nozzles. The steam generators function as a heat sink for core decay heat.

The heat load is dissipated by releasing steam to the atmosphere from the steam generators via the main steam relief valves (MSRVs) (LCO 3.7.1, "Main Steam Relief Valves (MSRVs)"), or atmospheric dump valves (ADVs). If the main condenser is available, steam may be released via the Turbine Bypass System and recirculated to the condenser Hotwell.

The EFW System consists of two motor driven EFW pumps and one turbine driven EFW pump, any one of which can provide the required heat removal capability. Thus, the requirements for diversity in motive power sources for the EFW System are met. The steam turbine driven EFW pump receives steam from either of the two main steam headers, upstream of the main turbine stop valves (TSVs), or from the Auxiliary Steam System which can be supplied from the other two unit's Main Steam System. The EFW System supplies a common header capable of feeding either or both steam generators. The EFW System normally receives a supply of water from the UST. The EFW System can also be aligned to the condenser Hotwell. An additional source of water is the condensate storage tank which can be pumped to the USTs.

The EFW System is capable of supplying feedwater to the steam generators during normal unit startup, shutdown, and hot standby conditions.

The three emergency feedwater pumps are started automatically upon a loss of both main feedwater pumps or a signal from the ATWS Mitigation System Actuation Circuitry (AMSAC). The two motor driven emergency feedwater pumps are also started automatically upon a low steam generator level which exists for at least 30 seconds.

The EFW System is discussed in the UFSAR, Section 10.4.7, (Ref. 1 ).

OCONEE UNITS 1, 2, & 3 B3751Rv 0

B3.7.5-1 Rev. 001 I

EFW System B 3.7.5 BASES (continued)

APPLICABLE The EFW System mitigates the consequences of any event with a loss of SAFETY ANALYSES normal feedwater.

The design basis of the EFW System is to supply water to the steam generator to remove decay heat and other residual heat by delivering at least the minimum required flow rate to the steam generators at 1064 psia for the MDEFW pump and 1100 psig for the TDEFW pump.

The limiting event for the EFW System is the loss of main feedwater with offsite power available.

The EFW System design is such that it can perform its function following a loss of the turbine driven main feedwater pumps combined with a loss of normal or emergency electric power.

The EFW System satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO This LCO provides assurance that the EFW System will perform its design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three independent EFW pumps and two flow paths are required to be OPERABLE to ensure the availability of residual heat removal capability for ail events accompanied by a loss of offsite power and a single failure. This is accomplished by powering one pump by a steam driven turbine supplied with steam from a source not isolated by the closure of the TSVs, and two pumps from a power source that, in the event of loss of offsite power, is supplied by the emergency power source.

The EFW System is considered to be OPERABLE when the components and flow paths required to provide EFW flow to the steam generators are OPERABLE. This requires that the turbine driven EFW pump be OPERABLE with a steam supply from either one of the main steam lines upstream of the TSVs or from the Auxiliary Steam System. The two motor driven EFW pump(s) are also required to be OPERABLE. The two required flow paths shall also be OPERABLE. A flowpath is defined as the flowpath to either steam generator including associated valves and piping capable of being supplied by either the turbine driven pump or the associated motor driven pump. The sources of water to the EFW System are required to be OPERABLE. The associated flow paths from the EFW System sources of water to all EFW pumps also are required to be OPERABLE. In MODES 1 and 2 automatic EFW initiation is required to be OCONEE UNITS 1, 2, & 3 B3752Rv 0

B 3.7.5-2 Rev. 001 I

EFW System B 3.7.5 BASES LCO (continued)

OPERABLE in accordance with Specification 3.3.14, "Emergency Feedwater (EFW) Pump Initiation Circuitry." Automatic EFW steam generator level control is required to be OPERABLE when automatic EFW initiation is required to be OPERABLE. EFW automatic initiation instrumentation is not required to be OPERABLE in MODES 3 and 4 in accordance with LCO 3.3.14. In MODES 3 and 4 the EFW System is OPERABLE provided manual initiation capability is OPERABLE. Automatic initiation is not required in MODES 3 and 4 since additional time is available in these MODES for the operator to manually initiate the system if required.

When in MODE 3 and 4 automatic EFW flow control is not required to be OPERABLE provided manual steam generator level control is OPERABLE.

The LCO is modified by a Note indicating that one motor driven EFW pump and EFW flow path, is required in MODE 4 when an SG is relied upon for heat removal. This is because of reduced heat removal requirements, the short duration of MODE 4 in which feedwater is required, and the insufficient steam supply available in MODE 4 to power the turbine driven EFW pump.

APPLICABILITY In MODES 1, 2, and 3, the EFW System is required to be OPERABLE and to function in the event that the main feedwater is lost. In MODE 4, with RCS temperature above 212°F, the EFW System may be used for heat removal via the steam generators. In MODE 4, the steam generators are used for heat removal unless the DHR System is in operation. In MODE 4 steam generators are relied upon for heat removal whenever an RCS loop is required to be OPERABLE or operating to satisfy LCO 3.4.6, "RCS Loops - Mode 4."

In MODES 5 and 6, the steam generators are not used for DHR and the EFW System is not required.

ACTIONS A.1 With one of the motor driven EFW pumps inoperable, action must be taken to restore the MDEFW pump to OPERABLE status within 7 days. The 7 day Completion Time is reasonable, based on the following reasons:

a.

The redundant OPERABLE turbine driven EFW pump(s);

b.

The availability of the redundant OPERABLE motor driven EFW pump; and OCONEE UNITS 1, 2, & 3 B3753Rv 0

B3.7.5-3 Rev. 001 I

EFW System B 3.7.5 BASES ACTIONS A.1 (continued)

c.

The low probability of an event occurring that would require the EFW System during the 7 day period.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO.

The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B exist concurrently. The AND connector between 7 days and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

B.1 When the turbine driven EFW pump or one EFW flow path is inoperable, action must be taken to restore the pump and flow path to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on the redundant capabilities afforded by the EFW System, time needed for repairs, and the low probability of an accident occurring during this time period. The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO.

The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B exist concurrently. The AND connector between 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

C.1 With the two motor driven EFW pumps inoperable, action must be taken to restore at least one pump to OPERABLE status within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable, based on the redundant capabilities afforded by the turbine driven EFW pump, time needed for repairs, and the low probability of an accident occurring during this time period.

OCONEE UNITS 1, 2, & 3 B3754Rv 0

B3.7.5-4 Rev. 001 I

EFW System B 3.7.5 BASES ACTIONS D.1 and D.2 (continued)

When Required Action or Completion Time for Condition A, B or C is not met or when the turbine driven EFW pump and one EFW flow path are inoperable in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at [east MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

In MODE 4, with two EFW pumps and one flow path inoperable, operation is allowed to continue because only one motor driven EFW train is required in accordance with the Note that modifies the LCO. Although not required, the unit may continue to cool down and initiate DHR.

E. 1 Required Action E.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until at least one EFW pump and one flow path are restored to OPERABLE status.

With all EFW pumps or flow paths inoperable in MODE 1, 2, or 3, the unit is in a seriously degraded condition. In such a condition, the unit should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this condition requires that action be started immediately to restore at least one EFW pump and flow path to OPERABLE status. LCO 3.0.3 is not applicable, as it could force the units into a less safe condition.

F. 1 In MODE 4, either the steam generator loops or the DHR loops can be used to provide heat removal, which is addressed in LCO 3.4.6, "RCS Loops - MODE 4." With one required EFW pump or flow path inoperable, action must be taken to immediately restore the inoperable pump or flow path to OPERABLE status.

OCONEE UNITS 1, 2, & 3 B3755Rv 0

B 3.7.5-5 Rev. 001 I

EFW System B 3.7.5 BASES (continued)

SURVEILLANCE SR 3.7.5.1 REQUIREMENTS Verifying the correct alignment for manual, and non-automatic power operated valves in the EFW water and steam supply flow paths provides assurance that the proper flow paths exist for EFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since those valves are verified to be in the correct position prior to locking, sealing, or securing.

This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.7.5.2 Verifying that each EFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that EFW pump performance has not degraded below the acceptance criteria during the cycle. Flow and differential head are normal indications of pump performance required by the ASME Code (Ref. 3). Because it is undesirable to introduce cold EFW into the steam generators while they are operating, this test may be performed on a test flow path.

This test confirms OPERABILITY, trends performance, and detects incipient failures by indicating abnormal performance. Performance of inservice testing in the ASME Code (Ref. 3), at 3 month intervals, satisfies this requirement.

SR 3.7.5.3 This SR verifies that EFW can be delivered to the appropriate steam generator in the event of any accident or transient that generates an Emergency Feedwater System initiation signal by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative OCONEE UNITS 1, 2, & 3 B3756Rv 0

B 3.7.5-6 Rev. 001

EFW System B 3.7.5 BASES SURVEILLANCE SR 3.7.5.3 (continued)

REQU IREMENTS controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note which states that the SR is not required in MODES 3 and 4. In MODES 3 and 4, the heat removal requirements would be less, thereby providing more time for operator action to manually start the required EFW pump.

SR 3.7.5.4 This SR verifies that each EFW pump starts in the event of any accident or transient that generates an initiation signal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note which states that the SR is not required in MODES 3 and 4. In MODE 3 and 4, the heat removal requirements would be less, thereby providing more time for operator action to manually start the required EFW pump.

SR 3.7.5.5 This SR ensures that the EFW System is properly aligned by verifying the flow paths to each steam generator prior to entering MODE 2 after more than 30 days in MODE 5 or 6. OPERABILITY of EFW flow paths must be demonstrated before sufficient core heat is generated that would require the operation of the EFW System during a subsequent shutdown. The Frequency is reasonable, based on engineering judgment, in view of other administrative controls to ensure that the flow paths are OPERABLE. To further ensure EFW System alignment, flow path OPERABILITY is verified, following extended outages to determine no misalignment of valves has occurred. This SR ensures that the flow path from the UST to the steam generator is properly aligned.

OCONEE UNITS 1, 2, & 3 B3757Rv 0

B 3.7.5-7 Rev. 001 I

EFW System B 3.7.5 BASES (continued)

REFERENCES

1.

UFSAR, Section 10.4.7.

2.

10 CFR 50.36.

3.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

OCONEE UNITS 1, 2, & 3 B3758Rv 0

B 3.7.5-8 Rev. O01