Text

Technical Specification Bases Change 2015-09
	ML17061A261
Person / Time
Site:	Oconee
Issue date:	02/23/2017
From:	Teresa Ray; Duke Energy Carolinas
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	ONS-2017-019
	Download: ML17061A261 (182)
	v • d • e

J_~DUKE Thomas D. Ray

~ ENERGY Vice President Oconee Nuclear Station Duke Energy ON01VP 17800 Rochester Hwy Seneca, SC 29672 o: 864.873.5016

t. 864.873. 4208 Tom.Ray@duke-energy.com ONS-2017-019 February 23, 2017 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission 11555 Rockville Pike Rockville, Maryland 20852 Subjed: Duke Energy Carolinas, LLC

Oconee Nuclear Station Docket Numbers 50-269, 50-270, and 50-287 Technical Specification Bases Change 2015-09 The attached change to the Oconee Nuclear Station TS Bases was processed in accordance with the provisions of Technical Specification 5.5.15, "Technical Specifications (TS} Bases Control Program." *-

Technical Specification Bases (TSB) change 2015-09 removes several references associated with surveillance frequencies that were relocated to the Surveillance Frequency Control Program as part of the implementation of an approved License Amendment Request associated with TSTF-425, Rev. 3., "Relocated Surveillance Frequencies to Licensee Control - Risk-Informed Technical Specification Task Force (RITSTF} Initiative 5b." This change also updates other references in the TSB.

Any questions regarding this information should be directed to Stephen Newman, Oconee Regulatory Affairs, at (864) 873-4388.

Sincerely,

~])., __~

Thomas D. Ray Vice President Oconee Nuclear Station Attachment 4

www.duke-energy.com

U. S. Nuclear Regulatory Commission February 23, 2017 Page 2 cc: Ms. Catherine Haney Administrator, Region II U.S. Nuclear Regulatory Commission, Region II Marquis One Tower 245 Peachtree Center Ave., NE, Suite 1200 Atlanta, GA 30303-1257 Mr. James R. Hall, Senior Project Manager (QNS)

(By electronic mail only)

U. S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation 11555 Rockville Pike Mail Stop 0-8G9A Rockville, MD 20852 Mr. Eddy L. Crowe Senior Resident Inspector Oconee Nuclear Station

ONS-2017-019 February 23, 2017 Attachment T~B List of Effective Pages (LOEPs), Rev. 012 LOEP 1-4 TSB 3.3.1 Reactor Protection System (RPS)

Instrumentation, Rev. 003 3.3.1 1 -27 TSB 3.3.11 Automatic Feedwater Isolation System (AFIS) Instrumentation, Rev 001 3.3.11 1-5 TSB 3.3.14 Emergency Feedwater (EFW) Pump Initiation Circuitry, Rev. 001 3.3.14 1-4 TSB 3.4.3 RCS Pressure and Temperature (PIT) Limits

- Rev. 001 3:4.3 1-8 TSB 3.4.13 Reactor Coolant System (RCS), Rev. 001 3.4.13 1-6 TSB 3.5.3 Low P*ressure Injection (LPI) Rev. 002 3.5.3 1-9 TSB 3.6.1 Containment, Rev. 001 3.6.1 1-4 TSB 3.6.2 Containment Air Locks, Rev. 001 3.6.2 1-7 TSB 3.7.1 Main Steam Relief Valves (MSRVs), Rev. 002 3.7.1 1-4 TSB 3.7.4 Atmospheric Dump Valve (ADV)

Flow Paths, Rev. 002 3.7.4 1-5 TSB 3.7.10 P*rotected Service Water (PSW)

System, Rev. 003 3.7.10 1-13

_TSB 3.7.10a PSW Battery Cell Parameters, Rev. 001 3.7.10a 1-7 TSB 3.7.17 Spent Fuel Pool Ventilation System

-(SFPVS), Rev. 001 3.7.17 1-3 TSB 3.8.1 AG Sources - Operating, Rev. 002 3.8.1 1-26 TSB 3.8.3 DC Sources - Operating, Rev. 001 3.8.3 1-10 TSB 3.8.8 Distribution Systems - Operating, Rev. 001 3.8.8 1-9 TSB 3.8.9 Distribution Systems - Shutdown, Rev. 001 3.8.9 1-4 TSB 3.9.3 Containment Penetrations, Rev. 001 3.9.3 1-5 TSB 3.9.4 Decay Heat Removal (OHR) and Coolant Circulation-High Water Level, Rev. 001 3.9.4 1-4 TSB 3.10.1 Standby Shutdown Facility (SSF), Rev. 001 3.10.1 1-19 www.duke-energy.com

RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping .the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to a~sure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system _

action to prevent exceeding acceptable limits during accidents, or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a. The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;

b. Fuel centerline melt shall not occur; and

c. The RCS pressure SL of 2750 ps_ia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 50.67 criteria during anticipated transients. Accidents are events that are analyzed even though*

they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 50.67 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

OCONEE UNITS 1, 2, & 3 B 3.3.1-1 Rev.003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump turbines status, and main turbine status.

Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of mea~urement channels, a manual trip channel, a reactor trip component (RTC), and a control rod drive (CRD) trip device. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the processor output trip devices in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints. **

If the setpoint for a parameter Input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not.occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel.

However, due*to the 2.MIN/2.MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.

The RTS consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRD's. Two separate power paths to the CRD's ensure that a single failure that opens one path will not cause an unwanted reactor trip.

The RPS consists of four independent protective channels (A, B, C, and D).

Each RPS protective channel contains the sensor input modules, a protective channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized).

OCONEE UNITS 1, 2, & 3 B 3.3.1-2 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D. Likewise, channels B, C and D control the respective RTR in each of the four channels. Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels. This configuration results in a two-out-of-four coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and*

open the respective contacts. The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.

Three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function. Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed.by the RPS protective channels.

The reactor is tripped by opening the reactor trip breakers.

There are three bypasses: shutdown bypass, manual bypass, and channel trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SOM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The manual bypass allows putting a complete RPS channel into bypass for maintenance activities. This includes the planned power-down of the bypassed RPS channel computer. If the complete RPS channel is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the manual bypass Unit Statalarm window will not illuminate. The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit. *

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

OCONEE UNITS 1, 2, & 3 B 3.3.1-3 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND RPS Overview (continued)

a. Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;

b. Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and

c. Redundant measurements with combinational trip logic inside the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Range Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1. Nuclear Overpower

a. Nuclear Overpower - High Setpoint;

b. Nuclear Overpower - Low Setpoint;

7. Reactor Coolant Pump to Power;*

8. Nuclear Overpower Flux/Flo~ Imbalance;

9. Main Turbine Trip (Hydraulic Fluid Pressure); and

10. Loss of Main Feedwater (LOMFW) Pump Turbines (Hydraulic Oil Pressure).

OCONEE UNITS 1, 2, & 3 B 3.3.1-4 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Power Range Nuclear Instrumentation (continued)

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2. RCS High Outlet Temperature; and

5.

RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance temperature detection elements in. each hot leg, for a total of four. One temperature detection element is associated with each protective channel..

Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:

3. RCS High Pressure;

4. RCS Low Pressure;

5. RCS Variable Low Pressure; and

11. Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-5 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Reactor Building Pressure (continued)

The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

Reactor Coolant Pump Power Monitoring Reactor coolant pump power monitors are inputs to the. Reactor Coolant Pump to Power trip, Function 7. Each RCP has a RCP Power Monitor

. (RCPPM), which monitors the electrical power and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.

Reactor Coolant System Flow

The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor

. coolant flow inputs to the RPS are provided by eight high accuracy *

. differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

, Main Turbine Hydraulic Fluid Pressure

Main Turbine Hydraulic Fluid Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine hydraulic fluid pressure. Each

protective channel continuously monitbrs the status of the contact inputs and initiates an RPS trip when a main turbine trip is indicated.

Feedwater Pump Turbine Hydraulic Oil Pressure Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.

Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine is associated with each*

protective channel.

OCONEE UNITS 1, 2, & 3 B 3.3.1-6 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Feedwater Pump Turbine Hydraulic Oil Pressure (continued)

Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches. When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal .is initiated on that channel.

RPS Bypasses The R_PS is desi_gned with three types of bypasses: shu~down bypass, manual bypass and channel trip function bypass.

Each bypass is discussed next.

Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at.

least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn .and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the

operator to bypass the low pressure trip and maintain shutdown .

.capabilities. During the cooldown and depressurization, the safety rods are, inserted prior to the low *pressure trip of 1800 psig. The RCS pressure is .

decreased to les~ than 1720 psig, then each RPS channel is place9 in shutdown bypass.

A shutdown bypass signal is provided by the operator from the shutdown bypass keyswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip; Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure_, 1720 psig trip.

The operator can now withdraw the safety .rods for additional rapidly insertable negative reactivity.

The insertion of the new high pressure trip performs two functions. First,*

with a trip setpoint of 1720 psig, the processor output trip device prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a OCONEE UNITS 1, 2, & 3 B3.3.1-7 Rev. 003

RPS Instrumentation B 3.3.1 BASES BACKGROUND Shutdown Bypass (continued) unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip setpoint is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.

Manual Bypass The RPS Manual Bypass allows putting the complete RPS channel into

_ bypass for maintenance activities. Placing the RPS channel in bypass does not power-down the computer. If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep .

the four RTRs associated with the respective channel energized while the channel computer is powered down. To place a *protective channel in manual bypass, the other three channels must not be in manual bypass or otherwise inoperable (e.g., a channel trip function in bypass).

The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.

If the complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained. That RPS channel output signal goes to "trip" and the Manual Bypass Unit Statalarrn window will not illuminate.

Channel Trip Function Bypass An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable.

Operation to put functions in bypass is administratively controlled since there is no interlock to prevent placing functions in multiple channels in bypass. Channel trip functions may be placed in bypass in only one RPS channel at a time.

OCONEE UNITS 1, 2, & 3 B 3.3.1-~ Rev. 003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Change Enable Mode (continue.d)

Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channel's cabinet pair.

Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the "Parameter Change Enable" keyswitch will also place the corresponding ESPS Channels A 1, B 1 or C 1 in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

With the keyswitch in the Parameter Change Enable Position the following modes of operation are.allowed for processors:

Normal Operation - with permissive for operating mode change.

Parameterization - allows changes to specific parameters (example

placing a parameter into a tripped condition or performing Reactor Trip Relay testing).

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these m.odes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position (pr any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service ( 1) the affected RPS channel shall be bypassed and (2) either the affected ESPS input channel (A 1, B 1, or C1) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:

Loading or revising the software in a processor.

Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit.

OCONEE UNITS 1, 2, & 3 B 3.3.1-9 Rev.003 I

RPS Instrumentation B 3.3.1 BASES BACKGROUND Parameter Change Enable Mode (continued)

Changfng parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.

Only one RPS channel at a time is allowed to be placed into Parameter

Change Enable Mode Position for these activities.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway. ,

RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 9FR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the

accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value and associated uncertainties is provided in Reference 4.

Setpoints in conjunction with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions OCONEE UNITS 1, 2, & 3 B3.3.1-10 Rev.003 j

RPS Instrumentation B 3.3.1 BASES BACKGROUND Trip Setpoints/Allowable Value (continued) as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

With the exception of the RB High Pressure function, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These Functions are high RB pressure, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do

. not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions: The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn *.

CONTROL RODS exists at all times that rod motion .is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL CALIBRATIONS does not exceed the Allowable Value. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that OCONEE UNITS 1, 2, & 3 B 3.3.1-11 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE operation, testing and subsequent calibration are consistent with the SAFETY ANALYSES, assumptions of the setpoint calculations. Each Allowable Value specified is LCO, and more conservative than instrument uncertainties appropriate to the trip APPLICABILITY Function. These uncertainties are defined in Reference 4.

(continued)

For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these ..

Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips dL,Je to normal fluctuations in the measured parameter.

The safety analyses applicable to each RPS Function are discussed next.

1.

Nuclear Overpower

a. Nuclear Overpower - High Setpoint The Nuclear Overpower- High Setpoint trip provides*

protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

There is a setpoint for 4 and 3 RCP operation. The purpose of the 3 RCP trip is to' provide protection for power excursion events initiated from 3 RCP operation, most notably the small steam line break.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest OCONEE UNITS 1, 2, & 3 B3.3.1-12 Rev.003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE a. Nuclear Overpower - High Setpoint (continued)

SAFETY ANALYSES, LCO, and power at which the other two trips are known to provide APPLICABILITY protection.

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident and the rod ejection accide.nt. By providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power

levels and also serves to limit reactor power to prevent violation of the RC.S pressure SL.

Rod withdrawal accident analyses cover a larg~ spectrum of .

reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

b. NuclearOverpower - Low Setpoint When initiating shutdown bypass, the Nuclear Overpower -

Low Setpoint trip must be reduced to~ 5% RTP. The low power setpoint; in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the .unit is protected from excessive power conditions when other RPS* trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2. RCS High Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor ..

vessel outlet temperature approaches the conditions necessary for.

DNB. Portions of each RCS High Outlet Temperature trip channel*

are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip. provides steady state protection for the DNBR SL.

OCONEE UNITS 1, 2, & 3 B3.3.1-13 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE 2. RCS High Outlet Temperature (continued)

SAFETY ANALYSES, LCO, and The RCS High Outlet Temperature trip limits the maximum RCS APPLICABILITY temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

3. RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.

The RCS High Pressure trip has been creqited in the transient- -*

analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum.of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower

- High Setpoint trip provides the primary protection. At low reactivity insertion rates, th~ RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS

High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB. *

4. RCS Low Pressure.

The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.

OCONEE UNITS 1., 2, & 3 B 3.3.1-14 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE 4. RCS Low Pressure (continued)

SAFETY ANALYSES, LCO, and The RCS Low Pressure setpoint Allowable Value is selected to APPLICABILITY ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant

accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

5. RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within th.e range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6. Reactor Building High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

OCONEE UNITS 1, 2, & 3 83.3.1-15 Rev.003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE 6. Reactor Building High Pressure (continued)

SAFETY ANALYSES, LCO, and The Allowable Value for RB High Pressure trip is set at the lowest APPLICABILITY value consistent with avoiding spurious trips during normal operation.

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, thedetermination of the setpoint Allowable Value accounts for errors induced by the high radiatio[l., '

7. Reactor Coolant Pump to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. Each reactor coolant pump tias an RCPPM, which monitors the electrical power and breaker- status of each pump motor to determine if the pump is running. Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2%

rated full power.

8. Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance Sls. A reactor trip is initiated*prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline

.temperature limits.

This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of

reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

OCONEE UNITS 1, 2, & 3 B 3.3.1-16 Rev.003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE 8. Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and The power to flow ratio of the Nuclear Overpower Flux/Flow APPLICABILITY Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.

By measuring reactor coolant flow and by tripping only when*

conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9. Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 *

(Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel that continuously monitors the status of the contacts.

For the Main Turbine Trip (Hydraulic Fluid Pressure), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range.

This trip is bypassed at power levels < 30% RTP for unit startup.

The turbine trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

OCONEE UNITS 1, 2, & 3 B 3.3.1-17 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE 10. Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure)

SAFETY ANALYSES, LCO, and The Loss of Main Feedwater Pump Turbines (Hydraulic Oil APPLICABILITY Pressure) trip provides a reactor trip at high power levels when both

_(continued) MFW pump turbines are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF.

This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

For the feedwater pump turbine hydraulic oil pressure, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops bel0w the normal operating range. This trip is bypassed at power levels < 2% RTP. for unit startup. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

11. *Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow

for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin .

. The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do. not .

describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented ii') the UFSAR.

OCONEE UNITS 1, 2, & 3 B3.3.1-18 Rev. 003 I

RPS Instrumentation

. B 3.3.1 BASES APPLICABLE 11. Shutdown Bypass RCS High Pressure (continued)

SAFETY ANALYSES, LCO, and During shutdown bypass operation with the Shutdown Bypass RCS APPLICABILITY High Pressure trip active with a setpoint of ~ 1720 psig and the Nuclear Overpower- Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

1a. Nuclear Overpower - High $etpoint;

3. . RCS High Pressure;

4. RCS Low Pressure;

5. RCS Variable Low Pressure;

7. Reactor Coolant Pump to Power; and

8. Nuclear Overpower Flux/Flow Imbalance.

The Shutdown Bypass RCS High Pressure Function's Allowable Value ,is selected to ensure a trip occurs before producing THERMAL POWER.

General Discussion

. The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 6). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are desig,ned to take the reactor

. subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1a. Nuclear Overpower - High Setpoint;

2. RCS High Outlet Temperature;

3. RCS High Pressure;

4. RCS Low Pressure; .

5. RCS Variable Low Pressure;

6. Reactor Building High Pressure; OCONEE UNITS 1, 2, & 3 B 3.3.1-19 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and 7. Reactor Coolant Pump to Power; and APPLICABILITY

8. Nucle~r Overpower Flux/Flow Imbalance.

Functions 1a, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. .Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip. act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be.

OPERABLE in MODE 1 at ~ 30% RTP. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at~ 2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the.

RPS is not required to be OPERABLE in MOPE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trip*s are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs ..

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1. or the transmitter, instrument loop, signal processing electronics or processor output trip device is found inoperable, the channel must be declared inoperable and Condition A entered immediately.

When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.3.1-20 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES ACTIONS A.1 (continued)

For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in_trip.

Placing the affected Function in trip places only the affected Function in each required channel in a one-out-of-two logic configuration. If the same function in another channel exceeds the setpoint, all channels will trip. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single Channel. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Function in trip. If the individual Function cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip Keyswitch until such time that the Function can be placed in trip. This places all RPS Functions in a one-out-of-two logic configuration.

Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit.must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD ,trip breakers without challenging unit systems.

If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not OCONEE UNITS 1, 2, & 3 B 3.3.1-21 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES ACTIONS D.1 (continued) required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.

If the Required Action and associated Completion Time of Condition A are not met an.d Table 3.3.1-1 directs entry into Condition E, th~ unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must.be reduced< 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems .

.EJ.

if the Required Action ah~d associated Completion Time of Condition A are not n:iet and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced< 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is

reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner witholJt challenging unit systems.

SURVEILLANCE The SRs for each RPS Function ar.e identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function. Mpst Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and* CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the r.eaderto Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred.

OCONEE UNITS 1, 2, & 3 B 3.3.1-22 Rev.003 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.1 (continued)

REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indieated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations

between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are

OPERABLE. If the channels are normally off scale during times when .

surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.

The Sur\teillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

The CHANNEL CHECK requirement is met automatically. The digital

RPS provides continuous on line automatic monitoring of each of the input

signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.

If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

OCONEE UNITS 1, 2, & 3 B 3.3.1-23 Rev.003 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.2 REQUIREMENTS (continued) This SR is the performance of a heat balance calibration for the power range channels when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by~ 2% RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is ~ 15%

RTP and th.at 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are.less.

accurate. -

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by~ 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter *15 (Ref. 2). These

_checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The Surveillance Frequency is based on operating experience, equipment reliability, ~nd plant risk and is controlled under the, Surveillance Frequency Control Program. -

SR 3.3.1.3 A comparison of power range nuclear instrumentation cha.nnels against incore detectors shall be performed when reactor power is ~ 15% RTP. A Note clarifies that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is ~ 2%

RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary.

The Imbalance error calculation is adjusted for conservatism by applying a correlation slope.(CS) value to the error calculation formula. This ensures that the value of the APl 0 is > APl 1* The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared Inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.3.1-24 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.4 REQUIREMENTS (continued) This SR has been deleted.

SR 3.3.1.5 This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact' status to the system and there is no software setpoint to verify.

The Surveillance Frequency is based on operating experience, equipment reliability, arid plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.6 This SR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor *portion of the channel is continuously checked by an automatic cyclic self monitoring.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7.

A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that OCONEE UNITS 1, 2, & 3 B 3.3.1-25 Rev.003 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS measurement errors and processor output trip device setpoint errors are within the assumptions of the uncertainty analysis. Whenever a sensing element is replaced, the CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring functi9n.

The digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed: Signals into the.system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in *combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies

the setpoints are within the Allowable Values.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions" (Reference 7) has been implemented, this SR is modified by two Notes as identified in Table 3.3.1~1. The first

Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave

.in accordance with safety analysis assumptions and the channel

performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. The performance of these channels will be evaluated under the.station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the Nominal Trip Setpoint {NTSP). Where a OCONEE UNITS 1, 2, & 3 B 3.3.1-26 Rev. 003 I

RPS Instrumentation B 3.3.1 BASES SURVEILLANCE SR 3.3.1. 7 (continued)

REQUIREMENTS setpoint. more conservative than the NTSP is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable. The second Note also requires that the NTSP and the methodologies for calculating the as-left and the as-found tolerances be in the Selected Licensee Commitments Manual. '

REFERENCES 1. UFSAR, Chapter 7.

2. UFSAR, Chapter 15.

3. 10 CFR 50.49.

4. EDM-102, "Instrument Setpoint/Uncertainty Calculations."

5. NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

6. 10 CFR 50.36.

7. Technical Specification Task Force, Improved Standard Technical Specifications Change _Traveler, TSTF 493, "Clarify Application of Setpoint Methodology for LSSS Functions," Revision 4.

OCONEE UNITS 1, 2, & 3 B 3.3.1-27 Rev. 003 I

AFIS Instrumentation B 3.3.11 B 3.3 INSTRUMENTATION B 3.3.11 Automatic Feedwater Isolation System (AFIS) Instrumentation BASES BACKGROUND A Main Steam Line Break (MSLB) can lead to containment overpressure, unacceptable thermal stresses to the steam generator tubes, and significant core overcooling. Main and.Emergency Feedwater must be promptly isolated to limit the effects of a MSLB. The AFIS instrumentation is designed to provide automatic termination of feedwater flow to the affected steam generator.* The AFIS instrumentation automatically terminates Main Feedwater (MFW) by tripping both MFVV pumps and closing the affected steam generator's main and startup feedwater control valves and block valves. Although the main and startup feedwater block valves are automatically closed, their closure is not credited for mitigation of a MSLB. The AFIS instrumentation automatically terminates emergency feedwater (EFW) by stopping the turbine-driven emergency feedwater pump (TDEFWP) and tripping the motor-driven emergency feedwater pump (MDEFWP) aligned to the affected steam generator. Manual overrides for the TDEFWP and MDEFWP's are provided to allow the operator to subsequently start the EFW pumps if necessary for decay heat removal.

In addition, AFIS instrumentation provides runout protection for the EFW pumps in the event of a MSLB and certain large break MFW line breaks with the pump in the automatic mode of operation. .

Main Steam header pressure is used as input signals to the AFIS circuitry.

There are four pressure transmitters per steam generator with each feeding a steam pressure signal to an analog isolation module. The output of the analog isolation module provides an analog signal to the trip and trip confirm modules that actuates isolation functions at desired setpoints. One pressure transmitter per steam generator, applicable associated Integrated Control System (ICS) signal isolator(s) and analog isolation module inputs constitute an AFIS analog channel.

The four AFIS analog* channels per steam generatorfeed two redundant digital channels. Each digital channel provides independent circuit functions to isolate each steam generator. If the logic is satisfied, a trip output is energized. The use of an 'energized to trip output' from the trip and trip confirm modules ensures that a loss of power to the digital c~annel will not result in an inadvertent feedwater isolation. If either digital channel is actuated, feedwater is isolated to the affected steam generator.

Energizing the trip outputs results in closure of contacts in various control circuits for systems and components used for the MSLB and feedwater OCONEE UNITS 1, 2, 3 B 3.3.11-1 Rev. 001

AFIS Instrumentation B 3.3.11 BASES BACKGROUND line break mitigation. Therefore, when the trip outputs are actuated, the (continued) systems and components perform their isolation functions. Other features of the digital channels include a test/manual initiation pushbutton and an "enable" or "arming" switch. An AFIS digital channel is defined as two analog isolation modules (AVIM), a trip module and a trip confirm module, the Enable/Disable pushbutton, the associated output relays, the trip relay outputs to the feedwater pumps, the redundant switchgear trips for the MDEFWP, the solenoid valves for the MFCV & SFCV, the trip solenoid valves for the feedwater pumps, and the TDEFWP trip function. The trip module and trip confirm module utilize 2 out of 4 logic. There are two digital channels per steam generator. The trip m'odule and trip confirm module of each digital channel a*re configured in a two out of two logic arrangement. In this configuration, a random failure of one of the modules will not result in a spurious actuation. In addition, a random failure of one of the modules will not preclude a valid AFIS actuation due to the redundant digital channel. While AFIS provides isolation of the feedwater block valves, this is not a credited function and is not a requirement for digital chann~I operability.

The AFIS digital channels are enabled and disabled administratively rather thari automatically. Appropriate operating procedures contain provisions to enable/disable the digital channels.

APPLICABLE Based on the containment pressure response reanalysis, the containment SAFETY ANALYSES design pressure would be exceeded for a MSLB inside containment without immediate operator or automatic action to isolate main feedwater to the affected steam generator.

In addition, prompt operator or automatic action would be required to isolat,e EFW to the affected steam generator to limit the resultant thermal stresses on the steam !;jenerator tuoes following a MSLB.

Main Steam header pressure is used as input signals to the AFIS circuitr}t.

When a MSLB is sensed, or upon manual actuation, main feedwater is terminated by tripping both MFW pumps and closing the affected steam generators main and startup feedwater control valves and block valves.

Although Jhe main and startup feedwater block valves are automatically closed, they are not credited for mitigation of a MSLB. In addition, EFW is terminated by stopping the TDEFWP and tr,ipping the MDEFWP aligned to the affected steam generator. Manual overrides for the TDEFWP and MDEFWP are provided to allow the operator to subsequently start the EFW pumps if necessary for decay heat removal.

The AFIS Instrumentation satisfies Criterion 3 of 10 CFR 50.36 (Ref. 1).

OCONEE UNITS 1, 2, 3 B 3.3.11-2 Rev. 001 I

AFIS Instrumentation B 3.3.11

BASES (continued)

LCO This LCO requires that instrumentation necessary to initiate a MFW and EFW isolation shall be OPERABLE. Failure of any instrument renders the affected analog channel(s) inoperable and reduces the reliability of the Function.

Four analog channels per SG are required to be OPERABLE to ensure that no single failure prevents Feedwater isolation. Each AFIS analog channel includes the sensor, ICS signal isolator and an analog isolation module.

APPLICABILITY The AFIS Function shall be OPERABLE in MODES 1 and 2, and MODE 3 with main steam header pressure ~ 700 psig because the SG inventory can be at a high energy level and contribute significantly to the peak pressure with a secondary side break. Feedwater must be able to be isolated on each SG to limit mass and energy releases to the reactor building. Once the SG pressures have decreased below 700 psig, the AFIS Function can be bypassed to avoid actuation during normal unit cooldowns. In MODES 4, 5, and 6, the energy level is low and the secondary side feedwater flow rate is low or nonexistent. In MODES 4, 5, and 6, the primary system temperatures are too low to allow the SGs to effectively remove energy and AFIS instrumen~ation is not required to be OPERABLE. .

ACTIONS If a channel's trip setpoint is found nonconservative with respect to the Allowable Value, or any of the transmitter or signal processing electronics, are found inoperable, then the Function provided by that channel must be declared inoperable and the unit must enter the appropriate Conditions.

A Note has been added to the ACTIONS indicating that a separate Condition entry is allowed for analog channels associated _ with each SG.

Condition A applies to failures of a single AFIS analog channel. With one channel inoperable or tripped, the channel(s) must be placed in bypass within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Bypassing the affected channel places the Function in a two-out-of-three configuration. Operation in this configuration may continue indefinitely since the AFIS Function is capable of performing its isolation function in the presence of any single random failure. The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is adequate to perform Required Action A.1.

OCONEE UNITS 1, 2, 3 B 3.3.11-3 Rev. 001 I

AFIS Instrumentation B 3.3.11 BASES ACTIONS (continued)

With two channels inoperable or if the Required Action and associated Completion Time of Condition A can not be met, the channel(s) must be returned to service within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . An inoperable channel includes any channel bypassed by Condition A.

C.1 and C.2 With the Required Action and associated Completion Time of Condition B not met, the unit must be placed in MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and main steam header pressure must be reduced to less than 700 psig within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.3.11.1 REQUIREMENTS Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.* Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL FUNCTIONAL TEST and CHANNEL CALIBRATION.

Agreement criteria are based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria; it is an indication that the channels are OPERABLE. If the channels are normally off scale* during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified, where practical, to be reading at the bottom of the range and not. failed downscale.

A continuous, automatic CHANNEL CHECK function is provided by Software. If a channel is outside the criteria, then an alarm is provided to the control room. Manual performance of the CHANNEL CHECK is acceptable.

OCONEE UNITS 1, 2, 3 B 3.3.11-4 Rev. 001 I

AFIS Instrumentation B3.3.11 BASES SURVEILLANCE SR 3.3.11.1 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal, but potentially more frequent, checks of channel OPERABILITY during normal operational use of the displays associated with the LCO required channels.

SR 3.3.11.2 A CHANNEL FUNCTIONAL TEST ii:; performed by comparing the test input signal to the value transmitted to the Calibration and Test Computer.

This enables verification of the voltage references and the signal commons. This will ensure the channel will perform its intended function.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.11.3 CHANNEL CALIBRATION is a complete check of the instrument channel including the sensor. The test verifies the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channels adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50.36.

OCONEE UNITS 1, 2, 3 B 3.3.11-5 Rev.001 I

EFW Pump Initiation Circuitry

. B 3.3.14 B 3.3 INSTRUMENTATION B 3.3.14 Emergency Feedwater (EFW) Pump Initiation Circuitry BASES BACKGROUND EFW pump initiation circuitry is designed to provide safety grade means of controlling the secondary system as a heat sink for core decay heat removal. To ensure the secondary system remains a heat sink, the EFW pump initiation circuitry takes action to initiate EFW when the primary source of feedwater is lost. These actions ensure that a source of cooling water is available to be supplied to a steam generator (SG), thereby establishing the heat sink temperature at the saturation temperature of the secondary system.

EFW is initiated to restore a source of cooling water to the secondary system when conditions indicate that the normal source of feedwater is not available. Loss of both main feedwater (MFW) pumps was chosen as an EFW automatic initiating parameter because it is a direct and immediate indicator of loss of MFW.

Each EFW pump has two loss of main feedwater (LOMF) pump instrumentation channels. Each EFW pump LOMF pump instrumentation channel consists of a pressure switch monitoring a MFW pump turbine hydraulic oil pressure header. There are separate pressure switches fbr each EFW pump and each LOMF instrumentation channel, three monitoring MFW pump turbine "A" hydraulic oil pressu~e and three monitoring MFW pump turbine "B" hydraulic oil pressure.

Each EFW pump has an automatic initiation circuit. An EFW pump automatic initiation circuit consists of two LOMF instrumentation channels and the subsequent relays and switches that provide the logic ties to the EFW pump start contactor I solenoid. An EFW pump initiation signal is generated when loss of both MFW pumps, indicated by low hydraulic oil pressure on both headers, satisfies the two-out-of-two logic to automatically initiate the EFW pump.

Each EFW pump also has a*dedicated. manual initiation circuit. A manual initiation circuit consists of those relays and switches that provide logic ties to the EFW pump start contactor I solenoid.

Resetting a MFW pump provides normal hydraulic oil pressure to the LOMF instrumentation channel pressure switches associated with that pump. The LOMF instrumentation channel would then provide a signal of not tripped to the EFW pump initiation circuits even though the MFW pump is not providing feedwater to the steam generators. Therefore, OCONEE UNITS 1, 2, & 3 B 3.3.14-1 Rev. 001 I

EFW Pump Initiation Circuitry B 3.3.14 BASES BACKGROUND administrative controls are in place to trip the LOMF instrumentation (continued) channels for a MFW pump prior to resetting the pump. Placing an LOMF channel in trip consists of isolating the LOMF instrument channel pressure switches such that they no longer provide a reset signal.

EFW is also initiated by .a low level in the SG (after a 30 second delay to prevent spurious actuation) for SG dryout protection. EFW initiation for SG dryoutprotection is not required by this Specification. Finally, EFW is also initiated by a loss of both MFW pumps as indicated by low hydraulic oil pressure as part of the ATWS Mitigation Circuitry (AMSAC), which is a system provided to comply with the requirements to reduce risk from an anticipated transient without scram (ATWS). EFW initiation for ATWS mitigation is not required by this Specification.

Each motor driven EFW pump is normally controlled by a four-position, OFF-AUT01-AUT02-RUN, control switch located in the control room. The pump can be manually started by turning the control switch to the RUN position. In the AUT01 mode, each motor-driven EFW pump starts automatically after a sustained low water level in either steam generator for greater than 30 seconds .. In the AUT02 Mode, each pump starts automatically on loss of both MFW pumps (or on low steam generator level or ATWS initiation).

The turbine-driven EFW pump is started by opening valve MS-93 which admits steam to the pump turbine. A four-position, RUN-AUTO-OFF-PULL TO LOCK, control switch is provided to control operation of MS-93. The

~witch is maintained in the AUTO position. In the AUTO mode, MS-93

opens on loss of both MFW pumps (or ATWS initiation). When the switch is in the RUN position, MS-93 is opened.

APPLICABLE The transient which forms the basis for initiation of the EFW systems is

SAFETY ANALYSES a loss of MFW transient (Ref. 1). In the analysis of the transient, MFW pump turbine low hydraulic oil pressure is the parameter assumed to automatically initiate EFW.

The EFW pump initiation circuitry satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO Two loss of main feedwater (LOMF) pump instrumentation channels, an automatic initiation circuit, and a manual initiation circuit are required OPERABLE for each EFW pump. The LCO is modified by a Note that limits the OPERABILITY required for the automatic initiation circuitry to MODES 1 and 2.

OCONEE UNITS 1, 2, & 3 B 3.3.14-2 Rev. 001 I

EFW Pump Initiation Circuitry B 3.3.14 BASES APPLICABILITY The initiation circuitry for EFW pumps shall be OPERABLE in MODES 1, 2 and 3 and in MODE 4 when the steam generator is relied upon for heat removal. In MODE 4 when the steam generator is not relied upon for heat removal, and MODES 5, and 6, the primary system temperatures are too low to allow the SGs to effectively remove energy and EFW Pump initiation instrumentation is not required to be OPERABLE.

ACTIONS The ACTIONS are modified by a Note indicating that this Specification may be entered independently for each EFW pump initiation circuit. The Completion Time(s) of the inoperable channels for each EFW automatic initiation circuit are tracked separately for each circuit starting from the time the Condition is entered for that circuit.

With one or more required EFW pump initiation circuits with one LOMF channel inoperable, the channel(s) must be placed in trip within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

With the channel in trip, the resultant logic is one-out-of"'.one. This channel may be considered placed in trip, after tripping, by installing jumpers or by other means that assure the channel remains in the trippe9 condition.

With one or more EFW pump initiation circuits inoperable or the Required Action and associated Completion Time of Condition A not met, the affected EFW pump(s) must be declared inoperabl~ immediately since th~

initiation function is no longer capable of performing its safety function.

SURVEILLANCE SR 3.3.14.1 REQUIREMENTS This SR requires the performance of a CHANNEL FUNCTIONALTEST to ensure the LOMF pump instrumentation channels can perform their intended function.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.3.14-3 Rev. 001 I

EFW Pump Initiation Circuitry B 3.3.14 BASES SURVEILLANCE SR 3.3.14.2 REQUIREMENTS (continued) This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the manual initiation circuit. This test verifies that the initiating circuitry is OPERABLE and will actuate the emergency feedwater pumps by either starting a motor driven emergency feedwater pump or opening the steam isolation valve that isolates the supply of steam to the drive for the turbine driven emergency feedwater pump.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.14.3 This SR requires the performance of a CHANNEL FUNCTIONAL TEST of the automatic initiation circuit. This test verifies that the two-out-of-tWo logic circuit is functional. This test simulates the required inputs to the logic circuit and verifies successful operation of the automatic initiation circuit.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.14.4 CHANNEL CALIBRATION is a complete check of the instrument ch,annel including the sensor. The test verifies the channel responds to a measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channels adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that mea~;urement errors and setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapters 7 and 15.

2. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.3.14-4 Rev. 001 I

RCS PIT Limits B 3.4.3 B 3.4 REACTOR COOLANT SYSTEM (RC?)

B 3.4.3 RCS Pressure and Temperature (PIT) Limits BASES BACKGROUND All components of the RCS are designed to withstand effects of cyclic loads due to system pressure and temperature changes. These loads are.

introduced by startup (heatup) and shutdown (cooldown) operations, power transients, and reactor trips. This LCO limits the pressure and temperature

changes during RCS heatup and cooldown, within the design assumptions and the stress.limits for cyclic operation.

Figures 3.4.3-1 through 3.4.3-9 contain PIT limit curves for heatup, cooldown, and leak and hydrostatic (LH) testing. Tables 3.4.3-1 and 3.4.3 2 contain data for the maximum rate of change of reactor coolant temperature. The minimum temperature indicated in the PIT limit curves and tables of 60°F is the lowest unirradiated nil ductility reference temperature (RT NDT) of all materials in the reactor vessel. This temperature (60°F) is the minimum allowable reactor pressure vessel temperature if any head closure stud is not fully detensioned. There is no minimum allowable temperature limit for the

reactor vessel if all of the studs are fully deterisioned.

Figures 3.4.3-1, 3.4.3-2, 3.4.3-4, 3.4.3-5, 3.4.3-7 and 3.4.3..:a define an acceptable region for normal operation. The usual use of the curves is .

operational guidance during heatup or cooldown maneuvering, when pressure and temperature indications are monitored and compared to the applicable curve to determine ttiat operation is within the allowable region.

The LCO establishes operating limits that provide a margin to brittle failure of

the reactor vessel and piping of the reactor coolant pressure boundary (RCPB). The vessel is the component most subject to brittle failure, and the LCO limits apply mainly to the vessel. The limits do not apply to. the pressurizer, which has different design characteristics and operating functions.

10 CFR 50, Appendix G (Ref. 1), requires the establishment of PIT limits for

material fracture toughness requirements of the RCPB materials.

Reference 1.requires an adequate margin to brittle failure during normal operation, anticipated operational occurrences, and system hydrostatic tests.

It mandates the use of the American Society of Mechanical Engineers (ASME), Boiler and Pressure Vessel Code, Section Ill, Appendix G (Ref. 2).

Linear elastic fracture mechanics (LEFM) methodology is used to determine the stresses and material toughness at locations within the RCPB. The LEFM methodology follows the guidance given by 10 CFR 50, Appendix G; ASME Code, Section Ill, Appendix G; and Regulatory Guide 1.99 (Ref. 3).

OCONEE UNITS 1, 2, & 3 B 3.4.3-1 Rev. 001

RCS PIT Limits B 3.4.3 BASES BACKGROUND Material toughness properties of the ferritic materials of the reactor (continued) vessel are determined in accordance with ASTM E 185 (Ref. 4 ), and additional reactor vessel requirements. These properties are then evaluated in accordance with Reference 2.

The actual shift in the nil ductility reference temperature {RT NDT) of the vessel material will be established periodically by evaluating the irradiated reactor vessel material specimens, in accordance with ASTM E 185 (Ref. 4) and Appendix H of 10 CFR 50 (Ref. 5). The operating PIT limit curves will be adjusted, as necessary, based.on the evaluation findings and the recommendations of Reference 2.

The PIT limit curves are composite curves established by superimposing limits derived from stress analyses of those portions of the reactor vessel and head that are the most restrictive. At any specific pressure, temperature, and temperature rate of change, on(3 location within the reactor vessel will dictate the most restrictive limit. Across the span of the PIT limit curves, different locations are more restrictive,.and, thus, the curves are composites of the most restrictive regions.

The heatup curve represents a different set of restrictions than tre cooldown cl.frve because the dir(3ctiqns of the thermal gradients through the vessel wall are reversed*. The thermal*gradient reversal alters the location of the tensile stress t;>etween the outer arid inner. walls.

The calculation to generate the LH testing curve uses different safety factors (per Ref. 2) than the heatup and cooldown curves.

The PIT limit curves *and associated temperature rate of change limits are developed in conjunction with stress analyses for large numbers of operating cycles and provide conservative margins to nonductile failure.

Although created to provide limits for these specific normal operations, the curves also can be used to determine if an evaluation is necessary for an abnormal transient.

As stated in the tables associated with this LCO, reactor coolant (RC) temperature is cold leg temperature if one or more RC pumps are in operation; otherwise, it is the LPI cooler outl.et temperature. An analysis examined the effects of initiating flow through a previously idle LPI train (i.e. either placing a train of LPI in operation or swapping from one train to

the other) when none of the RC pumps are operating. The analysis assumed the initial temperature of the fluid entering the vessel to be the lowest expected temperature in an idle LPI cooler. As RC fluid is pumped through the system and returns to the reactor vessel, the temperature increases to a "stable" value. The duration of the temperature excursion is dependenfon LPI flow and volume of th_e piping system. This analysis has determined that the brief temperature excursion caused by the fluid initially in the idl.e LPI train can be accommodated if, at the time the LPI header is put in service, the RCS pressure is less than 295 psig (Instrument Uncertainty Adjusted). This value is less limiting than the OCONEE UNITS 1, 2, & 3 B 3.4.3-2 Rev. 001 I

RCS PIT Limits B 3.4.3 BASES BACKGROUND LPI initiation pressure limit imposed by procedures to protect the LPI (continued) system from overpressure. The brief temperature excursion does not place the reactor ves$el outside of the bounds of the stress analyses.

The criticality limit curve includes the Reference 1 requirement that it be 40°F above the heatup curve or the cooldown curve, and not less than the minimum permissible temperature for LH testing. However, the criticality curve is not operationally limiting; a more restrictive limit exists in LCO 3.4.2, "RCS Minimum Temperature for Criticality."

The consequence of violating the LCO limits is that the RCS has been operated under conditions that can result in brittle failure of the RCPB, possibly leading to a nonisolable leak or loss of coolant accident. In the event these limits are exceeded, an evaluation must be performed to determine the effect on the structural integrity of the RCPB components.

The ASME Code,Section XI, Appendix E (Ref. 6) provides a .

recommended methodology for evaluating an operating event that causes an excursion outside the limits.

APPLICABLE The PIT limits are not derived from accident analyses. They are SAFETY ANALYSES prescribed during normal operation to avoid encountering pressure, temperature, and temperature rate of change conditions that might cause undetected flaws to propagate and cause nonductile failure of the RCPB, an unanalyzed condition. Reference 1 establishes the methodology for determining the PIT limits. Since the PIT limits are not derived from any accident analysis, there are no acceptance limits related to the PIT limits.

Rather, the PIT limits are acceptance limits themselves since they preclude operation in an unanalyzed condition.

RCS PIT limits satisfy Criterion 2 of 10 CFR 50.36 (Ref. 7).

LCO the three elements of this LCO are:

a. The limit curves for heatup and cooldown,

b. Limits on the rate of change of temperature, and

c. Allowable RC pump combinations.

The LCO is modified by three Notes. Note 1 states that for leak tests of the RCS and leak tests of connected systems where RCS pressure and temperature are controlling, the RCS may be pressurized to the limits of the specified figures. Note 2 states that for thermal steady state hydro tests required by ASME Section XI RCS may be pressurized to the limits Specification 2.1.2 and the specified figures. The limits on the rate of change of reactor coolant temperature RCS PIT Limits are the same ones OCONEE UNITS 1, 2, & 3 B 3.4.3-3 Rev. 001 I

RCS PIT Limits B 3.4.3 BASES LCO used for normal heatup and cooldown operations. Note 3 states the RCS (continued) PIT limits are not applicable to the pressurizer.

The LCO limits apply to all components of the RCS, except the

pressurizer. These limits define allowable operating regions and permit a large number of operating cycles while providing a wide margin to nonductile failure.

Table 3.4.3-1 includes temperature rate of change limits with allowable pump combinations for RCS heatup while Table 3.4.3-2 includes temperature rate of change limits with allowable pump combinations for RCS cooldown. The breakpoints between temperature rate of change limits in these two tables are selected to limit reactor vessel thermal gradients to acceptable limits. The breakpoint between allowable pump combinations was selected based on operational requirements and are used to determine the change of RCS pressure asso.ciated*with the change in number of operating reactor coolant pumps.

The limits for the rate of change of temperature control the thermal gradient through the vessel wall and are used as inputs for calculating the heatup, cooldown, and LH PIT limit curves. Thus, the LCO for the rate of change of temperature restricts stresses caused by thermal gradients and also ensures the validity of the PIT limit curves.

The limits on allowable RC pump combinations controls the pressure differential between the vessel wall and the pressure measurement point and are used as inputs for calculating the heatup, cooldown and LH PIT limit curves. Thus, the LCO for the allowable RC pump combinations restricts the pressure at the vessel wall and ensures the validity of the PIT limit curves. *

Heatup and Cooldown Rate limits are specified in TS Table 3.4.3-1 "Operational Requirements for l.Jnit Heatup" and TS Table 3.4.3-2 "Operational Requirements fo*r Unit Cooldown." These limits are specified as a change in temperature for "any" time period .. As such, the Heatup or Cooldown period is a rolling period and is required to be considered at any point in time, i.e., the beginning, middle, or end of the period under evaluation. This action is required to ensure the heatup or cooldown rate limit meets design limits.

The LPI cooler outlet temperature during the brief period of stabilization does not need to be considered when determining heatup or cooldown rates or RCS PIT conditions when an LPI train is placed in operation with no operating RCPs. The period of stabilization is the time required to fully .

displace the stagnant fluid in the idle LPI train. The time required for LCO stabilization is a function of LPI flow rate. Operating procedures control both placing a train of LPI in service and swapping trains of LPI to limit the duration of the temperature transient to a value that has been shown to be acceptable.

OCONEE UNITS 1, 2, & 3 B 3.4.3-4 Rev. 001 I

RCS PIT Limits B 3.4.3 BASES LCO Similarly, when starting the first Reactor Coolant Pump (RCP) during (continued) heatup from MODE 5 conditions, for a brief stabilization period, the RCS cold leg temperature (Tc) does not need to be considered when determining heatup rate. The period of stabilization is the time required to fully displace the stagnant fluid in the idle steam generators (idle loop via backflow). Once stabilized, the Tc in the loop with the. operating RCP shall be used for determining subsequent heatup rates.

Violating the LCO limits places the reactor vessel outside of the bounds of the stress analyses and can increase stresses in other RCPB components. The consequences depend on several factors, as follows:

a. The severity of the departure from the allowable operating PIT regime or the severity of the rate of change of temperature;

b. The length of time the limits were violated (longer violations allow the temperature gradient in the thick vessel walls to become more pronounced); and

c. The existences, sizes, and orientations of flaws in the vessel material.

I APPLICABILITY The RCS PIT limits Specification provides a definition of acceptable operation for prevention of nonductile failure in accordance with 10 CFR 50, Appendix G (Ref. 1). Although the PIT limits were developed to provide guidance for operation during heatup or cooldown (MODES 3, 4, and 5) or LH testing, their app.licability is at all times in keeping with the concern for nonductile failure. The limits do not apply to the pressurizer.

During MODES 1 and 2, other Technical Specifications provide limits for operation that can be more restrictive than or can supplement these PIT limits. LCO 3.4.1, "RCS Pressure, Temperature, and Flow Departure from Nucleate Boiling (DNB) Limits"; LCO 3.4.2, "RCS Minimum Temperature for Criticality"; and Safety Limit (SL) 2.1, "Sls," also provide operational restrictions for pressure and temperature and maximum pressure.

MODES 1 and 2 are above the temperature range of concern for nonductile failure, and stress analyses have been performed for normal maneuvering profiles, such as power ascension or descent.

ACTIONS A.1 and A.2 Operation outside the PIT limits during MODE 1, 2, 3, or 4 must be corrected so that the RCPB is returned to a condition that has been verified by stress analyses.

The 30 minute Completion Time reflects the urgency of restoring the parameters to within the analyzed range. Most violations will not be OCONEE UNITS 1, 2, & 3 B 3.4.3-5 Rev. 001 I

RCS PIT Limits B 3.4.3 BASES ACTIONS A.1 and A.2 (continued) severe, and the activity can be accomplished in this time in a controlled manner.

Besides restoring operation to within limits, an evaluation is required to determine if RCS operation can continue. The evaluation must verify the RCPB integrity remains acceptable and must be completed before continuing operation. Several methods may be used, including comparison with pre-analyzed transients in the stress analyses, new analyses, or inspection of the components. The evaluation must be completed, documented, and approved in accordance with established plant procedures and administrative: controls ..

ASME Code,Section XI, Appendix E (Ref. 6) may be used to support the evaluation. However, its use is restricted to evaluation of the vessel beltline. The evaluation must extend to all components of the RCPB.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable to accomplish the evaluation.

The evaluation for a mild violation is possible within this time, but more severe violations may require special, event specific stress analyses or inspections, A favorable evaluation must be completed before continuing to operate.

Condition A is modified by a Note requiring Required Action A.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effects of the excursion outside the allowable limits. Restoration alone per Required Action A.1 is insufficient because higher than analyzed stresses may have occurred and may have affected the RCPB integrity.

B.1 and B.2 If a Required Action and associated Completion Time of Condition A are not met, the unit must be brought to a lower MODE because: (a) the RCS remained in an unacceptable pressure and temperature region for an extended period of increased stress, or (b) a sufficiently severe event caused entry into an unacceptable region. Either possibility indicates a need for more careful examination of the event, best accomplished with the RCS at reduced pressure and temperature. With reduced pressure and temperature conditions, the possibility of propagation of undetected flaws is decreased.

If the required restoration activity cannot be accomplished within 30 minutes, Required Action B.1 and Required Action B.2 must be implemented to reduce pressure and temperature*.

If the required evaluation for continued operation cannot be accomplished within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , or the results are indeterminate or unfavorable, action OCONEE UNITS 1, 2, & 3 B 3.4.3-6 Rev. 001 I

RCS PIT Limits B 3.4.3 BASES ACTIONS 8.1 and B.2 (continued) must proceed to reduce pressure and temperature as specified in Required Actions B.1 and 8.2. A favorable evaluation must be completed and documented before returning to operating pressure and temperature conditions. However, if the favorable evaluation is accomplished while reducing pressure and temperature conditions, a return to power operation may be considered without completing Required Action 8.2.

Pressure and temperature are reduced by bringing the unit to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36.hours. The allowed Completion Times are reasonable, based on operating experience, to reach the*

required MODE from full power conditions in an orderly manner and without challenging unit systems.

C.1 and C.2 Actions must be initiated immediately to correct operation outside of the PIT limits at times other than MODE 1, 2, 3, or 4, so that the RCPB is returned to a condition that has been verified acceptable by stress analysis. *

The immediate Completion Time reflects the urgency of initiating' action to restore the parameters to within the analyzed range. Most violations will not be severe, and the activity can be accomplished within this time in a controlled manne(

In addition to restoring operation to within limits, an evaluation is requireq to determine if RCS operation can. continue. The evaluation must verify

that the RCPB integrity remains acceptable and must be completed prior to entry into MODE 4. Several methods may be used, including comparison with pre-analyzed transients in the stress analysis, or inspection of the components.

ASME Code,Section XI, Appendix E (Ref. 6), may also be used to support the evaluation. However, its use is restricted to evaluation of the v~ssel beltline.

Condition C is modified by a Note requiring Required Action C.2 to be completed whenever the Condition is entered. The Note emphasizes the need to perform the evaluation of the effec;;ts of the excursion outside the allowable limits. Restoration alone, per Required Action C.1, is insufficient because higher than analyzed stresses may have occurred and may have affected RCPB integrity.

OCONEE UNITS 1, 2, & 3 B 3.4.3-7 Rev. 001 I

RCS PIT Limits B 3.4.3 BASES SURVEILLANCE SR 3.4.3.1 REQUIREMENTS Verification that operation is within limits is required when RCS pressure or temperature conditions are undergoing planned changes.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Surveillance for heatup, cooldown, or LH testing may be discontinued when the definition given in the relevant plant procedure for ending the actfvity is satisfied.

This SR is modified by a Note that requires this SR to be performed only

.during system heatup, cooldown, and LH testing:

REFERENCES 1. 10 CFR 50, Appendix G.

2. ASME, Boiler and Pressure Vessel Code, Section Ill, Appendix G.'

3. Regulatory Guide 1.99, Revision 2, May 1988.

4. ASTM E 185-82, July 1982.

5. 10 CFR 50, Appendix H;

6. ASME, Boiler and Pressure Vessel C:::ode,Section XI, Appendix E.

7. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.4.3-8 Rev. 001 I

RCS Operational LEAKAGE B 3.4.13 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.13 RCS Operational LEAKAGE BASES BACKGROUND Components that contain or transport the coolant to or from the reactor core make up the RCS. Component joints are made by welding, bolting, rolling, or pressure loading, and valves isolate connecting systems from the RCS.

During unit life, the joint and valve interfaces can produce varying amounts of reactor coolant LEAKAGE, through either normal operational wear or mechanical deterioration. The purpose of the RCS Operational LEAKAGE LCO is to limit system operation in the presence of LEAKAGE from these sources to amounts that do not compromise safety. This LCO specifies the types and amounts of LEAKAGE.

The safety significance of RCS LEAKAGE varies widely depending on its source, rate, and duration. Therefore, detecting and monitoring reactor coolant LEAKAGE into the containment area is necessaf"Y (Ref. 1).

Separating the identified LEAKAGE from the unidentified LEAKAGE is necessary to provide quantitative information to the operators, allowing them to take corrective action should a leak occur detrimental to the safety of the facility and the public.

This LCO deals with protection of the reactor coolant pressure boundary (RCPB) from degradation and the core from inadequate cooling, in addition to preventing the accident analysis radiation release assumptions from being exceeded. The consequences of violating this LCO include the possibility of a loss of coolant accident (LOCA). However, the ability to monitor leakage provides advance warning to permit unit shutdown before a LOCA occurs. This advantage has been shown by "leak before break" studies.

APPLICABLE Except for primary to secondary LEAKAGE, the safety analyses SAFETY ANALYSES do not address operational LEAKAGE (Ref. 2). However, other operational LEAKAGE is related to the safety analyses for LOCA; the amount of leakage can affect the probability of such an event. The steam line break (SLB) analysis assumes total primary to secondary LEAKAGE of 150 gallons per day per SG as the initial condition.

OCONEE UNITS 1, 2, & 3 B 3.4.13-1 Rev. 001 I

RCS Operational LEAKAGE B 3.4.13 BASES APPLICABLE Primary to secondary LEAKAGE is a factor in the dose releases outside SAFETY ANALYSES containment resulting from a SLB accident. To a lesser extent, other (continued) accidents or transients involve secondary steam release to the atmosphere, such as a steam generator tube rupture (SGTR). The leakage contaminates the secondary fluid and can be released to the environment.

The LCO requirement to limit primary to secondary LEAKAGE through any one SG to less than or equal to 150 gallons per day is less than the conditions assumed in the safety analyses. The dose consequences resulting from the SLB accident are within the limits defined in 10 CFR 100.

RCS operational LEAKAGE satisfies Criterion 2of10 CFR 50.36 (Ref.3).

LCO RCS LEAKAGE includes leakage from connected systems up to and including the second normally closed valve for systems which do not penetrate containment and the outermost isolation valve for systems which penetrate containment. Loss of reactor coolant through reactor coolant pump seals and system valves to connecting systems which vent to the gas vent header and from which coolant can be returned to the RCS s~all not be considered as RCS LEAKAGE.

RCS operational LEAKAGE shall be limited to:

.a. Pressure Boundary LEAKAGE No pressure boundary LEAKAGE is allowed, being indicative of material deterioration. LEAKAGE of this type is unacceptable as the leak itself could cause further deterioration, resulting in higher

LEAKAGE. Violation of this LCO could result in continued degradation of the RCPB. LEAKAGE past seals, gaskets, and steam generator tubes* is not pressure boundary LEAKAGE.

b. Unidentified LEAKAGE One gallon per minute (gpm) of unidentified LEAKAGE is allowed as a reasonable minimum detectable amount that the containment air monitoring and containment sump level monitoring equipment can detect within a reasonable time period. Violation of this LCO could result in continued degradation of the RCPB, if the LEAKAGE is from the pressure boundary.

OCONEE UNITS 1, 2, & 3 B 3.4.13-2 Rev. 001 1*

RCS Operational LEAKAGE B 3.4.13 BASES LCO c. Identified LEAKAGE (continued)

Up to 1O gpm of identified LEAKAGE is considered allowable because LEAKAGE is from known sources that do not interfere with detection of unidentified LEAKAGE and is well within the capability of the RCS makeup system. Identified LEAKAGE includes LEAKAGE to the containment from specifically known and located sources, but does not include pressure boundary LEAKAGE or controlled reactor coolant pump (RCP) seal leakoff (a normal function not considered LEAKAGE). Violation of this LCO could result in continued degradation of a component or system.

d. Primary to Secondary LEAKAGE Through Any One SG

The limit of 150 gallons per day per SG is based on the operational LEAKAGE performance criterion in NEI 97-06, Steam Generator Program Guidelines (Ref. 4 ). The Steam Generator Program operational LEAKAGE performance criterion in NEI 97-06 states, "The RCS operational primary to secondary leakage through any one SG shall be limited to 150 gallons per day." The limit is based on operating experience with SG tube degradation mechanisms that result in tube leakage. The operational leakage rate criterion in conjunction with the implementation of the Steam Generator Program is an effective measure for minimizing the frequency of steam generator tube ruptures.

APPLICABILITY In MODES 1, 2, 3, and 4, the potential for RCPB LEAKAGE is greatest when the RCS is pressurized.

In MODES 5 and 6, LEAKAGE limits are not required because the reactor coolant pressure is far lower, resulting in lower stresses and reduced potentials for LEAKAGE.

LCO 3.4.14, "RCS Pressure Isolation Valve (PIV) Leakage," measures leakage through each individual PIV and can impact this LCO. Of the two PIVs in series in each isolated line, leakage measured through one PIV does not result in RCS LEAKAGE when the other is leaktight. If both

. valves leak and result in a loss of mass from the RCS, the loss must be.

included in the allowable identified LEAKAGE.

OCONEE UNITS 1, 2, & 3 B 3.4.13-3 Rev. 001 I

RCS Operational LEAKAGE B 3.4.13 BASES (continued)

ACTIONS If unidentified LEAKAGE or identified LEAKAGE are in excess of the LCO limits, the LEAKAGE must be reduced to within limits within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . This Completion Time allows time to verify leakage rates and either identify unidentified LEAKAGE or reduce LEAKAGE to within limits before the reactor must be shut down. This action is necessary to prevent further deterioration of the RCPB.

B.1 and B.2 If any pressure boundary LEAKAGE exists, or primary to secondary LEAKAGE is not within limit, or identified LEAKAGE cannot be. reduced to within limit$ within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , the reactor must be brought to lower pressure conditions to reduce the severity of the LEAKAGE and its potential consequences. The reactor must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . This action reduces the LEAKAGE and also reduces the factors that tend to degrade the pressure boundary.

The Completion Times allowed are reasonable, based on operating experience, to reach the required conditions from full power conditions in an orderly manner and without challenging unit systems. In MODE 5, the pressure stresses acting on the RCPB are much lower and further deterioration is much less likely.

SURVEILLANCE SR 3.4.13.1 REQUIREMENTS Evaluation of RCS LEAKAGE ensures identified and unidentified leakage is maintained within the associated LCO limits and ensures that the integrity of the RCPB is maintained. Identified and unidentified LEAKAGE is determined by performance of an RCS water inventory balance. This method provides the required leakage detection sensitivity to ensure leakage is within limits.

The RCS water inventory balance must be performed with the reactor at steady state operating conditions and near operating pressure. The surveillance is modified by two Notes. Note 1 states that this SR is not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishmen.t of steady state operation. This 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowance provides sufficient time to collect and process all necessary data after stable plant conditions are established.

OCONEE UNITS 1, 2, & 3 B 3.4.13-4 Rev. 001 I

RCS Operational LEAKAGE B 3.4.13 BASES SURVEILLANCE SR 3.4.13.1 (continued)

REQUIREMENTS Steady state operation is required to perform a proper water inventory balance since calculations during maneuvering are not useful. For RCS operational LEAKAGE determination by water inventory balance, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup ar:id letdown, and RCP pump seal injection and return flows.

An early warning of LEAKAGE is provided by the automatic systems that monitor the containment atmosphere radioactivity and the' containment sump level.

These leakage detection systems are specified in LCO 3.4.15, "RCS Leakage Detection Instrumentation."

Note 2 states that this SR is not applicable to primary to secondary LEAKAGE because LEAKAGE of 150 gallons per day cannot be measured accurately by an RCS water inventory balance.

The Surveillance Frequency is based on operating experienc(3, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.4.13.2 This SR verifies that primary to secondary LEAKAGE is less than or equal to 150 gallons per day through any one SG. Satisfying the primary to

secondary LEAKAGE limit ensures that the operational LEAKAGE performance criterion in the Steam Generator Program is met. If this SR is not met, compliance with this LCO, as well as LCO 3.4.16, "Steam Generator Tube Integrity," should be evaluated. The 150 gallons per day limit is measured at room temperature as described in Ref. 5. The operational LEAKAGE rate limit applies to LEAKAGE through any one SG.

If it is not practical to assign the LEAKAGE to an individual SG, all the primary to secondary LEAKAGE should be conservatively assumed to be from one SG.

The Surveiilance is modified by a Note which states that the Surveillance is not required to be performed* until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after establishment of steady state operation. For RCS primary to secondary LEAKAGE determination, steady state is defined as stable RCS pressure, temperature, power level, pressurizer and makeup tank levels, makeup and letdown, and RCP seal injection and return flows.

OCONEE UNITS 1, 2, & 3 B 3.4.13-5 Rev. 001 I

RCS Operational LEAKAGE B 3.4.13 BASES SURVEILLANCE SR 3.4.13.2 (continued)

REQUIREMENTS The SurVeillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.' The primary to secondary LEAKAGE is d~termined using continuous process radiation monitors or radiochemical grab sampling in accordance with the EPR.I guidelines (Ref.

5).

REFERENCES 1. UFSAR, Section 3.1.

2. UFSAR, Chapter *15.

3. 10 CFR 50.36.

4. NEI 97-06, "Steam Generator Program Guidelines."

5. EPRI, ."Pressurized Water Reactor Primary-to-Secondary Leak Guidelines."

OCONEE UNITS 1, 2, & 3 B 3.4.13-6 Rev.001 I

LPI B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.3 Low Pressure Injection (LPI)

BASES BACKGROUND The function of the ECCS is to provide core cooling to ensure that the

reactor core is protected after any of the following accidents:

a. Loss of coolant accident (LOCA);

b. Rod ejection accident (REA);

c. Steam generator tube rupture (SGTR); and

d. Main steam line break (MSLB).

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs or Core Flood Tank (CFT) lines to the reactor vessel. After the borated water storage tank (BWST) has been depleted, the recirculation phase is entered.as the suction is transferred to the reactor building sump.

Two redundant low pressure injection (LPI) trains are provided. The LPI trains consist of piping, valves, instruments, controls, heat exchangers, and pumps, such that water from the borated water storage tank (BWST) can be injected into the Reactor Coolant System (RCS). In MODES 1, 2 and 3, both trains of LPI must be OPERABLE. This ensures that 100% of the core cooling requirements can be provided even in the event of a single active failure. The LPI discharge header manual crossover valves inside containment must be maintained administratively open in MODE .1. 2, and 3 to assure abundant, long term cooling. Only one LPI train is required for MODE4.

A suction header supplies water from the BWST or the reactor building sump to the LPI pumps. LPI discharges into each of the two core flood nozzles on the reactor vessel that discharge into the vessel downcomer area.

OCONEE UNITS 1, 2, & 3 B 3.5.3-1 Rev. 002

LPI B 3.5.3 BASES BACKGROUND The LPI pumps are capable of discharging to the RCS at an RCS pressure (continued) of approximately 200 psia. When the BWST has been nearly emptied, the suction for the LPI pumps is manually transferred to the reactor building sump.

In the long term cooling period, flow paths in the LPI System are

established to preclude the possibility of boric acid in the core region reaching an unacceptably high concentration. Two gravity flow paths are available by means of a drain line from the hot leg to the Reactor Building sump which draws coolant from the top of the core, thereby inducing core circulation. The system is designed with redundant drain lines.

During a large break LOCA, RCS pressure will rapidly decrease. The LPI System is actuated upon receipt of an ESPS signal. If offsite power is available, the safeguard loads start immediately. If offsite power is not available, the Engineered Safeguards (ES) buses are connected to the Keowee Hydro Units. The time delay (38 seconds) associated with

Keowee Hydro Unit startup and LPI pump starting determines the time required before pumped flow is available to the core following a LOCA. Full LPI flow is not available until the LPI header isolation valve strokes full open. The ES signal has been removed from LP-21 and LP-22. *These valves shall be open when automatic initiation of the LPI system is required. If either one is closed during this time, the associated LPI and RBS train is inoperable.

The LPI and HPI (LCO 3.5.2, "High Pressure Injection (HPI)"), along with the passive CFTs and the BWST covered in LCO 3.5.1; "Core Flood Tanks (CFTs)," and LCO 3.5.4, "Borated Water Storage Tank (BWST)," provide the cooling water necessary to meet 10 CFR 50.46 (Ref. 1).

APPLICABLE The LCO helps to ensure that the following acceptance criteria for the SAFETY ANALYSES ECCS, established by 10 CFR 50.46 (Ref. 1), will be met following a LOCA:

a. Maximum fuel element cladding temperature is $ 2200°F;

b. Maximum cladding oxidation is $ 0.17 times the total cladding thickness before oxidation; *

c. Maximum hydrogen generation from a zirconium water reaction is

$ 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d. Core is maintained in a coolable geometry; and OCONEE UNITS 1, 2, & 3 B 3.5.3-2 Rev. 002

LPI B 3.5.3 BASES APPLICABLE e. Adequate long term core cooling capability is maintained.

SAFETY ANALYSES (continued) The LCO also helps ensure that reactor building temperature limits are met.

The LPI System is assumed to provide injection in the large break LOCA analysis at full power (Ref. 2). This analysis establishes a minimum required flow for the LPI pumps, as well as the minimum required response time for their actuation.

The large break LOCA event assumes a loss of offsite power and a single failure (loss of the CT-4 transformer). For analysis purposes, the loss of offsite power assumption may be conservatively inconsistent with the assumed operation of some equipment, such as reactor coolant pumps (Ref. 3). During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break. into the reactor building. The nuclear reaction is termina_ted by moderator voiding during large breaks.

Following depressurization, emergency cooling water is injected into the reactor vessel core flood nozzles, then flows into the downcomer, fills the lower plenum, and refloods the core.

In the event of a Core Flood line break which results in a 'LOCA, with a concurrent single failure on the unaffected LPI train opposite the Core Flood line break, the system is fitted with flow restricting devices in each injection leg and an upstream cross-connect pipe. These serve to limit the ECCS spillage through the faulted header and ensure that flow is diverted from the faulted header to the intact header at lower pressures. These flow restricting devices also provide LPI pump run-out protection during ..

LBLOCAs.

The safety analyses show that an LPI train will deliver sufficient water to match decay heat boiloff rates for a large break LOCA.

In the large break LOCA analyses, full LPI is not credited until 74 seconds after actuation of the ESPS signal. This is based on a loss of offsite power and the associated time delays in Keowee Hydro Unit startup, valve opening and pump start. Further, LPI flow is not credited until RCS pressure drops below the pump's shutoff head. For a large break LOCA, HPI is not credited at all.

The LPI trains satisfy Criterion 3of10 CFR 50.36 (Ref. 4).

OCONEE UNITS 1, 2, & 3 B 3.5.3-3 Rev. 002

LPI B 3.5.3 BASES (continued)

LCO In MODES 1, 2, and 3, two independent (and redundant) LPI trains are required to ensure that at least one LPI train is available, assuming a single failure in the other train. Additionally, individual components within the LPI trains may be called upon to mitigate the consequences of other transients and accidents. Each LPI train includes the piping, instruments, pumps, valves, heat exchangers and controls to ensure an OPERABLE flow path capable of taking suction from the BWST upon an ES signal and the capability to manually (remotely) transfer suction to the reactor building sump. The safety grade flow indicator of an LPI train is required to support OPERABILITY of the LPI and RBS trains to preclude NPSH or runout pro-blems. RBS flow is hydraulically maintained by system resistance, and throttling of RBS flow is not required. Therefore, RBS flow indication is not required to support LPI or RBS train OPERABILITY. The safety grade flow indicator associated with LPSW flow to an LPI cooler is required to be OPERABLE to support LPI train OPERABILITY.

LPI BWST Suction Valves, LP-21 and LP-22 do not have an ES signal to open. These valves shall be open when automatic initiation of the LPI and the RBS system is required to be OPERABLE. If either one is closed during this time, the associated LPI and RBS train is inoperable.

In MODE 4, one of the two LPI trains is* required to ensure sufficient LPI flow is avai.lable to the core.

During an event requiring LPI injection, a flow path is required to provide an abundant supply of water from the BWST to the RCS, via the LPI pumps and their respective supply headers, to the reactor vessel. In the long term, this flow path may be switched to take its supply from the reactor building sump.

This LCO is modified by three Notes. Note 1 changes the LCO requirement when in MODE 4 for the number of OPERABLE trains from two to one. Note 2 allows an LPI train to be considered OPERABLE during alignment, when aligned or when operating for decay heat removal if capable of being manually (remotely) realigned to the LPI mode of operation. This provision is necessary because of the dual requirements of

the components that comprise the LPI and decay heat removal modes of the LPI System. Note 3 requires the LPI discharge header crossover valves inside containment to be .open in MODES 1, 2, and 3. If one of these valves is closed, then the system will be unable to sustain a single failure.

OCONEE UNITS 1, 2, & 3 B 3.5.3-4 Rev. 002

LPI B 3.5.3 BASES LCO The flow path for each train must maintain its designed independence (continued) outside containment to ensure that no single failure can disable both LPI trains. If train separation is not maintained outside containment then only one LPI train is considered OPERABLE.

APPLICABILITY In MODES 1, 2 and 3, the LPI train OPERABILITY requirements for the .

Design Basis Accident, a large break LOCA, are based on full power operation. The position requirements of the LPI discharge crossover valves inside containment for the CFT line break are based on full power operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling requirements in the lower MODES.

In MODE 4, one OPERABLE LPI train is acceptable without single failure consideration on the basis of the stable reactivity condition of the reactor and the limited core cooling requirements.

In MODES 5 and 6, unit conditions are such that the probability of an event requiring LPI injection is eXtremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "DHR and Coolant Circulation-High Water Level," and LCO 3.9.5, "DHR and Coolant Circulation-Low Water Level."

ACTIONS With one LPI train inoperable in MODES 1, 2 or 3, the inoperable train must be returned to OPERABLE status within 7 days. The 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis in Reference 6. Reference 6.concluded that extending th'e Completion Time to 7 days for an inoperable LPI train improves plant operational flexibility while simultaneously reducing overall plant risk. Specifically, the risk incurred by having the LPI train unavailable for a longer time at power will be substantially offset by the benefits associated with avoiding unnecessary plant transitions and by reducing risk during shutdown operations.

OCONEE UNITS 1, 2, & 3 B 3.5.3-5 Rev.002

LPI B 3.5.3 BASES

_ACTIONS B.1 (continued)*

With one or more required LPI discharge header manual crossover valves inside containment closed, the closed valve(s) must be opened within 7 days. The 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis in Reference 6.

If the Required Action and associated Completion Time of Condition A or B are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months . The allowed Completion Times are*reasonable, based on operating experience, reach*

the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

With one required LPI train inoperable in MODE 4, the unit is not prepared to respond to an event requiring low pressure injection and may not be prepared to continue cooldown using the LPI pumps and LPI heat exchangers. The Completion Time of immediately, which would initiate action to restore at least one LPI train to OPERABLE status, ensures that prompt action is taken to restore the required LPI capacity. Normally, in MODE 4, reactor decay heat must be removed by a decay heat removal (OHR) loop operating .with suction from the RCS. If no LPI train is OPERABLE for this function, reactor decay he13t must be removed by some alternate method, such as use of the steam generator(s).

The alternate means of heat removal must continue until one df the inoperable LPI trains can be restored to operation so that continuation of *_

decay heat removal (OHR) is provided.*

With the LPI pumps (including the non ES pump j and LPI heat exchangers inop~rable, it would be unwise to require the unit to go to MODE 5, where

. the only available heat removal system is the LPI trains operating in the OHR mode. Therefore, the appropriate action is to initiate measures to restore one LPI train and to continue the actions until the sub'system is restored to OPERABLE status.

OCONEE UNITS 1, 2, & 3 B 3.5.3-6 Rev. 002

LPI B 3.5.3 BASES ACTIONS D.2 (continued)

Required Action D.2 requires that the unit be placed in MODE 5 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This Required Action is modified by a Note that states that the Required Action is only required to be performed if a OHR loop is OPERABLE. This Required Action provides for those circumstances where the LPI trains may be inoperable but otherwise capable of providing the necessary decay heat removal. Under this circumstance, the prudent action is to remove the unit from the Applicability of the LCO and place the unit in a stable condition in MODE 5. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is reasonable, based on operating experience, to reach MODE 5 in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.5.3.1 REQUIREMENTS Verifying the correct alignment for manual. and non-automatic power operated valves in the LPI flow paths provides assurance that the proper flow paths will exist for LPI operation. This SR does not apply to valves.

that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal.

This Surveillance does not require any testi'ng or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position: The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

When in MODE 4 an LPI train may be considered OPERABLE during alignment, when aligned or when operating for decay heat removal if capable of being manually realigned to the LPI mode of operation.

Therefore, for this condition, the SR verifies that LPI is capable of being manually realigned to the LPI mode of operation.

SR 3.5.3.2 With the exception of systems in operation, the LPI pumps are normally in a standby, non-operating mode. As such, the flow path piping has the potential to develop voids and pockets of entrained gases. Venting the LPI pump casings periodically reduces the potential that such voids and pockets of entrained gases can adversely affect operation of the LPI System. This will also minimize the potential for water hammer, pump OCONEE UNITS 1, 2, & 3 B 3.5.3-7 Rev. 002

LPI B 3.5.3 BASES SURVEILLANCE SR 3.5.3.2 (continued)

REQUIREMENTS cavitation, and pumping of noncondensible gas (e.g., air, nitrogen, or hydrogen) into the reactor vessel following an ESPS signal or during shutdown cooling. This Surveillance is modified by a Note that indicates it is not applicable to operating LPI pump(s). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.5.3.3 Periodic surveillance testing of LPI pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code (Ref. 5). SRs are specified in the lnservice Testing Program of the ASME Code.

SR 3.5.3.4 and SR 3.5.3.5 These SRs demonstrate that each automatic LPI valve actuates to the required position on an actual or simulated ESPS signal and that each LPI pump starts on receipt of an actual or simulated ESPS signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The test will be considered satisfactory if control board indication verifies that all components have

responded to the ESPS actuation signal properly (all appropriate ESPS actuated pump breakers have opened or closed and all ESPS actuated valves have completed their travel). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The actuation logic is tested as part of the ESPS testing, and equipment performance is monitored as part of the lnservice Testing Program.

OCONEE UNITS 1, 2, & 3 B 3.5.3-8 Rev.002

LPI B 3.5.3 BASES SURVEILLANCE SR 3.5.3.6 REQUIREMENTS (continued) Periodic inspections of the reactor building sump suction inlet ensure that it is unrestricted and stays in proper operating condition. The Surveillance Frequency is based on op~rating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50.46.

2. ., UFSAR, Section 15.14.3.3.6.

3. UFSAR, Section 15.14.3.3.5.

4. 10 CFR 50.36.

5.

ASME Code for Operation and Maintenance of Nuclear Power Plants. * * .

6. NRC Safety Evaluation of Babcock & Wilcox Owners Group (B&WOG) Topical Report BAW-2295, Revision 1, _"Justification for the Extension of Allowed Outage Time for Low Pressure Injection and Reactor Building Spray systems," (TAC No .. MA3807) dated June 30, 1999.

OCONEE UNITS 1, 2, & 3 B 3.5.3-9 Rev. 002 .I

Containment B 3.6.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.1 Containment BASES BACKGROUND The containment consists of the reactor building (RB) structure, its steel liner, and the penetrations of this liner and structure. The containment is designed to contain radioactive material that may be released from the reactor core following a design basis loss of coolant accident (LOCA).

Additionally, the containment provides shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment is a reinforced concrete structure with a cylindrical wall, a flat foundation mat, and a shallow dome roof The containment design includes ungrouted tendons where the cylinder wall is prestressed with a post tensioning system in the vertical and horizontal directions, and the dome roof is prestressed using a three way post tensioning system. The inside surface of the containment is lined with a carbon steel liner to ensure a high degree of leak tightness during operating and accident conditions.

The reinforced concrete structure is required for structural integrity of the containment under Design Basis Accident (DBA) conditions. The steel liner and its penetrations establish the leakage limiting boundary of the containment. Maintaining the containment OPERABLE limits the leakage of fission product radioactivity from the containment to the environment.

SR 3.6.1.1 leakage rate requirements comply with 10 CFR 50, Appendix J, Option B (Ref. 1), as modified by approved exemptions.

The isolation devices for the penetrations in the containment boundary are a part of the containment leak tight barrier. To maintain this leak tight barrier:

a. All penetrations required to be closed during accic;ient conditions are either:

1. capable of being closed by an OPERABLE automatic containment isolation system, or

2. closed by manual valves, blind flanges, or de-activated automatic valves in their closed positions, except as provided in LCO 3.6.3, "Containment Isolation Valves";

OCONEE UNITS 1, 2, & 3 B 3.6.1-1 Rev.001 I

.(

Containment B 3.6.1 BASES BACKGROUND b. Each air lock is OPERABLE, except as provided in LCO 3.6.2, (continued) "Containment Air Locks"; and

c. The equipment hatch is closed.

APPLICABLE The safety design basis for the containment is that the containment must SAFETY ANALYSES withstand the pressures and temperatures of the limiting accident without exceeding the design leakage rate.

The accidents that result in a challenge to containment from high pressures and temperatures are a LOCA and a steam line break (Ref. 2). In addition, release of significant fission product radioactivity within containment can occur from a LOCA. In the accident analyses, it is assumed that the ..

containment is OPERABLE such that; for the accidents involving release of fission product radioactivity, release to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.20% of containment air weight per day (Ref. 3).

This leakage rate, used in th~ evaluatio.n of offsite doses resulting from accidents, is defined in 10 CFR 50, Appendix J, Option B (Ref. 1), as La:

the. maximum allowable leakage rate at the calculated maximum peak containment pressure (Pa) resulting from the limiting design basis LOCA.

The allowable leakage rate represented by La forms the basis for the acceptance criteria imposed on all containment leakage rate testing. La is assumed to be 0.20% per day in the safety analysis af Pa= 59.0 psig (Ref. 3).

The containment satisfies Criterion 3 of the 10 CFR 50.36 (Ref. 4).

LCO Containment OPERABILITY is maintained by limiting leakage to $ 1.0 La.

except prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test. At this time, the applieable leakage limits must be met. Compliance with this LCO will ensure a containment configuration, including equipment hatches, that is structurally sound and that will limit leakage to those !eakage rates assumed in the safety analysis.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioaetive material into containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, containment is not required to be OPERABLE in MODE 5 to prevent leakage of radioactive material from containment. The requirements for containment during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

OCONEE UNITS 1, 2, &3 B 3.6.1-2 Rev. 001 I

Containment B 3.6.1 BASES (continued)

ACTIONS In the event containment is inoperable, containment must be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time provides a period of time to correct the problem commensurate with the importance of maintaining containment during MODES 1, 2, 3, and 4. This time period also ensures the probability of an accident (requiring containment OPERABILITY) occurring during periods when containment is inoperable is

minimal.

B.1 and B.2 If the Required Action and associated Completion Time is not met, the~ unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the. required unit conditions from full power conditions in an orderly manner and without challenging unit systems*.

SURVEILLANCE SR 3.6.1.1

REQUIREMENTS Maintaining the containment OPERABLE requires compliance with the visual examinations and leakage rate test requirements of the Containment Leakage Rate Testing Program.* As left leakage prior to the first startup after performing a required Containment Leakage Rate Testing Program leakage test is required to be < 0.6 La for combined Type B and C leakage, and S'O. 75 La for Option B for overall Type A leakage following an outage or shutdown that included Type A testing. At all other times between required leakage rate tests, the acceptance criteria is based on an overall Type A leakage limit of~ 1.0 La. At ~ 1.0 La the offsite do'se consequences are bounded by the assumptions of the safety analysis. SR Frequencies are as required by the Containment Leakage Rate Testing Program.

These periodic testing requirements verify that the containment leak~ge rate does not exceed the leakage rate assumed in the safety analysis.

OCONEE UNITS 1, 2, & 3 B 3.6.1-3 Rev. 001

Containment B 3.6.1 BASES SURVEILLANCE SR 3.6.1.2 REQUIREMENTS (continued) This SR ensures that the structural integrity of the containment will be maintained in accordance with the provisions of the Containment Tendon Surveillance Program. Testing and Frequency are as described in Specification 5.5.7, "Pre-stressed Concrete Containment Tendon Surveillance Program."

REFERENCES 1. 10 CFR 50, Appendix J, Option B.

2. UFSAR, Sections 15.13 and 15.14.

3. UFSAR, Section 6.2.

4. 10 CFR 50.36.

.I OCONEE UNITS 1, 2, & 3 B 3.6.1-4 Rev.001

Containment Air Locks B 3.6.2 B 3.6 CONTAINMENT SYSTEMS B 3.6.2 Containment Air Locks BASES BACKGROUND Containment air locks, also known as the personnel hatch and the emergency hatch, form part of the containment pressure boundary and provide a means for personnel access during all MODES of operation.

Each air lock is nominally a right circular cylinder with a door at each end.

The doors are interlocked to prevent simultaneous opening. During periods when containment is not required to be OPERABLE, the door interlock mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment entry is necessary. Each air lock door has been designed and is tested to certify its ability to withstand a pressure in excess of the maximum expected pressure following an accident in containment. As such, closure of a single door supports containment OPERABILITY. Each of the outer doors contains double gasketed seals and local leakage rate testing capability to ensure pressure integrity. To effect a leak tight seal, the air lock design uses pressure seated doors (i.e., an increase in containment internal pressure results in increased sealing force on each door). Each personnel air lock door is provided with limit switches that provide control room indication of. door position. .

The containment air locks form part of the containment pressure boundary.

As such, air lock integrity and leak tightness are essential for maintaining the containment leakage rate within limit in the event of an accident. Not maintaining air lock integrity or leak tightness may result in a leakage rate in excess of that assumed in the unit safety analysis.

APPLICABLE The accident that results in a release of radioactive material within SAFETY ANALYSES containment is a loss of coolant accident (LOCA) (Ref. 2). In the analysis of this accident, it is assumed that containment is OPERABLE such that release of fission products to the environment is controlled by the rate of containment leakage. The containment was designed with an allowable leakage rate of 0.20% of containment air weight per day (Ref. 3). This leakage rate is defined in 10 CFR 50, Appendix J, Option B (Ref. 1 ), as La:

the maximum allowable containment leakage rate at the calculated OCONEE UNITS 1, 2, & 3 B 3.6.2-1 Rev.001 I

Containment Air Locks B 3.6.2 BASES APPLICABLE maximum peak containment pressure (Pa) following a design bases LOCA.

SAFETY ANALYSES This allowable leakage rate forms the basis for the acceptance criteria (continued) imposed on the SRs associated with the air lock.

The containment air locks satisfy Criterion 3of10 CFR 50.36 (Ref. 4).

LCO Each containment air lock forms part of the containment pressure boundary. As a part of the containment pressure boundary; the air lock safety function is related to control of the containment leakage rate resulting from an accident. Thus, each air lock's structural integrity and leak tightness are essential to the successful mitigation of such an event.

Each air lock is required to be OPERABLE. For the air lock to be considered OPERABLE, the air lock interlock mechanism must be OPERABLE, the air lock must be in compliance with the Type B air lock leakage test, and both air lock doors must be OPERABLE. The interlock allows only one air lock door of an air lock to be opened at one time. This

provision ensures that a gross breach of containment does not existwhen containment is. required to be OPERABLE. Closure of a single door in each air lock is sufficient to provide a leak tight barrier following postulated

. events. Nevertheless, both doors are normally closed when.the air lock.is not being used for normal entry into or exit from containment.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release* of radioactive m.aterial to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment air locks are not required in MODE 5 to prevent leakage of radioactive material from containment. The requirements for the containment air locks during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

ACTIONS The ACTIONS are modified by a Note that allows entry and exit to perform repairs on the affected air lock component. If the outer door is inoperable, then it may be easily accessed for most repairs. An inoperable inner door can be accessed from inside containment by entering through the other OPERABLE air lock. However, if this is not practicable, or if repairs on either door must be performed from the barrel side of the door then it is permissible to enter the air lock through the OPERABLE door, which means there is a short.time during which the containment boundary is not intact (during access through the OPERABLE door). The ability to open the OPERABLE door, even if it means the containment boundary is OCONEE UNITS 1, 2, '& 3 B 3.6.2-2 Rev. 001 I

Containment Air Locks B 3.6.2 BASES ACTIONS temporarily not intact, is acceptable due to the low probability of an event (continued) that could pressurize the containment during the short time in which the OPERABLE door is expected to be open. After each entry and exit the OPERABLE door must be immediately closed. If conditions permit, entry and exit should be via an OPERABLE air lock.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each air lock. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable air lock. Complying with the Required Actions may allow for continued operation, and a subsequent inoperable air lock is governed by subsequent Condition entry and application of associated Required Actions.

In the event the air lock leakage results in exceeding the overall (combined) containment leakage rate, Note 3 directs entry into the applicable Conditions and Required Actions of LCO 3.6.1, "Containment."

A.1, A.2, and A.3 With one air lock door inoperable in one or more containment air locks, the OPERABLE door must be verified closed (Required Action A.1) in each affected containment air lock.

This ensures that a leak tight containment barrier is maintained by the use of an OPERABLE air lock door. This action must be completed within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires containment be restored to OPERABLE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

In addition, the affected air lock penetration must be isolated by locking closed the remaining OPERABLE air lock door within the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is considered reasonable for locking the OPERABLE air lock door, considering the OPERABLE door of the affected air lock is being maintained closed.

Required Action A.3 verifies that an air lock with an inoperable door has been isolated by the use of a locked and closed OPERABLE air lock door.

This ensures that an acceptable containmentleakage boundary is maintained. The Completion Time of once per 31 days is based on*

engineering judgment and is considered adequate in view of the low likelihood of a locked door being mispositioned and other administrative OCONEE UNITS 1, 2, & 3 B 3.6.2-3 Rev. 001 I

Containment Air Locks B 3.6.2 BASES ACTIONS A.1, A.2, and A.3 (continued) controls. Required Action A.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

The Required Actions have been modified by two Notes .. Note 1 clarifies that only the Required Actions and associated Completion Times of

.Condition Care required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. ' The exception of Note 1 does not affect tracking the Completion Time from the initial entry into Condition A; only the requirement to comply with the Required Actions. Note 2 allows use of the air lock for entry and .exit for 7 days under administrative controls if both air locks are inoperable. This 7 day restriction begins when the second air lock is discover¢d inoperable, Containment entry may be required to perform Technical Specifications (TS) Surveillances and Required Actions, as well as other activities on equipment inside containment that are required by TS or activities on equipment that support TS-required equipment. This Note is not intended to preclude performing other*

activities (i.e., non-TS-required activities) if the containment was entered, using the inoperable air lock, to perform an allowe~ ac~ivity listed above.

This allowance is acceptable due to the low probabilitY of an event that could pressurize the containment during the sh9rt time that the OPERABLE door is expected to be open.

B.1. B.2,1 and B.3 With an air lock interlock mechanism inoperable in one or more air locks, the Required Actions and associated Completion Times are consistent with those specified in Condition A.

The Required Actions have been modified by two Notes. Note 1 clarifies that only the Required Actions and associated Completion Times of Condition C are required if both doors in the same air lock are inoperable.

With both doors in the same air lock inoperable, an OPERABLE door is not available to be closed. Required Actions C.1 and C.2 are the appropriate remedial actions. Note 2 allows entry into an9 exit from the containment OCONEE UNITS 1 2, & 3 I B 3.6.2-4 Rev. 001 I

Containment Air Locks B 3.6.2 BASES ACTIONS B.1. B.2. and B.3 (continued) under the control of a dedicated individual stationed at the air lock to ensure that only one door is opened at a time (i.e., the individual performs the function of the interlock).

Required Action B.3 is modified by a Note that applies to air lock doors located in high radiation areas and allows these doors to be verified locked closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of the door, once it has been verified to be in the proper position, is small.

C.1. C.2. and C.3 With one or more air locks inoperable for reasons other than those described in Condition A or B, Required Action C.1 requires action to be immediately initiated to evaluate previous combined leakage rates using current air lock test results. An evaluation is acceptable since it is overly conservative to immediately declare the containment inoperable if the

overall air lock leakage is not within limits. In many instances, containment remains OPERABLE, yet only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (per LCO 3.6.1) would be provided to restore the air lock door to OPERABLE status prior to requiring a unit shutdown.

Required Action C.2 requires that one door in each affected containment air lock must be verified to be closed. This action must be completed within the 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time. This specified time period is consistent with the ACTIONS of LCO 3.6.1, which requires that containment be* restored to OPERABLE status within.1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Additionally, the affected air lock(s) must be restored to OPERABLE status within the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time. The specified time period is considered reasonable for restoring an inoperable afr lock to OPERABLE

. status assuming that at least one door is maintained closed in each '*

affected air lock.

D.1 and D.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within OCONEE UNITS 1, 2, & 3 B 3.6.2-5 Rev. 001 I

Containment Air Locks B 3.6.2 BASES ACTIONS D.1 and D.2 (continued) 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating *experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.6.2.1 REQUIREMENTS Maintaining containment air locks OPERABLE requires compliance with the leakage rate test requirements of the Containment Leakage Rate Testing Program. This SR reflects the leakage rate testing requirements with regard to air lock leakage (Type B leakage tests). The periodic testing requirements verify that the air lock leakage does not exceed the allowed fraction of the overall containment leakage rate. The Frequency is required by the Containment Leakage Rate Testing Program.

The SR has been modified by two Notes. Note 1 states that an inoperable air lock door does not invalidate the previous successful performance of the overall air lock leakage test. This is considered reasonable, since ..

either air lock door is capable of providing a fission product barrier in the event of an accident. Note 2 has been added to this SR requiring the results to be evaluated against the acceptance criteria which are applicable to SR 3.6.1.1. This ensures that air lock leakage is properly accounted for in determining the combined Type B and C containment leakage rate.

SR 3.6.2.2 The air lock interlock is designed to prevent simultaneous opening of both doors in a single air lock. Since both the inner and outer doors of an air lock are designed to withstand the maximum expected post accident containment pressure, closure of either door will support containment OPERABILITY. Thus, the door interlock feature supports containment OPERABILITY while the air lock is being used for personnel transit in and out of the containment. Periodic testing of this interlock demonstrates that OCONEE UNITS 1, 2, & 3 B 3.6.2-6 Rev. 001 I

Containment Air Locks B 3.6.2 BASES SURVEILLANCE SR 3.6.2.2 (continued)

REQUIREMENTS the interlock will function as designed and that simultaneous opening of the inner and outer doors will not inadvertently occur. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix J, Option B.

2. UFSAR, Section 15.14.

3. UFSAR, Section 6.2.

4. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.6.2-7 Rev. 001 I

MS RVs B 3.7.1 B 3. 7 PLANT SYSTEMS B 3.7.1 Main Steam Relief Valves (MSRVs)

BASES BACKGROUND The primary purpose of the MSRVs is to provide overpressure protection for the secondary system. The MSRVs also provide protection against overpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not available.

Eight MSRVs are located on each main steam header, outside containment as described in the UFSAR, Section 10.3 (Ref. 1). The MSRV rated

capacity passes the full steam flow at 114% RTP with the valves full open.

This meets the requirements of the ASME Code, Section Ill (Ref. 2). The MSRV design includes staggered setpoints, (Ref. 1) so that only the needed number of valves will actuate. Staggered setpoints reduce the potential for valve chattering because of insufficient steam pressure to fully open t.he valves.

APPLICABLE The design basis of the MSRVs (Ref. 2) is to limit secondary system SAFETY ANALYSES pressure to ~* 110% of design pressure when passing 105% of design steam flow. This design basis is sufficient to cope with any anticipated transient or accident considered in the accident and transient analysis.

The events that challenge the relieving capacity of the MSRVs, and thus RCS pressure, are those characterized as decreased heat removal or increased heat addition events. MSRV relief capacity is utilized in the UFSAR (Ref. 3and Ref. 4) for mitigation of the following events:

a. Loss of main feedwater;

b. Steam line break;

c. Steam generator tube rupture;

d. Rod withdrawal at rated power; and

e. Loss of Electric Load.

OCONEE UNITS 1, 2, & 3 B 3.7.1-1

Rev. 002 I

MS RVs B 3.7.1 BASES APPLICABLE The MSRVs satisfy ..Criterion 3 of 10 CFR 50.36, (~ef. p).

SAFETY ANALYSIS (continued)

LCO The MSRVs are provided to prevent overpressurization as discussed in the Applicable Safety Analysis section of these Bases. The LCO requires sixteen MSRVs, eight on each main steam line, to be OPERABLE to ensure compliance with the ASME Code following accidents and transients initiated at full power. Operation with less than a full complement of MSRVs is not permitted. To be OPERABLE, lift setpoints must remain within limits, specified in the UFSAR.

The safety function of the MSRVs is to open, relieve steam generator

overpressure, and reseat wtien pressure has been reduced.*

OPERABILITY of the MSRVs requires periodic surveillance testing in accordance with the lnservice Testing Program.

The lift settings correspond to ambient conditions of the valve at nominal operating temperature* and pressure.

This LCO provides assurance that the MSRVs will perform the design safety function.

APPLICABILITY In MODES 1, 2, and 3, the MSRVs must be OPERABLE to prevent overpressurization of the main steam system*.

In MODES 4 and 5, there is no credible transient requiring the MSRVs.

The steam generators are not normally used for heat removal in MODES 5 and 6, and thus cannot be overpressurized. There is no requirement for the MSRVs to be OPERABLE in these MODES.

ACTIONS* A.1 and A.2 With one or more MSRVs inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , and in MODE 4 within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

OCONEE UNITS 1, 2, & 3 B 3.7.1-2 Rev. 002 I

MS RVs B 3.7.1 BASES (continued)

SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the OPERABILITY of the MSRVs by the verification of MSRV lift setpoints in accordance with the lnservice Testing Program. The safety and relief valve tests are performed in accordance with ASME Code (Ref. 6) and include the following for MSRVs:

a. Visual examination;

b. Seat tightness determination;

c. Setpoint pressure determination (lift setting);

d. Compliance with owner's seat tightness criteria; and

e.

Verificatipn of the balancing device integrity on balanced valves.

The ASME Code requires the testing of all valves every 5 years, with a minimum of 20% of the valves tested every 24 months.

This SR is modified by a Note that states the surveillance is only requfred to be performed in MODES 1 and 2. This note allows entry into and operation in MODE 3 prior to performing the SR, provided there is no evidence that the equipment is otherwise believed to be incapable of performing its function. Also, the guidance in the TS Bases for SR 3.0.1 states that equipment may be considered OPERABLE following maintenance provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This allows operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

For example, the mode change provisions described above specifically applies to scenarios where maintenance on MSRVs is performed below the mode of applicability for LCO 3. 7 .1, testing has been satisfactorily completed to the extent possible, and the equipment is believed capable of performing its function. The mode change provisions permit entry into

Mode 3 in order to test and adjust the set pressure, as necessary, to satisfy SR 3. 7 .1.1 prior to entry into Mode 2.

The MSRVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSRVs are not tested at hot conditions, the lift setting pressure must be corrected to ambient conditions of the valve at operating temperature and pressure.

OCONEE UNITS 1, 2, & 3 B 3.7.1-3 Rev. 002 I

MS RVs B 3.7.1 BASES (continued)

REFERENCES 1. UFSAR, Section 10.3.

2. ASME, Boiler and Pressure Vessel Code, Section Ill, Article NC-7000, Class 2 Components.

3. UFSAR, Chapter 15.

4. UFSAR, Chapter 10.

5. 10 CFR 50.36.

6. ASME Code for Operation and Maintenance of .Nuclear Power Plants.

OCONEE UNITS 1, 2, & 3 B 3.7.1-4 Rev.002 I

ADV Flow Paths B 3.7.4 B 3. 7 PLANT SYSTEMS B 3.7.4 Atmospheric Dump Valve (ADV) Flow Paths BASES BACKGROUND The ADV flow paths provide a method for cooling the unit to.decay heat removal (OHR) entry conditions, should the preferred heat sink via the Turbine Bypass System to the condenser not be available, as discussed in the UFSAR (Ref. 2). This is done in conjunction with the secondary cooling water from the Emergency Feedwater (EFW) System.

The steam generator tube rupture (SGTR) analysis (Ref. 3) credits operator action to depressurize the steam generators by opening each of the ADV flow paths.

In addition, the ADV flow path for each steam generator is* credited as a compensatory measure in Technical Specification (TS) 3.5.2, "High Pressure Injection (HPI)." In certain HPI configurations, the ADV flow path*

for one steam generator is credited to depressurize the steam generator and enhance primary-to-secondary heat transfer during certain small break loss of coolant accidents (LOCAs) (Refs. 4 and 5).

For each steam generator, the ADV flow path is comprised of the atmospheric dump block valve bypass (1" bypass), the atmospheric vent valve (a 12" block valve), the atmospheric dump control valve (i.e., throttle valve), and the atmospheric vent block valve (i.e., isolation valve). The throttle valve and the isolation valve are in parallel and are located downstream of the atmospheric vent valve.

The atmospheric vent valve should be opened prior to opening the throttle valve or isolation valve. This is accomplished by first opening the atmospheric dump block valve bypass.

This equalizes the differential pressure across the atmospheric vent valve.

Once the atmospheric vent valve is opened, the cool down rate is controlled using the throttle valve. If additional relief capacity is needed, the isolation valve can be opened. The capacity of the throttle or isolation valve exceeds decay heat loads and is sufficient to cool down the plant.

OCONEE UNITS 1, 2, & 3 B 3.7.4-1 Rev. 002 I

ADV Flow Paths B 3. 7.4 BASES (continued)

APPLICABLE The SGTR analysis credits operator action to depressurize the steam SAFETY ANALYSIS generators by opening both ADV flow paths (i.e., the ADV flow path for each steam generator) within 40 minutes of identifying the ruptured steam generator. Within this 40-minute time period, the operators are only required to open the bypass valve, the block valve, and the throttle valve.

However, later in the event, the analysis also assumes that the operators*

will open the isolation valves in each ADV flow path.

Operator action to depressurize a steam generator via its ADV flow path is credited in the analysis of certain small break LOCAs with THERMAL POWER:::; 50% RTP and the. plant operated with a degraded HPI System.

This event credits operator action to open one ADV flow path within 25 minutes of. an Engineered Safeguards Protective System (ESPS) actuation.

If enhanced steam generator cooling is not credi~ed in the small break LOCA analysis, two HPI trains are required to mitigate specific small break

LOCAs. However, if equipment not qualified as QA-1 (i.e., an ADV flow path for a steam generator) is credited for enhanced steam generator cooling, the safety analyses*have determined that the capacity of one HPI train is sufficient to mitigate a small break LOCA on the discharge of the.

reactor coolant pumps if THERMAL POWER is :::; '50% RTP.

The analysis for degraded HPI credits an ADV flow path for one steam generator as a compensatory measure in the event an HPI train is inoperable and THERMAL POWER is*::; 50% RTP. During this situation, the ADV flow path for one steam generator is credited during certain small break LOCAs to depressurize the steam generator and enhance primary-to-secondary heat transfer. This is done in conjunction with the EFW .

System providing cooling water to the steam generator. The ADV flow path is comprised of manual valves. Operator action is credit~d for establishing t.he ADV flow path within 25 minutes of an ES.PS signal.

Additionally, the ADV flow path for each steam generator is credited as a compensatory measure in TS 3.5.2, "High Pressure Injection (HPI)."

Typically, single failures are not considered once the plant has entered a condition defined in the TS. However, the Completion Time permitted when the HPI system is degraded, is an extended period of time.

In the event an accident occurred during this extended Completion Time and a single failure were to occur in the degraded HPI system, the ability of a plant to mitigate the consequences of specific small break LOCAs continues to be assured by the ADV flow path for one steam generator.

. The ADV flow paths satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).

The 50% partial-power SBLOCA analysis includes a sensitivity case that models an operator action to modulate the main steam pressure at 300 psig via the ADV during the secondary-side depressurization. The purpose of the ADV modulation to maintain steam pressure is to limit Reactor OCONEE UNITS 1, 2, & 3 Rev. 002

ADV Flow Paths B 3.7.4 BASES APPLICABLE Coolant System (RCS) depressurization, which then prevents the CFTs SAFETY ANALYSIS from completely discharging their liquid contents and introducing nitrogen (continued) gas into the RCS during the depressurization. The secondary-side pressure control to preclude significant.nitrogen injection is consistent with the generic EmergE;!ncy Operating Procedure (EOP) guidance for B&W plants provided by AREVA.

To ensure that the new SBLOCA analysis is bounding, the plant must be controlled to a main steam pressure that is less than the value assumed in the 50% partial-power SBLOCA analysis, since less borated water from the CFT would be injected at the higher analyzed value. This ensures that the 50% .Partial-power SBLOCA analysis remains conservative with respect to actual plant operation. The 50% partial-power SBLOCA analysis modeling the modulation of steam pressure at 300 psig allows operating space within the EOPs such that CFT isolation does not conflict with the applicable safety analysis in terms of isolating the borated water source from the CFTs.

A supplemental SBLOCA analysis demonstrates that long-term core cooling is assured with or without nitrogen gas intrusion for all break sizes.

The operator actions required by the ONS licensing basis remain

unchanged. The analyses show that nitrogen gas intrusion does not occur for the small break sizes that rely on steam generator heat removal for a*

number of hours. In the longer term, core cooling is still assured if the .

CFTs completely discharge their liquid contents much later because at these longer times following the reactor trip, the lower.decay heat levels can be matched by HPI cooling.

Based on the evaluation of impacts to long-term core cooling if ADV modulation does not occur, the operator action modeled in the partial-power SBLOCA analysis to maintain steam generator pressure at 300 psig is considered to be a desired action, and not a required action needed to demonstrate post-LOCA long-term core cooling.

LCO The ADV flow path for each steam generator is required to be OPERABLE.

The failure to meet the LCO can result in the inability to depressurize the steam generators following a SGTR.

The ADV flow path for each steam generator is required to be OPERABLE.

Failure to meet the LCO can result in the inability to depressurize a steam generator following a small break LOCA. This function is required to support operation with a degraded HPI System when THERMAL POWER is~ 50% RTP.

An ADV flow path is considered OPERABLE when_ it is capable of providing a controlled relief of the main steam flow, and each valve which comprises the ADV flow path is capable of opening and closing.

OCONEE UNITS 1, 2, & 3 B 3.7.4-3 Rev.002 I

ADV Flow Paths B 3.7.4 BASES (continued)

APPLICABILITY The ADV flow path for each steam generator is required to be OPERABLE in MODES 1, 2, and 3, and in MODE 4, when a steam generator is being relied upon for heat removal. In MODE 4, steam generators are relied upon for heat removal whenever an RCS loop is required to be OPERABLE or operating to satisfy LCO 3.4.5, "RCS Loops - MODE 4" or available to transfer decay heat to satisfy LCO 3.4.7, "RCS Loops - MODE 5, Loops Filled." The steam generators do not contain a significant amount of energy in MODE 4 when the unit is not relying upon a steam generator for heat transfer, and MODES 5 and 6; therefore, the ADV flow paths are not required to be OPERABLE in these MODES and condition.

With the ADV flow paths required to be OPERABLE at all times that the steam generators are being relied upon for heat removal, it is assured that the ADV flow paths will be available for use for mitigation of a SBLOCA and a SGTR. These are the only two conditions in which the use of the ADV flow paths .is credited in the analyses of any accident.

ACTIONS A.1 and A.2 With one or both of the ADV flow path(s) inoperable, the Unit must be placed in a condition in which the LCO does not apply. To achieve this status, the Unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , and at least MODE 4 without reliance on a steam generator for heat removal within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The Completion Times are reasonable, base_d on operating experience, to reach the required Unit conditions from full power conditions in an orderly manner and without challenging Unit systems.

SURVEILLANCE SR 3.7.4.1 REQUIREMENTS To perform a controlled cool down of the RCS, the valves that comprise the.

ADV flow path for each steam generator must be able to perform the following functions:

a) the atmospheric dump block valve bypass and the atmospheric vent valve must be capable of being opened and closed; and b) the atmospheric dump control valve and atmospheric vent block valve must be capable of being opened and throttled through their full range.

OCONEE UNITS 1, 2, & 3 B 3.7.4-4 Rev. 002 I

ADV Flow Paths B 3.7.4 BASES SURVEILLANCE This SR ensures that the valves that comprise the ADV flow path for each REQUIREMENTS steam generator are cycled through the full control range. Performance of (continued) inservice testing or use of an ADV flow path during a unit cool down satisfies this requirement. This surveillance does not require the valves to be tested at pressure. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50.36.

2. UFSAR, Section 10.3.

3. UFSAR, Section 15.9.

4. UFSAR, Section 15.12

5. UFSAR, Section 15.14 OCONEE UNITS 1, 2, & 3 B 3.7.4-5 Rev. 002 I

PSW System B3.7.10 B 3. 7 PLANT SYSTEMS B 3.7.10 Protected Service Water (PSW) System BASES BACKGROUND The Protected Service Water (PSW) system is designed as a standby system for use under emergency conditions. The PSW system provides added "defense in:-depth" protection by serving .as a backup to existing safety systems and as such, the system is not required to comply with single failure criteria. The PSW system is provided as an alternate means to achieve and maintain safe shutdown conditions for one, two or three units following postulated scenarios that damage essential systems and components normally used for safe shutdown.

The PSW pumping system utilizes the inventory of lake water contained in the Unit 2 Condenser Circulating Water (CCW) piping. The PSW primary and booster pumps are located in the Auxiliary Building (AB) at elevation 771' and take suction from the Unit 2 CCW piping and discharge into the steam generators of each unit via the Emergency Feedwater (EFW) system headers. The raw water is vaporized in the steam generators (SGs), removing residual heat, and is dumped to atmosphere via the Main Steam Relief Valves (MSRVs) or Atmospheric Dump Valves (ADVs). For extended operation, the PSW portable pump with a flow path capable of taking suction from the intake canal and discharging into the Unit 2 CCW piping is designed to provide a backup supply of water to the PSW system in the event of loss of CCW and subsequent loss of CCW siphon flow. The PSW portable pump is stored onsite.

1he PSW system is designed to support cool down of the Reactor Coolant System (RCS) and maintain safe shutdown conditions. The PSW system is designed to maintain SG water levels to promote natural circulation Decay Heat Removal (OHR) using the SGs for an extended period of time during which time other plant systems required to cool the RCS to MODE 5 conditions will be restored and brought into service. In addition, the PSW system, in combination with the High Pressure Injection (HPI) system, provides borated water for Reactor Coolant Pump (RCP) seal cooling, RCS makeup, and reactivity management.

The PSW system reduces fire risk by providing a diverse power supply to power safe shutdown equipment in accordance with the National Fire Protection Association (NFPA) 805 safe shutdown analyses (Ref. 3).

OCONEE UNITS 1, 2, & 3 B 3.7.10-1 Rev. 003 I

PSW System B 3.7.10 BASES BACKGROUND The PSW system consists of the following:

(continued)

1. PSW building and associated support systems.

2. Conduit duct bank from the Keowee Hydroelectric Station underground-cable trench to the PSW building.

3. Conduit duct bank and raceway from the PSW Building to the Unit 3 AB.

4. Electrical power distribution system from breakers at the Keowee Hydroelectric Station and from the 100 kV PSW substation (supplied from the Central Tie Switchyard) to the PSW building, and from there to the AB.

5. PSW booster pump, PSW primary p\Jmp, and mechar'.lical piping taking suction from the Unit 2 embedded CCW System to the EFW headers supplying cooling water to the respective unit's SGs and HPI pump motor bearing coolers. *

6. PSW portable pumping system.

The mechanical portion of the PSW system provides decay heat removal

by feeding Lake Keowee water to the secondary side of the SGs. In addition, the PSW pumping system supplie~ Keowee Lake water to the HPI pump motor coolers.

The PSW pumping system consists of a booster pump, a primary pump, and a *portable pump. Other than the portable pump, the pumps and required valves are periodically tested in accordance with the In-Service Testing (IST) Program.

The PSW piping system has pump minimum flow lines that discharge back into the Unit 2 CCW embedded piping.

The PSW primary and booster pumps, motor operated valves, and solenoid valves required to bring the system into service, are controlled*

from the main control rooms. Check valves and manual handwheel operated valves are used to prevent back-flow, accommodate testing, or are used for system isolation .

. The PSW electrical system is designed to provide power to PSW mechanical and electrical components as well as other system 1 components needed to establish and maintain a safe,shutdo':Nn condition.

Normal power is. provided by a transformer connected to a 100 kV overhead transmission line that receives power from the Central Tie Switchyard located approximately eight (8) miles from the plant. Standby power is provided from the Keowee Hydroelectric Station via an underground path. The Keowee Hydro Unit (KHU) aligned to the overhead emergency power path can automatically provide power to Keowee Hydroelectric Station in-house loads for operation of the overhead KHU.

OCONEE UNITS 1, 2, & 3 B 3.7.10-2 Rev.003 I

PSW System B 3.7.10 BASES BACKGROUND These external power sources provide power to transformers, switchgear, (continued) breakers, load centers, batteries, and battery chargers located in the PSW electrical equipment structure. There are two (2) batteries inside the PSW Building. Either battery is sized to supply PSW DC loads. The battery banks are located in different rooms separated by fire rated walls.

A separate room within the PSW building is provided for major PSW electrical equipment.

PSW building heating, ventilation, and air conditioning (HVAC) is designed to maintain transformer and battery rooms within their design temperature range. The HVAC System consists of two (2) systems; a non QA-1/non credited system designed to maintain the PSW Transformer and Battery Rooms environmental profile and a QA-1 /credited system designed to actuate whenever the non QA-1 system is not able to meet its design function.

The hydrogen removal fans are designed to maintain the hydrogen in the Battery rooms below 2% in accordance with IEEE-484 (Ref. 4). The multiple thermostats in each Battery Room ensure temperatures are maintained within acceptable. limits.

APPLICABLE The function of the PSW system is to provide a diverse means to achieve SAFETY ANALYSES and maintain safe shutdown by providing secondary side OHR, RCP seal cooling, RCS primary inventory control, and RCS boration for reactivity management following scenarios that disable the 4160 V essential

electrical power distribution system.

To verify PSW system performance criteria, thermal-hydraulic (T/H) analysis was performed to demonstrate that the PSW system could

.achieve and maintain safe shutdown following postulated fires that .

disable the 4160 v essential power distribution system, without reliance on equipment located in the* turbine building. The analysis evaluates RCS subcooling margin using inputs that are representative of plant conditior:is as defined by Oconee's NFPA 805 fire protection program.

The analysis uses an initial core thermal power of 2619 MWth ( 102% of 2568 MWth) and accounts for 24 month fuel cycles. The consequences of the postulated loss of main and emergency feedwater and 4160 VAC power were analyzed as a RCS overheating scenario. For the examined overheating scenario, an important core input is decay heat. High decay heat conditions were modeled that were reflective of maximum, end of cycle conditions. The high decay heat assumption was confirmed to be bounding with respect to the RCS subcooling response. The results of the analysis demonstrate that the PSW system is capable of meeting the relevant NFPA 805 nuclear safety performance criteria.

OCONEE UNITS 1, 2, & 3 B 3.7.10:..3 Rev. 003 I

PSW System B 3.7.10 BASES APPLICABLE During periods of very low decay heat the PSW system will be used to SAFETY ANALYSES establish conditions that support the formation of subcooled natural (continued) circulation between the core and the SGs; however, natural circulation may not occur if the amount of decay heat available is less than or equal to the amount of heat removed by ambient losses to containment and/or by other means, e.g., letdown of required minimum HPI flow through the Reactor Coolant (RC) vent valves. When these heat removal mechanisms are sufficient to remove core decay heat, they are considered adequate to meet the core cooling function and systems supporting SG decay heat removal, although available, are not necessary for core cooling.

Regarding operation in MODES 1 and 2 other than operation at nominal full power, the duration of operation in these conditions is insufficient to result in an appreciable contribution to overall plant risk. As a result, T/H analysis was performed assuming full power initial conditions, as described above and in the Oconee Fire Protection Program, Nuclear Safety Capability Assessment. The plant configuration examined in the T/H analysis is representative of risk significant operating conditions and provides reasonable assurance that a fire mitigated by PSW during these MODES will not prevent the plant from achieving and maintaining fuel in a safe and stable condition.

The PSW system is not an Engineered Safety Feature Actuation System (ESFAS) and is not credited to m_itigate design basis events as contained in UFSAR Chapters 6 and 15. Nb credit is taken *in the safety analyses for PSW system operation following design basis events. Based on its contribution to the reduction of overall. plant risk, the PSW system satisfies Criterion 4 of 10 CFR 50.36 (c)(2)(ii) (Ref. 2) and is therefore included in the Technical Specifications.

LCO The OPERABILITY of the PSW system provides a diverse means to achieve and maintain safe shutdown by providing secondary side OHR, reactor coolant pump seal cooling, primary system inventory control, and RCS boration for reactivity management during certain plant scenarios that disable the 4160 V essential electrical power distribution system.

For OPERABILITY, the following are required:

One (1) primary pump, one (1) booster pump, and one (1) portable pump.

A flowpath taking suction from the Unit 2 CCW piping through the PSW pumping system (including recirculation flowpath) and discharging into the secondary side of each SG and the required HPI pump motor bearing cooler.

OCONEE UNITS 1, 2, & 3 B 3.7.10-4 Rev.003 I

PSW System B 3.7.10 BASES LCO

TS 3.8.3 required number of 125 VDC Vital l&C Battery Chargers.

(continued) Note: The Standby battery chargers cannot be credited for PSW OPERABILITY because they are not supplied with PSW power.

One (1) of two (2) PSW batteries and the associated battery charger.

PSW building ventilation system (QA-1) consisting of ductwork, fans, heaters, fire 'dampers, tornado dampers, motor-operated dampers and associated controls of the Transformer room AND in-service battery room.

KHU aligned to the overhead emergency power path automatically capable of providing power to its auxiliary power transformer.

A PSW electrical system power path from the overhead KHU.

For OPERABILITY, PSW supplied power is required for the following:

.* Either the "A" or "B" HPI pump motor.

PSW portable pump (unless self-powered}

HPI valve needed to align the HPI pumps to the Borated Water Storage Tanks (HP-24).

HPI valves that support RCP seal injection and RCS makeup (HP-26, HP-139, and HP-140). .

Pressurizer Heaters (150 kW above pressurizer ambient heat loss).

Reactor Vessel Head Vent Valves (RC-159 and RC-160)

One ( 1) RCS Loop High Point Vent Pathway ( RC-155 and RC-156 or RC-157 and RC-158)

Required 125 VDC Vital l&C Normal Battery Chargers.

For OPERABILITY, the following instrumentation and controls located in each main control room are required:

Two (2) high flow controllers (PSW-22 and PSW-24).

Two (2) low flow controllers (PSW-23 and PSW-25).

Two (2) flow indicators (one per SG).

One (1) SG header isolation valve (PSW-6).

One (1) HPI seal injection flow indicator

One (1) "A" HPI train flow indication (from ICCM plasma)

The LCO is modified by a Note indicating that it is not applicable to Unit(s) until startup from a refueling outage after completion of PSW modifications and after all of the PSW system equipment installed has been tested. Certain SRs require the unit to be shutdown to perform the SR.

OCONEE UNITS 1, 2, & 3 B 3.7.10-5 Rev.003 I

PSW System B 3.7.10 BASES (continued)

APPLICABILITY In MODES 1 and 2, the PSW system provides a diverse means to achieve and maintain safe shutdown by providing secondary side DHR, reactor coolant pump seal cooling, primary system inventory control, and RCS boration for reactivity management during certain plant scenarios that disable the 4160 V essential electrical power distribution system.

As a result of the system's contribution to overall plant risk in mitigating transients initiated during these operating conditions, PSW is required to be*

OPERABLE in MODES 1 and 2. In MODES 3 and 4, the PSW system can provide a diverse means for secondary side DHR (while the steam generators remain available), reactor coolant pump seal cooling, primary system inventory control, and RCS boration for reactivity management.

Because of the relatively short periods of operation in these MODES, the contribution to the reduction of overall plant risk in mitigating transients initiated during these operating conditions is not sufficient to warrant inclusion of OPERABILITY requirements for MODES 3 and 4 in the Technical Specifications.

In MODES 5 and 6, the steam generators are not available for secondary side DHR. As such, the PSW feed to the SGs is not required. Protected Service Water system backup power to some of the HPI components may be relied upon for shutdown risk defense-in-depth associated with primary system makeup. There are multiple means to achieve primary system makeup during these conditions. As a result, the contribution to* the reduction of overall plant risk during these operating conditions is not sufficient to warrant inclusion of OPERABILITY requirements for MODES 5 and 6 in the Technical Specifications.

ACTIONS The exception for LCO 3.0.4 provided in the NOTE of the Actions, permits entry into MODES 1 or 2 with the PSW system not OPERABLE. This is acceptable because the PSW is not required to support normal operation of the facility or to mitigate a design basis event.

With the PSW system inoperable, action must be taken to restore the system to OPERABLE status within 14 days. The 14-day Completion Time (CT) is reasonable based on the Standby Shutdown Facility (SSF) Auxiliary Service Water (ASW) and reactor coolant makeup (RCMU) systems being OPERABLE and a low probability of scenarios. occurring that would require the PSW system during the 14 day period.

With both the PSW and SSF systems inoperable, action must be taken to restore the PSW *system to OPERABLE status within 7 days. The 7 day OCONEE UNITS 1, 2, & 3 B 3.7.10-6 Rev. 003

PSW System B 3.7.10 BASES ACTIONS B.1 (continued)

CT is based on the diverse heat removal capabilities afforded by other systems, reasonable times for repairs, and the low probability of scenarios occurring that would require the PSW system during this period.

If the Required Action and associated CT of Condition A or B is not met, action must be taken to restore the PSW system to OPERABLE status within 30 days. Operation for up to 30 days is permitted if risk-reducing

cqntingency measures are taken. The 30 days is from the time of discovery of initial inoperability.

The condition is modified by a note indicating that contingency measures are required to be in place prior to entry. The contingency measures provide additional assurance that key equipment is available. For example, the Keowee Hydroelectric Units (KHUs), Emergency Feedwater (EFW) pumps, High Pressure Injection (HPI) pumps, Elevated Water Storage Tank (EWST), and 230 kV switchyard, are key equipment which impact overall risk during the extended outage period. Unavailability of the specific equipment does not preclude entry into the condition nor does it require any action by this TS. Rather the appropriate actions for the specific equipment are specified in the applicable TS or Selected*

Licensee Commitments (SLC). For example, if the 1A HPI pump becomes inoperable before entry or becomes inoperable after entry, only TS LCO 3.5.2 (HPI), Condition A shall be entered for Unit 1 and the appropriate actions taken until the pump is restored. This does not preclude entry into LCO 3.7.10 Condition C.

The strategy for the contingency measures is to defer non-essential

surveillances or other maintenance activities wh.ere human error could.

increase the likelihood of a loss of offsite power (LOOP) or remove key equipment that is important to overall plant risk. This does not preclude surveillances required by technical specifications or corrective maintenance to equipment that is important to overall plant risk. Technical specification required surveillances and corrective maintenance are examples of essential activities.

The following contingency measures are applied to available key equipment to reduce plant risk:

No non-essential surveillances or other maintenance activities, or testing, will be conducted in the 230 kV switchyard.

No non-essential surveillances or other maintenance activities, or testing will be conducted on the Keowee Hydro Units' emergency power system and associated power paths.

OCONEE UNITS 1, 2, & 3 B3.7.10-7 Rev. 003 I

PSW System

- B 3.7.10 BASES ACTIONS C.1 (continued)

No non-essential surveillances or other maintenance activities, or testing, will be conducted on each unit's EFW motor-driven and turbine-driven pumps and associated equipment including the EFW cross connects.

No non-essential surveillances or other maintenance activities, or testing, will be conducted on the unit's HPI pumps and associated equipment.

No non-essential sul"Veillances or other maintenance activities, or testing, will be conducted on the EWST.

If the Required Action and associated CTs of Condition A; B, or C are not met, the unit(s) must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed CT is appropriate to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems, considering a three unit shutdown may be

required.

SURVEILLANCE SR 3.7.10.1 REQUIREMENTS Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the

condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The *

voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltage assumed in the battery sizing calculations. The surveillance frequency is in accordance wit.h the Surveillance Frequency Control Program.

SR 3.7.10.2 SR verifies availability of the Keowee Hydroelectric Station* power path to the PSW electrical system. Power path verification is included to demonstrate breaker OPERABILITY from the Ke.owee Hydroelectric Station to the PSW electrical system. To verify KHU-1 can supply the PSW electrical system, Breaker KPF-9 is closed. To verify KHU-2 can supply the PSW electrical system, Breaker KPF-10 is closed. *Breakers KPF-9 and KPF-10 are electrically interlocked such that breakers cannot be closed simultaneously. The interlock is tested periodically and each breaker's charging spring is verified to be discharged after breaker testing.

OCONEE UNITS 1, 2, & 3 B 3.7.10-8 Rev. 003 I

PSW System B 3.7.10 BASES SURVEILLANCE SR 3.7.10.2 (continued)

REQUIREMENTS Electrical interlocks prevent compromise of existing redundant emergency power paths. To verify either KHU can supply the PSW electrical system, the PSW Feeder Breaker [B6T-A] or [B7T-C and the PSW switchgear tie breaker] is closed. The Surveillance Frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.3 This SR requires the PSW primary and booster pumps be tested in accordance with the lnservice Test (IST) Program. The IST program verifies the developed head of PSW primary and booster pumps at flow test point is greater than or equal.to the required .developed.head. The specified Frequency is in accordance with l_ST Progra.m requirements.

SR 3.7.10.4 A battery service* test is a special test of the battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length correspond to the design duty cycle require~ents.

The surveillance frequency is in accordance with the Surveillance Frequency Control Program. *

SR 3.7.10.5 This SR verifies the design capacity of the battery charger. According to .

Regulatory Guide 1.32 (Ref. 1), the battery charger supply is

1 recommended to be based on the largest combined demands of the various steady state loads and the charging capacity to rester~ the battery from the design minimum charge state to the ~ully charged state,.

irrespective of the status of the unit during these demand occurrences.

-The minimum required amperes and duration ensure that these requirements can be satisfied.

This SR provides two options. One option requires that each battery charger be capable of supplying ~300 amps for greater than 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months at .

the minimum established float voltage. The current requirements are based on the output rating of the charger: The voltage requirements are based on the charger voltage level after a response to a loss of AC power. The time period is sufficient for the charger temperature to stabilize and to have been maintained for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

OCONEE UNITS f, 2, & 3 B 3.7.10-9 Rev. 003 I

PSW System B 3.7.10 BASES SURVEILLANCE SR 3.7.10.5 (continued)

REQUIREMENTS The other option requires that the battery charger be capable of recharging the battery after a service test coincident with supplying the largest coincident demands of the various continuous steady state loads (irrespective of the status of the plant during which these demands occur). This level of loading may not normally be available following the battery service test and will need to be supplemented with additional loads. The duration for this test may be longer than the charger sizing criteria since the battery recharge is affected by float voltage, temperature, and the exponential decay in charging current.

The battery is recharged when the measured charging current is ~ 2 amps.

The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.6 This SR verifies that the PSW switchgear can be aligned and power both the "A" and "B" HPI pump motors (not simultaneously). Although both pump motors are tested, only one (1) is required to support PSW system OPERABILITY. The surveillance frequency is in accordance with the Surveillance Frequency Control Program. Refer to the SR 3. 7.10. 7 table below for testing of the HPI power and transfer switches.

SR 3.7.10.7 This SR verifies that power transfer switc~es (shown in table below) for pressurizer heaters, PSW control, electrical panels, and valves, are functional for the required equipment.

1HPl-SX-ALGN001 (PSW HPI alignment switch) 2HPl-SX-ALGN001 (PSW HPI alignment switch) 3HPl-SX-ALGN001 (PSW HPI alignment switch) 1HPl-SX-TRN001 (1A HPI pump transfer switch) 1HPl-SX-TRN002 (1 B HPI pump transfer switch) 2HPl-SX-TRN001 (2AHPI pump transfer switch) 2HPl-SX-TRN002 (2B HPI pump transfer switch) 3HPl-SX-TRN001 (3A HPI pump transfer switch) 3HPl-SX-TRN002 (3B HPI pump transfer switch) 1HPl-SX-TRN003 (1 HP-24 PSW transfer switch) 1HPl-SX-TRN004 (1 HP-26 PSW transfer switch)

OCONEE UNITS 1, 2, & 3 B 3.7.10-10 Rev. 003 I

PSW System B 3.7.10 BASES SURVEILLANCE SR 3.7.10.7 (continued)

REQUIREMENTS

~..,.,*.*:nn

'/

" VW>

Ji'!-;)(~>\~

2HPl-SX-TRN003.(2HP-24 PSW transfer switch) 2HPl-SX-TRN004 (2HP-26 PSW transfer switch) 3HPl-SX-TRN003 (3HP-24 PSW transfer switch) 3HPl-SX-TRN004 (3HP-26-PSW transfer switch) 1PSW-SX-TRN001 (1CA CHARGER auto transfer switch) 1PSW-SX-TRN002 (1CB CHARGER auto transfer switch) 2PSW-SX-TRN001 (2CA CHARGER auto transfer switch) 2PSW-SX-TRN002 (2CB CHARGER auto transfer switch) 3PSW-SX-TRN001 (3CA CHARGER auto transfer switch) 3PSW-SX-TRN002 (3CB CHARGER auto transfer switch) 1PSW-SX-TRN004 (manual transfer switch for 1XJ) 1PSW-SX-TRN005 (manual transfer switch for 1XK) 2PSW-SX-TRN003 (manual transfer switch for 2XJ) -

2PSW-SX-TRN004 (manual transfer switch for 2XI) 2PSW-SX-TRN005 (manual transfer switch for 2XK) 3PSW-SX-TRN003 (manual transfer switch for 3XJ) 3PSW-SX-TRN004 (manual transfer switch for 3XI) 3PSW-SX-TRN005 (manual transfer switch for 3XK)

1RC-155/1 RC-156.powertransfer 1RC-157/1 RC-158 power transfer 1RC-159/1 RC-160 power transfer 2RC-155/2RC-156 power transfer 2RC-157/2RC-158 power transfer 2RC-159/2RC-160 power transfer 3RC-155/3RC-156 power transfer 3RC:-157/3RC-158 power transfer 3RC-159/3RC-160 power transfer The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.8 SR verifies PSW booster pump and check valves ca.n supply water to the "A" and "B" HPI pump motor coolers in accordance with the IST prowam.

OCONEE UNITS 1, 2, & 3 83.7.10-11 Rev.003 I

PSW System B 3.7.10 BASES SURVEILLANCE SR 3.7.10.9 REQUIREMENTS (continued) This SR requires that the PSW portable pump be tested to verify that the developed head of PSW portable pump at the flow test point is greater than br equal to the required developed head. The surveillance frequency is in accordance with the Surveillance Frequency Control Program .

. SR 3.7.10.10 This SR requires the required PSW valves be tested in accordance with the IST Program. The specified Frequency is in accordance with IST Program requirements.

SR3.7.10.11 Performance of the CHANNEL CHECK for each required instrumentation channel ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is n<;>rmally a comparison of the parameter indicated on one channel with a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two*instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The instrument string to the control room is checked and calibrated

. periodically per the Surveillance Frequency Control Program.

Agreement criteria are determined based on a combination of the channel i,nstrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled in accordance with the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.7.10-12 Rev.003 I

PSW System B3.7.10 BASES SURVEILLANCE SR 3.7.10.12 REQUIREMENTS (continued) CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.13 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function). *

The Surveillance Frequency is based on operating experience, equipment.

reliability, and plant risk and is controlled in accordance with the Surveillance Frequency Control Program.

.REFERENCES 1. Regulatory Guide 1.32, February 1977 .

2. 1o CFR 50.36 (last amended September ~4. 2008) ..

3. NFPA 805 Safety Evaluation Report, dated December 29, 2010.

4. IEEE-484-2002.

OCONEE UNITS 1, 2, & 3 B 3.7.10-13 Rev. 003

PSW Battery Cell Parameters B 3.7.10a B 3. 7 PLANT SYSTEMS B 3.7.10a PSW Battery Cell Parameters BASES BACKGROUND This LCO delineates the limits on battery float current as well as electrolyte temperature, level, and float voltage for the Protected Service Water (PSW) Power system batteries. In addition to the limitations of this Specification, the PSW Battery Monitoring and Maintenance Program specified in Specification 5.5.22 for monitoring various battery parameters is based on the recommendations of IEEE-450 (Ref. 1).

Each PSW battery consists of 60 cells (nominal) and either battery can meet the PSW DC System design basis duty cycle with up to two (2) cells jumpered out. A minimum of 58 of 60 cells are required for a battery to be considered OPERABLE.

The battery cells are of flooded lead acid construction with a nominal specific gravity of 1.215. This specific gravity corresponds to an open circuit battery voltage of approximately 124 V for 60 cell battery, i.e., cell voltage of 2.07 Volts per cell (Vpc). The open circuit voltage is the voltage maintained when there is no charging or discharging. Once fully charged with its open circuit voltage < 2.07 Vp:c, the battery cell will maintain its capacity for 30 days without further charging per manufacturer's instructions. Optimal long term performance however, is obtained by maintaining a float voltage 2.20 to 2.25 Vpc. This provides adequate over-potential which limits the formation of lead sulfate and self discharge. The nominal float volti::ige of 2.22 Vpc corresponds to a total float voltage output of 133.2 V for a 60 cell battery.

The PSW DC system consists of two (2) batteries, two (2) battery chargers, a distribution center and panelboards. Either battery can pe aligned to either battery charger. For PSW DC System OPERABILITY, only one (1) battery and one (1) battery charger is required to be aligned to the PSW DC Bus.

APPLICABLE The PSW system is not credited to mitigate design basis events. No SAFETY ANALYSES credit is taken in the safety analyses for PSW system operation following

design basis events. Based on its contribution to the reduction of overall plant risk, the PSW system satisfies Criterion 4of10 CFR 50.36 (c)(2)(ii)

(Ref. 3) and is therefore included in the Technical Specifications. Refer to the Applicable Safety Analysis discussion in the Bases for LC03.7.10.

OCONEE UNITS 1, 2, & 3 B 3.7.10a-1 Rev. 001

PSW Battery Cell Parameters B3.7.10a BASES (continued)

LCO For PSW DC System OPERABILITY, only one (1) battery and one (1) battery charger is required to be aligned to the PSW DC Bus*. A minimum of 58 of 60 cells are required for a battery to be considered OPERABLE.

PSW Battery parameters must remain within acceptable limits to ensure availability of the PSW DC power system after an occurrence that disables essential systems and components needed for safe shutdown.

Battery parameter limits are conservatively established, allowing continued PSW DC electrical system function even with limits not met. Additional preventative maintenance, testing, and monitoring for the PSW batteries are performed in accordance with the PSW Battery Monitoring and Maintenance Program specified in Specification 5.5.22.

APPLICABILITY The battery parameters are.required solely for the support of the associated PSW electrical power systems; therefore, battery parameter limits are only required when the PSW DC power source is required to be OPERABLE. Refer to the Applicability discussion in the Bases for LCO 3.7.10.

ACTIONS The exception for LCO 3.0.4 provided in the NOTE of the Actions, permits entry into MODES 1 or 2 with the PSW system not OPERABLE. This is acceptable because the PSW is not required to support normal operation of .

the facility or to mitigate a design basis event.

A.1. A.2. and A.3 With one or more cells in the required battery s 2.07 V, the battery cell is degradeq. Within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage (SR

3. 7 .10.1) and the overall battery state of charge by monitoring the battery float charge current (SR 3. 7.1 Oa.1). This assures that there is still sufficient battery capacity to perform the intended function. Therefore, the affected battery is not required to be considered inoperable solely as a result of one or more cells in a battery s 2.07 V, and continued operation .

is permitted for a limited period up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . *

Since the Required Actions only specify "perlorm," a failure of SR

3. 7.10.1 or SR 3.7.1 Oa.1 acceptance criteria does not result in this Required Action not met. However, if one of the SRs is failed, the OCONEE UNITS 1, 2, & 3 B 3.7.10a-2 Rev. 001

PSW Battery Cell Parameters B 3.7.10a BASES ACTIONS A.1. A.2 and A.3 (continued) appropriate Condition(s), depending on the cause of the failures, is entered. If SR 3. 7.1 Oa.1 is failed then there is no assurance that there is still sufficient battery capacity to perform the intended function and the battery must be declared inoperable immediately.

B.1 and B.2 A required battery with float current >2 amps indicates that a partial discharge of the battery capacity has occurred. This may be due to* a temporary loss of a battery charger or possibly due to one or more battery cells in a low voltage condition reflecting some loss of capacity. Within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months verification of the required battery charger OPERABILITY is made by monitoring the battery terminal voltage (SR 3. 7.10.1 ). If the terminal voltage is found to be less than the minimum established fl9at voltage,

there are two possibilities: (1) the battery charger is inoperable or (2) it is operating in the current limit mode. Condition A addresses charger inoperability. After 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , if the charger is operating in the current limit mode, it is an indication that the battery has been substantially discharged and likely cannot perform its required design functions. The time to return the battery to its fully charged condition in this case is a function of the battery charger capacity, the amount of loads on the associated DC system, the amount of the previous discharge, and the recharge characteristic of the battery. The charge time can be extensive, and there is not adequate assurance that it can be recharged within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (Required Action B.2). The battery must therefore be declared inoperable.

If the float voltage is found to be satisfactory but there are one or more battery cells with float voltage less than 2.07 V, the associated "OR" statement in Condition E is applicable and the battery must be declared inoperable immediately. If float voltage is satisfactory and there are no cells less than 2.07 V, there is reasonable assurance that, within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , the battery will be restored to its fully charg.ed condition (Required Action B.2) from any discharge that might have occurred due to a temporary loss of the battery charger.

A discharged battery with float voltage (the charger setpoint) across its terminals indicates that the battery is on the exponential charging current portion (the second part) of its recharge cycle. The time to return a battery to its fully charged state under this condition is simply .a function of the amount of the previous discharge and the recharge characteristic of the battery. Thus there is good assurance of fully recharging the battery within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

OCONEE UNITS 1, 2, & 3 B 3.7.10a-3 Rev. 001

PSW Battery Cell Parameters B 3.7.10a BASES ACTIONS B.1 and B.2 (continued)

If the condition is due to one or more cells in a low voltage condition but still greater than 2.07 V and float voltage is found to be satisfactory, this is not indication of a substantially discharged battery and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is a reasonable time prior to declaring the battery inoperable.

Since Required Action B.1 only specifies "perform," a failure of SR 3.7.10.1 acceptance criteria does not result in the Required Action not met.

However, if SR 3. 7.10.1 is failed, the appropriate Condition(s), depending on the cause of the failure, is entered.

C.1, C.2, and C.3 With the required battery with one or more cells electrolyte level above the top of the plates, but below the minimum established design limits, the battery still retains sufficient capacity to perform the intended function.

Therefore, the affected battery is not required to be considered inoperable solely as a result of electrolyte level not met. Within 31 days the minimum established design limits for electrolyte level must be re-established.

With electrolyte level below the top of the plates there is a potential for dryout and plate degradation. Required Actions C.1 and C.2 address this potential (as well as provisions in Specification 5.5.22, PSW Battery Monitoring arid Maintenance Program). They are modified by a note that indicates they are only applicable if electrolyte level is below the top of the plates. Within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months level is required to be restored to above the top of the plates. The Required Action C.2 requirement to verify that there is no leakage by visual inspection and the Specification 5.5.22 item to initiate action to equalize and test in accordance with manufacturer's recommendation are taken from Appendix D of IEEE-450 (Ref. 1 ). They are performed following the restoration of the electrolyte level to above the top of the plates. Based on the results of the manufacturer's recommended testing the battery may have to be declared inoperable and the affected cell[s] replaced.

With the required battery with pilot cell temperature less than the minimum established design limits, 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is allowed to restore the temperature to within limits. A low electrolyte temperature limits the current and power available. Since the battery is sized with margin, while battery capacity is degraded, sufficient capacity exists to perform the intended function and the affected battery is not required to be considered inoperable solely as a result of the pilot cell temperature not met.

OCONEE UNITS 1, 2, & 3 B 3.7.10a-4 Rev.001

PSW Battery Cell Parameters B 3.7.10a BASES ACTIONS (continued)

With the required battery having any battery parameter outside the allowances of the Required Actions for Condition A, B, C, or D,

sufficient capacity to supply the maximum expected load requirement is not assured and must be declared inoperable.

Additionally, discovering the required battery with one or more battery cells float voltage less than or equal to 2.07 V and float current greater than 2 amps indicates that the battery capacity may not be sufficient to perform the intended functions. The battery must therefore be declared inoperable immediately.

SURVEILLANCE SR 3.7.10a.1 REQUIREMENTS Verifying battery float current while on float charge is used to* determine the state of charge of the battery. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losse*s of a battery and maintain the battery in a charged state.

The float current requirements are based on the float current indicative of a charged battery. Use of float curren~ to determine the state of charge of the battery is consistent with IEEE-450 (Ref. 1). The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

This SR is modified by a Note that states the float current requirement is

not required to be met when battery terminal voltage is less than the minimum established float voltage of SR 3.7.10.1. When this float voltage is not maintained, the Required Actions of LCO 3.7.10a ACTION A are being taken, which provide the necessary and appropriate verifications of the battery condition. Furthermore, the float current limit of 2 amps is established based on the nominal float voltage value and is not directly applicable when this voltage is not maintained.

SR 3.7.10a.2 and SR 3.7.10a.5 Optimal long term battery performance is obtained by maintaining a float voltage greater than or equal to the minimum established design limits provided by the battery manufacturer, which corresponds to 2.20 Vpc.

This provides adequate over potential, which limits the formation of lead sulfate and self discharge, which could eventually render the battery inoperable. Float voltages in this range or less, but greater than 2.07 Vpc, are addressed in Specification 5.5.22. SRs 3.7.10a.2 and 3.7.10a.5 require verification that the cell float voltages are greater than the short term absolute minimum voltage of 2.07 V. The surveillance frequency is in accordance with_ the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.7.10a-5 Rev. 001

PSW Battery Cell Parameters B 3.7.10a BASES SURVEILLANCE SR 3.7.10a.3 REQUIREMENTS (continued) The limit specified for electrolyte level ensures that the plates suffer no physical damage and maintains adequate electron transfer capability. The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10a.4 This Surveillance verifies that the pilot cell temperature is greater than or equal to the minimum established design limit (60 °F). Pilot cell electrolyte temperature is maintained above this temperature to assure the battery can provide the required current and voltage to meet the design requirements.

Temperatures lower than assumed in battery sizing calculations act to inhibit or reduce battery capacity. The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10a.6 A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as-found condition, after having been in service, to detect any change in the capacity determined by the acceptance test. The test is intended to determine overall batt~ry degradation due to age and usage. ,

Either the battery performance discharge test or the modified performance discharge test is acceptable for satisfying SR 3. 7.1 Oa.6; however, only the modified performance discharge test may be used to satisfy the battery service test requirements of SR 3. 7.10.4.

A modified discharge test is a test of the battery capacity and its ability to provide a high rate, short duration load (usually the highest rate of the duty cycle). This will often confirm the battery's ability to meet the critical period of the load duty cycle, in addition to

determining its percentage of rated capacity. Initial conditions for the m_odified performance discharge test should be identical to those

i specified for a service test.

The modified discharge test may consist of just two rates; for instance the one minute rate for the battery or the largest current load of the duty cycle, followed by the test rate employed for the performance test, both of which envelope the duty cycle of the service test. Since the ampere-hours removed by a one minute discharge represents a very small portion of the battery capacity, the test rate can be changed to that for the performance

test without compromising the results of the performance discharge test.

OCONEE UNITS 1, 2, & 3 B 3.7.10a-6 Rev. 001

PSW Battery Cell Parameters B3.7.10a BASES SURVEILLANCE SR 3.7.10a.6 (continued)

REQUIREMENTS The battery terminal voltage for the modified performance discharge test must remain above the.minimum battery terminal voltage specified in the battery service test for the duration of time equal to that of the service test.

The acceptance criteria for this Surveillance are consistent with IEEE-450 (Ref. 1) and IEEE-485 (Ref. 2). These references recommend that the battery be replaced if its capacity is below 80% of the manufacturer's rating. A capacity of 80% shows that the battery rate of deterioration is increasing, even if there is ample capacity to meet the load requirements.

Furthermore, the battery is sized to meet the assumed duty cycle loads when the battery design capacity reaches this 80 percent limit.

The surveillance frequency is in accordance with the Surveillance Frequency Control Program. If the battery shows degradation, or if the battery has reached 85% of its expected life and capacity is < 100% of the manufacturer's rating, the Surveillance Frequency is reduced to 12 months. However, if the battery shows no degradation but has reached 85% of its expected life, the Surveillance Frequency is only reduced to 24 months for batteries that retain capacity ~ 100% of the manufacturer's ratings. Degradation is indicated, according to IEEE-450 (Ref. 1), when the battery capacity drops by more than 10% relative to its capacity on the previous performance test or when it is ~ 10% below the manufacturer's rating. These Frequencies are consistent with the recommendations in IEEE-450 (Ref. 1). .

REFERENCES 1. IEEE-450-1995.

2. IEEE-485-1983.

3. 10 CFR 50.36 (last amended September 24, 2008).

OCONEE UNITS 1, 2, & 3 B 3.7.10a-7 Rev. 001

SFPVS B 3.7.17 B 3. 7 PLANT SYSTEMS B 3. 7.17 Spent Fuel Pool Ventilation System (SFPVS)

BASES BACKGROUND Ventilation air for the Spent Fuel Pool Area is supplied by an air handling unit which consists of roughing filters, steam heating coil, cooling coil supplied by low pre~sure service water, and a centrifugal fan. In the normal mode of operation, the air from the Spent Fuel Pool Area is exhausted directly to the unit vents by the general Auxiliary Building exhaust fans. The filtered exhaust system consists of a single filter train

and two 100 percent capacity vane axial fans. The filter train utilized is*

the Reactor Building Purge Filter Train. The Unit 2 Reactor Building purge filter train is used for the combined Unit 1 and 2 Spent Fuel Pool Ventilation System, The Unit 3 Reactor Building purge filter train is used

.. for the Unit 3 SFP Ventilation System. The filter train is comprised of

prefilters, HEPA filters, and charcoal filters. To control the direction of air flow, i.e., to direct the air from the Fuel Pool Area to the Reactor Building Purge Filter Train, a series of pneumatic motor operated dampers are provided along with a crossover duct from the Fuel Pool to the. filter train.

The SFPVS is discussed in the UFSAR, Section 9.4.2, (Ref. 1).

APPLICABLE The analysis of the limiting*fuel handling accident, the cask drop SAFETY ANALYSES accident, given in Reference 2, assumes that a . certain number of fuel

.assemblies are** damaged. The OBA analysis for the cask drop accident, does not assume operation of the SFPVS in order to meet the requirements of 10 CFR 50.67 (Ref. 4). These assumptions and the analysis are consistent with the guidance provided in Regulatory

Guide 1.183 (Ref; 3).

The SFPVS does not satisfy the criteria in 10 CFR 50.36. The SFPVS is retained in this specification for ALARA purposes.

LCO With the adoption of the alternate source term and the installation of

various plant modifications, SFPVS is not credited in dqse analysis

calculations. Therefore, there are no specific operability requirements for this system.

OCONEE UNITS 1, 2, & 3 B 3.7.17-1 Rev.001 I

SFPVS B 3.7.17 BASES LCO An SFPVS train is considered OPERABLE when its associated:

(continued)

1. Fan is OPERABLE;

2. Filter trains are intact; and

3. Ductwork and dampers are OPERABLE, and air flow can be maintained.

APPLICABILITY During movement of recently irradiated fuel assemblies (i.e., fuel that has occupied part of a critical reactor core within the previous 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) in the fuel handling area, the SFPVS shall be OPERABLE.

ACTIONS A.1 and A.2 With one SFPVS train inoperable, the OPERABLE SFPVS train must be started immediately with its discharge through the associated reactor

building purge filter or recently irradiated fuel movement in the spent fuel pool suspended. This action ensures that the remaining train is OPERABLE, and that any active failures will be readily detected.

If the system is not placed in operation, this action requires suspension of recently irradiated fuel movement, which precludes a fuel handling accident. This action does not preclude the movement of recently irradiated fuel assemblies to a safe position.

OCONEE UNITS 1, 2, & 3 B 3.7.17-2 Rev. 001 I

SFPVS 83.7.17 BASES ACTIONS (continued)

When two trains of the SFPVS are inoperable during movement of recently irradiated fuel in the spent fuel pool, the unit must be placed in a condition in which the LCO does not apply. This Action involves immediately suspending movement of recently irradiated fuel assemblies in the spent fuel pool. This does not preclude the movement of recently irradiated fuel to a safe position.

SURVEILLANCE SR 3.7.17.1 REQUIREMENTS Standby systems should be checked periodically to ensure that they function properly. As the environment and normal operating conditions on this system are not severe, testing each train within 31 days prior to moving recently irradiated fuel assemblies provides an adequate check on this system. The system is no longer credited in dose analysis calculations and is not required to maintain 10 CFR 50.67 dose limits, but .

. is required for ALARA purposes.

SR 3.7.17.2 This SR verifies that the required SFPVS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes*testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test frequencies and additional information are discussed in detail in the VFTP.

REFERENCES 1. UFSAR, Section 9.4.2.

2. UFSAR, Section 15.11.

3. Regulatory Guide 1.183.

4. 10 CFR 50.67.

OCONEE UNITS 1, 2, & 3 B 3.7.17-3 Rev.001 I

AC Sources - Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The AC Power System consists of the offsite power sources (preferred power) and the onsite standby power sources, Keowee Hydro Units (KHU). This system is designed to supply the required Engineered Safeguards (ES) loads of one unit and safe shutdown loads of the other two units and is so arranged that no single failure can disable enough loads to jeopardize plant safety. The design of the AC Power System provides independence and redundancy to ensure an available source of power to the ES systems (Ref. 1). The KHU turbine generators are powered through a common penstock by water taken from Lake Keowee.

The use of a common penstock is justified on the basis of past hydro plant experience of the licensee (since 1919) which indicates that the cumulative need to dewater the penstock can be expected to be limited to about one day a year, principally for inspection, plus perhaps four days every tenth year.

The preferred power source is provided from offsite power to the red or yellow bus in the 230 kV switchyard to the units startup transformer and the E breakers. The 230 kV switchyard is electrically connected to the 525 kV switchyard via the autobank transformer. Emergency power is provided using two emergency power paths, an overhead path and an underground path. The underground emergency power path is from one KHU through the underground feeder circuit, transformer CT-4, the CT-4 incoming breakers (SK breakers), standby bus and the standby breakers (S breakers). The standby buses may also receive offsite power from the 100 kV transmission system through transformer CT-5 and the CT-5

incoming breakers (SL breakers). The overhead emergency power path is from the other KHU through the startup transformer and the startup incoming breakers (E breakers). In addition to supplying emergency power for Oconee, the KHUs provide peaking power to the generation system. During periods of commercial power generation, the KHUs are operated within the acceptable region of the KHU operating restrictions.

This ensures that the KHUs are able to perform their emergency power functions from an initial condition of commercial power generation. The KHU operating restrictions for commercial power generation are contained in UFSARChapter 16, (Ref. 2). The standby buses can also OCONEE UNITS 1, 2, & 3 B 3.8.1-1 Rev. 002 I

AC Sources - Operating

B 3.8.1 BASES BACKGROUND

receive power from a combustion turbine generator at the Lee Steam (continued) Station through a dedicated 100 kV transmission line, transformer CJ-5, and both SL breakers. The 100 kV transmission line cari 'be supplied from a Lee combustion turbine (LCT) and electrically separated from the system grid and offsite loads. The minimum capacity a_vailable from any of the multiple sources of AC power is 22.4MVA (limited by CT-4 and CT-5 transformer capacities).

APPLICABL~ The initial conditions of design basis transient and accident analyses .

SAFETY ANALYSIS in the UFSAR Chapter.6 (R~f. 4) and Chapter 15 (Ref. 5) assume ES systems are OPERABLE. The A,C power system is designed to provide sufficient capacity, c*apability, redundancy, and reliability to ensure the availability of necessary power to ES systems so that the fuel, reactor

- coolant system, and containment design limits are not exceeded.

Consistent with the accident analysis assumptions of a loss of offsite

power (LOOP) and a singl~ failure of one onsite emergency power path, two onsite ~mergency power sources are required to be OPERABLE:

AC Sources - Operating are part of the primary success path and function to mitigate an accider:it or transient that presents a challenge to

the integrity ofa fission product barrier. As such, AC Sources -

Operating satisfies th_e requirements of Criterion 3 of 10 CFR 50.36

(Ref. 3).*

LCO Two sources on separate towers connected to the 230 kV switchyard to a unit startup transformer and one main feeder bus are required to be '

.. OPERABLE. Two KHUs with one capable of automatically providing power through the underground emergency powe~ path to both main feeder buses and the other capable of automatically providing power through the overhead emergency pow.er path to both main feeder buses

are required to be OPERABLE. The Keowee Reservoir level is required to be ~ 775 feet above sea level to support OPERABILITY of the KHUs.

The zone overlap protection circuitry is required to be OPERABLE when the overhead electrical disconnects for the KHU associated with the underground power path are closed to provide single failure protection for the KHUs. The zone overlap protection circuitry includes the step-up transformer lockout, the underground KHU lockout, the Keowee

. emergency start signal, and the underground breaker for the overhead KHU to ensure the zone overlap protection circuitry logic is OPERABLE:

OCONEE UNITS 1, 2, & 3 B 3.8.1-2 Rev.002 I

AC Sources - Operating B 3.8.1 BASES LCO Operable offsite sources are required to be "physically independent" (continued) (separate towers) prior to entering the 230 kV switchyard. Once the 230 kV lines enter the switchyard, an electrical pathway must exist through OPERABLE power circuit breakers (PCBs) and disconnects such that both sources are available to energize the Unit's startup transformer either automatically or with operator.action. Once within the boundary of the switchyard, the electrical pathway may be the same for both independent offsite sources. In addition, at least one E breaker must be available to automatically supply power to a main feeder bus from the energized startup transformer. The voltage provided to the startup transformer by the two independent offsite sources must be sufficient to ensure ES equipment will operate. Two of the following offsite sources.

are required:

1) Jocassee (from Jocassee) Black or White,

2) Dacus (from North Greenville) Black or Whit~.

3) Oconee (from Central) Black or White,

4) Calhoun (from ce*ntral) Black or White, 5). Autobank transformer fed from either the Asbury (from Newport), Norcross (from Georgia Power), or Katoma (from Jocassee) 525 kV. line.

An OPERABLE KHU and its required emergency power path are required* .

to be able to provide sufficient power within specified limits of voltage and frequency within 23 seconds after an emergency start initiate signal and includes its required emergency power path, required instrumentatipn, controls, auxiliary and DC power, cooling and seal water, lubrication and

' other auxiliary equipment necessary to perform its safety function. Two

emergency power paths are available. One emergency power path.:

consists of an underground circuit while the other emergency power pathway uses an overhead ci~cuit through the 230 kV switchyard.

OCONEE UNITS 1, 2, & 3 B 3.8.1-3 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES LCO An OPERABLE KHU and its required overhead emergency power path (continued) must be capable of automatically supplying power from the KHU through the KHU majn step-up transformer, the 230 kV yellow bus, the Unit startup transformer and both E breakers to both main feeder buses. At least one channel of switchyard isolation (by actuation from degraded grid voltage protection) is required to be OPERABLE to isolate the 230 kV switchyard yellow bus. If closed, each N breaker must be capable of opening using either of its associated breaker trip circuits. KPF-9 (for KHU1) and KPF-1 O (for KHU2) must remain open since there is no engineering analysis that ensures that the associated KHU can power both PSW and Engineered Safeguards (ES) system loads should an event occur (with the breaker closed). Either of*

the following combinations provides an acceptable KHU and required overhead emergency power path:

Keowee Hydro Unit Keowee Hydro Unit 1A) Keowee Unit 1 generator, 1B) Keowee Unit 2 generator, 2A) Keowee ACB 1 (enabled by 2B) Keowee ACB 2 (enabled by one channel of Switchyard one channel of Switchyard Isolate Complete), Isolate Complete),

3A) Keowee auxiliary transformer 3B) Keowee auxiliary transformer 1X, Keowee ACB 5, Keowee 2X, Keowee ACB 6, Keowee Load Center 1X, Load Center 2X, 4A) Keowee MCC 1XA, 4B) Keowee MCC 2XA, 5A) Keowee Battery #1, Charger 5B) Keowee Battery #2, Charger

1 or Standby Charger, and * #2 or Standby Charger, and

Distribution Center 1DA, Distribution Center 2DA, 6A) ACB-1 to ACB-3 interlock, 6B) ACB-2 to ACB-4 interlock, 7A) Keowee Unit 1 Voltage and 7B) Keowee Unit 2 Voltage and Frequency out of tolerance Frequency out of tolerance (OOT) logic (OOT) logic

8) Keowee reservoir level~ 775 feet above sea level, BA) KPF-9 is OPEN with closing 8B) KPF-10 is OPEN with closing*

spring discharged, . spring discharged, Overhead Emergency Power Path

9) Keowee main step-up transformer,

10) PCB 9 (enabled by one channel of Switchyard Isolate Complete),

11 ) The 230kV switchyard yellow bus capable of being isolated by one channel of Switchyard Isolate,

12) A unit startup transformer and associated yellow bus PCB (CT-1/PCB18, CT-2 /PCB 27, CT-3 /PCB 30),

13) Both E breakers.

OCONEE UNITS 1, 2, & 3 B 3.8.1-4 Rev. 002

AC Sources - Operating B 3.8.1 BASES LCO An OPERABLE KHU and its required underground emergency (continued) power path must be capable of automatically supplying power from the KHU through the underground feeder, transformer CT-4, both standby buses, and both Unit S breakers to both main feeder buses. If closed, each N breaker and each SL breaker must be capable of opening using either of its associated breaker trip circuits. KPF-9 (for KHU 1) and KPF-10 (for KHU2) must remain open since there is no engineering analysis that ensures that the associated KHU can power both PSW and Engineered Safeguards (ES) system loads should an event occur (with the breaker closed). Either of the following combinations provides an acceptable KHU and required underground emergency power path:

Keowee Hydro Unit Keowee Hydro Unit 1A) Keowee Unit 1 generator, 1B) Keowee Unit 2 generator, 2A) Keowee ACB 3, 2B) Keowee ACB 4, 3A.1) Keowee auxiliary 3B.1) 'Keowee au.xiliary transformer CX, Keowee transformer CX, Keowee ACB 7, Keowee Load ACB 8, Keowee Load Center 1X, Center 2X, 3A.2) One Oconee Unit 1 S 3B.2) One Oconee Unit 1 S breaker capable of breaker capable of feeding switchgear 1TC, feeding switchgear 1TC, 3A.3) Switchgear 1TC capable 3B.3) Switchgear 1TC capable of feeding Keowee of feeding Keowee auxiliary transformer ex, auxiliary transformer ex, "4A) Keowee MCC 1XA, 4B) Keowee MCC 2XA, 5A) Keowee Battery #1, 5B) Keowee Battery #2, Charger #1 or Standby Charger #2 or Standby Charger, and Distribution Charger; and Distribution Center 1DA, Center 2DA, 6A) ACB-1 to ACB-3 interlock, 6B) ACB-2 to ACBA interlock, 7A) Keowee Unit 1 Voltage 7B) . Keowee Unit 2 Voltage and Frequency OOT logic and Frequency OOT logic

8) Keowee reservoir level~ 775 feet above sea level, BA) KPF-9 is OPEN with closing. BB) KPF-10 is OPEN with closing spring discharged, spring discharged, Underground Emergency Power Path

9) The underground feeder,

10) Transformer CT-4, 11 ) Both SK breakers,

12) Both standby buses,

13) Both S breakers, and

14) ACB-3 to ACB-4 interlock.

OCONEE UNITS 1, 2, & 3 B 3.8.1-5 Rev. 002

AC Sources - Operating B 3.8.1 BASES LCO This LCO is modified by three Notes. Note 1 indicates that a unit startup (continued) transformer may be shared with a unit in MODES 5 and 6. Note 2 indicates that the requirements of Specification 5.5.18, "KHU Commercial Power Generation Testing Program," shall be met for commercial KHU power generation. Note 3 indicates that the requirements of Specification 5.5.19, "Lee Combustion Turbine Testing Program," shall be met when a Lee Combustion Turbine (LCT) is used to comply with Required Actions.

APPLICABILITY The AC power sources are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of accidents and transients, and b: Adequate core cooling is provided, and containment OPERABILITY and other vital functions are maintained in the event of a postulated accident.

AC source requirements during MODE 5 and 6 are covered in LCO 3.8.2, AC Sources-Shutdown.

ACTIONS The ACTIONS are modified by a Note. The Note excludes the MODE change restriction of LCO 3.0.4 when both standby buses are energized from an LCT via an isolated power path to comply with Required Actions.

This exception allow entry into an applicable MODE while relying on the ACTIONS even though the ACTIONS may eventually require a µnit shutdown. This exception is acceptable due to the additional capabilities afforded when both standby buses are energized from an LCT via an isolated power path.

A.1. A.2. A.3.1. and A.3.2 In the event a startup transformer becomes inoperable, it effectively causes the emergency overhead power path and both of the offsite sources to be inoperable. A KHU and its required underground power path remain available to ensure safe shutdown of the unit in the event of a tran~ient or accident without a single failure.

OCONEE UNITS 1, 2, & 3 B 3.8.1-6 Rev. 002

AC Sources - Operating B 3.8.1 BASES ACTIONS A.1. A.2, A.3.1. and A.3.2. (continued)

Operation may continue provided the KHU and its required underground emergency power path are tested using SR 3.8.1.3 within one hour if not performed in the previous 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This Required Action provides assurance that no undetected failures have occurred in the KHU and its required underground emergency power path. Since Required Action A.1 only specifies "perform," a failure of SR 3.8.1.3 acceptance criteria does not result in a Required Action not met. However, if the KHU and its required underground emergency path fails SR 3.8.1.3, both emergency power paths and both required offsite circuits are inoperable, and Condition I for both KHUs and their required emergency power paths inoperable for reasons other than Condition G and H is entered concurrent with Condition A.

If available, another Unit's startup transformer should be aligned to supply power to the affected Unit's auxiliaries so that offsite power sources and the KHU an_d its required overhead emergency power path will also be available if needed. Although this alignment restores the availability of the offsite sources and the KHU and its ~equired overhead emergency power path, the shar~d startup transformer's capacity and voltage adequacy could be challenged under certain DBA conditions.

The shared alignment is acceptable because the preferred mode of Unit shutdown is with reactor coolant pumps providing forced circulation and due to the low likelihood of an event challenging the capacity of the shared transformer during a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months period to bring a Unit to MODE 5.

Required Action A.3.1 requires that the unit startup transformer be restored to OPERABLE status and normal startup bus alignment in. 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months or Required Action 3.2 requires designating one. unit sharing the startup transformer, to be shutdown. For example, if Unit 1 and 2 are operating and CT-2 becomes inoperable, Unit 2 may align CT-1 to be available to the Unit 2 main feeder buses ahd continue operating for up to 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . At that time, if CT-2 has not been restored to OPERABLE status, one Unit must be "designated" to be shutdown. The designated Unit must be shut down per ACTION B. Note that with one Unit in MODES 1, 2, 3 or 4 and another Unit in a condition other than MODES 1, 2, 3, or 4, the units may share a startup transformer indefinitely provided that the loads on the unit not in MODES 1, 2, 3 or 4 are maintained within acceptable limits. For example, if Unit 1 is in MODE 5 and CT-2 becomes inoperable, Unit 2 may align CT-1 to the Unit 2 main feeder buses and continue operation indefinitely.

OCONEE UNITS 1, 2, & 3 B3.8.1-7 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES ACTIONS B.1 and B.2 (continued)

When a unit is designated to be shutdown due to sharing a unit startup transformer per Required Action A.3.2, the unit must be brought to a MODE in which the LCO does not apply, since the shared unit startup transformer's capacity could be challenged under certain OBA conditions.

To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an or~erly manner and without challenging unit systems.

C.1. C.2.1. C.2.2.1', C.2.2.2, C.2.2.3, C.2.2.4. and C.2.2.5 With the KHU or its required overhead emergency power path inoperable due to reasons other than an inoperable startup transformer (Cc;mdition A), sufficient AC power sources remain available to ensure safe shutdown of the unit in the event of a transient or accident. Operation may continue if the OPERABILITY of the remaining KHU and its required underground emergency power path is determined by performing SR 3.8.1.3 within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months if not performed in the previous 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and once every 7 days thereafter .. This demonstration assures the remaining

emergency power path is not inopera.ble due to a common cause or other failure. Testing on a 7 day Frequency is acceptable since both standby buses must be energized from an LCT via an isolated power path when in Condition C for > 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . When the standby buses are energized by an LCT via an isolated power path, the likelihood that the OPERABLE KHU and its required underground emergency power path will be required is decreased. Since Required Action C.1 only specifies "perform," a failure of SR 3.8.1.3 acceptance criteria does not result in a Required Action not met. SR 3.8.1.3 is only required to be performed when the KHU associated with the underground emergency power path is OPERABLE.

If the KHU and its required underground emergency path fails SR 3.8.1.3, both KHUs and their required emergency power paths are inoperable, and Condition I (Both KHUs or their required emergency power paths inoperable for reasons other than Condition G or H) is entered concurrent with Condition C.

OCONEE UNITS 1, 2, & 3 B 3.8.1-8 Rev. 002 I

AC Sources ~ Operating B 3.8.1 BASES ACTIONS C.1. C.2.1, C.2.2.1, C.2.2.2, C.2.2.3. C.2.2.4. and C.2.2.5 (continued)

If the inoperable KHU or its required overhead emergency power path are not restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months as required by Required Action C.2.1. a controlled shutdown must be initiated as required by the Required Actions for Condition M unless the extended Completion Times of Required Action C.2.2.5 are applicable. The second Completion Time for Required Action C.2.1 establishes a limit on the maximum time allowed for a KHU to be inoperable during any single contiguous occurrence of having a KHU inoperable. If Condition C is.

entered as a result of switching an inoperable KHU from the underground to the overhead emergency power path, it may have bee*n inoperable for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This could lead to a total of 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months since the initial ** .

failure of the KHU. The second Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time the *KHU become inoperable, instead of at the time Condition C was entered.

The extended Completion Times of Required Action C.2.2.5 apply wheri the KHU or its required overhead emergency power path is inoperable due to an inoperable Keowee IT!ain step-up transformer, an inoperable KHU (if not used for that KHU in the previous 3 years), or a KHU made inoperable to perform generator field pole rewind work. In 9rder to use .

the extended Completion Times, within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of entering Condition C both standby buses must be energized from an LCT (Required Action C.2.2.1 ), KHU generation to the grid except for testing must be suspended (Required Action C.2.2.2), the remaining KHU and its required underground emergency power path and both required offsite sources must be verified OPERABLE, the LCOs indicated in Required Action C.2.2.3 must be verified to be met, and alternate power source capability must be verified by performing SR 3.8.1.16.

Required Action C.2.2.5 permits maintenance and repair of a Keowee main step-up transformer which requires longer than 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

Transformer replacement is rare but is time extensive. A 28 day Completion Time'is permitted by Required Action C.2.2.5 to restore the KHU and its overhead power path to OPERABLE status when inoperable due to an inoperable Keowee main step-up transformer: This allows a reasonable period of time for transformer replacement.

Required Action C.2.2.5 also permits maintenance and repair of a KHU which requires longer than 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The primary long term maintenance items are expected to be hydro turbine runner and discharge ring welding OCONEE UNITS 1, 2, & 3 B 3.8.1-9 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES ACTIONS C.1. C.2.1. C.2.2.1. C.2.2.2. C.2.2.3, C.2.2.4, and C.2.2.5 (continued) repairs which are estimated to be necessary every six to eight years*.

Also, generator thrust and guide bearing replacements are necessary.

Other items which manifest as failures are expected to be rare and may be performed during the permitted maintenance periods. The 45-day Completion Time of Required Action C.2.2.5 is allowed to be applied cumulatively over a rolling three year period for each KHU. This Completion Time is 45 days from discovery of initial inoperability of the KHU. This effectively limits the time the KHU can be inoperable to 45 days from discovery of initial inoperability rather than 45 days from entry into Condition C and precludes any additional time that may be gained as a result of switching an inoperable KHU from the underground to' the overhead emergency power path. The Completion Time is modified by three notes. Note 1 indicates that the Completion Time is cumulative per a rolling 3-year time period for each KHU. For example, if KHU-1 is inoperable for 15 days, the 45-day Completion Time for KHU-1 is

reduced to 30 days for the rolling 3-year time period containing the 15 day inoperability. This requires a review of entries for the previous 3 years to determine the remaining time allowed in the 45-day Completion Time. If the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time of C.2.1 is not exceeded, the

.45-day Completion is not applicable and is not reduced. Notes 2 and 3 indicate the Compl~tion Time is not applicable during generator field pole rewind work or until one year after the KHU is declared OPERABLE following generator field pole rewind work. Note 2 is added to avoid using up the 45-day Completion Time concurrent with the 62-day Completion Time and preserves some time to perform emergent maintenance work should the need arise after a one year waiting period.

Note 3 is added to require a one year waiting period prior to use.

The temporary 62-day Completion Time of Required Action C.2.2.5 is allowed for each KHU to perform generator field pole rewind work. The 62-day Completion Time is modified by three notes that provide conditions for using the extended outage. Note 1 indicates that no discretionary maintenance or testing is allowed on the Standby Shutdown Facility (SSF), Emergency Feedwater (EFW), and* essential alternating current (AC) Power Systems. Note 2 indicates that the 62-day Completion Time is only applicable one time for each KHU due to generator field pole rewind work and expires on January 1, 2015. Note 3 indicates that it is only applicable if the SSF and EFW are administratively verified OPERABLE prior to entering the extended Completion Time. This increases the probability, even in the unlikely event of an additional failure, that the risk significant systems will function as required to support their safety function.

Required Actions C.2.2.1, C.2.2.2, C.2.2.3, and C.2.2.4 must be met in order to allow the longer restoration times of Required Action C.2.2.5.

OCONEE UNITS 1, 2, & 3 B3.8.1-10 Rev. 002

AC Sources - Operating B 3.8.1 BASES ACTIONS C.1. C.2.1. C.2.2.1. C.2.2.2, C.2.2.3, C.2.2.4. and C.2.2.5 (continued)

Required Action C.2.2.1 requires that both standby buses be energized using an LCT through the 100 kV transmission circuit. With this arrangement ( 100 kV transmission circuit electrically separated from the system grid and all offsite loads), a high degree of reliability for the emergency power system is provided. In this configuration, the LCT is serving as a second emergency power source, however, since the* 100 kV transmission circuit is vulnerable to severe weather a time limit is imposed. The second Completion Time of Required Action C.2.2.1 permits the standby buses to be re-energized by an LCT within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months in the event this source is subsequently lost. Required Action C.2.2:2 requires suspension of KHU generation to the grid except for testing.

The restriction reduces the number of possible failures which could cause loss of the underground emergency power path. Required Action C.2.2.3 requires verifying by administrative means that the remaining KHU and its required underground emergency power path and both required offsite sources are OPERABLE. This provides additional assurance that-offsite power will be available. In addition, this assures that the KHU and its required underground emergency power path are available .

. Required Action C.2.2.3 also requires verifying by administrative means that the requirements of the following LCOs are met:

LCO 3.8.3, "DC Sources - Operating;"

LCO 3.8.6, "Vital Inverters - Operating;"

LCO 3.8.8, "Distribution Systems - Operating;"

LCO 3.3.17, "EPSL Automatic Transfer Function;"

LCO 3.3.18, "EPSL Voltage Sensing Circuits;"

LCO 3.3.19, "EPSL 230 kV Switchyard DGVP;" and LCO 3.3.21, "EPSL Keowee Emergency Start Function."

This increases the probability, even in the unlikely event of an additional failure, that the DC power system and the 120 VAC Vital Instrumentation power panelboards will function as required to support EPSL, power will not be lost to ES equipment, and EPSL will function as required.

OCONEE UNITS 1, 2, & 3 B3.8.1-11 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES ACTIONS C.1. C.2.1. C.2.2.1. C.2.2.2, C.2.2.3. C.2.2.4. and C.2.2.5 (continued)

Verifying by administrative means allows a check of logs or other information to determine the OPERABILITY status of required equipment in place of requiring unique performance of Surveillance Requirements.

If the AC Source is subsequently determined inoperable, or an LCO stated in Required Action C.2.2.3 is subsequently determined not met, continued operation up to a maximum of four hours is allowed by ACTION L. Required Action C.2.2.3 is modified by a note indicating that it is not applicable to the remaining KHU and its required underground emergency power path or LCO 3.3.21 when in Condition H to perform generator field pole rewind work. This note is needed to allow entry into the 60 hour6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months dual unit outage to reassemble the refurbished KHU and return it to functional condition, as well as perform balance runs and shots, post modification testing, and a commissioning run prior to

.declaring the refurbished KHU operable. Without this note, entry into Condition L would be required allowing only 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months to restore the KHU and its required underground path and only 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to restore compliance with LCO 3.3.21 .

. Required Action C.2.2.4 requires verifying alternate power source capability by performing SR 3.8.1.16. This confirms that entry into Condition C is due only to an inoperable main step-up transformer or an inoperable KHU, as applicable. If SR 3.8.1.16 is subsequently determined not met, continued operation up to a maximum of four hours is allowed by ACTION L.

D.1, D.2 and D.3 With the KHU or its required underground emergency power path inoperable, sufficient AC power sources remain available to ensure safe shutdown of the unit in the event of a transient or accident. Operation may continue for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months if the remaining KHU and its required overhead emergency power path are tested using SR 3.8.1.4 within one hour if not performed in the previous 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . SR 3.8.1.4 is only required to be performed when the KHU associated with the overhead emergency power path is OPERABLE. This Required Action provides assurance that no undetected failures have occurred in the overhead emergency power path. Since Required Action D.1 only specifies "perform," a failure of SR 3.8.1.4 acceptance criteria does not result in a Required Action not met. However, if the KHU and its required overhead emergency path fails SR 3.8.1.4, both KHUs and their required

emergency power paths are inoperable, and Condition I for both KHUs and their emergency power paths inoperable for reasons other than Condition G or H is entered concurrent with Condition D. This OCONEE UNITS 1, 2, & 3 B 3.8.1-12 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES ACTIONS D.1. D.2 and D.3 (continued) demonstration is to assure that the remaining emergency power path is not inoperable due to a common cause or due to an undetected failure.

For outages of the KHU and its required underground emergency power path in excess of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , an LCT (using the 100 kV transmission circuit electrically separated from the grid and offsite loads) must energize a standby bus prior to the outage exceeding 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This ensures the availability of a power source on the standby buses when the KHU and its required underground emergency power path are out of service in excess of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The second Completion Time of Required Action D.2 permits the standby buses to be re-energized by an LCT within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months in the event this source is subsequently lost.

The second Completion Time for Required Action D.3 establishes a limit on the maximum time allowed for a KHU to be inoperable during any single contiguous occurrence of having a KHU inoperable. If Condition D is entered as a result of switching an inoperable KHU from the overhead to the underground emergency power path, it.may have been inoperable for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This could lead. to a total of 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months since the initial failure of the KHU. The second Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time the KHU become inoperable, instead of at the time Condition D was entered.

E.1 and E.2 If the Required Action and associated Completion Time for Required Action D.2 are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for one Oconee unit and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for other Oconee unit(s) and to MODE 5 within 84 hour~. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 and F.2 With the zone overlap protection circuitry inoperable when the overhead electrical disconnects for the KHU associated with the underground power path are closed, the zone overlap protection circuitry must be restored to OPERABLE status or the overhead electrical disconnects must be opened within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this Condition, both KHUs and their required emergency power paths are OPERABLE, however a single failure could result in the loss of both KHUs.

OCONEE UNITS 1, 2, & 3 B3.8.1-13 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES*

ACTIONS (continued)

With both emergency power paths inoperable due to an E breaker and S breaker inoperable on the same main feeder bus, one breaker must be restored to OPERABLE status. In this Condition, both emergency power paths can still provide power to the remaining main feeder bus.

I H.1 and H.2 With both KHUs or their required emergency power paths inoperable for planned maintenance or test with both standby buses energized from an LCT via an isolated power path, the KHU must be restored to OPERABLE status within 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months . Operation with both KHUs and their required power paths inoperable is permitted for 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months provided that both standby buses are energized using an LCT through the 100 kV transmission circuit and the requirements of the Note to the Condition are met. The Note to the Condition indicates that it may only be entered when both offsite sources are verified by administrative means to be OPERABLE and the requirements of the following LCOs are verified by' .

administrative means to be met:

LCO 3.8.3, "DC Sources - Operating;"

LCO 3.8.6, "Vital Inverters - Operating;"

LCO 3.8.8, "Distribution Systems - Operating;"

LCO 3.3.17, "EPSL Automatic Transfer Function;"

LCO 3.3.18, "EPSL Voltage Sensing Circuits;" and LCO 3.3.19, "EPSL 230 kV Switchyard DGVP."

This increases the probability, even in the unlikely event of an additional failure, that the DC power system and the 120 VAC Vital Instrumentation power panelboards will function as required to support EPSL, power will .

not be lost to ES equipment, and EPSL will funCtion as required.

OCONEE UNITS 1, 2, & 3 B 3.8.1-14 Rev. 002

AC Sources - Operating B 3.8.1 BASES ACTIONS H.1 and H.2 (continued)

Verifying by administrative means allows a check of logs or other information to determine the OPERABILITY status of required equipment in place of requiring unique performance of Surveillance Requirements.

If the AC Source is subsequently determined inoperable, or an LCO stated in the Nole to Condition H is subsequently determined not met, continued operation up to a maximum of four hours is allowed by ACTION L.

With both standby buses energized from an LCT via an isolated power path (100 kV transmission circuit electrically separated from the system grid and all offsite loads), a high degree of reliability for the emergency power system is provided. In this configuration, the LCT is serving as the Oconee emergency power source, however, since the.Oconee Units are vulnerable to a single failure of the 100 kV transmission circuit a time limit of 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months is imposed. Required Action H.1 permits the standby buses to be re-energized by an LCT within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months in the event this source is subsequently lost. The second Completion Time of Required Action H.2 limits the amount of time two KHUs can be inoperable during the 45-day Completion Time of Required Action C.2.2.5 to a cumulative 240 hours0.00278 days 0.0667 hours 3.968254e-4 weeks 9.132e-5 months over a rolling 3-year period. This requires a review of entries for the .

previous 3 years to qetermine the remaining time allowed in the 240-hour Completion Time. This limits the dual i<HU outage time when using the 45-day Completion Time* of Required Action C.2.2.5 on a cumulative basis over a 3-year time period.

If both emergency power paths are restored, unrestricted operation may continue. If only one power path is restored, operation *may continue per ACTIONS C or D.

1.1, 1.2, and 1.3 With both KHUs or their required emergency power paths inoperable for reasons other than Conditions G and H, insufficient standby AC power.

sources are available to supply the minimum required ES functions. In this Condition, the offsite power system is the only source of AC power

available for this level of degradation. The risk .associated with continued operation for one hour without an emergency power source is considered acceptable due to the low likelihood of a LOOP during this time period, and because of the potential for grid instability caused by the simultaneous shutdown of all three units. This instability would increase the probability of a total loss of AC power. Operation with both KHUs or their required power paths inoperable is permitted for 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months provided that Required Actions 1.1 and 1.2 are met. Required Action 1.1 requires that both standby buses be energized using an LCT via an isolated power OCONEE UNITS 1, 2, & 3 B3.8.1-1S Rev. 002

AC Sources - Operating B 3.8.1 BASES ACTIONS 1.1, 1.2. and 1.3 (continued) path. With this arrangement (100 kV transmission circuit electrically separated from the system grid and all offsite loads), a high degree of reliability for the emergency power system is provided. In this configuration, the LCT is serving as the Oconee emergency power source, however, since the Oconee Units are vulnerable to a single failure of the 100 kV transmission circuit a time limit of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is imposed. The second Completion Time of Required Action 1.1 permits

.the standby buses to be re-energized by an LCT within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months in the event this source is subsequently lost. Required Action 1.2 requires that the OPERABILITY status of both offsite sources be determined by administrative means and that the OPERABILITY status of equipment required by the following LCOs be determined by administrative means:

LCO 3.8.3, "DC Sources - Operating;"

LCO 3.8.6, "Vital Inverters - Operating;"

LCO 3.8.8, "Distribution Systems - Operating;"

LCO 3.3.17, "EPSL Automatic Transfer Function;"

LCO 3.3.18, "EPSL Voltage Sensing Circuits;" and LCO 3.3.19, "EPSL 230 kV Switchyard DGVP."

This increases the probability, even in the unlikely event of an additional :

failure, that the DC power system and the 120 VAC Vital Instrumentation power panelboards will function *as required to support EPSL, power will not be lost to ES equipment, and EPSL will function as required.

Determining by administrative means allows a check of logs or other information to determine the OPERABILITY status of required equipment in place of requiring unique performance of Surveillance Requirements.

If the AC Source is initially or subsequently determined inoperable, or an LCO stated in Required Action 1.2 is initially or subsequently determined not met, continued operation up to a maximum of four hours is allowed by ACTION L.

If both emergency power paths are restored, unrestricted operation may continue. If only one power path is restored, operation may continue per ACTIONS C or D.

OCONEE UNITS 1, 2, & 3 B 3.8.1-16 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES ACTIONS J.1. J.2. and J.3 (continued)

With one or both required offsite sources inoperable for reasons other than Condition A, sufficient AC power sources are available to supply necessary loads in the event of a OBA. However, since the AC power system is degraded below the Technical Specification requirements, a time limit on continued operation is imposed. With only one of the required offsite sources OPERABLE, the likelihood of a LOOP is increased such that the Required Actions for all required offsite circuits inoperable are conservatively followed. The risk associated with continued operation for one hour without a required offsite AC source is considered acceptable due to the low likelihood of a LOOP during this time period, and because of the potential for grid instability caused by the simultaneous shutdown of all three units.

Operation with one or both required offsite sources inoperable is permitted for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months provided that Required Actions J.1 and J.2 are met. Required Action J.1 requires that both standby buses be en~rgized using an LCT via an isolated power path . .With this arrangement (100 kV transmission circuit electrically separated from the system grid and all

offsite loads), a high degree- of reliability for the emergency power system is provided. In this configuration, the LCT is serving as an emergency power source, however, since the Oconee units are vulnerable to a single failure of the 100 kV transmission circuit a time limit is imposed. The second Completion Time of Required Action J.1 permits the standby buses to be re-energized by an LCT within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months in the event this source is subsequently lost. Required Action J.2 requires that the OPERABILITY status of both KHUs and their required emergency power paths be determined by administrative means and that the OPERABILITY status of equipment required by the following LCOs be determined by administrative means:

LCO 3.8.3, "DC Sources - Operating;"

LCO 3.8.6, "Vital Inverters - Operating;"

LCO 3.8.8, "Distribution Systems - Operating;"

LCO 3.3.17, "EPSL Automatic Transfer Function;"

LCO 3.3.18, "EPSL Voltage Sensing Circuits;"

LCO 3.3.19, "EPSL 230 kV Switchyard DGVP," and LCO 3.3.21, "EPSL Keowee Emergency Start Function."

OCONEE UNITS 1, 2, & 3 B3.8.1-17 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES ACTIONS J.1. J.2. and J.3 (continued)

This increases the probability, even in the unlikely event of an additional failure, that the DC power system and the 120 VAC Vital Instrumentation power panelboards will function as required to support EPSL, power will not be lost to ES equipment, and EPSL will function as required.

Determining by administrative means allows a check of logs or other information to determine the OPERABIL,.ITY status of required equipment in place of requiring unique performance of Surveillance Requirements.

If the AC Source is initially or subsequently determined inoperable, or an LCO stated in Required Action J.2 is initially or subsequently determined not met, continued operation up to a maximum of four hours is allowed by ACTION L.

The two trip circuits for each closed N and SL breakers are required to ensure both breakers will open. An N breaker trip circuit encompasses those portions of the breaker control circuits necessary t6 trip the associated N breaker from the output of the 2 out of 3 logic matrix formed by th~ auxiliary transformer's undervoltage sensing circuits up to and including an individual trip coil for the associated N breaker. The undervoltage sensing channels for the auxiliary transformer are addressed in LCO 3.3.18, "Emergency Power Switching Logic (EPSL)

Voltage Sensing Circuits." An SL breaker trip circuit encompasses those

portions of the breaker control circuits necessary to trip the SL breaker from the output of both 2 out of 3 logic matrices formed by each standby bus's undervoltage sensing circuits up to and including an individual trip coil for the associated SL breaker. The undervoltage sensing channels for the CT- 5 transformer are addressed in LCO 3.3.18, "Emergency Power Switching Logic (EPSL) Voltage Sensing Circuits." With one trip circuit inoperable a single failure could cause an N or SL breaker to not open. This could prevent the transfer to other available sources.

Therefore, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed to repair the trip circuit or open the breaker (opening the breaker results in exiting the Condition). The Completion Time is based on engineering judgement taking into consideration the time required to complete the required action and the availability of the remaining trip circuit.

A Note modifies the Condition, indicating that separate Condition Entry is permitted for each breaker. Thus, Completion Times are tracked separately for the N1, N2, SL 1, and SL2 breaker.

OCONEE UNITS 1, 2, & 3 B 3.8.1-18 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES ACTIONS L.1. L.2, and L.3 (continued)

With an AC Source inoperable or LCO not met, as stated in Note for Condition H entry; or with an AC Source i"noperable or LCO not met, as stated in Required Action C.2.2.3 when in Condition C for > 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ; or with an AC Source inoperable or LCO not met, as stated in Required Action 1.2 or J.2 when in Conditions I or J for> 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ; or with SR 3.8.1.16 not met, Required Action L.1,. L.2 and L.3 requires restoration within four hours. Condition L is modified by a Note indicating that separate Condition entry is permitted for each inoperable AC Source, and LCO or SR not met. The Required Action is modified by a Note that allows the remaining OPERABLE KHU and its required emergency power path to be made inoperable if required to restore both KHUs and their required emergency power paths to OPERABLE status. This note is necessary since certain actions such as dewatering the penstock may be necessary to restore the inoperable KHU although these actions would also cause both KHUs to be inoperable.

The purpose of this Required Action is to restrict the allowed outage time

for an inoperable AC Source or equipment required by an LCO when in Conditions C, H, I or J. For Conditions I and J when the LCOs stated are initially not met, the maximum Completion Time is four hours or the remaining Completion Time allowed by the stated LCO, whichever is shorter.

M.1 and M.2 If a Required Action and associated Completion Time for Condition C, F, G, H, I, J, Kor Lare not met; or if a Required Action and associated Completion Time are not met for Required Action D.1 or D.3, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.8.1.1 REQUIREMENTS This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are OCONEE UNITS 1, 2, & 3 83.8.1-19 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.1 (continued)

REQUIREMENTS connected to their power source, and that appropriate separation of offsite sources is maintained .. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.2 This SR verifies adequate battery voltage when the KHU batteries are on float charge. This SR is performed to verify KHU battery OPERABILITY..

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.3 This SR verifies the availability of the KHU associated with the underground ~mergency power path to start automatically and energize the underground power path. Utilization of either the auto-start or emergency start sequence assures the control function OPERABILITY by verifying proper speed control and voltage. Power path verification is included to demonstrate breaker OPERABILITY from the KHU onto the standby buses. This is accomplished by closing the Keowee Feeder Breakers (SK) to energize each deenergized standby bus. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.4 This surv.eillance verifies the availability of the KHU associated with the overhead emergency power path. Utilization of either the auto-start or emergency start sequence assures the control function OPERABILITY by verifying proper* speed control and voltage. The ability to supply the overhead emergency power path is satisfied by demonstrating the ability to synchronize (automatically or manually) the KHU with the grid system.

If an automatic start of the KHU is performed and a manual synchronization is desired, the KHU will need to be shutdown and re-started in manual to allow a manual synchronization of the KHU. The SR also requires that the underground power path be energized after removing the KHU from the overhead emergency power path. This surveillance can be satisfied by first demonstrating the ability of the KHU OCONEE UNITS 1, 2, & 3 B 3.8.1-20 Rev. 002

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.4 (continued)

REQUIREMENTS associated with the underground emergency path to energize the underground path then synchronizing the KHU to the overhead emergency power path. The SR is modified by a Note indicating that the requirement to energize the underground emergency power path is not applicable when the overhead disconnects are open for the KHU associated with the underground emergency power path or 2) when complying with Required Action D.1. The latter exception is necessary since Required Action D.1 continues to be applicable ~hen both KHUs are inoperable.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled und~r the Surveillance Frequency Control Program.

SR 3.8.1.5 This surveillance verifies OPERABILITY of the trip functions of each closed SL and each closed N breaker. Neither of these breakers have any automatic clqse functions; therefore, only the t~ip coils require verification. Cycling of each breaker demonstrates functional OPERABILITY and the coil monitor circuits verify the integrity of each trip coil. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR modified by a Note that states it is not required to be performed for an SL breaker when its standby bus is energized from a LCT via an isolated power path. This is necessary since the standby buses are*

required to be energized from a LCT by several Required Actions of Specification 3.8.1 and. the breakers must remain closed to energize the standby buses from a LCT.

SR 3.8.1.6 Infrequently used source breakers are cycled to ensure OPERABILITY.

The Standby breakers are to be cycled one breaker at a time to prevent inadvertent interconnection of two units through the standby bus breakers. Cycling the startup breakers verifies OPERABILITY of the breakers and associated interlock circuitry between the normal and startup breakers. This circuitry provides an automatic, smooth, and safe transfer of auxiliaries in both directions between sources. The Surveillance Frequency is based on operating experience, equipment OCONEE UNITS 1, 2, & 3 B 3.8.1-21 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.6 (continued)

REQUIREMENTS reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note which states the SR is not required to be performed for an S breaker when its standby bus is energized from a LCT via an isolated power path. This is necessary since the standby buses are required to be energized from a LCT by several Required Actions of Specification 3.8.1 and cycling the S breakers connects the standby buses with the main feeder buses which are energized from another source.

SR 3.8.1.7 The KHU tie breakers to the underground path, ACB3 and ACB4, are interlocked to prevent cross-connection of the KHU generators. The safety analysis utilizes two independent power paths for accommodating single failures in applicable accidents. Connection of both generators to the underground path compromises the redundancy of the emergency power paths. Installed test logic is used to verify a circuit to the close coil on one underground ACB does not exist with the other underground ACB closed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.8 Each KHU tie breaker to the underground emergency power path and tie breaker to the overhead emergency path, are interlocked to prevent the

unit associated *with the underground circuit from automatically connecting to the overhead emergency power path. The safety analysis utilizes two independent power paths for accommodating single failures in applicable accidents. Connection of both generators to the overhead emergency power path compromises the redundancy of the emergency power paths. Temporary test instrumentation is used to verify a circuit to the close coil on the overhead ACB does not exist with the Underground ACB closed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.8.1-22 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 REQUIREMENTS (continued) This surveillance verifies the KHUs' response time to an Emergency Start signal (normally performed using a pushbutton in the control room) to ensure ES equipment will have adequate power for accident mitigation.

UFSAR Section 6.3.3.3 (Ref. 6) establishes the 23 second time requirement for each KHU to achieve rated frequency and voltage based on the assumption that an engineered safeguards actuation in one unit occurs simultaneously with a loss of offsite power to all three units.

Emergency start without a design basis event or minimal load such as unit shutdown could conceivably cause the KHU to experience overshoot or over-frequency.

This surveillance also verifies the KHU's steady-state frequency is ~ 59.4 Hz ands 61.8 Hz. These limits were established to ensure key mechanical systems and equipment have adequate frequency for accident mitigation. The limits are automatically maintained by Keowee control systems. A nominal time of 60 seconds following the Emergency Start signal is sufficient time to begin. monitoring steady state operation.

Since the only available loads of adequate magnitude for simulating an accident is the grid, subsequent loading on the grid is required to verify the KHU's ability to assume rapid loading under accident conditions.

Sequential block loads are not available to fully test this feature. This is the reason for the requirement to load the KHUs at the maximum practical rate'. The Surveillance Frequency is based on op~rating

experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.10 A battery service test is a special test of the battery capability, as fourid, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference 4.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.8.1-23 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 REQUIREMENTS (continued) Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially.degrade battery performance. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.12 Verification of cell to cell connection cleanliness, tightness, and proper coating with anti-corrosion grease provides an indication of any abnormal condition, and assures continued OPERABILITY of the battery. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.13.

The KHU underground ACBs have a control feature which Will automatically close the KHU, that is pre-selected to the overhead path, into the underground path upon an electrical fault in the zone overlap region of the protective relaying. This circuitry prevents an electrical fault in the zone overlap region of the protective relaying from locking out both emergency power paths during dual KHU grid generation. In order to ensure this circuitry is OPERABLE, an electrical fault is simulated in the zone overlap region and the associated underground ACBs are verified to operate correctly. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note indicating the SR is only applicable when the overhead disconnects to the underground KHU are closed. When the overhead disconnects to the underground KHU are open, the circuitry preventing the zone overlap protective lockout of both KHUs is not needed.

SR 3.8.1.14 This surveillance verifies OPERABILITY of the trip functions of the SL and N breakers. This SR verifies each trip circuit of each breaker OCONEE UNITS 1, 2, & 3 B 3.8.1-24 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued)

REQUIREMENTS (continued) independently opens each breaker. Neither of these breakers have any automatic close functions; therefore, only the trip circuits require verification. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The SR is modified by a Note indicating that the SR is not required for an SL breaker when its standby bus is energized by a LCT via an isolated power path. This is necessary since the standby buses are required to be energized from a LCT by several Required Actions of Specification 3.8.1 and the breakers must remain closed to energize the standby buses from a LCT.

SR 3.8.1.15 This surveillance verifies proper operation of the 230 kV switchyard circuit .

breakers upon an actual or simulated actuation of the Switchyard Isolation circuitry. This test causes an actual switchyard isolation (byactuation of degraded grid voltage protection) and alignment of KHUs to the overhead and underground emergency power paths. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The effect of this SR is not significant because the generator red bus tie breakers and feeders from the Oconee 230 kV switchyard red bus to the system grid remain closed. Either Switchyard Isolation Channel causes full system realignment, which involves a complete switchyard realignment. To avoid excessive switchyard circuit breaker cycling, realignment and KHU emergency start functions, this SR need be performed only once each SR interval.

SR 3.8.1.16 This SR verifies by administrative means that one KHU provides an .

alternate manual AC power source capability by manual or automatic KHU start with manual synchronize, or breaker closure, to energize its non-required emergency power path. That is, when the KHU to the

.overhead emergency power path is inoperable, the SR verifies by administrative means that the overhead emergency power path is OPERABLE. When the overhead emergency power path is inoperable, the SR verifies by administrative means that the KHU associated with the overhead emergency power path is OPERABLE.

OCONEE UNITS 1, 2, & 3 B 3.8.1-25 Rev. 002 I

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.16 (continued)

REQUIREMENTS This SR is modified by a Note indicating that the SR is only applicable when complying with Required Act.ion C.2.2.4.

SR 3.8.1.17 This SR verifies the Keowee Voltage and Frequency out of tolerance logic trips and blocks closure of the appropriate overhead or underground power path breakers on an out of tolerance trip signal. The Surveillance

Frequency is based on operating experience, equipment reliability, and plant risk and is c9ntrolled under the Surveillance Frequency Control Program.

There are three over voltage relays, three under voltage relays, and. three over/under frequency relays per KHU with each relay actuating an auxiliary relay used to provide two out of three logic. These relays monitor generator output voltage and if two phases are above/below setpoint, prevent the power path breakers from closing o*r if closed, provide a trip signal which is applied after a time delay, to open the power path breakers. Testing demonstrates that relays actuate at preset values, that timers time out and that two under voltage relays, two over

'voltage relays, or two over/under frequency relays will actuate the logic channel. This ensures that the power path breakers will not close and if closed, will trip after a preset time delay that becomes effective when the KHU first reaqhes the required frequency and voltage band.

REFERENCES 1. UFSAR, Section 3.1.39

2. UFSAR, Chapter 16

3. 10 CFR 50.36

4. -UFSAR, Chapter 6

5. UFSAR, Chapter 15

6. UFSAR, Section 6.3.3.3 .1 OCONEE UN.ITS 1, 2, & 3 B 3.8.1-26 Rev. 002 I

DC Sources - Operating B 3.8.3 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.3 DC Source~ - Operating BASES

BACKGROUND The 125 VDC Vital l&C electrical power sources provide the AC emergency power system with control power. It also provides both motive power and control power for selected safety related equipment.

Additionally, the 125 voe Vital l&C electrical power sources provide DC electrical power through DC panelboards to the inverters, which in turn supply the AC Vital instrumentation power panelboards.

The 125 VDC Vital l&C electrical power system is a system consisting of six power sources shared by the three Oconee units. Each unit has its own two power sources with backup sources supplied to the unit's 125 VDC Vital Instrumentation distribution system from another unit using a network of isolating diode assemblies. This provides necessary redundancy and independence for the 125 VDC Vital l&C power sources.

Each source consists of one 125 VDC battery, the associated battery charger (Normal or Standby) for each battery, the distribution center, the associated control equipment, isolating transfer diodes and interconnecting cabling. Additionally, there is one standby battery charger shared between each unit's batteries, which provides backup service in the event that the preferred (Normal) battery charger is out of service.

The 125 VDC l&C batteries of a unit are physically separated in separate enclosures from batteries of another unit to minimize their exposure to.

any damage. The battery chargers and associated DC distribution centers and switchgear of a unit are located in separate rooms from the battery chargers and associated DC distribution centers of another unit in the auxiliary building and physical separation is maintained between redundant equipment.

During normal operation, the 125 VDC Vital l&C loads are powered from the battery chargers with the batteries floating on the system. In case of loss of power to a battery charger, the associated DC loads are automatically powered from the 125 VDC Vital l&C battery. Each battery has adequate storage capacity to carry the required load continuously for at least 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

OCONEE UNITS 1, 2, & 3 B 3.8.3-1 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES BACKGROUND Each 125 VDC Vital l&C power source has ample power output capacity (continued) for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient capacity to restore the battery from the design minimum charge to its fully charged state while supplying normal steady state loads.

The 230 kV switchyard 125 VDC Power System provides power to power circuit breakers, protective and control relays, indicating lights, annunciators, carrier equipment and other switchyard equipment requiring an uninterrupted power source.

The 230 kV switchyard 125 VDC Power System consists of two sources.

Each source consists of one 125 VDC battery, the associated battery.

charger (Normal or Standby) for each battery, distribution panel, and associated control equipment and interconnecting cabling. Redundant batteries are located in separate rooms and redundant chargers, distribution centers and panelboards are located on different walls of the 230 kV switchyard relay house. Additionally, there is one standby battery charger shared between the sources, which provides backup service in the event that the preferred (Normal) battery charger is out of service.

During normal operation, the 230 kV .1.25 VDC loads are powered from

. the battery chargers with the batteries floating on the system. In case of loss of power to a battery charger, the associated DC load is automatically powered from the 230 kV 125 VDC battery. Each battery has adequate storage capacity to carry the required load continuously for at least 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Therefore, the temporary alignment of both battery chargers to the same train of input power for testing or maintenance is allowed provided both batteries meet the requirements for energizing their respective panelboards as stated in the Bases for LCO 3.8.8, "Distribution System - Operating."

Each 230 kV 125 VDC power source has ample power output capacity for the steady state operation of connected loads required during normal operation, while at the same time maintaining its battery bank fully charged. Each battery charger also has sufficient capacity to restore the battery from the design minimum charge to its fully charged state while supplying normal steady state loads.

The 125 VDC Vital l&C power and 230 kV 125 VDC power distribution systems are described in more detail in the Bases for LCO 3.8.8, "Distribution System - Operating," and for LCO 3.8.9, "Distribution Systems - Shutdown."

OCONEE UNITS 1, 2, & 3 B 3.8.3-2 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES (continued)

APPLICABLE The initial conditions of accident and transient analyses in the UFSAR, SAFETY ANALYSES Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safeguards (ES) systems are OPERABLE. The 125 VDC Vital l&C electrical power system provides normal and emergency DC electrical power for the emergency auxiliaries, and control and switching during all MODES of operation.

The 230 kV switchyard 125 VDC Power System provides control power for circuit breaker operation in the 230 kV switchyard as well as DC power for degraded grid voltage protection circuits during all MODES of operation.

The OPERABILITY of the DC sources is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining the DC sources OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite AC power or all onsite AC power; and

b. A worst-case single failure.

The DC sources satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO Each required 125 VDC electrical source consisting of one battery, associated battery charger (Normal or Standby), distribution center and the corresponding control equipment and interconnecting cabling

. supplying power to the associated panelboards is required to be OPERABLE to ensure the availability of the required power to shut down the reactor and maintain it in a sate condition after an anticipated transient or an accident. The battery chargers are OPERABLE when they are energized or available to be energized during a power source transfer.

For operation of any Oconee unit, three of four 125 VDC Vital l&C Sources capable of supplying the unit's DC distribution system shall be OPERABLE as follows:

Unit 1: 1CA, 1CB, 2CA, 2CB Unit 2: 2CA, 2CB, 3CA, 3CB Unit 3: .3CA, 3CB, 1CA, 1CB and aligned to at least one panelboard provided that a power source is not the only source for two or more of the Unit's panelboards. The three of four requirement ensures that a single failure will not result in a loss of OCONEE UNITS 1, 2, & 3 B 3.8.3-3 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES LCO power to more than one 125 VDC Vital l&C panelboard. This (continued) requirement ensures supported safety functions are not vulnerable to a single failure.

When any other unit is in MODES 1, 2, 3, or 4, two additional 125 VDC Vital l&C Sources are required to be OPERABLE as modified by LCO Note 2. When no other Unit is in MODES 1, 2, 3, or 4, one additional 125 VDC Vital l&C power source is required to be OPERABLE as modified by LCO Notes 2 and 3. These additional requirements ensure sufficient capacity and voltage for supported DC loads assuming a single failure.

The requirement that two 230 kV 125 VDC sources be OPERABLE ensures that supported safety functions are not vulnerable to a single failure.

The LCO is modified by three Notes. Note 1, which applies to Units 2 and 3 only, indicates that no single 125 VDC Vital l&C source shall be the only source for panelboards 1DIC and 1DID. This is necessary since vital l&C panel boards 1DIC and 1DID supply power for SK and SL breaker control, protective relaying for both standby buses, breaker control for both standby breakers for the three Oconee units, and retransfer to startup source logic circuits for the three Oconee units. The requirement that no single 125 VDC source be the only source of power for : .

panelboards 1DIC and 1DID ensures than a single failure will not result in a loss of power to both panelboards. This requirement ensures supported safety functions are not vulnerable to a single failure.

Note 2 indicates that each additional 125 VDC Vital l&C source required by part b or part c of the LCO shall be connected to at least one panelboard associated with the unit where the.source is physically located. For example, when applying the LCO requirements to Unit 1, an additional source from Unit 2 must be connected to at least one Unit 2

panelboard ahd an additional source from Unit 3 must be connected to at least one Unit 3 panelboard. If the additional sources are from Unit 3, each additional source need only be connected to at least one Unit 3 panelboard. Note 3 specifies that the additional 125 VDC Vital l&C power source required by LCO 3.8.3 part c shall not be a power source that is available to meet the three of four requirement of LCO 3.8.3 part a. This ensures that there is one source physically located on each unit not in MODES 1, 2, 3, or 4. For example; when applying the LCO requirements to Unit 1, the additional source cannot be a Unit 1 or Unit 2 power source since these are available to meet the three of four requirement. Therefore, a Unit 3 power source must be OPERABLE.

Note 2 and 3 requirements are necessary to assure assumptions in the DC capacity and voltage drop analyses for the operating unit are valid.

OCONEE UNITS 1, 2, & 3 B 3.8.3-4 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES (continued)

APPLICABILITY The DC electrical power sources are required to be OPERABLE in M9DES 1, 2, 3, and 4 to ensure safe unit operation and to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of transients and accidents; and

b. Adequate core cooling is provided, and containment integrity and other vital functions are maintained in the event of a postulated accident.

_The DC electrical power requirements for MODES 5 and 6 are addressed in the Bases for LCO 3.8.4, "DC Sources - Shutdown."

ACTIONS The ACTIONS are modified by a Note indicating that the Completion Times for Required Actions A through Dare reduced when in Condition L of LCO 3.8.1. Condition L limits the Completion Time for restoring inoperable power sources to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months when emergency power source( s) or offsite power source(s) are inoperable for extended time periods or for specific reasons.

With one of the required 125 VDC Vital l&C sources inoperable, the.

remaining sources are fully capable of providing adequate voltage to the four unit DC panel boards and will assure alignment of power to at least*

three panelboards. Three panelboards are necessary to shut down th.e operating unit and maintain it in a safe shutdown condition. However, overall reliability is reduced because an additional failure could result in the minimum required ES functions not being supported. Therefore, the.

inoperable source must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Required Action A.1- is modified by a Note indicating that it is not .

applicablE:l for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to perform an equalization charge after completion of a performance test or service test. This note allows a maximum Completion Time of 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months (a cumulative 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for an inoperable battery due to performing a service or performance test plus 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to perform an equalization charge). The allowed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months includes the amount of time prior to and after the equalization charge ..

The Completion Time for this Required Action is based on engineering judgment, taking into consideration the extent of degradation involved, the likelihood of events or failures which could challenge the system, and the time required to complete the equalization charge.

OCONEE UNITS 1, 2, & 3 B 3.8.3-5 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES ACTIONS (continued)

In this condition, a single failure of a battery (or its associated equipment) could cause loss of more than one unit panelboard during an accident, so that required safety functions might not be supported. Specifically, if a single source were providing the only power source for panelboards DIA and DIB, single failure of the source would result in failure of both ES digital channels. Vulnerability of the ES digital channels to single failure for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is considered acceptable due to the limited scope of potential failures. Similarly, if the panelboards are isolated from their backup Unit (e.g., the Unit's DC system is isolated from the other Units),

a single failure could result in loss of two or more panelboards so that required safety functions may not be supported. If the panelboards are isolated from their backup Unit when one of that Unit's batteries are inoperable (and the DC buses are cross tied), the remaining battery has the capacity to support all required loads, however, a single failure could .

result in loss of.all four panelboards so that required safety functions may not be supported. Therefore, within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after such a condition arises, affected equipment shall be restored and aligned such that no single source is the only battery power supply for more than one 125 VDC Vital l&C panelboard for the unit under consideration. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is based on engineering judgement taking into consideration the time to complete the Required Action and the redLmdancy available in the 125 VDC Vital l&C System.

With a single source providing the only power supply for 125 VDC Vital l&C panelboards 1DIC and 1DID, a single failure of a battery (or its associated equipment) could cause loss of both panelboards, so that required automatic EPSL functions for all three units may not be supported, These panelboards provide primary and backup control power for the SK and SL breaker control power, standby bus protective.

relaying, standby breaker control power and retransfer to startup logic.

Therefore, within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after such a condition arises, affected equipment shall be restored and aligned such that no single source is the only battery power supply for both DC panelboards 1DIC and 1DID.

'The Completion Time is based on engineering judgement, provides a reasonable time to complete repairs and considers the redundancy available in the 125 VDC Vital l&C DC System.

This Condition is modified by a Note indicating that this ACTION is only applicable to Units 2 and 3. For Unit 1 the appropriate action is specified in ACTION B.

OCONEE UNITS 1, 2, & 3 B 3.8.3-6 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES ACTIONS (continued)

With one of the required 230 kV switchyard DC power sources inoperable, the remaining source is fully capable of providing adequate voltage to the associated panelboards and is fully capable of powering the necessary panelboards. However, another failure of a DC source or panelboard could result in failure of the overhead emergency power path.

In addition, in the event of grid voltage degradation the station and onsite emergency power sources could fail to separate from the grid.

Therefore, the inoperable source mus~ be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The Completion Time for this Required Action is based on engineering judgment, taking into consideration the extent of degradation involved, the likelihood of events or failures which could challenge the system, and the time required to complete the required actions.

Required Action D.1 is modified by two notes. Note 1 indicates that Required Action D.1 is not applicable for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to perform an equalization charge after completion of a performance test or service test. This note allows a maximum Completion Time of 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months (a cumulative 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for an inoperable battery due to performing a service or performance test plus 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to perform an equalization charge).

The allowed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months includes the amount of time prior to and after the equalization charge.

Note 2 indicates that Required Action D.1 is not applicable for up to 10 days for replacement of an entire battery bank and the performance of necessary tests to restore the battery to service. Relief from Required Action D.1 for 10 days during the replacement of a battery bank is based on taking the compensatory measures listed below:

1. The Switchyard batteries will be replaced one bank at a time.

The health of the in-service battery will be evaluated prior to beginning the replacement. Once good health is established, the loads will be tied together on the remaining, in-service battery which is fully capable of powering all of the loads.

2. Verify the grid reliability for the duration of the evolution.

3. Verify that the transmissions operator's Real Time Contingency Analysis Program is functioning.

4. Ensure that work on the Lee circuit is restricted during the evolution and that it is protected.

5. Verify the underground path circuit from Keowee is available and protected.

6. Ensure the standby charger is aligned to the alternate power source from the inservice battery charger.

7. Treat the 480 VAC Power system as a protected train.

OCONEE UNITS 1, 2, & 3 B 3.8.3-7 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES ACTIONS D.1 (continued)

8. No discretionary maintenance or testing will be performed in the Standby Shutdown Facility, Emergency Feedwater System, and 230kV Relay House.

E.1 and E.2 If the inoperable DC electrical power source! cannot be restored to OPERABLE status within the required Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This Surveillance verifies that the distribution centers are functioning properly, with the correct circuit breaker alignment to the isolating transfer diodes. The correct breaker alignment ensures the appropriate separation and independence is maintained, and the appropriate voltage is available to each required isolating transfer diode. The verification of proper voltage availability on the distribution centers ensures that the required voltage is readily available for isolating transfer diodes connected to these distribution centers. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.2 Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.8.3-8 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES SURVEILLANCE SR 3.8.3.3 REQUIREMENTS (continued) Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance. The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.4 Visual inspection of inter-cell, inter-rack, inter-tier, and terminal connections provide an indication of physical damage or abnormal deterioration that could indicate degraded battery condition. The anticorrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.3.5 A battery service test is a special test of the battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length should correspond to the design duty cycle requirements as specified in Reference 4.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 B 3.8.3-9 Rev. 001 I

DC Sources - Operating B 3.8.3 BASES SURVEILLANCE SR 3.8.3.6 REQUIREMENTS (continued) This SR requires battery capacity be verified in accordance with the Battery Discharge Testing Program. A battery performance discharge test is a test of constant current capacity of a battery, normally done in the as found condition, after having been in service, to detect any change in the capacity determined by the acceptance test.

The test is intended to determine overall battery degradation due to age and usage.

The Surveillance Frequencies for this test are in accordance with the Battery Discharge Testing Program and are consistent with the recommendations in IEEE-450 (Ref. 5). These periodic frequencies are based on the outcome of the previous battery capacity test.

REFERENCES 1. UFSAR; Chapter 6.

2. UFSAR, Chapter 15.

3. 10 CFR 50.36.

4. UFSAR, Chapter 8.

5. IEEE-450-1987.

OCONEE UNITS 1, 2, & 3 B 3.8.3-10 Rev. 001 I

Distribution Systems - Operating

. B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems - Operating BASES BACKGROUND The onsite AC, DC, and AC vital electrical power distribution systems are divided into redundant and independent AC, DC, and AC vital electrical power distribution buses and panelboards.

The electrical power distribution system consists of two 4.16 kV main feeder buses each connected to three 4.16 kV Engineered Safeguards (ES) power strings, and secondary 600 V load centers; and 600 V and 208 V motor control centers. Both main feeder buses can be connected to the offsite sources or the emergency power sources. Upon a loss of power to the normal unit auxiliary transformer, the main feeder buses are transferred to the startup transformer powered from either the offsite sources through the 230 kV switchyard or the overhead emergency

power path. If power is not available from the startup transformer, the main feeder buses are transferred to the standby buses powered from either the underground emergency power path or a Lee combustion turbine using a 100 kV transmission line separated from the system grid and offsite loads .. Control power for the 4 ..16 kV breakers is supplied fro.m the 125 VDC Vital l&C batteries. Control power for the circuit breakers in the 230 kV switchyard is provided from the 230 kV Switchyard 125 VDC batterie~. Additionally, power to grid voltage protection circuits are also provided from the 230 kV switchyard 125 VDC batteries. Additional description of this system may be found in the Bases for LCO 3.8.1, "AC Sources - Operating," and the Bases for LCO 3.8.3, "DC Sources - Operating."

The 120 VAC Vital Instrumentation panelboards are normally powered from the inverters. The alternate power supply for the vital panelboards

., is a regulated voltage source and its use is governed by LCO 3.8.6, "Inverters - Operating." Each regulated voltage source is powered from a non-safety related non-load shed source.

There are four 125 VDC Vital l&C panelboards supplying power to DC .

loads. Each 125 VDC l&C panelboard is connected to two *125 VDC Vital l&C sources through isolating transfer diodes. Upon a loss of power from either source, power is supplied to the panelboard through the redundant source. There are two 230 kV switchyard 125 VDC sources each

supplying power to three required DC panelboards.

OCONEE UNITS 1, 2, & 3 B 3.8.8-1 Rev.001 I

Distribution Systems - Operating B 3.8.8 BASES (continued)

APPLICABLE The initial conditions of accidents and transient analyses in the UFSAR, SAFETY ANALYSES Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume ES systems are OPERABLE. The AC, DC, and AC vital electrical power distribution systems are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ES systems so that the fuel, Reactor Coolant System, and containment design limits* are not exceeded. These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS); and Section 3.6, Containment Systems .

. The OPERABILITY of the AC, DC, and AC vital electrical power distribution systems is consistent with the initial assumptions of the accident analyses and is based upon meeting the design basis of the unit. This includes maintaining power distribution systems OPERABLE during accident conditions in the event of:

a. An assumed loss of all offsite power or all onsite AC electrical power; and

b. A worst-case single failure.

The distribution systems satisfy Criterion 3 of the .10 CFR 50.36 (Ref. 3).

LCO The AC, DC, and AC vital electrical power distribution systems are required to be OPERABLE. To be considered OPERABLE the AC Distribution System must include two energized main feeder buses capable of being automatically powered by a Keowee Hydro Unit. Each main feeder bus is considered OPERABLE if it is energized and connected to at least two ES power strings. Each of the three ES power strings is required to be energized. The three ES power Strings consist of the following:

1A) Switchgear TC 18) Switchgear TD 1C) Switchgear TE 2C) Load Center 2A) Load Center X8 28) Load Center X9 X10 3A) 600V MCC XS 1, 38) 600V MCC XS2, 3C) 600V MCC XS3, XS4 (when and XSS (when and XS6 (when supplying safety supplying safety supplying safety related loads), related loads) related loads) and 1, 2, 3XSF 4A) 208V MCC XS1 48) 208V MCC XS2 4C) 208V MCC XS3 and 1, 2, 3XSF OCONEE UNITS 1, 2, & 3 B 3.8.8-2 Rev.001 I

Distribution Systems - Operating B 3.8.8 BASES LCO Each string is considered OPERABLE if it is energized by at least one (continued) main. feeder bus except when MCC 1, 2, or 3XSF is powered from load center OXSF. These MCCs would not be available during a OBA when powered from load center OXSF and therefore are considered inoperable.

An OPERABLE 125 VDC Vital l&C Distribution System must include energized 125 VDC Vital l&C panelboards DIA, DIB, DIC, and DID.

Additionally, for Units 2 and 3 only, Vital l&C panelboards 1DIC and 1DID shall be energized.

To be considered OPERABLE, 230 kV switchyard 125 VDC panelboards OYA, DYS, DYC, DYE, DYF, and DYG must be energized.

An OPERABLE 120 VAC Vital Instrumentation Distribution System must include energized 120 VAC Vital Instrumentation panelboards KVIA, KVIB, KVIC, and KVID.

These distribution systems ensure the availability of AC, DC, and AC vital electrical power for the systems required to shut down the reactor and maintain it in a safe condition after a transient or accident.

Maintaining the AC, DC, and AC vital electrical power distribution

systems OPERABLE ensures that the redundancy incorporated into the design of ES is not defeated. Therefore, a single failure within any system or within the electrical power distribution systems will not prevent safe shutdown of the reactor.

An OPERABLE AC electrical power distribution system requires the associated buses, ES power strings, load centers, and motor control centers to be energized to their proper voltages. OPERABLE 125 VDC Vital l&C panelboards require the panelboards to be energized to their proper voltage from either a battery or charger. OPERABLE 120 VAC Vital Instrumentation panelboards require the panelboards to be energized to their proper voltage from the associated inverter via inverted DC voltage or alternate regulated voltage source.

APPLICABILITY The electrical power distribution systems are required to be OPERABLE in MODES 1, 2, 3, and 4 to ensure that:

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of accident or transients; and OCONEE UNITS 1, 2, & 3 B 3.8.8-3 Rev. 001 I

Distribution Systems - Operating B 3.8.8 BASES APPLICABILITY b. Adequate core cooling is provided, and containment (continued) OPERABILITY and other vital functions are maintained in the event of a postulated OBA.

Electrical power distribution system requirements for MODES 5 and 6 are covered in the Bases for LCO 3.8.9, "Distribution Systems - Shutdown."

ACTIONS The ACTIONS are modified by a Note indicating that the Completion Times for Required Actions A through F are reduced when in Condition L .

of LCO 3.8.1. Condition L limits the Completion Time for restoring inoperable power sources to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months when emergency power source(s) or offsite power source(s) are inoperable for extended time periods or for specific reasons.

A.1 and B.1 With one Main Feeder bus inoperable or not connected to two ES power strings or one ES power string inoperable, the remaining portion of the AC electrical power distribution system is capable of supporting the minimum safety functions necessary to shut down the reactor and maintain it in a safe shutdown condition, assuming no single failure: The overall reliability is reduced, however, because a single failure in the remaining portion of the power distribution systems could result in the minimum required ES functions not being supported. Therefore, the required AC buses, ES power strings, load centers, and motor control centers must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Condition A and B's worst scenario is one main feeder bus and one ES power string without AC power. In this Condition, the unit is more vulnerable to a complete loss of AC power. It is, therefore, imperative that the unit operator's attention be focused on minimizing the potential for loss of power to the remaining bus or ES power strings by stabilizing the unit, and on restoring power to the affected bus or ES power string.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months time limit before requiring a unit shutdown in this Condition is acceptable because of:

a. The potential for decreased safety if the unit operator's attention is diverted from the evaluations and actions necessary to restore power to the affected train to the actions assotiated with taking the unit to shutdown within this time limit; and

b. The potential fpr an event in conjunction with a single failure of a redundant component.

OCONEE UNITS 1, 2, & 3 B 3.8.8-4 Rev. 001 I

Distribution Systems - Operating B 3.8.8 BASES ACTIONS (continued)

With one of the unit's 125 VDC Vital l&C panelboard inoperable, the remaining 125 VDC Vital l&C panelboards are capable of supporting the minimum safety functions necessary to shutdown the reactor and maintain it in a safe shutdown condition, assuming no additional failure.

The overall reliability is reduced, however, because an additional failure in the remaining 125 VDC Vital l&C panelboards could result in the minimum required ES functions not being supported. Therefore, the 125 VDC Vital l&C panelboard must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months by powering the bus from a battery or charger.

Condition C represents one of the unit's 125 VDC Vital l&C panelboard without adequate 125 VDC Vital l&C power; potentially with both the batteries significantly degraded and the associated chargers nonfunctioning. In this situation, the unit is significantly more vulnerable to a complete loss of all 125 VDC Vital l&C power. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining panelboard(s) and restoring power to the affected panel board( s ).

This 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months limit is longer than Completion Times allowed for some of the components that are without power. Utilizing the LCO 3.0.6 exception to LCO 3.0.2 for components without adequate 125 VDC Vital l&C power, which would have Required Action Completion Times shorter than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) while allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without DC power and not providing sufficient time for the operators to perform the necessary evaluations and actions to restore power to the affected panelboard( s ); and

c. The potential for an event in conjunction with a single failure of a redundant component.

OCONEE UNITS 1, 2, & 3 B 3.8.8-5 Rev. 001 I

Distribution Systems - Operating B 3.8.8 BASES ACTIONS D.1 (continued)

If a required 230 kV switchyard 125 VDC panelboard or combination of required panelboards which are not redundant to each other are inoperable, the required panelboard(s) shall be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Loss of the remaining distribution center or a redundant panelboard could result in failure of the overhead emergency power path. In addition, in the event of grid degradation, the station and onsite emergency power sources could fail to separate from the grid.

Condition D is modified by two Notes. Note 1 indicates that Separate Condition entry is allowed for each 230 kV switchyard 125 VDC power panelboard. Note 2 indicates that Condition Dis not applicable to the following loss of function combinations: DYA and DYE, DYB and DYF, and DYC and DYG.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is based on engineering judgement taking into consideration the time to complete the required action, the redundancy available in the 230 kV switchyard 125 VDC system, 'the redundancy available in the emergency power paths, and the infrequency of an actual grid system degradation.

With either panelboard 1DIC inopera.ble or panelboard 1DID inoperable, a single failure of the remaining panelboard would result in failure of control power for the S, SK, and SL breakers, standby bus protective relaying, and retransfer to startup logic. Within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after such a condition arises, the inoperable panelboard shall be restored. The Completion Time is based on engineering judgement taking into consideration the time to complete the required action and the redundancy available in the Vital l&C DC System and AC electrical power system.

This Condition is modified by a Note indicating that it is only applicable to Units 2 and 3. For Unit 1 the appropriate action is specified in

ACTION C.

OCONEE UNITS 1, 2, & 3 B 3.8.8-6 Rev. 001

Distribution Systems - Operating B 3.8.8 BASES ACTIONS F.1 and F.2 (continued)

With one 120 VAC Vital Instrumentation power panelboard inoperable, the remaining three OPERABLE 120 VAC Vital Instrumentation power panelboards are capable of supporting the minimum safety functions necessary to shut down the unit and maintain it in the safe shutdown condition. Overall reliability is reduced, however, since an additional single failure could result in the minimum required functions not being supported. Therefore, the inoperable 120 VAC Vital Instrumentation power panelboard must be restored to OPERABLE status within 4 or 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months dependent upon which panelboard is inoperable. The Completion Time for restoring panelboard KVIA or KVIB is limited to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months since these panelboards power the digital Engineered Safeguards Protective System (ESPS) channels and they cannot actuate without power. The Completion Time for restoring KVIC or KVID is 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Condition F represents one 120 VAC Vital Instrumentation panelboard without power; potentially both the 125 VDC Vital l&C source and the alternate AC source are nonfunctioning. In this situation the unit is significantly more vulnerable to a complete loss of all 120 VAC Vital Instrumentation panelboards. It is, therefore, imperative that the operator's attention focus on stabilizing the unit, minimizing the potential for loss of power to the remaining 120 VAC Vital Instrumentation panelboards and restoring power to the affected 120 VAC Vital Instrumentation panel board.

The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months limits are longer than Completion Times allowed for some of the components that are without adequate vital AC power.

Utilizing the LCO 3.0.6 exception to LCO 3.0.2 for components without adequate vital AC power, that would have the Required Action Completion Times shorter than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months or 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months if declared inoperable, is acceptable because of:

a. The potential for decreased safety by requiring a change in unit conditions (i.e., requiring a shutdown) and not allowing stable operations to continue;

b. The potential for decreased safety by requiring entry into numerous applicable Conditions and Required Actions for components without adequate vital AC power and not providing sufficient time for the operators to perform the necessary .

evaluations and actions for restoring power to the affected train; and

c. The potential for an event in conjunction with a single failure of a redundant component.

OCONEE UNITS 1, 2, & 3 B 3.8.8-7 Rev. 001

Distribution Systems - Operating B 3.8.8 BASES ACTIONS F.1 and F.2 (continued)

The digital ESPS channels are powered from KVIA and KVIB, and cannot actuate without power. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the importance to safety of restoring the 120 VAC Vital Instrumentation panelboards to OPERABLE status, the redundant capability afforded by the other OPERABLE 120 VAC Vital Instrumentation panelboards, and the low probability of an accident occurring during this period.

Panelboards KVIC and KVID supply some loads which trip upon loss of power. For example, RPS channels and ES analog channels go to a tripped state upon loss of power. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the importance to safety of restoring the 120 VAC Vital Instrumentation panelboards to OPERABLE status, the redundant capability afforded by the other OPERABLE 120 VAC Vital Instrumentation panelboards, and the low probability of an accident occurring during this period.

G.1 and G.2 If the Required Action and associated Completion Time are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months .. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Condition H corresponds to a level of degradation in the electrical distribution system that causes a required safety function to be lost.

When more than one Condition is entered, and this results in the loss of a required safety function, the plant is in a condition outside the accident analysis. Therefore, no additional time is justified for continued operation.

LCO 3.0.3 must be entered immediately to commence a controlled shutdown.

OCONEE UNITS 1, 2, & 3 B 3.8.8-8 *Rev. 001 I

Distribution Systems - Operating B 3.8.8 BASES (continued)

SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the main feeder buses are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence is maintained, and the appropriate voltage is available to each required bus.

The verification of proper voltage availability on the buses ensures that the required voltage is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.8.8.2 This Surveillance verifies that the required AC, DC, and AC vital electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence is maintained, and the appropriate voltage is available to each ES power string 'c:ind panel board.

The verification of voltage availability on the ES power strings, and panelboards ensures that voltage is readily available for motive as well as control functions for critical system loads connected to the ES power

strings, and panelboards. Verification of voltage availability may be accomplished by observing alarm conditions, status lights or by confirming proper operation of a component supplied from each ES power string or parielboard. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. .UFSAR, Chapter 6.

2. UFSAR, Chapter 15.

3. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.8.8-9 Rev. 001 I

Distribution Systems - Shutdown B 3.8.9 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.9 Distribution Systems - Shutdown BASES BACKGROUND A description of the AC, DC and AC vital electrical power distribution systems is provided in the Bases for LCO 3.8.8, "Distribution Systems -

Operating."

APPLICABLE The initial conditions of accident and transient analyses in the UFSAR, SAFETY ANALYSES Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safeguards (ES) systems are OPERABLE. The AC, DC, and AC vital electrical power distribution systems are designed to provide sufficient capa~ity, capability, redundancy, and reliability to ensure the availability of necessary power to ES systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC, DC, and AC vital electrical power distribution systems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC, DC, and AC vital electrical power distribution systems during MODES 5 and 6, and during movement of recently irradiated fuel assemblies ensures that:

a. The unit can be maintained in the shutdown or refueling conditiQn for extended periods;

b. Sufficient instrumentation and control "capability is available for

monitoring and maintaining the unit status; and*

c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident involving handling recently irradiated fuel. Due to radioactive decay, AC, Dc,* and AC vital bus electrical power is only required to mitigate fuel handling accidents involving handling recently irradiated fuel (i.e.,

fuel that has occupied part of a critical reactor core within the previous 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ).

The Ac and DC electrical power distribution systems satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

OCONEE UNITS 1, 2, & 3 B 3.8.9-1 Rev. 001 I

Distribution Systems - Shutdown B 3.8.9 BASES (continued)

LCO Various combinations of portions of systems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support requireq feature_s. *This LCO explicitly requires the portions of the electrical distribution system necessary to support OPERABILITY of required systems, equipment, and components - all specifically addressed in each LCO and implicitly required via the definition of OPERABILITY- be energized or available to be automatically energized by control logicduring a power source

transfer.

Maintaining these portions of the distribution system as described above ensures the availability of sufficient power to operate the unit in a safe manner to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents involving handling recently irradiated fuel). *

APPLICABILITY The AC and DC electrical power distribution buses, ES power strings and panelboards required to be OPERABLE in MODES 5 and 6, and during movement of recently irradiated fuel assemblies, provide assurance that:

a. Systems to provide adequate coolant inventory makeup are available for the irradiated fuel in the core;

b. Systems needed to mitigate a fuel handling accident accidents involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) are availab,le;

.c. Systems neqessary to mitigate the effects of events that can le~d to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The AC, DC, and AC vital electrical power distribution buses, ES power strings and panelboards requirements for MODES 1, 2, ~. and 4 are covered in LCO 3.8.8.

OCONEE UNITS 1, 2, & 3 B 3.8.9-2 Rev. 001 I

Distribution Systems - Shutdown B 3.8.9 BASES (continued)

ACTIONS A.1. A.2.1. A.2.2. A.2.3. A.2.4. and A.2.5 Although redundant required equipment may requir~ redundant buses,.

ES power strings and panelboards of electrical power distribution systems to be OPERABLE, a reduced set of OPERABLE distribution buses, ES power strings and panelboards may be capable of supporting sufficient required features to allow continuation of CORE AL TERATIONS and recently irradiated fuel movement. By allowing the option to declare required equipment associated with an inoperable distribution buses, ES power strings and panelboards inoperable, appropriate restrictions c;:ire implemented in accordance with. the affected

. distribution buses, ES power strings and panelboards LCO's Required Actions. In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS, movement of recently irradiated fuel assemblies, and operations involvin_g positive reactivity additions).

Suspension of these activities does not preclude completion of actions to establish: a safe conservative condition. These actions minimize: the probability of the occurrence of postulated events. It is further required to

'. immediately initiate action to restore the required AC and DC electrical :

power. distribution buses, ES power strings and panelboards and to continue this action until restoration is accomplished in order to provide the necessary power to the unit safety systems.

Notwithstanding performance of the above conservative Required

Actions, a required decay heat removal (DHR) subsystem may be inoperable. In this case, Required Actions A.2.1 through A.2.4 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the DHR ACTIONS would not be entered. Therefore, Required Action A.2.5 is provided to direct declaring DHR inoperable, which results in taking the appropriate DHR actions.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution buses, ES_ power strings and panelboards should be completed as quickly as possible in order to minimize the time the* unit

safety systems may be without power.

OCONEE UNITS 1, 2, & 3 B 3.8.9-3 ' Rev. 001 I

Distribution Systems - Shutdown B 3.8.9 BASES (continued)

SURVEILLANCE SR 3.8.9.1 REQUIREMENTS This Surveillance verifies that the required main feeder buses are functioning properly, with all the required main feeder buses energized.

The verification of proper voltage availability on the buses, ES power strings and panelboards ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR*3.8.9.2

This Surveillance verifies that the required AC, DC, and AC vital electrical power distribution systems are functioning properly, with the correct circuit breaker alignment. The correct breaker alignment ensures the appropriate separation and independence is maintained, and the appropriate voltage is available to each ES power strings and panelboards. The verification of voltage availability on the ES power strings, and panelboards ensures that voltage is readily available for motive as well as control functions for critical system loads connected to the ES power strings, and panelboards. Verification of voltage availability may be accomplished by observing alarm conditions, status lights or by confirming proper operation.of a component supplied from each ES power string or panelboard. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. UFSAR, Chapter 6.

2. UFSAR, Chapter 15.

3. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.8.9-4 Rev.001 I

Containment Penetrations B 3.9.3 B 3.9 REFUELING OPERATIONS B 3.9.3 Containment Penetrations BASES BACKGROUND During movement of recently irradiated fuel assemblieswithin containment, a release of fission product radioactivity within containment will be restricted from escaping to the environment when the LCO requirements are met. In MODES 1, 2, 3, and 4, this is accomplished by maintaining containment OPERABLE as described in LCO 3.6.1, "Containment.". In MODE 6, the potential for containment pressurization as a result of an accident is not likely; therefore, requirements to isolate the containment from the outside atmosphere can be less stringent. In order to make this distinction, the penetration requirements are referred to as "containment closure" rather than "containment OPERABILITY."

Containment closure means that specified escape paths are closed or capable of being closed. Since there is no significant potential for containment pressurization, the Appendix J leakage criteria and tests are not required.

The containment serves to contain fission product radioactivity that may be released from the reactor core following an accident, such that offsite radiation exposures are maintained within the requirements of 10 CFR 50.67 (Ref. 3). Additionally, the containment provides radiation shielding from the fission products that may be present in the containment atmosphere following accident conditions.

The containment equipment hatch, which is part of the containment pressure boundary, pro~ides a means for moving large equipment and components into and out of containment. During movement of recently irradiated fuel assemblies within containment, the equipment hatch must be held in place by at least four bolts. Good engineering practice dictates that the bolts required by this LCO be approximately equally spaced.

The containment air locks, which are also part of the containment pressure boundary, provide a means for personnel access during MODES 1, 2, 3, and 4 unit operation in accordance with LCO 3.6.2, "Containment Air Locks." Each air lock has a door at both ends. The doors are normally interlocked to prevent simultaneous opening when containment OPERABILITY is required. During periods of unit shutdown OCONEE UNITS 1, 2, & 3 B 3.9.3-1 Rev. 001 I

Containment Penetrations B 3.9.3 BASES BACKGROUND when containment OPERABILITY is not required, the door interlock (continued) mechanism may be disabled, allowing both doors of an air lock to remain open for extended periods when frequent containment ingress and egress is necessary. During movement of recently irradiated fuel assemblies within containment, containment closure is required; therefore, the door interlock mechanism may remain disabled, but one air lock door must always remain closed. Placement of a temporary cover plate in the emergency air lock is an acceptable means for providing containment closure.

The temporary cover plate is installed and sealed against the inner emergency air lock door flange gasket. The temporary cover plate is .

visually inspected to ensure that no gaps exist. All cables, hos.es and service air piping run through the sleeves on the temporary cover plate will also be installed and sealed. The sleeves will also be inspected to ensure that no gaps exist. Leak testing is not required prior to beginning fuel handling operations. Therefore, visual inspection of the temporary cover plate over the emergency air lock satisfies the requirement that the air lock be closed, which constitutes operability for this requirement.

The requirements on containment penetration closure ensure that a release of fission product radioactivity within containment will be restrieted from escaping to the environment. The closure restrictions are sufficient to restrict fission product radioactivity release from containment due to a fuel handling accident involving handling recently irradiated fuel during refueling.

The Reactor Building Purge System includes a supply penetration and exhaust penetration. During MODES 1, 2, 3, and 4, two valves in each of the supply and exhaust penetrations are secured in the closed position.

The system is not subject to-a Specification in MOPE 5.

In MODE 6, large air exchanges are necessary to support refueling operations. The purge system is used for this purpose, and two valves in each penetration flow path may be closed on a unit vent high radiation signal.

Other containment penetrations that provide direct access from containment atmosphere. to outside atmosphere must be isolated on at least one side. Isolation may be achieved by a closed automatic isolation valve, non-automatic power operated valve, manual isolation valve, blind flange, or equivalent. Equivalent isolation methods may include use of a material that can provide a temporary, atmospheric pressure ventilation barrier for the containment penetration(s) during fuel movements involving handling recently irradiated fuel.

OCONEE UNITS 1, 2, & 3 B 3.9.3-2 Rev. 001 I

Containment Penetrations B 3.9.3 BASES (continued)

APPLICABLE During movement of recently irradiated fuel assemblies within SAFETY ANALYSES containment, the most severe radiological consequences result from a fuel handling accident involving handling recently irradiated fuel. The fuel handling accident is a postulated event that involves damage to irradiated fuel (Ref. 1 ). A minimum fuel transfer canal water level in conjunction with the minimum decay time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months prior to irradiated fuel movement with or without containment closure capability ensure that the release of fission product radioactivity subsequent to a fuel handling,,

accident results in doses that are within the guideline values specified in 10 CFR 50.67. The design basis for fuel handling accidents has historically separated the radiological consequences from the containment capability. The NRC staff has treated the containment capability for fuel handling conditions as a logical part of the "primary success path" to mitigate fuel handling accidents, irrespective of the assumptions used to calculate the radiological consequences of such accidents (Ref. 2).

Containment penetrations satisfy Criterion 3 of 10 CFR 50.36 (Ref. 4 ).

LCO This LCO reduces the consequences of a fuel handling accident involving handling recently irradiated fuel in containment by limiting the potential escape paths for fission product radioactivity from containment. The LCO requires any penetration providing direct access from the containment atmosphere to the outside atmosphere to be closed except for the OPERABLE containment purge and exhaust penetrations. For the OPERABLE containment purge and exhaust penetrations, this LCO

.ensures that these penetrations are isolable by the RB purge isolation signal.

This LCO is modified by a note indicating that an emergency air lock door is not required to be closed when a temporary cover plate is installed.

APPLICABILITY The containment penetration requirements are applicable during movement of recently irradiated fuel assemblies within containment because this is when there is a potential for the limiting fuel handling accident. In MODES 1, 2, 3, and 4, containment penetration requirements are addressed by LCO 3.6.1. In MODES 5 and 6, when movement of irradiated fuel assemblies within containment is not being conducted, the potential for a fuel handling accident does not exist.

Additionally, due to radioactive decay, a fuel handling acCident involving handling recently irradiated fuel (i.e., fuel that has occupied part of a critical reactor core within the previous 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months ) will result in doses that are well.within the guideline values specified in 10 CFR 50.67 even OCONEE UNITS 1, 2, & 3 B 3.9.3-3 Rev. 001 I

Cor:itainment Penetrations B 3.9.3 BASES (continued)

APPLICABILITY without containment closure capability. Therefore, under these (continued) conditions no requirements are placed on containment penetration status.

ACTIONS With the containment equipment hatch, air locks, or any containment penetration that provides direct access from the containment atmosphere to the outside atmosphere not in the required status, including the Containment Purge and Exhaust Isolation System not capable of automatic actuation when the purge and exhaust valves are open, the unit must be placed in a condition in which the isolation function is not

needed. This is accomplished by immediately suspending movement of recently irradiated fuel assemblies within containment. Performance of these actions shall not preclude moving a component to a safe position.

SURVEILLANCE SR 3.9.3.1 REQUIREMENTS This Surveillance demonstrates that each of the containment penetrations required to be in its closed position is in that position. Also the Surveillance will demonstrate that each. open penetration's valve operator has motive power, which will ensure each valve is capable of being closed. -

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

As such, this Surveillance ensures that a postulated fuel handling accident involving handling recently irradiated fuel that releases fission

product radioactivity within the containment will not result in a release of significant fission product radioactivity to the environment.

SR 3.9.3.2 This Surveillance demonstrates that each containment purge supply and exhaust isolation valve that is not locked, sealed or otherwise secured in the isolation position actuates to its isolation position on an actual or simulated high radiation signal. The frequency requires the isolation .

capability of the reactor building purge valves to be verified functional once each refueling outage prior to movement of recently irradiated fuel assemblies within containment. This ensures that this function is verified prior to movement of recently irradiated fuel assemblies within OCONEE UNITS 1, 2, & 3 B 3.9.3-4 Rev. 001 I

Containment Penetrations B 3.9.3 BASES SURVEILLANCE SR 3.9.3.2 (continued)

REQUIREMENTS containment. This Surveillance will ensure that the valves are capable of closing after a postulated fuel handling accident involving handling recently irradiated fuel to limit a release of fission product radioactivity from the containment.

REFERENCES 1. UFSAR, Section 15.11.

2. NRC letter to RG & E dated December 7, 1995, RE. Ginna Nuclear Power Plant Conversion to Improved Standard Technical Specifications - Resolutions of Ginna Design Basis for Refueling Accidents.

3. Regulatory Guide 1.183, July 2000

4. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.9.3-5 Rev. 001 I

DHR and Coolant Circulation - High Water Level B 3.9.4 B 3.9 REFUELING OPERATIONS B 3.9.4 Decay Heat Removal (DHR) and Coolant Circulation - High Water Level BASES BACKGROUND The purposes of the DHR Loops in MODE 6 are to remove decay heat and sensible heat from the Reactor Coolant System (RCS), to provide mixing of borated coolant, to provide suJficient coolant circulation to minimize the effects of a boron dilution accident, and to prevent boron stratification. Heat is removed from the RCS by circulating reactor coolant.through the LPI heat exchanger(s), where the heat is transferred to the Low Pressure Service Water (LPSW) System via the LPI heat exchanger(s). The coolant is then returned to the reactor vessel via the core flood tank injection 11ozzles. Operation of a DHR Loop for normal cooldown or decay heat removal is manually accomplished from the control room. The heat removal rate is adjusted by control of the flow of reactor coolant through the LPI heat exchanger(s), bypassing the heat exchanger(s) and throttling of LPSW through the heat exchangers.

Mixing of the reactor coolant is maintained by this continuous circulation of reactor coolant through the DHR Loop, APPLICABLE

If the reactor coolant temperature is not maintained below 200°F, SAFETY ANALYSES boiling of the reactor coolant could result. This could lead to inadequate cooling of the reactor fuel as a result qf a loss of coolant in the reactor vessel. Additionally, boiling of the reactor coolant could lead to a reduction in boron concentration in the coolant due to boron plating out on components near the areas of the boiling the activity, and because of the possible addition of water to reactor vessel with a lower boron concentration than is required to keep the reactor subcritical. The loss of reactor coolant and the reduction in boron concentration in the reactor coolant would eventually challenge the integrity of the fuel cladding, which is a fission product barrier. One loop of .DHR is required to be operational in MODE 6, with the water level~ 21.34 feet above the top of the reactor vessel flange, to prevent this challenge. The LCO does permit de-energizing the DHR pump for short durations under the condition that the boron concentration is not diluted. This conditional de-energizing of the DHR pump does not result in a challenge to the fission prodJ,JCt barrier. The DHR loop satisfies Criteria 4 of 10 CFR 50.36 (Ref. 1).

OCONEE UNITS 1, 2, & 3 B 3.9.4-1 Rev. 001 I

OHR and Coolant Circulation B 3.9.4 BASES LCO Only one OHR loop is required for decay heat removal in MODE 6 with a water level ~ 21.34 feet above the top of the reactor vessel flange. Only one OHR Loop is required to be operable because the volume of water above the reactor vessel flange provides backup decay heat removal capability. At least one OHR loop must be OPERABLE and in operation to provide:

a. Removal of decay heat;

b. Mixing of borated coolant to minimize the possibility of criticality; and

c. Indication of reactor coolant temperature.

To be considered OPERABLE, a OHR loop must include a pump, a heat exchanger, valves, piping, instruments, and controls to ensure an OPERABLE flow path and to determine the temperature. The flow path starts in one of the RCS hot legs and is returned to reactor vessel via either one or both of the Core Flood tank injection nozzles when using an LPI pump. The BWST recirculation 'crossover line through valves LP-40 and LP-41 may be part of a flow path if it provides adequate decay heat removal capability. The operability of the operating OHR loop and the supporting heat sink is dependent on the ability to maintain the desired RCS temperature. LPSW and ECCW are required to support the OHR train.

Additionally, to be considered OPERABLE, a OHR loop must be capable of being manually aligned (remote or local) in the OHR mode for removal of decay heat. Operation of one loop can maintain the reactor coolant temperature as required. The LCO is modified by a Note that allows the required OHR loop to be removed from operation for up to 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months in an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months period, provided no operation that would cause reduction of the RCS boron concentration is in progress. Boron concentration reduction is prohibited because uniform concentration distribution cannot be ensured without forced circulation, etc. This allowance permits operations such as core mapping, alterations or maintenance in the vicinity of the reactor vessel hot leg nozzles and RCS to LPI isolation valve testing. During this 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months period, decay heat is removed by natural convection.

OCONEE UNITS 1, 2, & 3 B 3.9.4-2 Rev. 001 I

OHR and Coolant Circulation B 3.9.4 BASES APPLICABILITY One OHR loop must be OPERABLE and in operation in MODE 6 with the water level~ 21.34 ft above the top of the reactor vessel flange, to provide decay heat removal. The 21.34 ft level was selected because it corresponds to the 21.34 ft requirement established for fuel movement in the fuel handling accident analysis. Requi~ements for the OHR Loops in other MODES are covered by LCOs in Section 3.4, Reactor Coolant System (RCS), and Section 3.5, Emergency Core Cooling Systems*

(ECCS). OHR loop requirements in MODE 6, with the water level < 21.34 ft above the reactor vessel flange, are located in LCO 3.9.5, "Decay Heat Removal (OHR) and Coolant Circulation-Low Water Level.

ACTIONS If OHR loop requirements are not met, there will be no forced circulation to provide mixing to establish uniform boron concentrations. Reduced boron concentrations can occur by adding water with a lower boron concentration than that contained in the RCS. Therefore, actions that reduce boron concentration shall be suspended immediately.

If OHR loop requirements are not met, actions shall be taken immediately to suspend the loading of irradiated fuel assemblies in the core. With no forced circulation cooling, decay heat removal from the core occurs by natural convection to the heat sink provided by the water above the core.

A minimum refueling water level 21.34 feet above the reactor vessel flange provides an adequate available heat sink. Suspending any operation that would increase decay heat load, such as loading an irradiated fuel assembly, is prudent under this condition.

OCONEE UNITS 1, 2, & 3 B 3.9.4-3 Rev. 001

OHR and Coolant Circulation B 3.9.4 BASES ACTIONS . A.3 (continued)

If OHR loop requirements are not met actions shall be initiated immediately in order to satisfy OHR loop requirements.

Restoration of one decay heat removal loop is required because this is the only active method of removing decay heat. Dissipation of decay heat through natural convection should not be relied upon for an.

extended period of time. Reliance on natural convection can lead to boiling which results in inventory loss. Sustained inventoli)' loss can eventually result in *inadequate decay heat removal from the. core with subsequent release of fission products from the core to the reactor building atmosphere. *The immediate Completion Time reflects the importance of restoring an adequate heat cooling loop:

If OHR loop requirements are not met, all containment penetrations providing direct access from the containmen~*atmosphere to outside

. atmosphere shall be closed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

If no means of decay heat removal can be restored, the core decay heat

could raise temperatures and cause boiling in the core which could resul_t in uncovering the core and the release of radioactivity to the reactor building atmosphere. Closure of penetrations providing access to the *

outside atmosp~ere will prevent uncontrolled release of radioactivity to the environment.

SURVEILLANCE SR 3.9.4.1

. REQUIREMENTS This Surveillance demonstrates that the OHR loop is in operation and

circulating reactor coolant. Verification includes flow rate, temperature, or pump status monitoring, which help assure that forced flow is providing

heat removal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.9.4-4 Rev. 001 I

SSF 3.10.1 B 3.10 STANDBY SHUTDOWN FACILITY B 3.10.1 Standby Shutdown Facility (SSF)

BASES BACKGROUND The Standby Shutdown Facility (SSF) is designed as a standby system for use under certain emergency conditions. The system provides additional "defense in-depth" protection for the health and safety of the public by serving as a backup to existing safety systems. The SSF is provided as an alternate means to achieve and maintain the unit in MODE 3 with average RCS temperature~ 525°F (unless the initiating event causes the unit to be driven to a lower temperature) following a fire, turbine building flood, and station blackout (SBO) events. The SSF is designed in accordance with criteria associated with these events. The SSF Auxiliary Service Water (ASW) System is credited as a backup to Emergency Feedwater (EFW) due to the lack of tornado missile protection for the EFW System. In addition, the SSF may be activated as necessary in response to events associated with plant security. In that the SSF is a backup to existing safety systems, the single failure criterion is not required. Failures in the SSF systems will not cause failures or inadvertent operations in other plant systems. The SSF requires manual activation and can be activated if emergency systems are not available.

The SSF is designed to maintain the reactor in a safe shutdown condition for a period of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months following a fire or turbine building flood, and for a period of four hours following an SBO. The capability of the SSF to maintain the reactor in a safe shutdown condition is also credited for certain security-related events. This is accomplished by re-establishing and maintaining Reactor Coolant Pump Seal cooling; assuring natural circulation and core cooling by maintaining the primary coolant system filled to a sufficient level in the pressurizer while maintaining sufficient secondary side cooling water; and maintaining the react9r subcritical by isolating all sources of Reactor Coolant System (RCS) addition except for the Reactor Coolant Makeup System which supplies makeup of a

.sufficient boron concentration.

The main components of the SSF are the SSF Auxiliary Service Water (ASW) System, SSF Portable Pumping System, SSF Reactor Coolant (RC) Makeup System, SSF Power System, and SSF Instrumentation.

The SSF ASW System is a high head, high volume system designed to provide sufficient steam generator (SG) inventory for adequate decay heat removal for three units during a loss of normal AC power in conjunction with the loss of the normal and emergency feedwater systems. One motor driven SSF ASW pump, located in the SSF, serves all three units. The SSF ASW pump, two.HVAC service water pumps, and the Diesel Service Water (DSW) pump share a common suction OCONEE UNITS 1, 2, & 3 B3.10.1-1 Rev.001

SSF B 3.10.1 BASES BACKGROUND supply of lake water from the embedded Unit 2 condenser circulating (continued) water (CCW) piping. The SSF DSW pump and an HVAC pump must be operable in order to satisfy the operability requirements for the Power System. (Only one HVAC service water pump is required to be operable to satisfy the LCO.)

The SSF ASW System is used to provide adequate cooling to maintain single phase RCS natural circulation flow in MODE 3 with an average RCS temperature~ 525°F (unless the initiating event causes the unit to be driven to a lower temperature). In order to maintain single phase RCS natural circulation flow, an adequate number of Bank 2, Group B and C pressurizer heaters must be OPERABLE. These heaters are needed to compensate for ambient heat loss from the pressurizer. As long as the temperature in the pressurizer is maintained, RCS pressure will also be*

maintained. This will preclude hot leg voiding and ensure adequate natural circulation cooling.

The SSF Portable Pumping System, which includes a submersible pump and a flow path capable of taking suction from the intake canal and discharging into the Unit 2 CCW line, is designed to provide a backup supply of water to the SSF in the event of loss of CCW and subsequent loss of CCW siphon flow. The SSF Portable Pumping System is installed manually according to procedures. *,

The SSF RC Makeup System is designed to supply makeup to the RCS in the event that normal makeup systems are unavailable. An SSF RC Makeup Pump located in the Reactor Building of each unit supplies makeup to the RCS should the normal makeup system flow and seal cooling become unavailable. The system is designed to ensure that sufficient borated water is provided from the spent fuel pools to allow the

SSF to maintain all three units in MODE 3 with average RCS temperature

~ 525°F (unless the initiating event causes the unit to be driven to a lower temperature) for approximately 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . An SSF RC Makeup Pump is capable of delivering borated water from the Spent Fuel Pool to the RC pump seal injection lines. A portion of this seal injection flow is used to makeup for reactor coolant pump seal leakage while the remainder flows into the RCS to makeup for other RCS leakage (non LOCA).

The SSF Power System provides electrical isolation of SSF equipment from non-SSF equipment. The SSF Power System includes 4160 VAC,

. , 600 VAC, 208 VAC, 120 VAC and 125 VDC power. It consists of switchgear; a load center, motor control centers, panelboards, remote starters, batteries, battery chargers, inverters, a diesel generator (DG),

relays, control devices, and interconnecting cable supplying the appropriate loads.

OCONEE UNITS 1, 2, & 3 B 3.10.1-2 Rev. 001 I

SSF B 3.10.1 BASES BACKGROUND The AC power system consists of 4160 V switchgear OTS 1; 600 V load (continued) center OXSF; 600 V motor control centers XSF, 1XSF, 2XSF, 3XSF, PXSF; 208 V motor control centers 1XSF, 1XSF-1, 2XSF, 2XSF-1, 3XSF, 3XSF-1; 120 V panelboards KSF, KSFC.

The SSF 125 VDC Power System provides a reliable source of power for DC loads needed to black start the diesel. The DC power system consists of two 125 VDC batteries and associated chargers, two 125 VDC distribution centers (DCSF, DCSF-1 ), and a DC power panelboard (DCSF). Only one battery and associated charger is required to be operable and connected to the 125 VDC distribution center to supply the 125 VDC loads. In this alignment, which is normal, the battery is floated on the distribution center and is available to assure power without interruption upon loss of its associated battery charger or AC ,

power source. The other 125 VDC battery and its associated charger are in a standby mode and are not normally connected to the 125 VDC distribution center. However, they are available via manual connection to the 125 VDC distribution center to supply SSF loads, if required.

The SSF Power System is provided with standby power from a dedicated DG. The SSF DG and support systems consists of the diesel generator, fuel oil transfer system, air start system, diesel engine service water system, as well as associated controls and instrumentation. This SSF DG is rated for continuous operation at 3500 kW, 0.8 pf, and 4160 VAC.

The SSF electrical design load does not exceed the continuous rating of the DG. The auxiliaries required to assure proper operation of the SSF DG are supplied entirely from the SSF Power System. The SSF DG is provided with manual start capability from the SSF only. It uses a compressed air starting system with four air storage tanks. An independent fuel system, complete with a separate underground storage tank, duplex filter arrangement, a fuel oil transfer pump, and a day tank, is supplied for the DG.

OCONEE UNITS 1, 2, & 3 B 3.10.1-3 Rev. 001 I

SSF B 3.10.1 BASES BACKGROUND The following information will aid in determination of SSF Operability:

(continued)

Associated Inoperable Systems SSF SSF SSF SSF SSF ASW Portable RCMU Power Instruments System Pumping System System System SSFASW Q) System YES YES YES YES YES u SSF

~ Portable YES YES YES. YES YES Q) en Pumping E SSF RCMU 0 System NO NO YES NO NO a..

LL Q)

SSF Power Svstem YES YES YES YES YES 0 SSF Instr.

E Q)

System NO NO NO NO YES ct:: SSF PZR.

-E Q)

I /)

en>-

LL, Heaters**

SSF RCS Isolation Valves YES NO NO NO NO YES NO NO NO NO en SSF HVAC en System YES YES YES YES YES

- When SSF pressurizer heaters are inoperable, the resulting inoperability of the SSF ASW System does NOT render other SSF systems inoperabl~. *

SSF ASW System Provides motive force for SSF ASW. suction pipe air ejector. The air ejector is needed to maintain siphon flow to the SSF HVAC service water pump, the SSF DSW pump, and the SSF ASW pump when the water level in the U2 CCW supply pipe becomes too low. if the SSF DSW pump becomes inoperable, the SSF Power System will become inoperable. Since an inoperable SSF Power System causes all other SSF subsystems to be inoperable, an inoperable SSF ASW System will also cause other SSF Subsystems to be inoperable.

Provides adequate SG cooling to reduce & maintain RCS pressure below the pressure where the SSF RC makeup pump discharge relief valve, HP-404, begins to leak flow. Therefore, full SSF RC Makeup System seal injection flow will be provided to the RC pump seals in time to prevent seal degradation or failure.

OCONEE UNITS 1, 2, & 3 B 3.10.1-4 Rev.001 I

SSF B 3.10.1 BASES BACKGROUND SSF ASW pump should be operated when the diesel is operated to (continued) provide a load for the diesel. This is not a requirement for operability since the diesel could be operated to provide long term power to one or more units RC makeup pumps without operating the SSF ASW pump as long as a large load (SSF ASW pump) is not added later (diesel desouping concern).

SSF Portable Pumping Supplies makeup water to the SSF ASW System, the SSF DSW System, and the SSF HVAC Service Water System after siphon flow I gravity flow and forced CCW flow are lost.

SSF Power System

Other SSF Systems cannot operate without receiving pqwer from the diesel for SSF scenarios where power from U2 MFB is not available ..

SSF Pressurizer Heaters Single phase RCS natural Circulation flow cannot be maintained without the pressurizer heaters. The number of SSF heaters utilized is based on.

testing and calculations performed on a unit by unit basis to determine the minimum number of required heaters needed to overcome actual pressurizer ambient losses. Since the heaters do not have their own action statement, the SSF ASW System is declared inoperable when the heaters are inoperable.

SSF RCS Isolation Valves (HP-3, HP-4, HP-20, RC-4, RC-5. RC-6).

These valves do not have their own action statement. When they are inoperable, their 'corresponding SSF RC makeup system is considered inoperable.

SSF HVAC System Portions of the SSF HVAC System, consisting of the SSF Air Conditioning (AC) and Ventilation Systems support the SSF Power System OPERABILITY. The SSF AC System, which includes the HVAC.

service water system and AC equipment (fan motors, compressors, condensers, and coils), must be operable to support SSF Power'System operability. Since an inoperable SSF Power System results in all other SSF subsystems being inoperable, an SSF HVAC System operability problem that makes the SSF Power System inoperable also results in other SSF Subsystems being inoperable.

OCONEE UNITS 1, 2, & 3 B 3.10.1-5 Rev.001 I

SSF B 3.10.1 BASES BACKGROUND The SSF AC System is designed to maintain the SSF Control Room, (continued) Computer Room, and Battery Rooms within their design temperature range. Elevated temperatures in the SSF Control Room and Computer Room could cause the SSF Power System to fail during an accident which requires operation of the SSF. The ~SF AC System consists of two refrigeration circuits and an air handling unit. The requirements for the refrigeration circuits vary with outdoor air temperature. Depending on outdoor air temperature and Air Conditioning System performance, the two refrigeration circuits may not be required to support SSF power system OPERABILITY. The air handling unit is required to circulate air regardless of the number of refrigeration circuits required. Since the SSF HVAC service water pumps perform a redundant function, only one of the two are required to be operable for the SSF HVAC service water system to be considered operable. The SSF Ventilation System, which supplies outside air to the Switchgear, Pump, HVAC and Diesel Generator Rooms, is composed of the following four subsystems: Constant Ventilation, Summer Ventilation, On-line Ventilation, and Diesel Generator Engine Ventilation. These ventilation systems work together to provide cooling to the various rooms of th~ SSF under both standby and on-line modes. The Diesel Generator Engine Ventilation fan is required for operability of the SSF Power System. The six fans associated with the other three ventilation systems may or may not be required for SSf .

operability dependent upon outside air temperature. *If the SSF AG

System refrigeration circuits or one of the ventilation fans fail, an engineering evaluation must be performed to determine if any of the SSF Systems or instrumentation are .inoperable.

SSF Instrumentation System

' SSF Instrumentation is provided to monitor RCS pressure, RCS Loop A and B temperature (hot leg and cold leg), pressurizer water level, and SG A and B water level. Indication is displayed on the SSF control panel.

APPLICABLE The SSF serves as a backup for existing safety systems to

.SAFETY ANALYSES provide an alternate and independent means to achieve and maintain one, two, or three Oconee units in MODE 3 with average RCS temperature~ 525°F (unless the initiating event causes the unit to be driven to a lower temperature) for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months following a fire or a turbine building flood. The SSF is also credited for station blackout *

(SBO) coping, which has a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months coping duration (Refs. 1, 4, 5, 6, and :

7.) . .

I The OPERABILITY of the SSF is consistent with the assumptions of the Oconee Probabilistic Risk Assessment (Ref. 2). Therefore, the SSF satisfies Criterion 4 of 10 CFR 50.36 (Ref. 3).

OCONEE UNITS 1, 2, & 3 B 3.10.1-6 Rev.001 I

SSF B 3.10.1 BASES (continued)

LCO The SSF Instrumentation in Table B 3.10.1-1 and the following SSF Systems shall be OPERABLE:

a. SSF Auxiliary Service Water System;

b. SSF Portable Pumping System;

c. SSF Reactor Coolant Makeup System; and

d. SSF Power System.

An OPERABLE SSF ASW System includes pressurizer heaters capable of being powered from the SSF, and an SSF ASW pump, piping, instruments, and controls to ensure a flow path capable of taking suction from the Unit 2 condenser circulating water (CCW) line and discharging into the secondary side of each SG. The minimum number of pressurizer heaters capable of being powered from the SSF is based on maintaining

, RCS natural circulation flow which is achieved by maintaining a steam bubble in the pressurizer at a high enough temperature to provide subcooling margin in the RCS. The pressurizer steam bubble is maintained by offsetting pressurizer heat loss due to ambient heat loss from the pressurizer and pressurizer steam space leakage. The following table provides the minimum number of SSF controlled pressl!rizer

heaters versus steam space leakage rates that may be used in combination to meet Operability req.uirements for the SSF. Engineering Input is needed to determine if other combinations of pressurizer heaters versus steam space leakage rate are acceptable.

Currently, SSF thermal margin issues require an additional four (4) pressurizer heaters above the number needed to offset ambient heat loss. The additional 4 heaters are included in the required number of Pressurizer Heaters Available for each Unit presented in the tables below.

Unit 1 Number .of Bank 2, Group B & C Maximum Allowed Pressurizer Pressurizer Heaters Available Steam Space Leakage 15 0.00 GPM Unit 2 Number of Bank 2, Group B & C Maximum Allowed Pressurizer Pressurizer Heaters Available Steam Space Leakage 17 0.00 GPM OCONEE UNITS 1, 2, & 3 B 3.10.1-7 Rev.001 I

SSF B 3.10.1 BASES LCO Unit 3 (continued) Number of Bank 2, Group B & C Maximum Allowed Pressurizer Pressurizer Heaters Available Steam Space Leakage 14 0.00 GPM An OPERABLE SSF Portable Pumping System includes an SSF submersible pump and a flow path capable of taking suction from the intake canal and discharging into the Unit 2 CCW line. An OPERABLE Reactor Coolant Makeup System includes an SSF RC Makeup pump, piping, instruments, and controls to ensure a flow path capable of taking suction from the spent fuel pool and discharging into the RCS. The following leakage limits are applicable for the SSF RC Makeup System to be considered OPERABLE:

Maximum Allowed Total Combined RCS Leakage for SSF RC Makeup System Operability.

The "maximum allowed total combined RCS leakage" is 15.0 GPM for Units 1, 2, and 3. A Unit's "total combined RCS leakage" shall be less than or equal to this value for its corresponding SSF RC Makeup System to be considered OPERABLE.

Total Combined RCS leakage is based on "Total RCS Leakage.Rate+

Quench Tank Level- Increase +Total RC Pump Seal Return Flow." Total RC Pump Seal Return Flow is determined by summing the seal return flow rate for all four RC Pumps. If the seal return flow rate for a RC Pump is not available, the seal return flow may be determined using the method described below. The seal return flow rate limits defined below have been previously determined to meet operability requirements for the SSF.

The following discussion regarding failed RCP seal stages does not permit or prohibit operation with a failed seal stage. It is included only to indicate the basis for SSF RCMU System operability. Engineering input is needed to determine operability requirements when multiple seal return flow instruments have failed.

If the seal return flow rate for a RC Pump is not available and at least two of three seals are intact on one RCP, 3.1 GPM may be used as the seal OCONEE UNITS 1, 2, & 3 B 3.10.1-8 Rev.001 I

SSF B 3.10.1 BASES LCO return flow rate for the affected pump. This worst case seal leakage (continued) occurs when one seal stage is failed and RCS pressure is at 2500 psig.

Engineering input is needed to determine operability requirements when

two seals of an RCP have failed.

Unit 2 and Unit 3 If the seal return flow rate for a RC Pump not available, 2.9 GPM may be used as the seal return flow rate for the affected pump. This worst case leakage occurs when two seal stages are failed and RCS pressure at 2500 psig.

An OPERABLE SSF Power System includes the SSF DG, diesel support systems, 4160 VAC, 600 VAC, 208 VAC, 120 VAC, and 125 VDC systems. Only one 125 VDC SSF battery and its associated charger are required to be OPERABLE to support OPERABILITY of the 125 VDC system.

APPLICABILITY The SSF System is required in MODES 1, 2, and 3 to provide an alternate means to achieve and maintain the unit in MODE 3,with average RCS temperature ~525°F (unless the initiating event causes the unit to be driven to a lower temperature) following a fire, turbine building flood, or SBO. The SSF ASW System is credited .as a backup to EFW due to the lack of tornado missile protection for the EFW System. The safety function of the SSF is to achieve and maintain the unit in MODE 3 with average RCS temperature~ 525°F (unless the initiating event causes the unit to be driven to a lower temperature); therefore, this LCO is not applicable in MODES 4, 5, or 6. .

ACTIONS The exception for LCO 3.0.4, provided in the Note of the Actions, permits entry into MODES 1, 2, and 3 with the SSF not OPERABLE. This is acceptable because the SSF is not required to support normal operation of the facility or to mitigate a design basis accident.

A.1. B.1. C.1. D.1. and E.1 With one or more of the SSF Systems inoperable or the required SSF instrumentation of Table B 3.10.1-1 inoperable, the SSF is in a degraded condition and the system(s) or instrumentation must be restored to OPERABLE status within 7 days. The 7 day Completion Time is based

.on the low probability of an event occurring which would require the SSF to be utilized.

OCONEE UNITS 1, 2, & 3 B 3.10.1-9 Rev.001 I

SSF B 3.10.1 BASES ACTIONS (continued)

If the Required Action and associated Completion Time of Condition A, B, C, D, or E are not met when SSF Systems or Instrumentation are inoperable due to maintenance, the unit may continue to operate provided that the SSF is restored to OPERABLE status within 45 days from discovery of initial inoperability.

This Completion Time is modified by a Note that indicates that the SSF shall not be in Condition F for more than a total of 45 days in a calendar year. This includes the 7 day Completion Time that leads to entry into Condition F. For example, if the SSF ASW System is inoperable for 10 days, the 45 day special inoperability period is reduced to 35 days. If the SSF ASW System is inoperable for 6 days, Condition A applies and there is no reduction in the 45 d~y allowance. The limit of 45 days per calendar year minimizes the number and duration of extended outages associated with exceeding the 7 day Completion Time of a Condition.

G.1 and G.2 If the Required Action arid associated Completion Time of Condition F are not met or if the Required Action and associated Completion Time of Condition A, B, C, D, or E are not met for reasons other than Condition F, the unit must be brought to a MODE in which the LCO does not apply.

To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months . The allowed Completion Times are appropriate, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems, considering a three unit shutdown may be required.

OCONEE UNITS 1, 2, & 3 B 3.10.1-10 Rev.001 I

SSF B 3.10.1 BASES (continued)

SURVEILLANCE SR 3.10.1.1 REQUIREMENTS Performance of the CHANNEL CHECK for each required instrumentation channel ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel with a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even

. more serious. ACHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHAN.NEL CALIBRATION. This SR is modified by a Note to indicate that it is not applicable to the SSF RCS temperature instrument channels, which are common to the RPS RCS temperature instrument channels and are normally aligned through a transfer isolation device to each Unit control room. The instrument string to the SSF control room is checked and calibrated periodically per the Surveillance Frequency Control Program.

Agreement criteria are determined.based on a combination of the channel instrument uncertainties, including indication, and readability. If a .

channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the

channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveill~nce is required, the CHANNEL CHECK wi'll only verify that they are off scale in the same direction. Off scale low current loop channels.

are verified to be reading at the bottom of the range and not failed dowri'scale.

The Surveillance Frequency is based on operating experience, equipment reliability, and. plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2,. & 3 B 3.10.1-11 Rev.001 I

SSF B 3.10.1 BASES SURVEILLANCE SR 3.10.1.2 REQUIREMENTS (continued) Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell} and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.3 and 3.10.1.4 SR 3.10.1.3 provides verification that the level of fuel oil in the day tank is at or above the level at which fuel oil is automatically added. The level is expressed as an equivalent volume in gallons. The day tank is sized based on the amount of fuel oil required to successfully start the DG and to allow for orderly shutdown of the DG upon loss of fuel oil from the main storage tank.

SR 3.10.1.4 provides verification that there is an adequate inventory of fuel oil in the storage tanks to support SSF DG operation for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months at full load. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months period is sufficient time to place the unit in a safe

shutdown condition The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the

Surveillance Frequency Control Program during this period.

OCONEE UNITS 1, 2, & 3 B 3.10.1-12 Rev.001 I

SSF B 3.10.1 BASES SURVEILLANCE SR 3.10.1.5 REQUIREMENTS (continued) The SR requires the DG to start (normal or emergency) from standby conditions and achieve required voltage and frequency. Standby conditions for a DG means that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. This SR is modified by a Note to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup period prior to loading. This minimizes wear on moving parts that do not get lubricated when the engine is running.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.6 This Surveillance ensures that sufficient air start capacity for the SSF DG is available, without the aid of the refill compressor. The SSF DG air start system is equipped with four air storage tanks. Each set of two tanks will provide sufficient air to start the SSF DG a minimum of three successive times without recharging. The pressure specified in this SR is intended to reflect the lowest value at which the three starts can be accomplished.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.7 This Surveillance demonstrates that the fuel oil transfer pump automatically starts and transfers fuel oil from the underground fuel oil storage tank to the day tank. This is required to support continuous operation of SSF DG. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intad, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program,

OCONEE UNITS 1, 2, & 3 B 3.10.1-13 Rev.001 I

SSF B 3.10.1 BASES SURVEILLANCE SR 3.10.1.8 REQUIREMENTS (continued) A sample of fuel oil is required to be obtained from the SSF day tank and underground fuel oil storage tank in accordance with the Diesel Fuel Oil

Testing Program in order to ensure that fuel oil viscosity, water, and sediment are within the limits of the Diesel Fuel Oil Testing Program.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.9 This Surveillance verifies that the SSF DG is capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize electrical loads, while minimizing the time that the DG is connected to the offsite source.

Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0.

The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation. to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program .

. This SR is modified by three Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit will not invalidate the test. Note 3 indicates that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup period prior to loading.

This minimizes wear on moving parts that do not get lubricated.

OCONEE UNITS 1, 2, & 3 B 3.10.1-14 Rev. 001 I

SSF B 3.10.1 BASES SURVEILLANCE SR 3.10.1.10 REQUIREMENTS (continued) Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surv"eillance Frequency Control Program.

SR 3.10.1.11 Visual inspection of battery cell t.o cell and terminal connections provides an indication of physical damage that could potentially degrade battery performance. The anti-corrosion material is used to help ensure good electrical connections and to .reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection.

The limits established for this SR must be no more than 20% above the resistance as measured during .installation or not above the ceiling value established by the manufacturer.

The Surveillance Frequency is based on operating experience; equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

OCONEE UNITS 1, 2, & 3 83.10.1-15 Rev. 001 I

SSF B 3.10.1 BASES SURVEILLANCE SR 3.10.1.12 REQUIREMENTS (continued) A battery service test is a special test of the battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length correspond to the design duty cycle requirements. The design basis discharge time for the

SSF battery is one hour.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.13 CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to*ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that

measurement errors and bistable setpoint errors are within the assumptions of the setpoint'analysis. CHANNEL CALIBRATIONS must b.e performed consistent with the assumptions of the setpoint analysis.

The Surveillance Frequency is based on operating experience, equipment reliabllity, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.14 lnservice Testing of the SSF valves demonstrates that the valves are mechanically OPERABLE and will operate when required. *These valves are required to operate to ensure the required flow path.

The specified Frequency is in accordance with the IST Program requirements. Operating experience has shown that these components usually pass the SR when performed at the IST Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint. * *

OCONEE UNITS 1, 2, & 3 B 3.10.1-16 Rev. 001 I

SSF B 3.10.1 BASES SURVEILLANCE SR 3.10.1.15 REQUIREMENTS.

(continued) This SR requires the SSF pumps to be tested in accordance with the IST Program. The IST verifies the required flow rate at a discharge pressure to verify OPERABILITY. The SR is modified by a note indicating that it is not applicable to the SSF submersible pump.

The specified Frequency is in accordance with the IST Program requirements. Operating experience has shown that these compon!3nts usually pass the SR when performed at the IST Frequency. Therefore, the Frequency was concluded to be .acceptable from a reliat;>ility standpoint.

SR 3.10.1.16 This SR requires the SSF submersible pump to be tested on a 2 year Frequency and verifies the required flow rate at a discharge pressure to verify OPERABILITY.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program:

REFERENCES 1. UFSAR, Section 9.6.

2. Oconee Probabilistic Risk Assessment. *

3. 10 CFR 50.36.

4. NRC Letter from L. A. Wiens to H. B. Tucker, "Safety Evaluation Report on Effect of Tornado Missiles on Oconee Emergency

,Feedwater System," dated July 28, 1989.

5. NRC Letter from L.A. Wiens to J. W. Hampton, "Safety Evaluation for Station Blackout (10 CFR 50.63)- Oconee Nuclear Station, Units 1, 2, and 3," dated March 10, 1992.

OCONEE UNITS 1, 2, & 3 B 3.10.1-17 Rev.001 I

SSF B 3.10.1 BASES REFERENCES 6. NRC Letter from L.A. Wiens to J. W. Hampton, "Supplemental (continued) Safety Evaluation for Station Blackout (10 CFR 50.63) - Oconee Nuclear Station, Units 1, 2, and 3," dated December 3, 1992.

7. UFSAR Section 8.3.2.2.4.

OCONEE UNITS 1, 2, & 3 B 3.10.1-18 Rev. 001 I

SSF B 3.10.1 Table B 3.10.1-1(page1of1)

SSF Instrumentation FUNCTION REQUIRED CHANNELS PER UNIT

1. Reactor Coolant System Pressure 1

2. Reactor Coolant System Temperature (Tc) 1/Loop

3. Reactor Coolant System Temperature (Th) 1/Loop

4. Pressurizer Water Level 1

5. Steam Generator A & B Water Level 1/SG OCONEE UNITS 1, 2, & 3 B 3.10.1-19 Rev.001 I

ONS-2017-019, Technical Specification Bases Change 2015-09

Text

Navigation menu

ONS-2017-019, Technical Specification Bases Change 2015-09

Text

Navigation menu

Search