Text

Technical Specification Bases Changes
	ML19184A618
Person / Time
Site:	Oconee
Issue date:	06/26/2019
From:	Dalton S; Duke Energy Carolinas
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	RA-18-0282
	Download: ML19184A618 (159)
	v • d • e

( ~ DUKE ENERGY RA-18-0282 June 26,2019 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington DC 20555-0001

Subject:

Duke Energy Carolinas, LLC Oconee Nuclear Station Docket Numbers 50-269, 50-270, and 50-287 Technical Specification Bases Changes Sheila Dalton Manager, Nuclear Suppott Services Oconee Nuclear Station Duke Energy ON01SC I 7800 Rochester Hwy Seneca, SC 29672 864.873.3657 864 710.3972 Sheila.Dalton@duke-energy.com The attached changes to the Oconee Nuclear Station TS Bases were processed in accordance with the provisions of Technical Specification 5_5.15, "Technical Specifications (TS) Bases Control Program."

Any questions regarding this information should be directed to Sheila Dalton, Manager Nuclear Support Services, at (864) 873-3657.

Sincerely, Sheila Dalton Manager, Nuclear Support Services Oconee Nuclear Station Attachments TSB List of Effective Pages (LOEPs ), Rev. 022 TSB Limiting Condition for Operation (LCO) Applicability, Rev. 003 TSB Reactor Protective System (RPS) Instrumentation, Rev. 004 LOEP 1 - 4 3.0 1 - 19 3.3.1 1 - 27

RA-18-0282 June 26, 2019 Page 2 Attachments (continued)

TSB Pressurizer Safety Valves, Rev. 002 TSB High Pressure Injection (HPI), Rev. 004 TSB Low Pressure Injection (LPI), Rev. 004 TSB Containment Isolation Valves, Rev. 001 TSB Reactor Building Spray and Cooling Systems, Rev. 003 TSB Main Steam Relief Valves (MSRVs), Rev. 003 TSB Main Feedwater Control Valves (MFCVs), and Startup Feedwater Control Valves (SFCVs), Rev. 002 TSB Emergency Feedwater (EFW) System, Rev. 002 TSB Protected Service Water (PSW) System, Rev. 004 TSB Spent Fuel Pool Cooling (SFPC) Purification System Isolation from Borated Water Storage Tank (BWST), Rev. 002 TSB Standby Shutdown Facility (SSF), Rev. 002 3.4.10 1-4 3.5.2 1 -15 3.5.3 1 -10 3.6.3 1 -10 3.6.5 1 -12 3.7.1 1-4 3.7.3 1-4 3.7.5 1-8 3.7.10 1 -14 3.7.19 1-6 3.10.1 1 -19

RA-18-0282 June 26, 2019 Page 3 cc:

Ms. Laura Dudes, Administrator, Region II U.S. Nuclear Regulatory Commission Marquis One Tower 245 Peachtree Center Ave., NE, Suite 1200 Atlanta, GA 30303-1257 Ms. Audrey Klett, Project Manager (ONS)

(by electronic mail only)

U.S. Nuclear Regulatory Commission 11555 Rockville Pike Mail Stop O-08B1A Rockville, MD 20852-2738 Mr. Adam Ruh Senior Resident Inspector (Acting)

Oconee Nuclear Station

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 11/28/2018 LIST OF EFFECTIVE PAGES Oconee Nuclear Station LOEP 1 Revision 022 SECTION/PAGES REVISION NUMBER IMPLEMENTATION DATE TOC 000 09/03/14 B 2.1.1 001 06/08/17 B 2.1.2 000 02/06/14 B 3.0 003 11/28/18 B 3.1.1 000 05/16/12 B 3.1.2 000 05/16/12 B 3.1.3 000 06/02/99 B 3.1.4 000 07/23/12 B 3.1.5 000 05/16/12 B 3.1.6 000 07/23/12 B 3.1.7 000 07/23/12 B 3.1.8 000 05/16/12 B 3.2.1 000 05/16/12 B 3.2.2 000 05/16/12 B 3.2.3 001 10/30/18 B 3.3.1 004 11/28/18 B 3.3.2 000 12/14/04 B 3.3.3 000 12/10/14 B 3.3.4 000 12/10/14 B 3.3.5 000 12/10/14 B 3.3.6 000 12/10/14 B 3.3.7 000 12/10/14 B 3.3.8 000 05/16/12 B 3.3.9 000 05/16/12 B 3.3.10 000 05/16/12 B 3.3.11 001 01/17/17 B 3.3.12 000 05/16/12

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 11/28/2018 LIST OF EFFECTIVE PAGES Oconee Nuclear Station LOEP 2 Revision 022 SECTION/PAGES REVISION NUMBER BASES REVISION DATE B 3.3.13 000 05/16/12 B 3.3.14 001 01/17/17 B 3.3.15 000 05/16/12 B 3.3.16 000 05/16/12 B 3.3.17 000 05/16/12 B 3.3.18 000 05/16/12 B 3.3.19 000 05/16/12 B 3.3.20 000 05/16/12 B 3.3.21 000 05/16/12 B 3.3.22 000 05/16/12 B 3.3.23 000 05/16/12 B 3.3.24 000 09/26/01 B 3.3.25 000 11/05/03 B 3.3.26 000 11/05/03 B 3.3.27 000 12/10/14 B 3.3.28 000 05/16/12 B 3.4.1 000 05/16/12 B 3.4.2 000 12/16/98 B 3.4.3 001 01/17/17 B 3.4.4 001 07/14/16 B 3.4.5 000 05/16/12 B 3.4.6 001 04/18/17 B 3.4.7 001 04/18/17 B 3.4.8 001 04/18/17 B 3.4.9 000 05/16/12 B 3.4.10 002 11/28/18 B 3.4.11 000 10/12/12 B 3.4.12 000 06/13/14

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 11/28/2018 LIST OF EFFECTIVE PAGES Oconee Nuclear Station LOEP 3 Revision 022 SECTION/PAGES REVISION NUMBER BASES REVISION DATE B 3.4.13 001 01/17/17 B 3.4.14 001 09/21/15 B 3.4.15 001 11/24/15 B 3.4.16 001 08/23/16 B 3.5.1 000 05/16/12 B 3.5.2 004 11/28/18 B 3.5.3 004 11/28/18 B 3.5.4 000 05/16/12 B 3.6.1 001 01/17/17 B 3.6.2 001 01/17/17 B 3.6.3 001 11/28/18 B 3.6.4 000 05/16/12 B 3.6.5 003 11/28/18 B 3.7.1 003 11/28/18 B 3.7.2 000 11/13/12 B 3.7.3 002 11/28/18 B 3.7.4 002 01/17/17 B 3.7.5 002 11/28/18 B 3.7.6 000 05/16/12 B 3.7.7 000 12/10/14 B 3.7.8 000 05/16/12 B 3.7.9 001 09/26/18 B 3.7.10 004 11/28/18 B 3.7.10a 001 01/17/17 B 3.7.11 000 05/16/12 B 3.7.12 002 08/09/17 B 3.7.13 000 08/19/10 B 3.7.14 000 05/16/12

OCONEE NUCLEAR STATION TECHNICAL SPECIFICATIONS-BASES REVISED 11/28/2018 LIST OF EFFECTIVE PAGES Oconee Nuclear Station LOEP 4 Revision 022 SECTION/PAGES REVISION NUMBER BASES REVISION DATE B 3.7.15 000 10/24/07 B 3.7.16 001 05/18/17 B 3.7.17 001 01/17/17 B 3.7.18 001 08/09/17 B 3.7.19 002 11/28/18 B 3.8.1 003 01/03/18 B 3.8.2 000 04/07/11 B 3.8.3 001 01/17/17 B 3.8.4 000 12/18/07 B 3.8.5 000 05/16/12 B 3.8.6 000 05/16/12 B 3.8.7 000 05/16/12 B 3.8.8 001 01/17/17 B 3.8.9 001 01/17/17 B 3.9.1 000 05/16/12 B 3.9.2 000 05/16/12 B 3.9.3 001 01/17/17 B 3.9.4 002 04/18/17 B 3.9.5 001 04/18/17 B 3.9.6 000 05/16/12 B 3.9.7 000 05/16/12 B 3.9.8 000 06/25/14 B 3.10.1 002 11/28/18 B 3.10.2 000 11/05/14 Note: With the introduction of Fusion in June 2015, all controlled documents require a three-digit revision number. Thus, the revision numbers were set to 000 in the summer of 2015. As such, the revision dates for Revision 000 are based on the implementation dates for revisions in effect prior to this change.

OCONEE UNITS 1, 2, & 3 B 3.0-1 Rev. 003 LCO Applicability B 3.0 B 3.0 LIMITING CONDITION FOR OPERATION (LCO) APPLICABILITY BASES LCOs LCO 3.0.1 through LCO 3.0.9 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated.

LCO 3.0.1 LCO 3.0.1 establishes the Applicability statement within each individual Specification as the requirement for when the LCO is required to be met (i.e., when the unit is in the MODES or other specified conditions of the Applicability statement of each Specification).

LCO 3.0.2 LCO 3.0.2 establishes that upon discovery of a failure to meet an LCO, the associated ACTIONS shall be met. The Completion Time of each Required Action for an ACTIONS Condition is applicable from the point in time that an ACTIONS Condition is entered, unless otherwise specified.

The Required Actions establish those remedial measures that must be taken within specified Completion Times when the requirements of an LCO are not met. This Specification establishes that:

a.

Completion of the Required Actions within the specified Completion Times constitutes compliance with a Specification; and

b.

Completion of the Required Actions is not required when an LCO is met within the specified Completion Time, unless otherwise specified.

There are two basic types of Required Actions. The first type of Required Action specifies a time limit in which the LCO must be met. This time limit is the Completion Time to restore an inoperable system or component to OPERABLE status or to restore variables to within specified limits. If this type of Required Action is not completed within the specified Completion Time, a shutdown may be required to place the unit in a MODE or condition in which the Specification is not applicable. (Whether stated as a Required Action or not, correction of the entered Condition is an action that may always be considered upon entering ACTIONS.) The second type of Required Action specifies the remedial measures that permit continued operation of the unit that is not further restricted by the Completion Time.

In this case, compliance with the Required Actions provides an acceptable level of safety for continued operation.

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-2 Rev. 003 LCO 3.0.2 Completing the Required Actions is not required when an LCO is met or (continued) is no longer applicable, unless otherwise stated in the individual Specification.

The nature of some Required Actions of some Conditions necessitates that, once the Condition is entered, the Required Actions must be completed even though the associated Conditions no longer exist. The individual LCO's ACTIONS specify the Required Actions where this is the case. An example of this is in LCO 3.4.3, "RCS Pressure and Temperature (P/T) Limits."

The Completion Times of the Required Actions are also applicable when a system or component is removed from service intentionally. Reasons for intentionally relying on the ACTIONS include, but are not limited to, performance of Surveillances, preventive maintenance, corrective maintenance, or investigation of operational problems. Entering ACTIONS for these reasons must be done in a manner that does not compromise safety. Intentional entry into ACTIONS should not be made for operational convenience. Additionally, if intentional entry into ACTIONS would result in redundant equipment being inoperable, alternatives should be used instead. Doing so limits the time both subsystems/trains of a safety function are inoperable and limits the time conditions exist which may result in LCO 3.0.3 being entered. Individual Specifications may specify a time limit for performing an SR when equipment is removed from service or bypassed for testing. In this case, the Completion Times of the Required Actions are applicable when this time limit expires, if the equipment remains removed from service or bypassed.

When a change in MODE or other specified condition is required to comply with Required Actions, the unit may enter a MODE or other specified condition in which another Specification becomes applicable. In this case, the Completion Times of the associated Required Actions would apply from the point in time that the new Specification becomes applicable and the ACTIONS Condition(s) are entered.

LCO 3.0.3 LCO 3.0.3 establishes the actions that must be implemented when an LCO is not met and:

a.

An associated Required Action and Completion Time is not met and no other Condition applies; or

b.

The condition of the unit is not specifically addressed by the associated ACTIONS. This means that no combination of Conditions stated in the ACTIONS can be made that exactly

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-3 Rev. 003 LCO 3.0.3 corresponds to the actual condition of the unit. Sometimes, (continued) possible combinations of Conditions are such that entering LCO 3.0.3 is warranted; in such cases, the ACTIONS specifically state a Condition corresponding to such combinations and also that LCO 3.0.3 be entered immediately.

This Specification delineates the time limits for placing the unit in a safe MODE or other specified condition when operation cannot be maintained within the limits for safe operation as defined by the LCO and its ACTIONS.

It is not intended to be used as an operational convenience that permits routine voluntary removal of redundant systems or components from service in lieu of other alternatives that would not result in redundant systems or components being inoperable.

Upon entering LCO 3.0.3, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is allowed to prepare for an orderly shutdown before initiating a change in unit operation. This includes time to permit the operator to coordinate the reduction in electrical generation with the load dispatcher to ensure the stability and availability of the electrical grid. If at the end of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , corrective measures which would allow exiting LCO 3.0.3 are not complete, but there is reasonable assurance that corrective measures will be completed in time to still allow for an orderly unit shutdown, commencing a load decrease may be delayed until that time. The time limits specified to enter lower MODES of operation permit the shutdown to proceed in a controlled and orderly manner that is well within the specified maximum cooldown rate and within the capabilities of the unit, assuming that only the minimum required equipment is OPERABLE. This reduces thermal stresses on components of the Reactor Coolant System and the potential for a plant upset that could challenge safety systems under conditions to which this Specification applies. The use and interpretation of specified times to complete the actions of LCO 3.0.3 are consistent with the discussion of Section 1.3, Completion Times.

A unit shutdown required in accordance with LCO 3.0.3 may be terminated and LCO 3.0.3 exited if any of the following occurs:

a.

The LCO is now met,

b.

The LCO is no longer applicable,

c.

A Condition exists for which the Required Actions have now been performed, or

d.

ACTIONS exist that do not have expired Completion Times. These Completion Times are applicable from the point in time that the Condition is initially entered and not from the time LCO 3.0.3 is exited.

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-4 Rev. 003 LCO 3.0.3 The time limits of LCO 3.0.3 allow 37 hours4.282407e-4 days 0.0103 hours 6.117725e-5 weeks 1.40785e-5 months for the unit to be in MODE 5 (continued) when a shutdown is required during MODE 1 operation. If the unit is in a lower MODE of operation when a shutdown is required, the time limit for entering the next lower MODE applies. If a lower MODE is entered in less time than allowed, however, the total allowable time to enter MODE 5, or other applicable MODE, is not reduced. For example, if MODE 3 is entered in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then the time allowed for entering MODE 4 is the next 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months , because the total time for entering MODE 4 is not reduced from the allowable limit of 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months . Therefore, if remedial measures are completed that would permit a return to MODE 1, a penalty is not incurred by having to enter a lower MODE of operation in less than the total time allowed.

In MODES 1, 2, 3, and 4, LCO 3.0.3 provides actions for Conditions not covered in other Specifications. The requirements of LCO 3.0.3 do not apply in MODES 5 and 6 because the unit is already in the most restrictive Condition required by LCO 3.0.3. The requirements of LCO 3.0.3 do not apply in other specified conditions of the Applicability (unless in MODE 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

Exceptions to LCO 3.0.3 are provided in instances where requiring a unit shutdown, in accordance with LCO 3.0.3, would not provide appropriate remedial measures for the associated condition of the unit. An example of this is in LCO 3.7.11, "Spent Fuel Pool Water Level." LCO 3.7.11 has an Applicability of "During movement of irradiated fuel assemblies in the spent fuel pool." Therefore, this LCO can be applicable in any or all MODES. If the LCO and the Required Actions of LCO 3.7.11 are not met while in MODE 1, 2, 3, or 4, there is no safety benefit to be gained by placing the unit in a shutdown condition. The Required Action of LCO 3.7.11 of "Suspend movement of irradiated fuel assemblies in spent fuel pool" is the appropriate Required Action to complete in lieu of the actions of LCO 3.0.3. These exceptions are addressed in the individual Specifications.

LCO 3.0.4 LCO 3.0.4 establishes limitations on changes in MODES or other specified conditions in the Applicability when an LCO is not met. It precludes placing the unit in a MODE or other specified condition stated in that Applicability (e.g., Applicability desired to be entered) when the following exist:

a.

Unit conditions are such that the requirements of the LCO would not be met in the Applicability desired to be entered; and

b.

Continued noncompliance with the LCO requirements, if the Applicability were entered, would result in the unit being required to

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-5 Rev. 003 LCO 3.0.4 exit the Applicability desired to be entered to comply with the Required (continued)

Actions. Compliance with ACTIONS that permit continued operation of the unit for an unlimited period of time in a MODE or other specified condition provides an acceptable level of safety for continued operation. This is without regard to the status of the unit before or after the MODE change.

Therefore, in such cases, entry into a MODE or other specified condition in the Applicability may be made and the Required Actions followed after entry into the Applicability. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

For example, the provisions of LCO 3.0.4 may be used when the Required Action to be entered states that an inoperable instrument channel must be placed in the trip condition within the Completion Time. Transition into a MODE or other specified condition in the Applicability may be made in accordance with LCO 3.0.4 and the channel is subsequently placed in the tripped condition within the Completion Time, which begins when the Applicability is entered. If the instrument channel cannot be placed in the tripped condition and the subsequent default ACTION (Required Action and associated Completion Time not met) allows the OPERABLE train to be placed in operation, use of LCO 3.0.4 is acceptable because the subsequent ACTIONS to be entered following entry into the MODE include ACTIONS (place the OPERABLE train in operation) that permit safe plant operation for an unlimited period of time in the MODE or other specified condition to be entered.

The provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of LCO 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown.

Exceptions to LCO 3.0.4 are stated in the individual Specifications. The exceptions allows entry into MODES or other specified conditions in the Applicability when the associated ACTIONS to be entered do not provide for continued operation for an unlimited period of time. Exceptions may apply to all the ACTIONS or to a specific Required Action of a Specification.

LCO 3.0.4 is only applicable when entering MODE 4 from MODE 5, MODE 3 from MODE 4, MODE 2 from MODE 3, or MODE 1 from MODE 2.

Furthermore, LCO 3.0.4 is applicable when entering any other specified condition in the Applicability associated with operating in MODES 1, 2, 3, or

4. The requirements of LCO 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in MODES 1, 2, 3, or 4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-6 Rev. 003 LCO 3.0.4 Surveillances do not have to be performed on the associated inoperable (continued) equipment (or on variables outside the specified limits), as permitted by SR 3.0.1. Therefore, changing MODES or other specified conditions while in an ACTIONS Condition, in compliance with LCO 3.0.4 or where an exception to LCO 3.0.4 is stated, is not a violation of SR 3.0.1 or SR 3.0.4 for those Surveillances that do not have to be performed due to the associated inoperable equipment. However, SRs must be met to ensure OPERABILITY prior to declaring the associated equipment OPERABLE (or variable within limits) and restoring compliance with the affected LCO.

LCO 3.0.5 LCO 3.0.5 establishes the allowance for restoring equipment to service under administrative controls when it has been removed from service or declared inoperable to comply with ACTIONS. The sole purpose of this Specification is to provide an exception to LCO 3.0.2 (e.g., to not comply with the applicable Required Action(s)) to allow the performance of required testing to demonstrate:

a.

The OPERABILITY of the equipment being returned to service; or

b.

The OPERABILITY of other equipment.

The administrative controls ensure the time the equipment is returned to service in conflict with the requirements of the ACTIONS is limited to the time absolutely necessary to perform the required testing to demonstrate OPERABILITY. This Specification does not provide time to perform any other preventive or corrective maintenance. LCO 3.0.5 should not be used in lieu of other practicable alternatives that comply with Required Actions and that do not require changing the MODE or other specified conditions in the Applicability in order to demonstrate equipment is OPERABLE. LCO 3.0.5 is not intended to be used repeatedly.

An example of demonstrating equipment is OPERABLE with the Required Actions not met is opening a manual valve that was closed to comply with Required Actions to isolate a flowpath with excessive Reactor Coolant System (RCS) Pressure Isolation Valve (PIV) leakage in order to perform testing to demonstrate that RCS PIV leakage is now within limit.

Examples of demonstrating equipment OPERABILITY include instances in which it is necessary to take an inoperable channel or trip system out of a tripped condition that was directed by a Required Action, if there is no Required Action Note for this purpose. An example of verifying OPERABILITY of equipment removed from service is taking a tripped channel out of the tripped condition to permit the logic to function and indicate the appropriate response during performance of required testing

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-7 Rev. 003 LCO 3.0.5 on the inoperable channel. Examples of demonstrating the OPERABILITY (continued) of other equipment are taking an inoperable channel or trip system out of the tripped condition 1) to prevent the trip function from occurring during the performance of required testing on another channel in the other trip system, or 2) to permit the logic to function and indicate the appropriate response during the performance of required testing on another channel in the same trip system.

The administrative controls in LCO 3.0.5 apply in all cases to systems or components in Chapter 3 of the Technical Specifications, as long as the testing could not be conducted while complying with the Required Actions.

This includes the realignment or repositioning of redundant or alternate equipment or trains previously manipulated to comply with ACTIONS, as well as equipment removed from service or declared inoperable to comply with ACTIONS.

LCO 3.0.6 LCO 3.0.6 establishes an exception to LCO 3.0.2 for support systems that have an LCO specified in the Technical Specifications (TS). This exception is provided because LCO 3.0.2 would require that the Conditions and Required Actions of the associated inoperable supported system LCO be entered solely due to the inoperability of the support system. This exception is justified because the actions that are required to ensure the unit is maintained in a safe condition are specified in the support system LCO's Required Actions. These Required Actions may include entering the supported system's Conditions and Required Actions or may specify other Required Actions. When a support system is inoperable and there is an LCO specified for it in the TS, the supported system(s) are required to be declared inoperable if determined to be inoperable as a result of the support system inoperability. However, it is not necessary to enter into the supported systems' Conditions and Required Actions unless directed to do so by the support system's Required Actions. The potential confusion and inconsistency of requirements related to the entry into multiple support and supported systems' LCOs' Conditions and Required Actions are eliminated by providing all the actions that are necessary to ensure the unit is maintained in a safe condition in the support system's Required Actions.

However, there are instances where a support system's Required Action may either direct a supported system to be declared inoperable or direct entry into Conditions and Required Actions for the supported system. This may occur immediately or after some specified delay to perform some other Required Action. Regardless of whether it is immediate or after some delay, when a support system's Required Action directs a supported system to be declared inoperable or directs entry in Conditions and Required Actions for a supported system, the applicable Conditions and Required Actions shall be entered in accordance with LCO 3.0.2.

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-8 Rev. 003 LCO 3.0.6 Specification 5.5.16, "Safety Function Determination Program (SFDP),"

(continued) ensures loss of safety function is detected and appropriate actions are taken. Upon entry into LCO 3.0.6, an evaluation shall be made to determine if loss of safety function exists. Additionally, other limitations, remedial actions, or compensatory actions may be identified as a result of the support system inoperability and corresponding exception to entering supported system Conditions and Required Actions. The SFDP implements the requirements of LCO 3.0.6.

Cross train checks to identify a loss of safety function for those support systems that support multiple and redundant safety systems are required.

The cross train check verifies that the supported systems of the remaining OPERABLE support systems are OPERABLE, thereby ensuring safety function is retained.

a.

A required system redundant to system(s) supported by the inoperable support system is also inoperable; or (EXAMPLE B3.06-

1)

b.

A required system redundant to system(s) in turn supported by the inoperable supported system is also inoperable; or (EXAMPLE B3.06-2)

c.

A required system redundant to support system(s)for the supported systems (a) and (b) above is also inoperable. (EXAMPLE B3.06-3)

EXAMPLE B3.06-1 If System 2 of Train A is inoperable, and System 5 of Train B is inoperable, a loss of safety function exists in supported System 5.

EXAMPLE B3.06-2 If System 2 of Train A is inoperable, and System 11 of Train B is inoperable, a loss of safety function exists in System 11 which is in turn supported by System 5.

EXAMPLE B3.06-3 If System 2 of Train A is inoperable, and System 1 of Train B is inoperable, a loss of safety function exists in Systems 2, 4, 5, 8, 9, 10 and 11.

If this evaluation determines that a loss of safety function exists, the appropriate Conditions and Required Actions of the LCO in which the loss of safety function exists are required to be entered.

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-9 Rev. 003 LCO 3.0.6 (continued)

EXAMPLES TRAIN A TRAIN B System 8 System 8 System 4 System 4 System 9 System 9 System 2 System 2 System 10 System 10 System 5 System 5 System 11 System 11 System 1 System 1 System 12 System 12 System 6 System 6 System 13 System 13 System 3 System 3 System 14 System 14 System 7 System 7 System 15 System 15 LCO 3.0.7 There are certain special tests and operations required to be performed at various times over the life of the unit. These special tests and operations are necessary to demonstrate select unit performance characteristics, to perform special maintenance activities, and to perform special evolutions.

Test Exception LCO 3.1.8 allows specified Technical Specification (TS) requirements to be changed to permit performances of these special tests and operations, which otherwise could not be performed if required to comply with the requirements of these TS. Unless otherwise specified, all the other TS requirements remain unchanged. This will ensure all appropriate requirements of the MODE or other specified condition not directly associated with or required to be changed to perform the special test or operation will remain in effect.

The Applicability of a Test Exception LCO represents a condition not necessarily in compliance with the normal requirements of the TS.

Compliance with Test Exception LCOs is optional. A special operation may be performed either under the provisions of the appropriate Test Exception LCO or under the other applicable TS requirements. If it is desired to perform the special operation under the provisions of the Test Exception LCO, the requirements of the Test Exception LCO shall be followed.

LCO Applicability B 3.0 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.0-10 Rev. 003 LCO 3.0.8 LCO 3.0.8 establishes conditions under which systems are considered to remain capable of performing their intended safety function when associated snubbers are not capable of providing their associated support function(s). This LCO states that the supported system is not considered to be inoperable solely due to one or more snubbers not capable of performing their associated support function(s). This is appropriate because a limited length of time is allowed for maintenance, testing, or repair of one or more snubbers not capable of performing their associated support function(s) and appropriate compensatory measures are specified in the snubber requirements, which are located outside of the Technical Specifications (TS) under licensee control. The snubber requirements do not meet the criteria in 10 CFR 50.36(c)(2)(ii), and, as such, are appropriate for control by the licensee.

If the allowed time expires and the snubber(s) are unable to perform their associated support function(s), the affected supported systems LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.

LCO 3.0.8.a applies when one or more snubbers are not capable of providing their associated support function(s) to a single train of a multiple train or to a single train system. LCO 3.0.8.a allows 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the snubber(s) before declaring the supported system inoperable. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function and due to the availability of the redundant train of the supported system.

LCO 3.0.8.b applies when one or more snubbers are not capable of providing their associated support function(s) to more than one train of a multiple train system. LCO 3.0.8.b allows 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to restore the snubber(s) before declaring the supported system inoperable. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable based on the low probability of a seismic event concurrent with an event that would require operation of the supported system occurring while the snubber(s) are not capable of performing their associated support function.

LCO 3.0.8 requires that risk be assessed and managed. Industry and NRC guidance on the implementation of 10 CFR 50.65(a)(4) (the Maintenance Rule) does not address seismic risk. However, use of LCO 3.0.8 should be considered with respect to other plant maintenance activities, and integrated into the existing Maintenance Rule process to the extent possible so that maintenance on any unaffected train is properly controlled, and emergent issues are properly addressed. The risk assessment need not be quantified, but may be a qualitative awareness of the vulnerability of systems and components when one or more snubbers are not able to perform their associated support function.

LCO Applicability B 3.0 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.0-11 Rev. 003 LCO 3.0.9 LCO 3.0.9 establishes conditions under which systems described in the Technical Specifications are considered to remain OPERABLE when required barriers are not capable of providing their related support function (s).

Barriers are doors, walls, floor plugs, curs, hatches, installed structures or components, or other devices, not explicitly described in Technical Specifications, that support the performance of the safety function of systems described in the Technical Specifications. This LCO states that the supported system is not considered to be inoperable solely due to required barriers not capable of performing their related support function(s) under the described conditions. LCO 3.0.9 allows 30 days before declaring the supported system(s) inoperable and the LCO(s) associated with the supported system(s) not met. A maximum time is placed on each use of this allowance to ensure that as required barriers are found or are otherwise made unavailable, they are restored. However, the allowable duration may be less than the specified maximum time based on the risk assessment.

If the allowed time expires and the barriers are unable to perform their related support function(s), the supported systems LCO(s) must be declared not met and the Conditions and Required Actions entered in accordance with LCO 3.0.2.

This provision does not apply to barriers which support ventilation systems or to fire barriers. The Technical Specifications for ventilation systems provide specific Conditions for inoperable barriers. Fire barriers are addressed by other regulatory requirements and associated plant programs. This provision does not apply to barriers which are not required to support system OPERABILITY (see NRC Regulatory Issue Summary 2001-09, Control of Hazard Barriers, dated April 2, 2001.

The provisions of LCO 3.0.9 are justified because of the low risk associated with required barriers not being capable of performing their related support function. This provision is based on consideration of the following initiating event categories:

Loss of coolant accidents, High energy line breaks, Feedwater line breaks, Internal flooding, External flooding, Turbine missile ejection, and Tornado or high wind The risk impact of the barriers which cannot perform their related support function(s) must be addressed pursuant to the risk assessment and

LCO Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-12 Rev. 003 LCO 3.0.9 management provision of the Maintenance Rule, 10 CFR 50.65 (a)(4),

(continued) and the associated implementation guidance, Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants.

Regulatory guide 1.160 endorses the guidance in Section 11 of NUMARC 93-01, Revision 4A, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. This guidance provides for the consideration of dynamic plant configuration issues, emergent conditions, and other aspects pertinent to plant operation with the barriers unable to perform their related support function(s). These considerations may result in risk management and other compensatory actions being required during the period that barriers are unable to perform their related support function(s).

LCO 3.0.9 may be applied to one or more trains or subsystems of a system supported by barriers that cannot provide their related support function(s), provided that risk is assessed and managed (including consideration of the effects on Large Early Release and from external events). If applied concurrently to more than one train or subsystem of a multiple train or subsystem supported system, the barriers supporting LCO 3.0.9 each of these trains or subsystems must provide their related support function(s) for different categories of initiating events. For example, LCO 3.0.9 may be applied for up to 30 days for more than one train of a multiple train supported system if the affected barrier for one train protects against internal flooding and the affected barrier for the other train protects against tornado missiles. In this example, the affected barrier may be the same physical barrier but serve different protection functions for each train.

If during the time that LCO 3.0.9 is being used, the required OPERABLE train or subsystem becomes inoperable, it must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Otherwise, the train(s) or subsystem(s) supported by barriers that cannot perform their related support function(s) must be declared inoperable and the associated LCOs declared not met. This 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period provides time to respond to emergent conditions that would otherwise likely lead to entry into LCO 3.0.3 and a rapid plant shutdown, which is not justified given the low probability of an initiating event which would require the barrier(s) not capable of performing their related support function(s). During this 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months period, the plant risk associated with the existing conditions is assessed and managed in accordance with 10 CFR 50.65(a)(4).

SR Applicability B 3.0 OCONEE UNITS 1, 2, & 3 B 3.0-13 Rev. 003 B 3.0 SURVEILLANCE REQUIREMENT (SR) APPLICABILITY BASES SRs SR 3.0.1 through SR 3.0.4 establish the general requirements applicable to all Specifications and apply at all times, unless otherwise stated. SR 3.0.2 and SR 3.0.3 apply in Chapter 5 only when invoked by a Chapter 5 Specification.

SR 3.0.1 SR 3.0.1 establishes the requirement that SRs must be met during the MODES or other specified conditions in the Applicability for which the requirements of the LCO apply, unless otherwise specified in the individual SRs. This Specification is to ensure that Surveillances are performed to verify the OPERABILITY of systems and components, and that variables are within specified limits. Failure to meet a Surveillance within the specified Frequency, in accordance with SR 3.0.2, constitutes a failure to meet an LCO.

Systems and components are assumed to be OPERABLE when the associated SRs have been met. Nothing in this Specification, however, is to be construed as implying that systems or components are OPERABLE when:

a.

The systems or components are known to be inoperable, although still meeting the SRs; or

b.

The requirements of the Surveillance(s) are known to be not met between required Surveillance performances.

Surveillances do not have to be performed when the unit is in a MODE or other specified condition for which the requirements of the associated LCO are not applicable, unless otherwise specified. The SRs associated with an Exception LCO are only applicable when the Exception LCO is used as an allowable exception to the requirements of a Specification.

Unplanned events may satisfy the requirements (including applicable acceptance criteria) for a given SR. In this case, the unplanned event may be credited as fulfilling the performance of the SR. This allowance includes those SRs whose performance is normally precluded in a given MODE or other specified condition.

Surveillances, including Surveillances invoked by Required Actions, do not have to be performed on inoperable equipment because the ACTIONS define the remedial measures that apply. Surveillances have to be met and performed in accordance with SR 3.0.2, prior to returning equipment to OPERABLE status.

SR Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-14 Rev. 003 SR 3.0.1 Upon completion of maintenance, appropriate post maintenance testing is (continued) required to declare equipment OPERABLE. This includes ensuring applicable Surveillances are not failed and their most recent performance is in accordance with SR 3.0.2. Post maintenance testing may not be possible in the current MODE or other specified conditions in the Applicability due to the necessary unit parameters not having been established. In these situations, the equipment may be considered OPERABLE provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This will allow operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

Some example of this process are:

a.

Emergency feedwater (EFW) pump turbine maintenance during refueling that requires testing at steam pressures > 300 psi.

However, if other appropriate testing is satisfactorily completed, the EFW System can be considered OPERABLE. This allows startup and other necessary testing to proceed while the plant reaches the steam pressure required to perform the EFW pump testing.

b.

High Pressure Injection (HPI) maintenance during shutdown that requires system functional tests at a specified pressure. Provided other appropriate testing is satisfactorily completed, startup can proceed with HPI considered OPERABLE. This allows operation to reach the specified pressure to complete the necessary post maintenance testing.

SR 3.0.2 SR 3.0.2 establishes the requirements for meeting the specified Frequency for Surveillances and any Required Action with a Completion Time that requires the periodic performance of the Required Action on a "once per..."

interval.

SR 3.0.2 permits a 25% extension of the interval specified in the Frequency. This extension facilitates Surveillance scheduling and considers plant operating conditions that may not be suitable for conducting the Surveillance (e.g., transient conditions or other ongoing Surveillance or maintenance activities).

When a Section 5.5, "Programs and Manuals," specification states that the provisions of SR 3.0.2 are applicable, a 25% extension of the testing interval, whether stated in the specification or incorporated by reference, is permitted.

SR Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-15 Rev. 003 SR 3.0.2 The 25% extension does not significantly degrade the reliability that results (continued) from performing the Surveillance at its specified Frequency. This is based on the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the SRs.

The exceptions to SR 3.0.2 are those Surveillances for which the 25%

extension of the interval specified in the Frequency does not apply. These exceptions are stated in the individual Specifications. The requirements of regulations take precedence over the TS. Examples of where SR 3.0.2 does not apply are the Containment Leakage Rate Testing Program required by 10 CFR 50, Appendix J, and the inservice testing of pumps and valves in accordance with applicable American Society of Mechanical Engineers Operation and Maintenance Code, as required by 10 CFR 50.55a. These programs establish testing requirements and Frequencies in accordance with the requirements of the regulations. The TS cannot, in and of themselves, extend a test interval specified in the regulations directly or by reference.

As stated in SR 3.0.2, the 25% extension also does not apply to the initial portion of a periodic Completion Time that requires performance on a "once per..."basis. The 25% extension applies to each performance after the initial performance. The initial performance of the Required Action, whether it is a particular Surveillance or some other remedial action, is considered a single action with a single Completion Time. One reason for not allowing the 25% extension to this Completion Time is that such an action usually verifies that no loss of function has occurred by checking the status of redundant or diverse components or accomplishes the function of the inoperable equipment in an alternative manner.

The provisions of SR 3.0.2 are not intended to be used repeatedly to extend Surveillance intervals (other than those consistent with refueling intervals) or periodic Completion Time intervals beyond those specified.

SR 3.0.3 SR 3.0.3 establishes the flexibility to defer declaring affected equipment inoperable or an affected variable outside the specified limits when a Surveillance has not been performed within the specified Frequency. A delay period of up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or up to the limit of the specified Frequency, whichever is greater, applies from the point in time that it is discovered that the Surveillance has not been performed in accordance with SR 3.0.2, and not at the time that the specified Frequency was not met.

When a Section 5.5, "Programs and Manuals," specification states that the provisions of SR 3.0.3 are applicable, it permits the flexibility to defer declaring the testing requirement not met in accordance with SR 3.0.3 when the testing has not been completed within the testing interval (including the allowance of SR 3.0.2 if invoked by Section 5.5 specification).

SR Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-16 Rev. 003 SR 3.0.3 This delay period provides an adequate time to perform Surveillances that (continued) have been missed. This delay period permits the performance of a Surveillance before complying with Required Actions or other remedial measures that might preclude performance of the Surveillance.

The basis for this delay period includes consideration of unit conditions, adequate planning, availability of personnel, the time required to perform the Surveillance, the safety significance of the delay in completing the required Surveillance, and the recognition that the most probable result of any particular Surveillance being performed is the verification of conformance with the requirements.

When a Surveillance with a Frequency based not on time intervals, but upon specified unit conditions, operating situations, or requirements of regulations (e.g., prior to entering MODE 1 after each fuel loading, or in accordance with 10 CFR 50, Appendix J, as modified by approved exemptions, etc.) is discovered to not have been performed when specified, SR 3.0.3 allows for the full delay period of up to the specified Frequency to perform the Surveillance. However, since there is not a time interval specified, the missed Surveillance should be performed at the first reasonable opportunity.

SR 3.0.3 provides a time limit for, and allowances for the performance of, Surveillances that become applicable as a consequence of MODE changes imposed by Required Actions.

SR 3.0.3 is only applicable if there is a reasonable expectation the associated equipment is OPERABLE or that variables are within limits, and it is expected that the Surveillance will be met when performed. Many factors should be considered, such as the period of time since the Surveillance was last performed, or whether the Surveillance, or a portion thereof, has ever been performed, and any other indications, tests, or activities that might support the expectation that the Surveillance will be met when performed. An example of the use of SR 3.0.3 would be a relay contact that was not tested as required in accordance with a particular SR, but previous successful performances of the SR included the relay contact; the adjacent, physically connected relay contacts were tested during the SR performance; the subject relay contact has been tested by another SR; or historical operation of the subject relay contact has been successful. It is not sufficient to infer the behavior of the associated equipment from the performance of similar equipment. The rigor of determining whether there is a reasonable expectation a Surveillance will be met when performed should increase based on the length of time since the last performance of the Surveillance. If the Surveillance has been performed recently, a review of the Surveillance history and equipment performance may be sufficient to support a reasonable expectation that the Surveillance will be met when performed. For Surveillances that have not been performed for a long

SR Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-17 Rev. 003 SR 3.0.3 period or that have never been performed, a rigorous evaluation based on (continued) objective evidence should provide a high degree of confidence that the equipment is OPERABLE. The evaluation should be documented in sufficient detail to allow a knowledgeable individual to understand the basis for the determination.

Failure to comply with specified Frequencies for SRs is expected to be an infrequent occurrence. Use of the delay period established by SR 3.0.3 is a flexibility which is not intended to be used repeatedly to extend Surveillance intervals. While up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months or the limit of the specified Frequency is provided to perform the missed Surveillance, it is expected that the missed Surveillance will be performed at the first reasonable opportunity. The determination of the first reasonable opportunity should include consideration of the impact on plant risk (from delaying the Surveillance as well as any plant configuration changes required or shutting the plant down to perform the Surveillance) and impact on any analysis assumptions, in addition to unit conditions, planning, availability of personnel, and the time required to perform the Surveillance. This risk impact should be managed through the program in pIace to implement 10 CFR 50.65(a)(4) and its implementation guidance, NRC Regulatory Guide 1.182, 'Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants.' This Regulatory Guide addresses consideration of temporary and aggregate risk impacts, determination of risk management action thresholds, and risk management action up to and including plant shutdown. The missed Surveillance should be treated as an emergent condition as discussed in the Regulatory Guide. The risk evaluation may use quantitative, qualitative, or blended methods. The degree of depth and rigor of the evaluation should be commensurate with the importance of the component.

Missed Surveillances for important components should be analyzed quantitatively. If the results of the risk evaluation determine the risk increase is significant, this evaluation should be used to determine the safest course of action. All missed Surveillances will be placed in the licensee's Corrective Action Program.

If a Surveillance is not completed within the allowed delay period, then the equipment is considered inoperable or the variable is considered outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon expiration of the delay period. If a Surveillance is failed within the delay period, then the equipment is inoperable, or the variable is outside the specified limits and the Completion Times of the Required Actions for the applicable LCO Conditions begin immediately upon the failure of the Surveillance.

Satisfactory completion of the Surveillance within the delay period allowed by this Specification, or within the Completion Time of the ACTIONS, restores compliance with SR 3.0.1.

SR Applicability B 3.0 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.0-18 Rev. 003 SR 3.0.4 SR 3.0.4 establishes the requirement that all applicable SRs must be met before entry into a MODE or other specified condition in the Applicability.

This Specification ensures that system and component OPERABILITY SR 3.0.4 requirements and variable limits are met before entry into MODES or other specified conditions in the Applicability for which these systems and components ensure safe operation of the unit. The provisions of this Specification should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified condition in the Applicability.

However, in certain circumstances, failure to meet an SR will not result in SR 3.0.4 restricting a MODE change or other specified condition change.

When a system, subsystem, division, component, device, or variable is inoperable or outside its specified limits, the associated SR(s) are not required to be performed, per SR 3.0.1, which states that surveillances do not have to be performed on inoperable equipment. When equipment is inoperable, SR 3.0.4 does not apply to the associated SR(s) since the requirement for the SR(s) to be performed is removed. Therefore, failing to perform the Surveillance(s) within the specified Frequency does not result in an SR 3.0.4 restriction to changing MODES or other specified conditions of the Applicability. However, since the LCO is not met in this instance, LCO 3.0.4 will govern any restrictions that may (or may not) apply to MODE or other specified condition changes.

The provisions of SR 3.0.4 shall not prevent entry into MODES or other specified conditions in the Applicability that are required to comply with ACTIONS. In addition, the provisions of SR 3.0.4 shall not prevent changes in MODES or other specified conditions in the Applicability that result from any unit shutdown.

The precise requirements for performance of SRs are specified such that exceptions to SR 3.0.4 are not necessary. The specific time frames and conditions necessary for meeting the SRs are specified in the Frequency, in the Surveillance, or both. This allows performance of Surveillances when the prerequisite condition(s) specified in a Surveillance procedure require entry into the MODE or other specified condition in the Applicability of the associated LCO prior to the performance or completion of a Surveillance. A Surveillance that could not be performed until after entering the LCO Applicability would have its Frequency specified such that it is not "due" until the specific conditions needed are met. Alternately, the Surveillance may be stated in the form of a Note, as not required (to be met or performed) until a particular event, condition, or time has been reached.

Further discussion of the specific formats of SRs' annotation is found in Section 1.4, Frequency.

SR Applicability B 3.0 BASES OCONEE UNITS 1, 2, & 3 B 3.0-19 Rev. 003 SR 3.0.4 SR 3.0.4 is only applicable when entering MODE 4 from MODE 5, MODE 3 (continued) from MODE 4, MODE 2 from MODE 3, or MODE 1 from MODE 2.

Furthermore, SR 3.0.4 is applicable when entering any other specified condition in the Applicability associated with operation in MODES 1, 2, 3, or 4. The requirements of SR 3.0.4 do not apply in MODES 5 and 6, or in other specified conditions of the Applicability (unless in MODES 1, 2, 3, or

4) because the ACTIONS of individual Specifications sufficiently define the remedial measures to be taken.

OCONEE UNITS 1, 2, & 3 B 3.3.1-1 Rev. 004 RPS Instrumentation B 3.3.1 B 3.3 INSTRUMENTATION B 3.3.1 Reactor Protective System (RPS) Instrumentation BASES BACKGROUND The RPS initiates a reactor trip to protect against violating the core fuel design limits and the Reactor Coolant System (RCS) pressure boundary during anticipated transients. By tripping the reactor, the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

The protective and monitoring systems have been designed to assure safe operation of the reactor. This is achieved by specifying limiting safety system settings (LSSS) in terms of parameters directly monitored by the RPS, as well as the LCOs on other reactor system parameters and equipment performance.

The LSSS, defined in this Specification as the Allowable Value, in conjunction with the LCOs, establishes the threshold for protective system action to prevent exceeding acceptable limits during accidents or transients.

During anticipated transients, which are those events expected to occur one or more times during the unit's life, the acceptable limit is:

a.

The departure from nucleate boiling ratio (DNBR) shall be maintained above the Safety Limit (SL) value;

b.

Fuel centerline melt shall not occur; and

c.

The RCS pressure SL of 2750 psia shall not be exceeded.

Maintaining the parameters within the above values ensures that the offsite dose will be within the 10 CFR 20 and 10 CFR 50.67 criteria during anticipated transients. Accidents are events that are analyzed even though they are not expected to occur during the unit's life. The acceptable limit during accidents is that the offsite dose shall be maintained within reference 10 CFR 50.67 limits. Meeting the acceptable dose limit for an accident category is considered having acceptable consequences for that event.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-2 Rev. 004 BACKGROUND RPS Overview (continued)

The RPS consists of four separate redundant protective channels that receive inputs of neutron flux, RCS pressure, RCS flow, RCS temperature, RCS pump status, reactor building (RB) pressure, main feedwater (MFW) pump turbines status, and main turbine status.

Figure 7.1 of UFSAR, Chapter 7 (Ref. 1), shows the arrangement of a typical RPS protective channel. A protective channel is composed of measurement channels, a manual trip channel, a reactor trip component (RTC), and a control rod drive (CRD) trip device. LCO 3.3.1 provides requirements for the individual measurement channels. These channels encompass all equipment and electronics from the point at which the measured parameter is sensed through the processor output trip devices in the trip string. LCO 3.3.2, "Reactor Protective System (RPS) Manual Reactor Trip," LCO 3.3.3, "Reactor Protective System (RPS) - Reactor Trip Component (RTC)," and LCO 3.3.4, "Control Rod Drive (CRD) Trip Devices," discuss the remaining RPS elements.

The RPS instrumentation measures critical unit parameters and compares these to predetermined setpoints.

If the setpoint for a parameter input to a single channel (for example, the RC high pressure input to Channel A) is exceeded, a channel trip does not occur. Due to the inter-channel communication, all 4 RPS channels recognize that this parameter input has been exceeded for one channel.

However, due to the 2.MIN/2.MAX logic within the system, the same parameter input setpoint for one of the other three channels must be exceeded before channel trips occur. Again, due to the inter-channel communication, all 4 RPS channels will then trip since the 2.MIN/2.MAX condition has been satisfied.

The Reactor Trip System (RTS) consists of four AC Trip Breakers arranged in two parallel combinations of two breakers each. Each path provides independent power to the CRD motors. Either path can provide sufficient power to operate all CRDs. Two separate power paths to the CRDs ensure that a single failure that opens one path will not cause an unwanted reactor trip.

The RPS consists of four independent protective channels (A, B, C, and D).

Each RPS protective channel contains the sensor input modules, a protective channel computer, output modules, four hardwired (energized during power operations) reactor trip relays (RTRs) (A, B, C, and D) and their associated 120 VAC contacts (closed when RTR is energized).

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-3 Rev. 004 BACKGROUND RPS Overview (continued)

Protective channel A controls the channel A RTR and also controls the A RTR in channels B, C, and D. Likewise, channels B, C and D control the respective RTR in each of the four channels. Each energized RTR (A, B, C, and D) in each RPS channel A, B, C, and D maintains two closed 120 VAC contacts. One contact from each RTR is configured in two separate redundant output trip actuation logic schemes. Each output trip actuation logic scheme contains a contact from each of the four RTRs in the four channels. This configuration results in a two-out-of-four coincidence reactor trip logic. If any channel protective set initiates a trip signal, the respective four RTRs (one in each of the four channels) de-energize and open the respective contacts. The outputs from the RTR contacts interrupt the 120 VAC power to the CRD trip devices.

Three of the four RPS protective channel computers (A, B, and C) also perform a redundant Engineered Safeguards Protective System (ESPS) logic function. Therefore, three of the four RPS protective channels calculate both RPS and ESPS functions, and the fourth RPS channel D calculates only RPS functions. See Technical Specification Bases section B 3.3.5 for additional discussion of the ESPS protective channels and the duplicated ESPS functions performed by the RPS protective channels.

The reactor is tripped by opening the reactor trip breakers.

There are three bypasses: shutdown bypass, manual bypass, and channel trip function bypass. The shutdown bypass and the manual bypass are initiated by use of a keyswitch located in the respective RPS channel cabinet. The Shutdown bypass allows the withdrawal of safety rods for SDM availability and rapid negative reactivity insertion during unit cooldowns or heatups. The manual bypass allows putting a complete RPS channel into bypass for maintenance activities. This includes the planned power-down of the bypassed RPS channel computer. If the complete RPS channel is powered down, the manual bypass condition cannot be maintained. That RPS channel output signal goes to trip and the manual bypass Unit Statalarm window will not illuminate. The channel trip function bypass allows an individual channel trip function in any RPS channel to be bypassed through the use of the RPS screens of the Graphical Service Monitor (GSM). The GSM is located on the Service Unit.

The RPS operates from the instrumentation channels discussed next. The specific relationship between measurement channels and protective channels differs from parameter to parameter. Three basic configurations are used:

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-4 Rev. 004 BACKGROUND RPS Overview (continued)

a.

Four completely redundant measurements (e.g., reactor coolant flow) with one channel input to each protective channel;

b.

Four channels that provide similar, but not identical, measurements (e.g., power range nuclear instrumentation where each RPS channel monitors a different quadrant), with one channel input to each protective channel; and

c.

Redundant measurements with combinational trip logic inside the protective channels and the combined output provided to each protective channel (e.g., main feedwater pump turbines trip instrumentation).

These arrangements and the relationship of instrumentation channels to trip Functions are discussed next to assist in understanding the overall effect of instrumentation channel failure.

Power Range Nuclear Instrumentation Power Range Nuclear Instrumentation channels provide inputs to the following trip Functions:

1.

Nuclear Overpower

a.

Nuclear Overpower - High Setpoint;

b.

Nuclear Overpower - Low Setpoint;

7.

Reactor Coolant Pump to Power;

8.

Nuclear Overpower Flux/Flow Imbalance;

9.

Main Turbine Trip (Hydraulic Fluid Pressure); and

10.

Loss of Main Feedwater (LOMFW) Pump Turbines (Hydraulic Oil Pressure).

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-5 Rev. 004 BACKGROUND Power Range Nuclear Instrumentation (continued)

The power range instrumentation has four linear level channels, one for each core quadrant. Each channel feeds one RPS protective channel.

Each channel originates in a detector assembly containing two uncompensated ion chambers. The ion chambers are positioned to represent the top half and bottom half of the core. The individual currents from the chambers are fed to individual linear amplifiers. The summation of the top and bottom is the total reactor power. The difference of the top minus the bottom neutron signal is the measured AXIAL POWER IMBALANCE for the associated core quadrant.

Reactor Coolant System Outlet Temperature The Reactor Coolant System Outlet Temperature provides input to the following Functions:

2.

RCS High Outlet Temperature; and

5.

RCS Variable Low Pressure.

The RCS Outlet Temperature is measured by two resistance temperature detection elements in each hot leg, for a total of four. One temperature detection element is associated with each protective channel.

Reactor Coolant System Pressure The Reactor Coolant System Pressure provides input to the following Functions:

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure; and

11.

Shutdown Bypass RCS High Pressure.

The RPS inputs of reactor coolant pressure are provided by two pressure transmitters in each hot leg, for a total of four. One sensor is associated with each protective channel.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-6 Rev. 004 BACKGROUND Reactor Building Pressure (continued)

The Reactor Building Pressure measurements provide input only to the Reactor Building High Pressure trip, Function 6. There are four RB High Pressure sensors, one associated with each protective channel.

Reactor Coolant Pump Power Monitoring Reactor coolant pump power monitors are inputs to the Reactor Coolant Pump to Power trip, Function 7. Each RCP has a RCP Power Monitor (RCPPM), which monitors the electrical power and breaker status of each pump motor to determine if it is running. Each RCPPM provides inputs to all four RPS channels.

Reactor Coolant System Flow The Reactor Coolant System Flow measurements are an input to the Nuclear Overpower Flux/Flow Imbalance trip, Function 8. The reactor coolant flow inputs to the RPS are provided by eight high accuracy differential pressure transmitters, four on each loop, which measure flow through calibrated flow tubes. One flow input in each loop is associated with each protective channel.

Main Turbine Hydraulic Fluid Pressure Main Turbine Hydraulic Fluid Pressure is an input to the Main Turbine Trip (Hydraulic Fluid Pressure) reactor trip, Function 9. Each of the four protective channels receives turbine status information from one of the four pressure switches monitoring main turbine hydraulic fluid pressure. Each protective channel continuously monitors the status of the contact inputs and initiates an RPS trip when a main turbine trip is indicated.

Feedwater Pump Turbine Hydraulic Oil Pressure Feedwater Pump Turbine Hydraulic Oil Pressure is an input to the Loss of Main Feedwater Pumps (Hydraulic Oil Pressure) trip, Function 10.

Hydraulic Oil pressure is measured by four switches on each feedwater pump turbine. One switch on each pump turbine is associated with each protective channel.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-7 Rev. 004 BACKGROUND Feedwater Pump Turbine Hydraulic Oil Pressure (continued)

Each RPS channel receives a contact input from both Feedwater Pump Turbines (A and B) Hydraulic Oil Pressure switches. When the switches from both turbines indicate that the associated Turbine Hydraulic Oil Pressure is low (turbine has tripped), a reactor trip signal is initiated on that channel.

RPS Bypasses The RPS is designed with three types of bypasses: shutdown bypass, manual bypass and channel trip function bypass.

Each bypass is discussed next.

Shutdown Bypass During unit cooldown and heatup, it is desirable to leave the safety rods at least partially withdrawn to provide shutdown capabilities in the event of unusual positive reactivity additions (moderator dilution, etc.).

However, the unit is also depressurized as coolant temperature is decreased. If the safety rods are withdrawn and coolant pressure is decreased, an RCS Low Pressure trip will occur at 1800 psig and the rods will fall into the core. To avoid this, the protective system allows the operator to bypass the low pressure trip and maintain shutdown capabilities. During the cooldown and depressurization, the safety rods are inserted prior to the low pressure trip of 1800 psig. The RCS pressure is decreased to less than 1720 psig, then each RPS channel is placed in shutdown bypass.

A shutdown bypass signal is provided by the operator from the shutdown bypass keyswitch (status shall be indicated by a light). This action bypasses the RCS Low Pressure trip, Nuclear Overpower Flux/Flow Imbalance trip, Reactor Coolant Pump to Power trip, and the RCS Variable Low Pressure trip, and inserts a new RCS High Pressure, 1720 psig trip.

The operator can now withdraw the safety rods for additional rapidly insertable negative reactivity.

The insertion of the new high pressure trip performs two functions. First, with a trip setpoint of 1720 psig, the processor output trip device prevents operation at normal system pressure, 2155 psig, with a portion of the RPS bypassed. The second function is to ensure that the bypass is removed prior to normal operation. When the RCS pressure is increased during a

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-8 Rev. 004 BACKGROUND Shutdown Bypass (continued) unit heatup, the safety rods are inserted prior to reaching 1720 psig. The shutdown bypass is removed, which returns the RPS to normal, and system pressure is increased to greater than 1800 psig. The safety rods are then withdrawn and remain at the full out condition for the rest of the heatup.

In addition to the Shutdown Bypass RCS High Pressure trip, the High Flux Reactor Trip setpoint is automatically lowered to less than 5% when the operator closes the shutdown bypass keyswitch. This provides a backup to the Shutdown Bypass RCS High Pressure trip and allows testing while preventing the generation of any significant amount of power.

Manual Bypass The RPS Manual Bypass allows putting the complete RPS channel into bypass for maintenance activities. Placing the RPS channel in bypass does not power-down the computer. If it is necessary to power-down the computer for one channel, the Manual Bypass keyswitch is used to keep the four RTRs associated with the respective channel energized while the channel computer is powered down. To place a protective channel in manual bypass, the other three channels must not be in manual bypass or otherwise inoperable (e.g., a channel trip function in bypass).

The RPS Manual Bypass status information is sent to the Unit Statalarm panel (hardwired output of the RPS Channel computer and in parallel as a hardwired signal from a keyswitch contact in case the computer is powered down) and is sent to the plant Operator Aid Computer (OAC) via a gateway.

If the complete RPS cabinet is powered down, the Manual Bypass condition cannot be maintained. That RPS channel output signal goes to trip and the Manual Bypass Unit Statalarm window will not illuminate.

Channel Trip Function Bypass An individual Channel Trip Function Bypass allows placing one trip function in bypass for maintenance activities through the RPS GSM screens. This allows the remaining trip functions in the channel to remain operable while the channel input device for the affected channel is inoperable.

Operation to put functions in bypass is administratively controlled since there is no interlock to prevent placing functions in multiple channels in bypass. Channel trip functions may be placed in bypass in only one RPS channel at a time.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-9 Rev. 004 BACKGROUND Parameter Change Enable Mode (continued)

Parameter Change Enable Mode allows each RPS instrument input channel processor to be placed in different operating modes through the use of the Parameter Change Enable keyswitches and commands from the Service Unit. Each protective channel has a keyswitch located in that channels cabinet pair.

Placing RPS Channels A, B, or C in Parameter Change Enable Mode through the use of the Parameter Change Enable keyswitch will also place the corresponding ESPS Channels A1, B1 or C1 in Parameter Change Enable Mode.

When a keyswitch is placed from the normal Operating Mode position to the Parameter Change Enable Mode position:

The processors continue with normal operation.

A permissive is provided that allows the Service Unit to be used to change the operating mode of the processors associated with that keyswitch.

With the keyswitch in the Parameter Change Enable Position the following modes of operation are allowed for processors:

Normal Operation - with permissive for operating mode change.

Parameterization - allows changes to specific parameters (example placing a parameter into a tripped condition or performing Reactor Trip Relay testing).

Function Test - for disabling the application function and forcing output signal for testing purposes (normally not used).

Diagnostics - for downloading new application software.

The Function Test and Diagnostics modes result in the processor ceasing its cyclic processing of the application functions. Entry into these modes first requires entry into Parameterization mode and setting a separate parameter.

When a keyswitch is placed in the Parameter Change Enable Mode Position for any activity, the affected processor shall first be declared out of service. In addition to declaring the processor out of service (1) the affected RPS channel shall be bypassed and (2) either the affected ESPS input channel (A1, B1, or C1) shall be tripped OR the ESPS Set 1 voters shall be placed in Bypass for the following activities:

Loading or revising the software in a processor.

Changing parameters via the RPS High Flux Trip (Variable Setpoint) screen at the Service Unit.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-10 Rev. 004 BACKGROUND Parameter Change Enable Mode (continued)

Changing parameters via the RPS Flux/Flow/Imbalance Parameters screen at the Service Unit.

Only one RPS channel at a time is allowed to be placed into Parameter Change Enable Mode Position for these activities.

Each Parameter Change Enable keyswitch status information is sent to the Statalarm panel and to the OAC via the Gateway.

RPS Parameter Change Enable keyswitches are administratively controlled (there are no hardware or software interlocks between channels).

Trip Setpoints/Allowable Value The Allowable Value and trip setpoint are based on the analytical limits stated in UFSAR, Chapter 15 (Ref. 2). The selection of the Allowable Value and associated trip setpoint is such that adequate protection is provided when all sensor and processing time delays are taken into account. To allow for calibration tolerances, instrumentation uncertainties, instrument drift, and severe environment errors for those RPS channels that must function in harsh environments as defined by 10 CFR 50.49 (Ref. 3), the Allowable Values specified in Table 3.3.1-1 in the accompanying LCO are conservative with respect to the analytical limits to account for all known uncertainties for each channel. The actual trip setpoint entered into the processor output trip device is more conservative than that specified by the Allowable Value to account for changes in random measurement errors detectable by a CHANNEL CALIBRATION.

A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. All field sensors and signal processing equipment for these channels are assumed to operate within the allowances of these uncertainty magnitudes. The trip setpoints are the nominal values at which the processor output trip devices are set. Any processor output trip device is considered to be properly adjusted when the "as left" value is within the band for CHANNEL CALIBRATION accuracy. A detailed description of the methodology used to determine the Allowable Value and associated uncertainties is provided in Reference 4.

Setpoints in conjunction with the Allowable Value ensure that the limits of Chapter 2.0, "Safety Limits," in the Technical Specifications are not violated during anticipated transients and that the consequences of accidents will be acceptable, providing the unit is operated from within the LCOs at the onset of the anticipated transient or accident and the equipment functions

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-11 Rev. 004 BACKGROUND Trip Setpoints/Allowable Value (continued) as designed. Note that in LCO 3.3.1 the Allowable Values listed in Table 3.3.1-1 for Functions 1 through 8 and 11 are the LSSS.

With the exception of the RB High Pressure function, each channel is tested online by manually retrieving the software setpoint to ensure it has been entered correctly. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements.

APPLICABLE Each of the analyzed accidents and transients that require a reactor trip to SAFETY ANALYSES, meet the acceptance criteria can be detected by one or more RPS LCO, and Functions. The accident analysis contained in the UFSAR, Chapter 15 APPLICABILITY (Ref. 2), takes credit for most RPS trip Functions. Functions not specifically credited in the accident analysis were qualitatively credited in the safety analysis and the NRC staff approved licensing basis for the unit.

These Functions are high RB pressure, turbine trip, and loss of main feedwater. These Functions may provide protection for conditions that do not require dynamic transient analysis to demonstrate Function performance. These Functions also serve as backups to Functions that were credited in the safety analysis.

The LCO requires all instrumentation performing an RPS Function to be OPERABLE. Failure of any instrument renders the affected channel(s) inoperable and reduces the reliability of the affected Functions. The three channels of each Function in Table 3.3.1-1 of the RPS instrumentation shall be OPERABLE during its specified Applicability to ensure that a reactor trip will be actuated if needed. Additionally, during shutdown bypass with any CRD trip breaker closed, the applicable RPS Functions must also be available. This ensures the capability to trip the withdrawn CONTROL RODS exists at all times that rod motion is possible. The trip Function channels specified in Table 3.3.1-1 are considered OPERABLE when all channel components necessary to provide a reactor trip are functional and in service for the required MODE or Other Specified Condition listed in Table 3.3.1-1.

Only the Allowable Values are specified for each RPS trip Function in the LCO. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoint measured by CHANNEL CALIBRATIONS does not exceed the Allowable Value. A trip setpoint found less conservative than the nominal trip setpoint, but within its Allowable Value, is considered OPERABLE with respect to the uncertainty allowances assumed for the applicable surveillance interval provided that

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-12 Rev. 004 APPLICABLE operation, testing and subsequent calibration are consistent with the SAFETY ANALYSES, assumptions of the setpoint calculations. Each Allowable Value specified is LCO, and more conservative than instrument uncertainties appropriate to the trip APPLICABILITY Function. These uncertainties are defined in Reference 4.

(continued)

For most RPS Functions, the Allowable Value in conjunction with the nominal trip setpoint ensure that the departure from nucleate boiling (DNB),

center line fuel melt, or RCS pressure SLs are not challenged. Cycle specific values for use during operation are contained in the COLR.

Certain RPS trips function to indirectly protect the SLs by detecting specific conditions that do not immediately challenge SLs but will eventually lead to challenge if no action is taken. These trips function to minimize the unit transients caused by the specific conditions. The Allowable Value for these Functions is selected at the minimum deviation from normal values that will indicate the condition, without risking spurious trips due to normal fluctuations in the measured parameter.

The safety analyses applicable to each RPS Function are discussed next.

1.

Nuclear Overpower

a.

Nuclear Overpower - High Setpoint The Nuclear Overpower - High Setpoint trip provides protection for the design thermal overpower condition based on the measured out of core neutron leakage flux.

There is a setpoint for 4 and 3 RCP operation. The purpose of the 3 RCP trip is to provide protection for power excursion events initiated from 3 RCP operation, most notably the small steam line break.

The Nuclear Overpower - High Setpoint trip initiates a reactor trip when the neutron power reaches a predefined setpoint at the design overpower limit. Because THERMAL POWER lags the neutron power, tripping when the neutron power reaches the design overpower will limit THERMAL POWER to prevent exceeding acceptable fuel damage limits.

Thus, the Nuclear Overpower - High Setpoint trip protects against violation of the DNBR and fuel centerline melt SLs.

However, the RCS Variable Low Pressure, and Nuclear Overpower Flux/Flow Imbalance, provide more direct protection. The role of the Nuclear Overpower - High Setpoint trip is to limit reactor THERMAL POWER below the highest

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-13 Rev. 004 APPLICABLE

a.

Nuclear Overpower - High Setpoint (continued)

SAFETY ANALYSES, LCO, and power at which the other two trips are known to provide APPLICABILITY protection.

The Nuclear Overpower - High Setpoint trip also provides transient protection for rapid positive reactivity excursions during power operations. These events include the rod withdrawal accident and the rod ejection accident. By providing a trip during these events, the Nuclear Overpower -

High Setpoint trip protects the unit from excessive power levels and also serves to limit reactor power to prevent violation of the RCS pressure SL.

Rod withdrawal accident analyses cover a large spectrum of reactivity insertion rates (rod worths), which exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower - High Setpoint trip provides the primary protection. At low reactivity insertion rates, the high pressure trip provides primary protection.

b.

Nuclear Overpower - Low Setpoint When initiating shutdown bypass, the Nuclear Overpower -

Low Setpoint trip must be reduced to 5% RTP. The low power setpoint, in conjunction with the lower Shutdown Bypass RCS High Pressure setpoint, ensure that the unit is protected from excessive power conditions when other RPS trips are bypassed.

The setpoint Allowable Value was chosen to be as low as practical and still lie within the range of the out of core instrumentation.

2.

RCS High Outlet Temperature The RCS High Outlet Temperature trip, in conjunction with the RCS Low Pressure and RCS Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the reactor vessel outlet temperature approaches the conditions necessary for DNB. Portions of each RCS High Outlet Temperature trip channel are common with the RCS Variable Low Pressure trip. The RCS High Outlet Temperature trip provides steady state protection for the DNBR SL.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-14 Rev. 004 APPLICABLE

2.

RCS High Outlet Temperature (continued)

SAFETY ANALYSES, LCO, and The RCS High Outlet Temperature trip limits the maximum RCS APPLICABILITY temperature to below the highest value for which DNB protection by the Variable Low Pressure trip is ensured. The trip setpoint Allowable Value is selected to ensure that a trip occurs before hot leg temperatures reach the point beyond which the RCS Low Pressure and Variable Low Pressure trips are analyzed. Above the high temperature trip, the variable low pressure trip need not provide protection, because the unit would have tripped already. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions that the equipment is expected to experience because the trip is not required to mitigate accidents that create harsh conditions in the RB.

3.

RCS High Pressure The RCS High Pressure trip works in conjunction with the pressurizer and main steam relief valves to prevent RCS overpressurization, thereby protecting the RCS High Pressure SL.

The RCS High Pressure trip has been credited in the transient analysis calculations for slow positive reactivity insertion transients (rod withdrawal transients and moderator dilution). The rod withdrawal transient covers a large spectrum of reactivity insertion rates and rod worths that exhibit slow and rapid rates of power increases. At high reactivity insertion rates, the Nuclear Overpower

- High Setpoint trip provides the primary protection. At low reactivity insertion rates, the RCS High Pressure trip provides the primary protection.

The setpoint Allowable Value is selected to ensure that the RCS High Pressure SL is not challenged during steady state operation or slow power increasing transients. The setpoint Allowable Value does not reflect errors induced by harsh environmental conditions because the equipment is not required to mitigate accidents that create harsh conditions in the RB.

4.

RCS Low Pressure The RCS Low Pressure trip, in conjunction with the RCS High Outlet Temperature and Variable Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system pressure approaches the conditions necessary for DNB. The RCS Low Pressure trip provides DNB low pressure limit for the RCS Variable Low Pressure trip.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-15 Rev. 004 APPLICABLE

4.

RCS Low Pressure (continued)

SAFETY ANALYSES, LCO, and The RCS Low Pressure setpoint Allowable Value is selected to APPLICABILITY ensure that a reactor trip occurs before RCS pressure is reduced below the lowest point at which the RCS Variable Low Pressure trip is analyzed. The RCS Low Pressure trip provides protection for primary system depressurization events and has been credited in the accident analysis calculations for small break loss of coolant accidents (LOCAs). Harsh RB conditions created by small break LOCAs cannot affect performance of the RCS pressure sensors and transmitters within the time frame for a reactor trip. Therefore, degraded environmental conditions are not considered in the Allowable Value determination.

5.

RCS Variable Low Pressure The RCS Variable Low Pressure trip, in conjunction with the RCS High Outlet Temperature and RCS Low Pressure trips, provides protection for the DNBR SL. A trip is initiated whenever the system parameters of pressure and temperature approach the conditions necessary for DNB. The RCS Variable Low Pressure trip provides a floating low pressure trip based on the RCS High Outlet Temperature within the range specified by the RCS High Outlet Temperature and RCS Low Pressure trips.

The RCS Variable Low Pressure setpoint Allowable Value is selected to ensure that a trip occurs when temperature and pressure approach the conditions necessary for DNB while operating in a temperature pressure region constrained by the low pressure and high temperature trips. The RCS Variable Low Pressure trip is assumed for transient protection in the main steam line break analysis. The setpoint allowable value does not include errors induced by the harsh environment, because the trip actuates prior to the harsh environment.

6.

Reactor Building High Pressure The Reactor Building High Pressure trip provides an early indication of a high energy line break (HELB) inside the RB. By detecting changes in the RB pressure, the RPS can provide a reactor trip before the other system parameters have varied significantly. Thus, this trip acts to minimize accident consequences. It also provides a backup for RPS trip instruments exposed to an RB HELB environment.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-16 Rev. 004 APPLICABLE

6.

Reactor Building High Pressure (continued)

SAFETY ANALYSES, LCO, and The Allowable Value for RB High Pressure trip is set at the lowest APPLICABILITY value consistent with avoiding spurious trips during normal operation.

The electronic components of the RB High Pressure trip are located in an area that is not exposed to high temperature steam environments during HELB transients inside containment. The components are exposed to high radiation conditions. Therefore, thedetermination of the setpoint Allowable Value accounts for errors induced by the high radiation.

7.

Reactor Coolant Pump to Power The Reactor Coolant Pump to Power trip provides protection for changes in the reactor coolant flow due to the loss of multiple RCPs.

Because the flow reduction lags loss of power indications due to the inertia of the RCPs, the trip initiates protective action earlier than a trip based on a measured flow signal.

The Reactor Coolant Pump to Power trip has been credited in the accident analysis calculations for the loss of more than two RCPs.

The Allowable Value for the Reactor Coolant Pump to Power trip setpoint is selected to prevent normal power operation unless at least three RCPs are operating. Each reactor coolant pump has an RCPPM, which monitors the electrical power and breaker status of each pump motor to determine if the pump is running. Each RCPPM provides inputs to all four RPS channels. The RCPPM will initiate a reactor trip if fewer than three reactor coolant pumps are operating and reactor power is greater than approximately 2%

rated full power.

8.

Nuclear Overpower Flux/Flow Imbalance The Nuclear Overpower Flux/Flow Imbalance trip provides steady state protection for the power imbalance SLs. A reactor trip is initiated prior to the core power, AXIAL POWER IMBALANCE, and reactor coolant flow conditions exceeding the DNB or fuel centerline temperature limits.

This trip supplements the protection provided by the Reactor Coolant Pump to Power trip, through the power to flow ratio, for loss of reactor coolant flow events. The power to flow ratio provides direct protection for the DNBR SL for the loss of one or more RCPs and for locked RCP rotor accidents.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-17 Rev. 004 APPLICABLE

8.

Nuclear Overpower Flux/Flow Imbalance (continued)

SAFETY ANALYSES, LCO, and The power to flow ratio of the Nuclear Overpower Flux/Flow APPLICABILITY Imbalance trip also provides steady state protection to prevent reactor power from exceeding the allowable power when the primary system flow rate is less than full four pump flow. Thus, the power to flow ratio prevents overpower conditions similar to the Nuclear Overpower trip. This protection ensures that during reduced flow conditions the core power is maintained below that required to begin DNB.

The Allowable Value is selected to ensure that a trip occurs when the core power, axial power peaking, and reactor coolant flow conditions indicate an approach to DNB or fuel centerline temperature limits.

By measuring reactor coolant flow and by tripping only when conditions approach an SL, the unit can operate with the loss of one pump from a four pump initial condition at power levels at least as low as approximately 80% RTP. The Allowable Value for the Function, including the upper limits of the Function are given in the unit COLR because the cycle specific core peaking changes affect the Allowable Value.

9.

Main Turbine Trip (Hydraulic Fluid Pressure)

The Main Turbine Trip Function trips the reactor when the main turbine is lost at high power levels. The Main Turbine Trip Function provides an early reactor trip in anticipation of the loss of heat sink associated with a turbine trip. The Main Turbine Trip Function was added to the B&W designed units in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. The trip lowers the probability of an RCS power operated relief valve (PORV) actuation for turbine trip cases. This trip is activated at higher power levels, thereby limiting the range through which the Integrated Control System must provide an automatic runback on a turbine trip.

Each of the four turbine hydraulic fluid pressure switches feeds one protective channel that continuously monitors the status of the contacts.

For the Main Turbine Trip (Hydraulic Fluid Pressure), the Allowable Value of 800 psig is selected to provide a trip whenever main turbine hydraulic fluid pressure drops below the normal operating range.

This trip is bypassed at power levels < 30% RTP for unit startup.

The turbine trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors induced by harsh environments are not included in the determination of the setpoint Allowable Value.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-18 Rev. 004 APPLICABLE

10.

Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure)

SAFETY ANALYSES, LCO, and The Loss of Main Feedwater Pump Turbines (Hydraulic Oil APPLICABILITY Pressure) trip provides a reactor trip at high power levels when both (continued)

MFW pump turbines are lost. The trip provides an early reactor trip in anticipation of the loss of heat sink associated with the LOMF.

This trip was added in accordance with NUREG-0737 (Ref. 5) following the Three Mile Island Unit 2 accident. This trip provides a reactor trip at high power levels for a LOMF to minimize challenges to the PORV.

For the feedwater pump turbine hydraulic oil pressure, the Allowable Value of 75 psig is selected to provide a trip whenever feedwater pump turbine hydraulic oil pressure drops below the normal operating range. This trip is bypassed at power levels < 2% RTP for unit startup. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) trip is not required to protect against events that can create a harsh environment in the turbine building. Therefore, errors caused by harsh environments are not included in the determination of the setpoint Allowable Value.

11. Shutdown Bypass RCS High Pressure The RPS Shutdown Bypass RCS High Pressure is provided to allow for withdrawing the CONTROL RODS prior to reaching the normal RCS Low Pressure trip setpoint. The shutdown bypass provides trip protection during deboration and RCS heatup by allowing the operator to at least partially withdraw the safety groups of CONTROL RODS. This makes their negative reactivity available to terminate inadvertent reactivity excursions. Use of the shutdown bypass trip requires that the neutron power trip setpoint be reduced to 5% of full power or less. The Shutdown Bypass RCS High Pressure trip forces a reactor trip to occur whenever the unit switches from power operation to shutdown bypass or vice versa. This ensures that the CONTROL RODS are all inserted before power operation can begin.

The operator is required to remove the shutdown bypass, reset the Nuclear Overpower - High Power trip setpoint, and again withdraw the safety group rods before proceeding with startup.

Accidents analyzed in the UFSAR, Chapter 15 (Ref. 2), do not describe events that occur during shutdown bypass operation, because the consequences of these events are enveloped by the events presented in the UFSAR.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-19 Rev. 004 APPLICABLE

11.

Shutdown Bypass RCS High Pressure (continued)

SAFETY ANALYSES, LCO, and During shutdown bypass operation with the Shutdown Bypass RCS APPLICABILITY High Pressure trip active with a setpoint of 1720 psig and the Nuclear Overpower - Low Setpoint set at or below 5% RTP, the trips listed below can be bypassed. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low Setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

1a.

Nuclear Overpower - High Setpoint;

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure;

7.

Reactor Coolant Pump to Power; and

8.

Nuclear Overpower Flux/Flow Imbalance.

The Shutdown Bypass RCS High Pressure Function's Allowable Value is selected to ensure a trip occurs before producing THERMAL POWER.

General Discussion The RPS satisfies Criterion 3 of 10 CFR 50.36 (Ref. 6). In MODES 1 and 2, the following trips shall be OPERABLE because the reactor can be critical in these MODES. These trips are designed to take the reactor subcritical to maintain the SLs during anticipated transients and to assist the ESPS in providing acceptable consequences during accidents.

1a.

Nuclear Overpower - High Setpoint;

2.

RCS High Outlet Temperature;

3.

RCS High Pressure;

4.

RCS Low Pressure;

5.

RCS Variable Low Pressure;

6.

Reactor Building High Pressure;

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-20 Rev. 004 APPLICABLE General Discussion (continued)

SAFETY ANALYSES, LCO, and

7.

Reactor Coolant Pump to Power; and APPLICABILITY

8.

Nuclear Overpower Flux/Flow Imbalance.

Functions 1a, 3, 4, 5, 7, and 8 just listed may be bypassed in MODE 2 when RCS pressure is below 1720 psig, provided the Shutdown Bypass RCS High Pressure and the Nuclear Overpower - Low setpoint trip are placed in operation. Under these conditions, the Shutdown Bypass RCS High Pressure trip and the Nuclear Overpower - Low setpoint trip act to prevent unit conditions from reaching a point where actuation of these Functions is necessary.

The Main Turbine Trip (Hydraulic Fluid Pressure) Function is required to be OPERABLE in MODE 1 at 30% RTP. The Loss of Main Feedwater Pump Turbines (Hydraulic Oil Pressure) Function is required to be OPERABLE in MODE 1 and in MODE 2 at 2% RTP. For operation below these power levels, these trips are not necessary to minimize challenges to the PORVs as required by NUREG-0737 (Ref. 5).

Because the safety function of the RPS is to trip the CONTROL RODS, the RPS is not required to be OPERABLE in MODE 3, 4, or 5 if either the reactor trip breakers are open, or the CRD System is incapable of rod withdrawal. Similarly, the RPS is not required to be OPERABLE in MODE 6 because the CONTROL RODS are normally decoupled from the CRDs.

However, in MODE 2, 3, 4, or 5, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are required to be OPERABLE if the CRD trip breakers are closed and the CRD System is capable of rod withdrawal. Under these conditions, the Shutdown Bypass RCS High Pressure and Nuclear Overpower - Low setpoint trips are sufficient to prevent an approach to conditions that could challenge SLs.

ACTIONS Conditions A and B are applicable to all RPS protective Functions. If a channel's trip setpoint is found nonconservative with respect to the required Allowable Value in Table 3.3.1-1, or the transmitter, instrument loop, signal processing electronics or processor output trip device is found inoperable, the channel must be declared inoperable and Condition A entered immediately.

When an RPS channel is manually tripped, the functions that were inoperable prior to tripping remain inoperable. Other functions in the same channel that were OPERABLE prior to tripping remain OPERABLE.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-21 Rev. 004 ACTIONS A.1 (continued)

For Required Action A.1, if one or more Functions in a required protective channel becomes inoperable, the affected protective channel must be placed in trip.

Placing the affected Function in trip places only the affected Function in each required channel in a one-out-of-two logic configuration. If the same function in another channel exceeds the setpoint, all channels will trip. In this configuration, the RPS can still perform its safety function in the presence of a random failure of any single Channel. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is justified based on the continuous monitoring and signal validation being performed and is sufficient time to place a Function in trip. If the individual Function cannot be placed in trip, the Operator can trip the affected channel with the use of the Manual Trip Keyswitch until such time that the Function can be placed in trip. This places all RPS Functions in a one-out-of-two logic configuration.

B.1 Required Action B.1 directs entry into the appropriate Condition referenced in Table 3.3.1-1. The applicable Condition referenced in the table is Function dependent. If the Required Action and the associated Completion Time of Condition A are not met or if more than two channels are inoperable, Condition B is entered to provide for transfer to the appropriate subsequent Condition.

C.1 and C.2 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition C, the unit must be brought to a MODE in which the specified RPS trip Functions are not required to be OPERABLE. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and to open all CRD trip breakers without challenging unit systems.

D.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition D, the unit must be brought to a MODE in which the specified RPS trip Functions are not

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-22 Rev. 004 ACTIONS D.1 (continued) required to be OPERABLE. To achieve this status, all CRD trip breakers must be opened. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to open CRD trip breakers without challenging unit systems.

E.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition E, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 30% RTP. The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach 30% RTP from full power conditions in an orderly manner without challenging unit systems.

F.1 If the Required Action and associated Completion Time of Condition A are not met and Table 3.3.1-1 directs entry into Condition F, the unit must be brought to a MODE in which the specified RPS trip Function is not required to be OPERABLE. To achieve this status, THERMAL POWER must be reduced < 2% RTP. The allowed Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable, based on operating experience, to reach 2% RTP from full power conditions in an orderly manner without challenging unit systems.

SURVEILLANCE The SRs for each RPS Function are identified by the SRs column of REQUIREMENTS Table 3.3.1-1 for that Function. Most Functions are subject to CHANNEL CHECK, CHANNEL FUNCTIONAL TEST, and CHANNEL CALIBRATION testing.

The SRs are modified by a Note. The Note directs the reader to Table 3.3.1-1 to determine the correct SRs to perform for each RPS Function.

SR 3.3.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-23 Rev. 004 SURVEILLANCE SR 3.3.1.1 (continued)

REQUIREMENTS A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including isolation, indication, and readability. If a channel is outside the criteria, it may be an indication that the transmitter or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal but more frequent checks of channel OPERABILITY during normal operational use of the displays associated with the LCO's required channels.

For Functions that trip on a combination of several measurements, such as the Nuclear Overpower Flux/Flow Imbalance Function, the CHANNEL CHECK must be performed on each input.

The CHANNEL CHECK requirement is met automatically. The digital RPS provides continuous online automatic monitoring of each of the input signals in each channel, performs signal online validation against required acceptance criteria, and provides hardware functional validation.

If any protective channel input signal is identified to be in the failure status, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Immediate notification of the failure status is provided to the Operations staff.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-24 Rev. 004 SURVEILLANCE SR 3.3.1.2 REQUIREMENTS (continued)

This SR is the performance of a heat balance calibration for the power range channels when reactor power is > 15% RTP. The heat balance calibration consists of a comparison of the results of the calorimetric with the power range channel output. The outputs of the power range channels are normalized to the calorimetric. If the calorimetric exceeds the Nuclear Instrumentation System (NIS) channel output by 2% RTP, the NIS is not declared inoperable but must be adjusted. If the NIS channel cannot be properly adjusted, the channel is declared inoperable. A Note clarifies that this Surveillance is required to be performed only if reactor power is 15%

RTP and that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. At lower power levels, calorimetric data are less accurate.

The power range channel's output shall be adjusted consistent with the calorimetric results if the calorimetric exceeds the power range channel's output by 2% RTP. The value of 2% is adequate because this value is assumed in the safety analyses of UFSAR, Chapter 15 (Ref. 2). These checks and, if necessary, the adjustment of the power range channels ensure that channel accuracy is maintained within the analyzed error margins. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.3 A comparison of power range nuclear instrumentation channels against incore detectors shall be performed when reactor power is 15% RTP. A Note clarifies that 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed for performing the first Surveillance after reaching 15% RTP. If the absolute value of imbalance error is 2%

RTP, the power range channel is not inoperable, but an adjustment of the measured imbalance to agree with the incore measurements is necessary.

The Imbalance error calculation is adjusted for conservatism by applying a correlation slope (CS) value to the error calculation formula. This ensures that the value of the APIo is > APII. The CS value is listed in the COLR and is cycle dependent. If the power range channel cannot be properly recalibrated, the channel is declared inoperable. The calculation of the Allowable Value envelope assumes a difference in out of core to incore measurements of 2.0%. Additional inaccuracies beyond those that are measured are also included in the setpoint envelope calculation.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-25 Rev. 004 SURVEILLANCE SR 3.3.1.4 REQUIREMENTS (continued)

This SR has been deleted.

SR 3.3.1.5 This SR manually retrieves the software setpoints and verifies they are correct. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring. Verification of field instrument setpoints is not required by this surveillance. This surveillance does not apply to the Reactor Building Pressure Function because it consists of pressure switches which provide a contact status to the system and there is no software setpoint to verify.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.6 This SR requires manual actuation of the output channel interposing relays to demonstrate OPERABILITY of the relays. The proper functioning of the processor portion of the channel is continuously checked by an automatic cyclic self monitoring.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.3.1.7 A Note to the Surveillance indicates that neutron detectors are excluded from CHANNEL CALIBRATION. This Note is necessary because of the difficulty in generating an appropriate detector input signal. Excluding the detectors is acceptable because the principles of detector operation ensure virtually instantaneous response.

A CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to the measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-26 Rev. 004 SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS measurement errors and processor output trip device setpoint errors are within the assumptions of the uncertainty analysis. Whenever a sensing element is replaced, the CHANNEL CALIBRATION of the resistance temperature detectors (RTD) sensors is accomplished by an inplace cross calibration that compares the other sensing elements with the recently installed sensing element.

Since the CHANNEL FUNCTIONAL TEST is a part of the CHANNEL CALIBRATION a separate SR is not required. The digital RPS software performs a continuous online automated cross channel check, separately for each channel, and continuous online signal error detection and validation. The protection system also performs continuous online hardware monitoring. The CHANNEL CALIBRATION essentially validates the self monitoring function and checks for a small set of failure modes that are undetectable by the self monitoring function.

The digital processors shall be rebooted as part of the calibration. This verifies that the software has not changed. Signals into the system (from the field instrument or at the protective system cabinet) are applied during the channel calibration to ensure that the instrumentation is within the specified allowance requirements. This, in combination with ensuring the setpoints are entered into the software correctly per SR 3.3.1.5, verifies the setpoints are within the Allowable Values.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

For Functions for which TSTF-493, "Clarify Application of Setpoint Methodology for LSSS Functions" (Reference 7) has been implemented, this SR is modified by two Notes as identified in Table 3.3.1-1. The first Note requires evaluation of channel performance for the condition where the as-found setting for the channel setpoint is outside its as-found tolerance but conservative with respect to the Allowable Value. Evaluation of channel performance will verify that the channel will continue to behave in accordance with safety analysis assumptions and the channel performance assumptions in the setpoint methodology. The purpose of the assessment is to ensure confidence in the channel performance prior to returning the channel to service. The performance of these channels will be evaluated under the station's Corrective Action Program. Entry into the Corrective Action Program will ensure required review and documentation of the condition for continued OPERABILITY. The second Note requires that the as-left setting for the channel be returned to within the as-left tolerance of the Nominal Trip Setpoint (NTSP). Where a

RPS Instrumentation B 3.3.1 BASES OCONEE UNITS 1, 2, & 3 B 3.3.1-27 Rev. 004 SURVEILLANCE SR 3.3.1.7 (continued)

REQUIREMENTS setpoint more conservative than the NTSP is used in the plant surveillance procedures, the as-left and as-found tolerances, as applicable, will be applied to the surveillance procedure setpoint. This will ensure that sufficient margin to the Safety Limit and/or Analytical Limit is maintained. If the as-left channel setting cannot be returned to a setting within the as-left tolerance of the NTSP, then the channel shall be declared inoperable. The second Note also requires that the NTSP and the methodologies for calculating the as-left and the as-found tolerances be in the Selected Licensee Commitments Manual.

REFERENCES

1.

UFSAR, Chapter 7.

2.

UFSAR, Chapter 15.

3.

10 CFR 50.49.

4.

EDM-102, "Instrument Setpoint/Uncertainty Calculations."

5.

NUREG-0737, "Clarification of TMI Action Plan Requirements,"

November 1979.

6.

10 CFR 50.36.

7.

Technical Specification Task Force, Improved Standard Technical Specifications Change Traveler, TSTF 493, "Clarify Application of Setpoint Methodology for LSSS Functions," Revision 4.

OCONEE UNITS 1, 2, & 3 B 3.4.10-1 Rev. 002 Pressurizer Safety Valves B 3.4.10 B 3.4 REACTOR COOLANT SYSTEM (RCS)

B 3.4.10 Pressurizer Safety Valves BASES BACKGROUND The purpose of the two spring loaded pressurizer safety valves is to provide RCS overpressure protection. Operating in conjunction with the Reactor Protection System (RPS), two valves are used to ensure that the Safety Limit (SL) of 2750 psig is not exceeded for analyzed transients during operation in MODES 1 and 2. Two safety valves are used for portions of MODE 3. For the remainder of MODE 3, MODE 4, MODE 5, and MODE 6 with the reactor head on, overpressure protection is provided by operating procedures and LCO 3.4.12, "Low Temperature Overpressure Protection (LTOP) System."

The self actuated pressurizer safety valves are designed in accordance with the requirements set forth in the ASME Boiler and Pressure Vessel Code,Section III (Ref. 1). The setpoint of the pressurizer code safety valves is in accordance with the ASME Boiler and Pressure Vessel Code,Section III, Article 9, Summer 1967. The safety valves discharge steam from the pressurizer to a quench tank located in the containment. The discharge flow is indicated by an increase in temperature downstream of the safety valves and by an increase in the quench tank temperature and level.

The required lift pressure is 2500 psig +/- 3%. The upper and lower pressure limits are based on the requirements of ASME Boiler and Pressure Vessel Code,Section III, Article 9, Summer 1967, which limit the rise in pressure within the vessels which they protect to 10% above the design pressure.

The lift setting is for the ambient conditions associated with MODES 1, 2, and 3. This requires either that the valves be set hot or that a correlation between hot and cold settings be established.

The pressurizer safety valves are part of the primary success path and mitigate the effects of postulated accidents. OPERABILITY of the safety valves ensures that the RCS pressure will be limited to 110% of design pressure.

The consequences of exceeding the ASME pressure limit could include damage to RCS components, increased leakage, or a requirement to perform additional stress analyses prior to resumption of reactor operation.

Pressurizer Safety Valves B 3.4.10 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.4.10-2 Rev. 002 APPLICABLE All accident analyses in the UFSAR that require safety valve SAFETY ANALYSES actuation assume operation of both pressurizer safety valves to limit increasing reactor coolant pressure. The overpressure protection analysis is also based on operation of both safety valves and assumes that the valves open at the high range of the setting (2500 psig system design pressure plus 3%). These valves must accommodate pressurizer insurges that could occur during a startup, rod withdrawal, ejected rod, or loss of main feedwater. The startup accident establishes the minimum safety valve capacity. The startup accident is assumed to occur at < 15% power.

Single failure of a safety valve is neither assumed in the accident analysis nor required to be addressed by the ASME Code. Compliance with this Specification is required to ensure that the accident analysis and design basis calculations remain valid.

Pressurizer safety valves satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO The two pressurizer safety valves are set to open at the RCS design pressure (2500 psig) and within the ASME specified tolerance to avoid exceeding the maximum RCS design pressure SL, to maintain accident analysis assumptions and to comply with ASME Code requirements. The valves will be tested per ASME Code requirements and returned to service with as-left setpoints of 2500 psig +/- 1%. The upper and lower pressure tolerance limits are based on the requirements of the ASME Boiler and Pressure Vessel Code,Section III, Article 9, Summer 1967, which limit the rise in pressure within the vessel which they protect, to 10% above the design pressure. Inoperability of one or both valves could result in exceeding the SL if a transient were to occur.

The consequences of exceeding the ASME pressure limit could include damage to one or more RCS components, increased leakage, or additional stress analysis being required prior to resumption of reactor operation.

APPLICABILITY In MODES 1, 2, and portions of MODE 3 above the LTOP cut in temperature, OPERABILITY of two valves is required because the combined capacity is required to keep reactor coolant pressure below 110% of its design value during certain accidents. Portions of MODE 3 are conservatively included, although the listed accidents may not require both safety valves for protection.

Pressurizer Safety Valves B 3.4.10 BASES OCONEE UNITS 1, 2, & 3 B 3.4.10-3 Rev. 002 APPLICABILITY The LCO is not applicable in MODE 3 when any RCS cold leg temperature (continued) is 325°F, MODE 4 and MODE 5 because LTOP protection is provided.

Overpressure protection is not required in MODE 6 with the reactor vessel head detensioned.

The Note allows entry into MODE 3 with the lift settings outside the LCO limits. This permits testing and examination of the safety valves at high pressure and temperature near their normal operating range, but only after the valves have had a preliminary cold setting. The cold setting gives assurance that the valves are OPERABLE near their design condition.

Only one valve at a time will be removed from service for testing. The 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months exception is based on an 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months outage time for each of the two valves. The 18 hour2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months period is derived from operating experience that hot testing can be performed in this time frame.

ACTIONS A.1 With one pressurizer safety valve inoperable, restoration must take place within 15 minutes. The Completion Time of 15 minutes reflects the importance of maintaining the RCS overpressure protection system. An inoperable safety valve coincident with an RCS overpressure event could challenge the integrity of the RCPB.

B.1 and B.2 If the Required Action cannot be met within the required Completion Time or if both pressurizer safety valves are inoperable, the unit must be brought to a MODE in which the requirement does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 3 with any RCS cold leg temperature 325°F within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months . The 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months allowed is reasonable, based on operating experience, to reach MODE 3 from full power conditions in an orderly manner and without challenging unit systems. Similarly, the 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months allowed is reasonable, based on operating experience, to reach MODE 3 with any RCS cold leg temperature 325°F without challenging unit systems. With any RCS cold leg temperature at or below 325°F, overpressure protection is provided by LTOP. Reducing the RCS temperature to 325°F reduces the RCS energy (core power and pressure), lowers the potential for large pressurizer insurges, and thereby removes the need for overpressure protection by two pressurizer safety valves.

Pressurizer Safety Valves B 3.4.10 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.4.10-4 Rev. 002 SURVEILLANCE SR 3.4.10.1 REQUIREMENTS SRs are specified in the INSERVICE TESTING PROGRAM. Pressurizer safety valves are to be tested in accordance with the requirements of the ASME Code (Ref. 2), which provides the activities and the Frequency necessary to satisfy the SRs. No additional requirements are specified.

The pressurizer safety valves setpoint is +/- 3% for OPERABILITY; however, the valves are reset to +/-1% during the Surveillance to allow for drift. These values include instrument uncertainties.

REFERENCES

1.

ASME, Boiler and Pressure Vessel Code,Section III.

2.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

3.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.5.2-1 Rev. 004 HPI B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.2 High Pressure Injection (HPI)

BASES BACKGROUND The function of the ECCS is to provide core cooling to ensure that the reactor core is protected after any of the following accidents:

a.

Loss of coolant accident (LOCA);

b.

Rod ejection accident (REA);

c.

Steam generator tube rupture (SGTR); and

d.

Main steam line break (MSLB).

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs or Core Flood Tank (CFT) lines to the reactor vessel. After the borated water storage tank (BWST) has been depleted, the recirculation phase is entered as the suction is transferred to the reactor building sump.

The HPI System consists of two independent trains, each of which splits to discharge into two RCS cold legs, so that there are a total of four HPI injection lines. Each train takes suction from the BWST, and has an automatic suction valve and discharge valve which open upon receipt of an Engineered Safeguards Protective System (ESPS) signal. The two HPI trains are designed and aligned such that they are not both susceptible to any single active failure including the failure of any power operating component to operate or any single failure of electrical equipment. The HPI System is not required to withstand passive failures.

There are three ESPS actuated HPI pumps; the discharge flow paths for two of the pumps are normally aligned to automatically support HPI train "A" and the discharge flow path for the third pump is normally aligned to automatically support HPI train "B." The discharge flow paths can be manually aligned such that each of the HPI pumps can provide flow to either train. At least one pump is normally running to provide RCS makeup and seal injection to the reactor coolant pumps. Suction header cross-connect valves are normally open; cross-connecting the HPI suction

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-2 Rev. 004 BACKGROUND headers during normal operation was approved by the NRC in (continued)

Reference 6. The discharge crossover valves (HP-409 and HP-410) are normally closed; these valves can be used to bypass the normal discharge valves and assure the ability to feed either train's injection lines via HPI pump "B." For each discharge valve and discharge crossover valve, a safety grade flow indicator is provided to enable the operator to throttle flow during an accident to assure that runout limits are not exceeded.

A suction header supplies water from the BWST or the reactor building sump (via the LPI-HPI flow path) to the HPI pumps. HPI discharges into each of the four RCS cold legs between the reactor coolant pump and the reactor vessel. There is one flow limiting orifice in each of the four injection headers that connect to the RCS cold legs. If a pipe break were to occur in an HPI line between the last check valve and the RCS, the orifice in the broken line would limit the HPI flow lost through the break and maximize the flow supplied to the reactor vessel via the other line supplied by the HPI header.

The HPI pumps are capable of discharging to the RCS at an RCS pressure above the opening setpoint of the pressurizer safety valves. The HPI pumps cannot take suction directly from the sump. If the BWST is emptied and HPI is still needed, a cross-connect from the discharge side of the LPI pump to the suction of the HPI pumps would be opened. This is known as "piggy backing" HPI to LPI and enables continued HPI to the RCS.

The HPI System also functions to supply borated water to the reactor core following increased heat removal events, such as MSLBs.

The HPI and LPI (LCO 3.5.3, "Low Pressure Injection (LPI)") components, along with the passive CFTs and the BWST covered in LCO 3.5.1, "Core Flood Tanks (CFTs)," and LCO 3.5.4, "Borated Water Storage Tank (BWST)," provide the cooling water necessary to meet 10 CFR 50.46 (Ref. 1).

APPLICABLE The LCO helps to ensure that the following acceptance criteria for the SAFETY ANALYSES ECCS, established by 10 CFR 50.46 (Ref. 1), will be met following a LOCA;

a.

Maximum fuel element cladding temperature is 2200°F;

b.

Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-3 Rev. 004 APPLICABLE

c.

Maximum hydrogen generation from a zirconium water reaction is SAFETY ANALYSES 0.01 times the hypothetical amount generated if all of the metal in (continued) the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d.

Core is maintained in a coolable geometry; and

e.

Adequate long term cooling capability is maintained.

The HPI System is credited in the small break LOCA analysis (Ref. 2).

This analysis establishes the minimum required flow and discharge head requirements at the design point for the HPI pumps, as well as the minimum required response time for their actuation. The SGTR and MSLB analyses also credit the HPI pumps, but these events are bounded by the small break LOCA analyses with respect to the performance requirements for the HPI System. The HPI System is not credited for mitigation of a large break LOCA.

During a small break LOCA, the HPI System supplies makeup water to the reactor vessel via the RCS cold legs. The HPI System is actuated upon receipt of an ESPS signal. If offsite power is available, the safeguard loads start immediately. If offsite power is not available, the Engineered Safeguards (ES) buses are connected to the Keowee Hydro Units. The time delay associated with Keowee Hydro Unit startup, HPI valve opening, and pump starting determines the time required before pumped flow is available to the core following a LOCA.

One HPI train provides sufficient flow to mitigate most small break LOCAs.

However, for cold leg breaks located on the discharge of the reactor coolant pumps, some HPI injection will be lost out the break; for this case, two HPI trains are required. Thus, three HPI pumps must be OPERABLE to ensure adequate cooling in response to the design basis RCP discharge small break LOCA. Additionally, in the event one HPI train fails to automatically actuate due to a single failure (e.g., failure of HPI pump "C" or HP-26), operator actions from the Control Room are required to cross-connect the HPI discharge headers within 10 minutes in order to provide HPI flow through a second HPI train (Ref. 6).

Hydraulic separation of the HPI discharge headers is required during normal operation to maintain defense-in-depth (i.e., independence of the HPI discharge headers). Additionally, hydraulic separation of the HPI discharge headers ensures that a complete loss of HPI would not occur in the event an accident were to occur with only two of the three HPI pumps

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-4 Rev. 004 APPLICABLE OPERABLE coincident with the HPI discharge headers cross-connected.

SAFETY ANALYSES A single active failure of an HPI pump would leave only one HPI pump to (continued) mitigate the accident. The remaining HPI pump could experience runout conditions and could fail prior to operator action to throttle flow or start another pump.

Hydraulic separation on the suction side of the HPI pumps could cause a loss of redundancy. With any one of the normally open suction header cross-connect valves closed, a failure of an automatic suction valve to open during an accident could cause two pumps to lose suction. Thus, the suction header cross-connect valves must remain open.

The safety analyses show that the HPI pump(s) will deliver sufficient water for a small break LOCA and provide sufficient boron to maintain the core subcritical.

The HPI System satisfies Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO In MODES 1 and 2, and MODE 3 with RCS temperature > 350°F, the HPI System is required to be OPERABLE with:

a.

Two HPI trains OPERABLE;

b.

An additional HPI pump OPERABLE;

c.

Two LPI-HPI flow paths OPERABLE;

d.

Two HPI discharge crossover valves OPERABLE;

e.

HPI suction headers cross-connected; and

f.

HPI discharge headers separated.

The LCO establishes the minimum conditions required to ensure that the HPI System delivers sufficient water to mitigate a small break LOCA.

Additionally, individual components within the HPI trains may be called upon to mitigate the consequences of other transients and accidents.

Each HPI train includes the piping, instruments, pump, valves, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST and injecting into the RCS cold legs upon an ESPS signal. For an HPI train to be OPERABLE, the associated HPI pump must be capable of

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-5 Rev. 004 LCO taking suction from the BWST through the suction header valve associated (continued) with that train upon an ESPS signal. For example:

1) if HPI pump "B" is being credited as part of HPI train "A," then it must be capable of taking suction through HP-24 upon an ESPS signal; or

2) if HPI pump "B" is being credited as part of HPI train "B," then it must be capable of taking suction through HP-25 upon an ESPS signal.

The safety grade flow indicator associated with the normal discharge valve is required to be OPERABLE to support the associated HPI train's automatic OPERABILITY.

To support HPI pump OPERABILITY, the piping, valves and controls which ensure the HPI pump can take suction from the BWST upon an ESPS signal are required to be OPERABLE.

To support HPI discharge crossover valve OPERABILITY, the safety grade flow indicator associated with the HPI discharge crossover valve is required to be OPERABLE.

To support LPI-HPI flow path OPERABILITY, each flow path must be capable of being supplied by an OPERABLE LPI train. When capable of being supplied by an OPERABLE LPI train:

1)

An LPI-HPI flow path, including the piping, instruments, valves and controls, must be in-place to ensure the capability to transfer suction to the reactor building sump from the control room. Within the LPI-HPI flow path are the LPI discharge valves to the LPI-HPI flow path (LP-15 and LP-16).

2)

The LPI discharge valves to the LPI-HPI flow path must be capable of being opened from the control room for the LPI-HPI flow path to be OPERABLE.

The OPERABILITY requirements regarding the LPI System are addressed in LCO 3.5.3, "Low Pressure Injection (LPI)."

As part of the LPI-HPI flow path, the piping, instruments, valves and controls upstream of LP-15 and LP-16 are part of the LPI system and are subject to LCO 3.5.3 (Low Pressure Injection system) requirements. The piping, instruments, valves and controls downstream of and including LP-15 and LP-16, are part of the HPI system and are subject to LCO 3.5.2 (High Pressure Injection system) requirements.

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-6 Rev. 004 LCO When a LPI-HPI flow path is inoperable due to the flow paths associated (continued)

LPI train being inoperable for maintenance only, the piggyback line and associated components may also be inoperable for greater than 72-hours up to the associated LPI trains maximum allowed outage time of 7-days.

For this scenario, any valve along the piggyback line flowpath can be used as an isolation boundary, with power removed as necessary, but no physical work is allowed to be performed on any component along the piggyback line flowpath without entering the applicable TS LCO condition.

This is allowed because with an associated LPI train inoperable, there is no water source for the LPI-HPI piggyback function. This support (LPI train) and supported (LPI-HPI piggyback) relationship is subject to the requirements of TS LCO 3.0.6.

During an event requiring HPI actuation, a flow path is provided to ensure an abundant supply of water from the BWST to the RCS via the HPI pumps and their respective discharge flow paths to each of the four cold leg injection nozzles and the reactor vessel. In the recirculation phase, this flow path is transferred from the control room to take its supply from the reactor building sump and to supply borated water to the RCS via the LPI-HPI flow path (piggy-back mode). Management of gas voids is important to HPI System OPERABILITY.

The OPERABILITY of the HPI System must be maintained to ensure that no single active failure can disable both HPI trains. Additionally, while the HPI System was not designed to cope with passive failures, the HPI trains must be maintained independent to the extent possible during normal operation. The NRC approved exception to this principle is cross-connecting the HPI suction headers during normal operation (Ref. 6).

APPLICABILITY In MODES 1 and 2, and MODE 3 with RCS temperature > 350°F, the HPI System OPERABILITY requirements for the small break LOCA are based on analysis performed at 100% RTP. The HPI pump performance is based on the small break LOCA, which establishes the pump performance curve.

Mode 2 and MODE 3 with RCS temperature > 350°F requirements are bounded by the MODE 1 analysis.

In MODE 3 with RCS temperature 350°F and in MODE 4, the probability of an event requiring HPI actuation is significantly lessened. In this operating condition, the low probability of an event requiring HPI actuation and the LCO 3.5.3 requirements for the LPI System provide reasonable assurance that the safety injection function is preserved.

In MODES 5 and 6, unit conditions are such that the probability of an event requiring HPI injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops - MODE 5, Loops

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-7 Rev. 004 APPLICABILITY Filled," and LCO 3.4.8, "RCS Loops - MODE 5, Loops Not Filled."

(continued)

MODE 6 core cooling requirements are addressed by LCO 3.9.4, "Decay Heat Removal (DHR) and Coolant Circulation - High Water Level," and LCO 3.9.5, "Decay Heat Removal (DHR) and Coolant Circulation - Low Water Level."

ACTIONS A.1 and A.2 With one HPI pump inoperable, or one or more HPI discharge crossover valve(s) (i.e., HP-409 and HP-410) inoperable, the HPI pump and discharge crossover valve(s) must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The HPI System continues to be capable of mitigating an accident, barring a single failure. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is based on NRC recommendations (Ref. 4) that are based on a risk evaluation and is a reasonable time for many repairs.

In the event HPI pump "C" becomes inoperable, Condition C must be entered as well as Condition A. Until actions are taken to align an HPI pump to HPI train "B," HPI train "B" is inoperable due to the inability to automatically provide injection in response to an ESPS signal.

This Condition permits multiple components of the HPI System to be inoperable concurrently. When this occurs, other Conditions may also apply. For example, if HPI pump "C" and HP-409 are inoperable coincidentally, HPI train "B" is incapable of being automatically actuated or manually aligned from the Control Room. Thus, Required Action C.1 would apply.

In order to utilize another HPI pump to supply HPI train "B" when HPI pump C is inoperable, HP-116 must be opened. This action results in cross-connecting the HPI discharge headers; thus, Condition E must be entered.

HP-115 may be closed to provide hydraulic separation provided that pump minimum flow requirements are maintained. However, two operating pumps would be required for this configuration, one to provide makeup flow and one to provide seal injection flow.

B.1, B.2, B.3, and B.4 If the Required Action and associated Completion Time of Condition A is not met, THERMAL POWER of the unit must be reduced to 50% RTP within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable, based on operating experience, to reach the required unit condition from full power conditions in an orderly manner and without challenging unit systems. This time is less restrictive than the Completion Time for Required Action C.1,

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-8 Rev. 004 ACTIONS B.1, B.2, B.3, and B.4 (continued) because the HPI System remains capable of performing its function, barring a single failure.

Two HPI trains are required to mitigate specific small break LOCAs, if no credit for enhanced steam generator cooling is assumed in the accident analysis. However, if equipment not qualified as QA-1 (i.e., an atmospheric dump valve (ADV) flow path for a steam generator) is credited for enhanced steam generator cooling, the safety analyses have determined that the capacity of one HPI train is sufficient to mitigate a small break LOCA on the discharge of the reactor coolant pumps if reactor power is 50% RTP.

Required Actions B.2, B.3, and B.4 modify the HPI pump and discharge crossover valve OPERABILITY requirements to permit reduced requirements at power levels 50% RTP for an extended period of time.

Required Action B.2 provides a compensatory measure to verify by administrative means that the ADV flow path for each steam generator is OPERABLE within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . This compensatory measure provides additional assurance regarding the ability of the plant to mitigate an accident. Compliance with this requirement can be established by ensuring that the ADV flow path for each steam generator is OPERABLE in accordance with LCO 3.7.4, "Atmospheric Dump Valve (ADV) Flow Paths."

Required Actions B.3 and B.4 require that the HPI pump and discharge crossover valve(s) be restored to OPERABLE status within 30 days from initial entry into Condition A. The 30-day time period limits the time that the plant can operate while relying on non QA-1 ADVs to provide enhanced steam generator cooling to mitigate small break LOCAs. The 30-day time period is acceptable, because:

1.

Without crediting an ADV flow path, the HPI System remains capable of performing the safety function, barring a single failure;

2.

If credit is taken for an ADV flow path for a steam generator, the safety analysis has demonstrated that only one HPI train is required to mitigate the consequences of a small break LOCA when THERMAL POWER is 50% RTP. Thus, for this case, the HPI System would be capable of performing its safety function even with an additional single failure;

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-9 Rev. 004 ACTIONS B.1, B.2, B.3, and B.4 (continued)

3.

OPERABILITY of the ADV flow path for each steam generator is required to be confirmed by Required Action B.2 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

Additional defense-in-depth is provided, because the ADV flow path for only one steam generator is required to mitigate the small break LOCA; and

4.

A risk-informed assessment (Ref. 7) concluded that operating the plant in accordance with these Required Actions is acceptable.

C.1, C.2, and C.3 If the plant is operating with THERMAL POWER > 50% RTP, two HPI pumps capable of providing flow through two HPI trains are required. One HPI train is required to provide flow automatically upon receipt of an ESPS signal, while flow through the other HPI train must be capable of being established from the Control Room within 10 minutes. Thus, if the plant is operating at > 50% RTP, and one HPI train is inoperable and incapable of being automatically actuated or manually aligned from the Control Room to provide flow post-accident, the HPI System would be incapable of performing its safety function. For this Condition, Required Action C.1 requires the power to be reduced to 50% RTP within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . Required Action C.1 is modified by a Note which limits its applicability to the condition defined above. The 3 hour3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months Completion Time is considered reasonable to reduce the unit from full power conditions to 50% RTP in an orderly manner and without challenging unit systems. The time frame is more restrictive than the Completion Time provided in Required Action B.1 for the same action, because the condition involves a loss of safety function.

If the plant is operating with THERMAL POWER > 50% RTP and the inoperable HPI train can be automatically actuated or manually aligned to provide flow post-accident, Required Action C.3 permits 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to restore the HPI train to an OPERABLE status.

If enhanced steam generator cooling is not credited in the accident analysis, two HPI trains are required to mitigate specific small break LOCAs with THERMAL POWER 50% RTP. However, if equipment not qualified as QA-1 (i.e., an ADV flow path for a steam generator) is credited for enhanced steam generator cooling, the safety analyses have determined that the capacity of one HPI train is sufficient to mitigate a small break LOCA on the discharge of the reactor coolant pumps if THERMAL POWER is 50% RTP. In order to permit an HPI train to be inoperable regardless of the reason when THERMAL POWER is 50% RTP, Required Action C.2 provides a compensatory measure to verify by administrative means that the ADV flow path for each steam generator is

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-10 Rev. 004 ACTIONS C.1, C.2, and C.3 (continued)

OPERABLE within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . This Required Action is modified by a Note which states that it is only required if THERMAL POWER is 50% RTP.

This compensatory measure provides assurance regarding the ability of the plant to mitigate an accident while in the Condition and THERMAL POWER 50% RTP. Compliance with this requirement can be established by ensuring that the ADV flow path for each steam generator is OPERABLE in accordance with LCO 3.7.4, "Atmospheric Dump Valve (ADV) Flow Paths."

With one HPI train inoperable, the inoperable HPI train must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This action is appropriate because:

1.

With THERMAL POWER 50% RTP, the safety analysis demonstrates that only one HPI train is required to mitigate the consequences of a small break LOCA assuming credit is taken for the ADV flow path for one steam generator. The OPERABILITY of the ADV flow path for each steam generator is confirmed by Required Action C.2 within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . This provides additional defense-in-depth. Additionally, a risk-informed assessment (Ref. 7) concluded that operating the plant in accordance with this Required Action is acceptable.

2.

With THERMAL POWER > 50% RTP, the remaining OPERABLE HPI train is capable of automatic actuation, and the inoperable train can be manually aligned by operator action to cross-connect the discharge headers of the HPI trains. This manual action was approved by the NRC in Reference 6.

D.1 With the HPI suction headers not cross-connected, the HPI suction headers must be cross-connected within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The HPI System continues to be capable of mitigating an accident, barring a single failure.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is based on NRC recommendations (Ref. 4) that are based on a risk evaluation and is a reasonable time for many repairs.

An argument similar to that utilized for Required Actions B.2, B.3, and B.4 could have been made for operating the HPI System with the suction headers not cross-connected for an extended period of time. However, this action was not considered prudent, due to the potential of damaging two HPI pumps in the event HP-24 or HP-25 failed to open in response to an ESPS signal while the HPI suction headers were not cross-connected.

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-11 Rev. 004 ACTIONS E.1 With the HPI discharge headers cross-connected, the independence of the HPI trains is not being maintained to the extent practical (i.e., defense-in-depth principle is not met). Thus, the HPI discharge headers must be hydraulically separated within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This action limits the time period that the HPI discharge headers may be cross-connected. The 72-hour allowed outage time is acceptable, because cross-connecting the HPI discharge headers in conjunction with:

1.

the rest of the HPI System being OPERABLE would not result in the inability of the HPI System to perform its safety function even assuming a single active failure; and

2.

an HPI pump being inoperable would not result in the inability of the HPI System to perform its safety function, barring a single failure.

However, in this condition, a single active failure of one of the two remaining OPERABLE HPI pumps could result in the remaining HPI pump failing due to runout.

F.1 With one LPI-HPI flow path inoperable, the inoperable LPI-HPI flow path must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The HPI System continues to be capable of mitigating an accident, barring a single failure.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is justified because there is a limited range of break sizes, and therefore a lower probability for a small break LOCA which would require piggy back operation.

G.1 and G.2 If a Required Action and associated Completion Time of Condition B, C, D, E, or F are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and the RCS temperature reduced to 350°F within 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

H.1 If two HPI trains are inoperable or two LPI-HPI flow paths are inoperable, the HPI System is incapable of performing its safety function and in a condition not explicitly addressed in the Actions for ITS 3.5.2. Thus, immediate plant shutdown in accordance with LCO 3.0.3 is required.

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-12 Rev. 004 SURVEILLANCE SR 3.5.2.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the HPI flow paths provides assurance that the proper flow paths will exist for HPI operation. This SR does apply to the HPI suction header cross-connect valves, the HPI discharge cross-connect valves, the HPI discharge crossover valves, and the LPI-HPI flow path discharge valves (LP-15 and LP-16). This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal.

This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by a Note which exempts system vent flow paths opened under administrative control. The administrative control should be proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed.

SR 3.5.2.2 HPI System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the HPI System and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.

Selection of HPI System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration. Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-13 Rev. 004 SURVEILLANCE SR 3.5.2.2 (continued)

REQUIREMENTS The HPI System is OPERABLE when it is sufficiently filled with water.

Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it Is determined by subsequent evaluation that the HPI System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.

Accumulated gas should be eliminated or brought within the acceptance criteria limits. If the accumulated gas is eliminated or brought within the acceptance criteria limits as part of the Surveillance performance, the Surveillance is considered met and the system is OPERABLE. Past operability is then evaluated under the Corrective Action program. If It is suspected that a gas intrusion event is occurring, then this is evaluated under the Operability Determination Process.

HPI System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations.

Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g.,

operating parameters. remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.

The Surveillance Frequency Is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.

HPI B 3.5.2 BASES OCONEE UNITS 1, 2, & 3 B 3.5.2-14 Rev. 004 SURVEILLANCE SR 3.5.2.3 REQUIREMENTS (continued)

Periodic surveillance testing of HPI pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code (Ref. 5). SRs are specified in the INSERVICE TESTING PROGRAM of the ASME Code.

SR 3.5.2.4 and SR 3.5.2.5 These SRs demonstrate that each automatic HPI valve actuates to the required position on an actual or simulated ESPS signal and that each HPI pump starts on receipt of an actual or simulated ESPS signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The test will be considered satisfactory if control board indication verifies that all components have responded to the ESPS actuation signal properly (all appropriate ESPS actuated pump breakers have opened or closed and all ESPS actuated valves have completed their travel). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The actuation logic is tested as part of the ESPS testing, and equipment performance is monitored as part of the INSERVICE TESTING PROGRAM.

SR 3.5.2.6 Periodic inspections of the reactor building sump suction inlet (for LPI-HPI flow path) ensure that it is unrestricted and stays in proper operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.7 Periodic stroke testing of the HPI discharge crossover valves (HP-409 and HP-410) and LPI-HPI flow path discharge valves (LP-15 and LP-16) is required to ensure that the valves can be manually cycled from the Control Room. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

HPI B 3.5.2 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.5.2-15 Rev. 004 REFERENCES

1.

10 CFR 50.46.

2.

UFSAR, Section 15.14.3.3.6.

3.

10 CFR 50.36.

4.

NRC Memorandum to V. Stello, Jr., from R.L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.

5.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

6.

Letter from R. W. Reid (NRC) to W. O. Parker, Jr. (Duke) transmitting Safety Evaluation for Oconee Nuclear Station, Units Nos. 1, 2, and 3, Modifications to the High Pressure Injection System, dated December 13, 1978.

7.

Letter from W. R. McCollum (Duke) to the U. S. NRC, "Proposed Amendment to the Facility Operating License Regarding the High Pressure Injection System Requirements," dated December 16, 1998.

OCONEE UNITS 1, 2, & 3 B 3.5.3-1 Rev. 004 LPI B 3.5.3 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

B 3.5.3 Low Pressure Injection (LPI)

BASES BACKGROUND The function of the ECCS is to provide core cooling to ensure that the reactor core is protected after any of the following accidents:

a.

Loss of coolant accident (LOCA);

b.

Rod ejection accident (REA);

c.

Steam generator tube rupture (SGTR); and

d.

Main steam line break (MSLB).

There are two phases of ECCS operation: injection and recirculation. In the injection phase, all injection is initially added to the Reactor Coolant System (RCS) via the cold legs or Core Flood Tank (CFT) lines to the reactor vessel. After the borated water storage tank (BWST) has been depleted, the recirculation phase is entered as the suction is transferred to the reactor building sump.

Two redundant low pressure injection (LPI) trains are provided. The LPI trains consist of piping, valves, instruments, controls, heat exchangers, and pumps, such that water from the borated water storage tank (BWST) can be injected into the Reactor Coolant System (RCS). In MODES 1, 2 and 3, both trains of LPI must be OPERABLE. This ensures that 100% of the core cooling requirements can be provided even in the event of a single active failure. The LPI discharge header manual crossover valves inside containment must be maintained administratively open in MODE 1, 2, and 3 to assure abundant, long term cooling. Only one LPI train is required for MODE 4.

A suction header supplies water from the BWST or the reactor building sump to the LPI pumps. LPI discharges into each of the two core flood nozzles on the reactor vessel that discharge into the vessel downcomer area.

LPI B 3.5.3 BASES OCONEE UNITS 1, 2, & 3 B 3.5.3-2 Rev. 004 BACKGROUND The LPI pumps are capable of discharging to the RCS at an RCS pressure (continued) of approximately 200 psia. When the BWST has been nearly emptied, the suction for the LPI pumps is manually transferred to the reactor building sump.

In the long term cooling period, flow paths in the LPI System are established to preclude the possibility of boric acid in the core region reaching an unacceptably high concentration. Two gravity flow paths are available by means of a drain line from the hot leg to the Reactor Building sump which draws coolant from the top of the core, thereby inducing core circulation. The system is designed with redundant drain lines.

During a large break LOCA, RCS pressure will rapidly decrease. The LPI System is actuated upon receipt of an ESPS signal. If offsite power is available, the safeguard loads start immediately. If offsite power is not available, the Engineered Safeguards (ES) buses are connected to the Keowee Hydro Units. The time delay (38 seconds) associated with Keowee Hydro Unit startup and LPI pump starting determines the time required before pumped flow is available to the core following a LOCA. Full LPI flow is not available until the LPI header isolation valve strokes full open. The ES signal has been removed from LP-21 and LP-22. These valves shall be open when automatic initiation of the LPI system is required. If either one is closed during this time, the associated LPI and RBS train is inoperable.

The LPI and HPI (LCO 3.5.2, "High Pressure Injection (HPI)"), along with the passive CFTs and the BWST covered in LCO 3.5.1, "Core Flood Tanks (CFTs)," and LCO 3.5.4, "Borated Water Storage Tank (BWST)," provide the cooling water necessary to meet 10 CFR 50.46 (Ref. 1).

APPLICABLE The LCO helps to ensure that the following acceptance criteria for the SAFETY ANALYSES ECCS, established by 10 CFR 50.46 (Ref. 1), will be met following a LOCA:

a.

Maximum fuel element cladding temperature is 2200F;

b.

Maximum cladding oxidation is 0.17 times the total cladding thickness before oxidation;

c.

Maximum hydrogen generation from a zirconium water reaction is 0.01 times the hypothetical amount generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d.

Core is maintained in a coolable geometry; and

LPI B 3.5.3 BASES OCONEE UNITS 1, 2, & 3 B 3.5.3-3 Rev. 004 APPLICABLE

e.

Adequate long term core cooling capability is maintained.

SAFETY ANALYSES (continued)

The LCO also helps ensure that reactor building temperature limits are met.

The LPI System is assumed to provide injection in the large break LOCA analysis at full power (Ref. 2). This analysis establishes a minimum required flow for the LPI pumps, as well as the minimum required response time for their actuation.

The large break LOCA event assumes a loss of offsite power and a single failure (loss of the CT-4 transformer). For analysis purposes, the loss of offsite power assumption may be conservatively inconsistent with the assumed operation of some equipment, such as reactor coolant pumps (Ref. 3). During the blowdown stage of a LOCA, the RCS depressurizes as primary coolant is ejected through the break into the reactor building. The nuclear reaction is terminated by moderator voiding during large breaks.

Following depressurization, emergency cooling water is injected into the reactor vessel core flood nozzles, then flows into the downcomer, fills the lower plenum, and refloods the core.

In the event of a Core Flood line break which results in a LOCA, with a concurrent single failure on the unaffected LPI train opposite the Core Flood line break, the system is fitted with flow restricting devices in each injection leg and an upstream cross-connect pipe. These serve to limit the ECCS spillage through the faulted header and ensure that flow is diverted from the faulted header to the intact header at lower pressures. These flow restricting devices also provide LPI pump run-out protection during LBLOCAs.

The safety analyses show that an LPI train will deliver sufficient water to match decay heat boiloff rates for a large break LOCA.

In the large break LOCA analyses, full LPI is not credited until 74 seconds after actuation of the ESPS signal. This is based on a loss of offsite power and the associated time delays in Keowee Hydro Unit startup, valve opening and pump start. Further, LPI flow is not credited until RCS pressure drops below the pump's shutoff head. For a large break LOCA, HPI is not credited at all.

The LPI trains satisfy Criterion 3 of 10 CFR 50.36 (Ref. 4).

LPI B 3.5.3 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.5.3-4 Rev. 004 LCO In MODES 1, 2, and 3, two independent (and redundant) LPI trains are required to ensure that at least one LPI train is available, assuming a single failure in the other train. Additionally, individual components within the LPI trains may be called upon to mitigate the consequences of other transients and accidents. Each LPI train includes the piping, instruments, pumps, valves, heat exchangers and controls to ensure an OPERABLE flow path capable of taking suction from the BWST upon an ES signal and the capability to manually (remotely) transfer suction to the reactor building sump. The safety grade flow indicator of an LPI train is required to support OPERABILITY of the LPI and RBS trains to preclude NPSH or runout pro-blems. RBS flow is hydraulically maintained by system resistance, and throttling of RBS flow is not required. Therefore, RBS flow indication is not required to support LPI or RBS train OPERABILITY. The safety grade flow indicator associated with LPSW flow to an LPI cooler is required to be OPERABLE to support LPI train OPERABILITY.

LPI BWST Suction Valves, LP-21 and LP-22 do not have an ES signal to open. These valves shall be open when automatic initiation of the LPI and the RBS system is required to be OPERABLE. If either one is closed during this time, the associated LPI and RBS train is inoperable.

In MODE 4, one of the two LPI trains is required to ensure sufficient LPI flow is available to the core.

During an event requiring LPI injection, a flow path is required to provide an abundant supply of water from the BWST to the RCS, via the LPI pumps and their respective supply headers, to the reactor vessel. In the long term, this flow path may be switched to take its supply from the reactor building sump. Management of gas voids is important to LPI System OPERABILITY.

This LCO is modified by three Notes. Note 1 changes the LCO requirement when in MODE 4 for the number of OPERABLE trains from two to one. Note 2 allows an LPI train to be considered OPERABLE during alignment, when aligned or when operating for decay heat removal if capable of being manually (remotely) realigned to the LPI mode of operation. This provision is necessary because of the dual requirements of the components that comprise the LPI and decay heat removal modes of the LPI System. Note 3 requires the LPI discharge header crossover valves inside containment to be open in MODES 1, 2, and 3. If one of these valves is closed, then the system will be unable to sustain a single failure.

LPI B 3.5.3 BASES OCONEE UNITS 1, 2, & 3 B 3.5.3-5 Rev. 004 LCO The flow path for each train must maintain its designed independence (continued) outside containment to ensure that no single failure can disable both LPI trains. If train separation is not maintained outside containment then only one LPI train is considered OPERABLE.

APPLICABILITY In MODES 1, 2 and 3, the LPI train OPERABILITY requirements for the Design Basis Accident, a large break LOCA, are based on full power operation. The position requirements of the LPI discharge crossover valves inside containment for the CFT line break are based on full power operation. Although reduced power would not require the same level of performance, the accident analysis does not provide for reduced cooling requirements in the lower MODES.

In MODE 4, one OPERABLE LPI train is acceptable without single failure consideration on the basis of the stable reactivity condition of the reactor and the limited core cooling requirements.

In MODES 5 and 6, unit conditions are such that the probability of an event requiring LPI injection is extremely low. Core cooling requirements in MODE 5 are addressed by LCO 3.4.7, "RCS Loops-MODE 5, Loops Filled," and LCO 3.4.8, "RCS Loops-MODE 5, Loops Not Filled." MODE 6 core cooling requirements are addressed by LCO 3.9.4, "DHR and Coolant Circulation-High Water Level," and LCO 3.9.5, "DHR and Coolant Circulation-Low Water Level."

ACTIONS A.1 With one LPI train inoperable in MODES 1, 2 or 3, the inoperable train must be returned to OPERABLE status within 7 days. The 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis in Reference 6. Reference 6 concluded that extending the Completion Time to 7 days for an inoperable LPI train improves plant operational flexibility while simultaneously reducing overall plant risk. Specifically, the risk incurred by having the LPI train unavailable for a longer time at power will be substantially offset by the benefits associated with avoiding unnecessary plant transitions and by reducing risk during shutdown operations.

LPI B 3.5.3 BASES OCONEE UNITS 1, 2, & 3 B 3.5.3-6 Rev. 004 ACTIONS B.1 (continued)

With one or more required LPI discharge header manual crossover valves inside containment closed, the closed valve(s) must be opened within 7 days. The 7 day Completion Time is based on the findings of the deterministic and probabilistic analysis in Reference 6.

C.1 If the Required Action and associated Completion Time of Condition A or B are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 60 hours6.944444e-4 days 0.0167 hours 9.920635e-5 weeks 2.283e-5 months . The allowed Completion Times are reasonable, based on operating experience, reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

D.1 With one required LPI train inoperable in MODE 4, the unit is not prepared to respond to an event requiring low pressure injection and may not be prepared to continue cooldown using the LPI pumps and LPI heat exchangers. The Completion Time of immediately, which would initiate action to restore at least one LPI train to OPERABLE status, ensures that prompt action is taken to restore the required LPI capacity. Normally, in MODE 4, reactor decay heat must be removed by a decay heat removal (DHR) loop operating with suction from the RCS. If no LPI train is OPERABLE for this function, reactor decay heat must be removed by some alternate method, such as use of the steam generator(s).

The alternate means of heat removal must continue until one of the inoperable LPI trains can be restored to operation so that continuation of decay heat removal (DHR) is provided.

With the LPI pumps (including the non ES pump) and LPI heat exchangers inoperable, it would be unwise to require the unit to go to MODE 5, where the only available heat removal system is the LPI trains operating in the DHR mode. Therefore, the appropriate action is to initiate measures to restore one LPI train and to continue the actions until the subsystem is restored to OPERABLE status.

LPI B 3.5.3 BASES OCONEE UNITS 1, 2, & 3 B 3.5.3-7 Rev. 004 ACTIONS D.2 (continued)

Required Action D.2 requires that the unit be placed in MODE 5 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This Required Action is modified by a Note that states that the Required Action is only required to be performed if a DHR loop is OPERABLE. This Required Action provides for those circumstances where the LPI trains may be inoperable but otherwise capable of providing the necessary decay heat removal. Under this circumstance, the prudent action is to remove the unit from the Applicability of the LCO and place the unit in a stable condition in MODE 5. The Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is reasonable, based on operating experience, to reach MODE 5 in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.5.3.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the LPI flow paths provides assurance that the proper flow paths will exist for LPI operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal.

This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

When in MODE 4 an LPI train may be considered OPERABLE during alignment, when aligned or when operating for decay heat removal if capable of being manually realigned to the LPI mode of operation.

Therefore, for this condition, the SR verifies that LPI is capable of being manually realigned to the LPI mode of operation.

The Surveillance is modified by a Note which exempts system vent flow paths opened under administrative control. The administrative control should be proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed.

LPI B 3.5.3 BASES OCONEE UNITS 1, 2, & 3 B 3.5.3-8 Rev. 004 SURVEILLANCE SR 3.5.3.2 REQUIREMENTS (continued)

LPI System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the LPI System and may also prevent water hammer, pump cavitation, and pumping of noncondensible gas into the reactor vessel.

Selection of LPI System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration. Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.

The LPI System is OPERABLE when it is sufficiently filled with water.

Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump),

the Surveillance is not met. If it is determined by subsequent evaluation that the LPI System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met. Accumulated gas should be eliminated or brought within the acceptance criteria limits. If the accumulated gas is eliminated or brought within the acceptance criteria limits as part of the Surveillance performance, the Surveillance is considered met and the system is OPERABLE. Past operability is then evaluated under the Corrective Action program. If it is suspected that a gas intrusion event is occurring, then this is evaluated under the Operability Determination Process.

LPI System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety.

For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location.

Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the

LPI B 3.5.3 BASES OCONEE UNITS 1, 2, & 3 B 3.5.3-9 Rev. 004 SURVEILLANCE SR 3.5.3.2 (continued)

REQUIREMENTS method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.

SR 3.5.3.3 Periodic surveillance testing of LPI pumps to detect gross degradation caused by impeller structural damage or other hydraulic component problems is required by the ASME Code (Ref. 5). SRs are specified in the INSERVICE TESTING PROGRAM of the ASME Code.

SR 3.5.3.4 and SR 3.5.3.5 These SRs demonstrate that each automatic LPI valve actuates to the required position on an actual or simulated ESPS signal and that each LPI pump starts on receipt of an actual or simulated ESPS signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The test will be considered satisfactory if control board indication verifies that all components have responded to the ESPS actuation signal properly (all appropriate ESPS actuated pump breakers have opened or closed and all ESPS actuated valves have completed their travel). The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The actuation logic is tested as part of the ESPS testing, and equipment performance is monitored as part of the INSERVICE TESTING PROGRAM.

SR 3.5.3.6 Periodic inspections of the reactor building sump suction inlet ensure that it is unrestricted and stays in proper operating condition. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

LPI B 3.5.3 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.5.3-10 Rev. 004 REFERENCES

1.

10 CFR 50.46.

2.

UFSAR, Section 15.14.3.3.6.

3.

UFSAR, Section 15.14.3.3.5.

4.

10 CFR 50.36.

5.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

6.

NRC Safety Evaluation of Babcock & Wilcox Owners Group (B&WOG) Topical Report BAW-2295, Revision 1, "Justification for the Extension of Allowed Outage Time for Low Pressure Injection and Reactor Building Spray systems," (TAC No. MA3807) dated June 30, 1999.

OCONEE UNITS 1, 2, & 3 B 3.6.3-1 Rev. 001 Containment Isolation Valves B 3.6.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.3 Containment Isolation Valves BASES BACKGROUND The containment isolation valves form part of the containment pressure boundary and provide a means for fluid penetrations not serving accident consequence limiting systems to be provided with two isolation barriers that are closed on an automatic isolation signal. These isolation devices consist of either passive devices or active (automatic) devices. Manual valves, non-automatic power operated valves in their closed position, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. Check valves, or other automatic valves designed to close following an accident without operator action, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system. These barriers (typically containment isolation valves) make up the Containment Isolation System.

Containment isolation occurs upon receipt of a high containment pressure or diverse containment isolation signal. The containment isolation signal closes automatic containment isolation valves in fluid penetrations not required for operation of engineered safeguard systems to prevent leakage of radioactive material. Upon actuation, automatic containment valves also isolate systems not required for containment or Reactor Coolant System (RCS) heat removal. Other penetrations are isolated by the use of valves in the closed position or blind flanges. As a result, the containment isolation valves (and blind flanges) help ensure that the containment atmosphere will be isolated in the event of a release of radioactive material to containment atmosphere from the RCS following an accident.

OPERABILITY of the containment isolation valves (and blind flanges) supports containment OPERABILITY during accident conditions.

The OPERABILITY requirements for containment isolation valves help ensure that containment is isolated within the time limits assumed in the safety analysis. Therefore, the OPERABILITY requirements provide assurance that the containment function assumed in the safety analysis will be maintained.

Containment Isolation Valves B 3.6.3 BASES OCONEE UNITS 1, 2, & 3 B 3.6.3-2 Rev. 001 BACKGROUND The Reactor Building Purge System is part of the Reactor Building (continued)

Ventilation System. The Purge System was designed for intermittent operation, providing a means of removing airborne radioactivity caused by minor leakage from the RCS prior to personnel entry into containment. The Reactor Building Purge System consists of one 48 inch line for exhaust and one 48 inch line for supply, with exhaust fans capable of purging the containment atmosphere at a rate of approximately 35,000 ft3/min. The reactor building purge supply and exhaust lines each contain two isolation valves that receive a reactor building isolation signal.

Failure of the purge valves to close following a design basis event would cause a significant increase in the radioactive release because of the large containment leakage path introduced by these 48 inch purge lines. Failure of the purge valves to close would result in leakage considerably in excess of the containment design leakage rate of 0.25% of containment air weight per day (La) (Ref. 1). Because of their large size, the 48 inch purge valves are not qualified for automatic closure from their open position under accident conditions. Therefore, the 48 inch purge valves are maintained sealed closed (SR 3.6.3.1) in MODES 1, 2, 3, and 4 to ensure the containment boundary is maintained.

APPLICABLE The containment isolation valve LCO was derived from the assumptions SAFETY ANALYSES related to minimizing the loss of reactor coolant inventory and establishing containment boundary during major accidents. As part of the containment boundary, containment isolation valve OPERABILITY supports leak tightness of the containment. Therefore, the safety analysis of any event requiring isolation of containment is applicable to this LCO.

The accident that results in a significant release of radioactive material within containment is a loss of coolant accident (LOCA)(Ref. 2). In the analysis for this accident, it is assumed that containment isolation valves are either closed or function to close within the required isolation time following event initiation. This ensures that potential paths to the environment through containment isolation valves (including reactor building purge valves) are minimized. The safety analysis assumes that the 48 inch purge valves are closed at event initiation.

The LOCA analysis assumes a fixed amount of core inventory escapes.

No mechanistic scenario is evaluated to determine what portion of the inventory is released prior to closure of the containment isolation valves.

Industry standards for sizing valve operators govern the closure times of the containment isolation valves.

Containment Isolation Valves B 3.6.3 BASES OCONEE UNITS 1, 2, & 3 B 3.6.3-3 Rev. 001 APPLICABLE The purge valves may be unable to close in the environment following a SAFETY ANALYSES LOCA. Therefore, each of the purge valves is required to remain sealed (continued) closed during MODES 1, 2, 3, and 4.

The containment isolation valves satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO Containment isolation valves form a part of the containment boundary. The containment isolation valve safety function is related to minimizing the loss of reactor coolant inventory and establishing the containment boundary during an accident.

The automatic power operated isolation valves are required to have isolation times within limits and to actuate on an automatic isolation signal.

The 48 inch purge valves must be maintained sealed closed. The valves covered by this LCO are listed in the UFSAR (Ref. 4).

The normally closed isolation valves are considered OPERABLE when non-automatic power operated valves are closed, manual valves are closed, check valves have flow through the valve secured, blind flanges are in place, and closed systems are intact.

The containment isolation valve leakage rates are addressed by LCO 3.6.1, "Containment," as Type C testing.

This LCO provides assurance that the containment isolation valves and purge valves will perform their designated safety functions to minimize the loss of reactor coolant inventory and establish the containment boundary during accidents.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment. In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, the containment isolation valves are not required to be OPERABLE in MODE 5. The requirements for containment isolation valves during MODE 6 are addressed in LCO 3.9.3, "Containment Penetrations."

Containment Isolation Valves B 3.6.3 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.6.3-4 Rev. 001 ACTIONS The ACTIONS are modified by a Note allowing penetration flow paths, except for 48 inch purge valve penetration flow paths, to be unisolated intermittently under administrative controls. The opening of locked or sealed closed containment isolation valves on an intermittent basis under administrative control includes the following: (1) stationing an operator, who is in constant communication with control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valves and that this action will prevent the release of radioactivity outside the containment (Ref. 5). In this way, the penetration can be rapidly isolated when a need for containment isolation is indicated. Due to the size of the reactor building purge line penetration and the fact that those penetrations exhaust directly from the containment atmosphere to the environment, the penetration flow paths containing these valves may not be opened under administrative controls.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable containment isolation valve. Complying with the Required Actions may allow for continued operation, and subsequent inoperable containment isolation valves are governed by subsequent Condition entry and application of associated Required Actions.

The ACTIONS are further modified by a third Note, which ensures appropriate remedial actions are taken, if necessary, if the affected systems are rendered inoperable by an inoperable containment isolation valve.

A.1 and A.2 In the event one containment isolation valve in one or more penetration flow paths is inoperable, the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic containment isolation valve, a closed and de-activated non-automatic power operated valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available one to containment.

Required Action A.1 must be completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time.

The specified time period is reasonable, considering the time required to isolate the penetration and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4.

Containment Isolation Valves B 3.6.3 BASES OCONEE UNITS 1, 2, & 3 B 3.6.3-5 Rev. 001 ACTIONS A.1 and A.2 (continued)

For affected penetration flow paths that cannot be restored to OPERABLE status within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time and that have been isolated in accordance with Required Action A.1, the affected penetration flow paths must be verified to be isolated on a periodic basis. This periodic verification is necessary to ensure that containment penetrations required to be isolated following an accident and no longer capable of being automatically isolated will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation.

Rather, it involves verification, through a system walkdown, that those isolation devices outside containment and capable of being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside containment" is appropriate considering the fact that the devices are operated under administrative controls and the probability of their misalignment is low. The opening of locked or sealed closed containment isolation valves on an intermittent basis under administrative control includes the following: (1) stationing an operator, who is in constant communication with control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valves and that this action will prevent the release of radioactivity outside the containment (Ref. 5). For the isolation devices inside containment, the time period specified as "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the isolation devices and other administrative controls that will ensure that isolation device misalignment is an unlikely possibility.

Condition A has been modified by a Note indicating this Condition is only applicable to those penetration flow paths with two containment isolation valves. For penetration flow paths with only one containment isolation valve in closed systems, Condition C provides appropriate actions.

Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas and allows the devices to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable since access to these areas is typically restricted during MODES 1, 2, 3, and 4 for ALARA reasons. Therefore, the probability of misalignment of these devices, once they have been verified to be in the proper position, is small.

Containment Isolation Valves B 3.6.3 BASES OCONEE UNITS 1, 2, & 3 B 3.6.3-6 Rev. 001 ACTIONS B.1 (continued)

With two containment isolation valves in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed and de-activated non-automatic power operated valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the penetration. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1. In the event the affected penetration is isolated in accordance with Required Action B.1, the affected penetration must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to assure leak tightness of containment and that penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative controls and the probability of their misalignment is low. The opening of locked or sealed closed containment isolation valves on an intermittent basis under administrative control includes the following: (1) stationing an operator, who is in constant communication with control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valves and that this action will prevent the release of radioactivity outside the containment (Ref. 5).

Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two containment isolation valves.

Condition A of this LCO addresses the condition of one containment isolation valve inoperable in this type of penetration flow path.

C.1 and C.2 With one or more penetration flow paths with one containment isolation valve inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed and de-activated non-automatic power operated valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time. The specified time period is reasonable, considering the relative stability of the closed system (hence, reliability) to act as a

Containment Isolation Valves B 3.6.3 BASES OCONEE UNITS 1, 2, & 3 B 3.6.3-7 Rev. 001 ACTIONS C.1 and C.2 (continued) penetration isolation boundary and the relative importance of supporting containment OPERABILITY during MODES 1, 2, 3, and 4. In the event the affected penetration is isolated in accordance with Required Action C.1, the affected penetration flow path must be verified to be isolated on a periodic basis. This periodic verification is necessary to assure leak tightness of containment and that containment penetrations requiring isolation following an accident are isolated. The Completion Time of once per 31 days for verifying that each affected penetration flow path is isolated is appropriate considering the fact that the valves are operated under administrative controls and the probability of their misalignment is low. The opening of locked or sealed closed containment isolation valves on an intermittent basis under administrative control includes the following: (1) stationing an operator, who is in constant communication with control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valves and that this action will prevent the release of radioactivity outside the containment (Ref. 5).

Condition C is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with only one containment isolation valve in closed systems. This Note is necessary since this Condition is written to specifically address those penetration flow paths in a closed system.

Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows these devices to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable since access to these areas is typically restricted during MODES 1, 2, 3, and 4 for ALARA reasons.

Therefore, the probability of misalignment of these devices, once verified to be in the proper position, is small.

D.1 and D.2 If the Required Actions and associated Completion Times are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

Containment Isolation Valves B 3.6.3 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.6.3-8 Rev. 001 SURVEILLANCE SR 3.6.3.1 REQUIREMENTS Each 48 inch reactor building purge valve is required to be periodically verified sealed closed. This Surveillance is designed to ensure that a gross breach of containment is not caused by an inadvertent or spurious opening of a reactor building purge valve. Detailed analysis of the purge valves failed to conclusively demonstrate their ability to close during a LOCA in time to limit offsite doses. Therefore, these valves are required to be in the sealed closed position during MODES 1, 2, 3, and 4. A reactor building purge valve that is sealed closed must have motive power to the valve operator removed. This can be accomplished by de-energizing the source of electric power or by removing the air supply to the valve operator.

In this application, the term "sealed" has no connotation of leak tightness.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.3.2 This SR requires verification that each containment isolation manual and non-automatic power operated valve and blind flange located outside containment and not locked, sealed, or otherwise secured, and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. This SR does not require any testing or valve manipulation. Rather, it involves verification, through a system walkdown, that those containment isolation valves outside containment and capable of being mispositioned are in the correct position.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The SR specifies that containment isolation valves open under administrative controls are not required to meet the SR during the time the valves are open. The opening of locked or sealed closed containment isolation valves on an intermittent basis under administrative control includes the following: (1) stationing an operator, who is in constant communication with control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valves and that this action will prevent the release of radioactivity outside the containment (Ref. 5). The dedicated individual can be responsible for closing more than one valve provided that the valves are all in close vicinity and can be closed in a timely manner. This SR does not apply to valves that are locked, sealed, or otherwise secured, since these were verified to be in the correct position upon locking, sealing, or securing.

Containment Isolation Valves B 3.6.3 BASES OCONEE UNITS 1, 2, & 3 B 3.6.3-9 Rev. 001 SURVEILLANCE SR 3.6.3.2 (continued)

REQUIREMENTS The Note applies to valves and blind flanges located in high radiation areas and allows these devices to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, 3, and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in the proper position, is low.

SR 3.6.3.3 This SR requires verification that each containment isolation manual and non-automatic power operated valve and blind flange that is located inside containment and not locked, sealed, or otherwise secured, and required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the containment boundary is within design limits. For containment isolation valves inside containment, the Frequency of "prior to entering MODE 4 from MODE 5 if not performed within the previous 92 days" is appropriate, since these containment isolation valves are operated under administrative controls and the probability of their misalignment is low. The SR specifies that containment isolation valves open under administrative controls are not required to meet the SR during the time they are open. The opening of locked or sealed closed containment isolation valves on an intermittent basis under administrative control includes the following considerations: (1) stationing an operator, who is in constant communication with the control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valves and that this action will prevent the release of radioactivity outside the containment (Ref. 5).

The dedicated individual can be responsible for closing more than one valve provided that the valves are all in close vicinity and can be closed in a timely manner. This SR does not apply to valves that are locked, sealed, or otherwise secured, since these were verified to be in the correct position upon locking, sealing, or securing.

The Note allows valves and blind flanges located in high radiation areas to be verified closed by use of administrative means. Allowing verification by administrative means is considered acceptable, since the access to these areas is typically restricted during MODES 1, 2, 3, and 4 for ALARA reasons. Therefore, the probability of misalignment of these containment isolation valves, once they have been verified to be in their proper position, is small.

Containment Isolation Valves B 3.6.3 BASES OCONEE UNITS 1, 2, & 3 B 3.6.3-10 Rev. 001 SURVEILLANCE SR 3.6.3.4 REQUIREMENTS (continued)

Verifying that the isolation time of each automatic power operated containment isolation valve is within limits is required to demonstrate OPERABILITY. The isolation time and Frequency of this SR are in accordance with the INSERVICE TESTING PROGRAM.

SR 3.6.3.5 Automatic containment isolation valves close on a containment isolation signal to prevent leakage of radioactive material from containment following an accident. This SR ensures that each automatic containment isolation valve will actuate to its isolation position on a containment isolation signal.

This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

UFSAR, Section 6.2.

2.

UFSAR, Section 15.14.

3.

10 CFR 50.36.

4.

UFSAR, Table 6-7.

5.

Generic Letter 91-08

OCONEE UNITS 1, 2, & 3 B 3.6.5-1 Rev. 003 Reactor Building Spray and Cooling Systems B 3.6.5 B 3.6 CONTAINMENT SYSTEMS B 3.6.5 Reactor Building Spray and Cooling Systems BASES BACKGROUND The Reactor Building Spray and Reactor Building Cooling systems provide containment atmosphere cooling to limit post accident pressure and temperature in containment to less than the design values. Reduction of containment pressure and the iodine removal capability of the spray reduces the release of fission product radioactivity from containment to the environment, in the event of an accident, to within limits. The Reactor Building Spray and Reactor Building Cooling systems are designed to meet ONS Design Criteria (Ref. 1).

The Reactor Building Cooling System and Reactor Building Spray System are Engineered Safeguards (ES) systems. They are designed to ensure that the heat removal capability required during the post accident period can be attained. The Reactor Building Spray System and Reactor Building Cooling System provide containment heat removal operation. The Reactor Building Spray System and Reactor Building Cooling System provide methods to limit and maintain post accident conditions to less than the containment design values.

Reactor Building Spray System The Reactor Building Spray System consists of two separate trains of equal capacity, each capable of meeting the design basis. Each train includes a reactor building spray pump, spray headers, nozzles, valves, piping and a flow indicator. Each train is powered from a separate ES bus.

The borated water storage tank (BWST) supplies borated water to the Reactor Building Spray System during the injection phase of operation. In the recirculation mode of operation, Reactor Building Spray System pump suction is manually transferred to the reactor building sump.

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-2 Rev. 003 BACKGROUND Reactor Building Spray System (continued)

The Reactor Building Spray System provides a spray of relatively cold borated water into the upper regions of containment to reduce the containment pressure and temperature and to reduce the concentration of fission products in the containment atmosphere during an accident. In the recirculation mode of operation, heat is removed from the reactor building sump water by the decay heat removal coolers. Each train of the Reactor Building Spray System provides adequate spray coverage to meet the system design requirements for containment heat removal.

The Reactor Building Spray System is actuated automatically by a containment High-High pressure signal. An automatic actuation opens the Reactor Building Spray System pump discharge valves and starts the two Reactor Building Spray System pumps.

Reactor Building Cooling System The Reactor Building Cooling System consists of three reactor building cooling trains. Each cooling train is equipped with cooling coils, and an axial vane flow fan driven by a two speed electric motor.

During normal unit operation, typically two reactor building cooling trains with two fans operating at low speed or high speed, serve to cool the containment atmosphere. Low speed cooling fan operation is available during periods of lower containment heat load. The third unit is usually on standby. Upon receipt of an emergency signal, the operating cooling fans running at low speed or high speed will automatically trip, then restart in low speed after a 3 minute delay, and any idle unit is energized in low speed after a 3 minute delay. The fans are operated at the lower speed during accident conditions to prevent motor overload from the higher density atmosphere.

The common LPSW return header will split into two new headers downstream of the Reactor Building Cooling Units (RBCUs). Each header will contain two pneumatic discharge isolation valves and will be capable of full LPSW flow. The headers will be rejoined downstream of the discharge isolation valves into a common return.

APPLICABLE The Reactor Building Spray System and Reactor Building Cooling System SAFETY ANALYSES reduce the temperature and pressure following an accident. The limiting accidents considered are the loss of coolant accident (LOCA) and the steam line break. The postulated accidents are analyzed, with regard to containment ES systems, assuming the loss of one ES bus. This is the

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-3 Rev. 003 APPLICABLE worst-case single active failure, resulting in one train of the Reactor Building SAFETY ANALYSES Spray System and one train of the Reactor Building Cooling System being (continued) inoperable.

The analysis and evaluation show that, under the worst-case scenario (LOCA with worst-case single active failure), the highest peak containment pressure is 57.75 psig. The analysis shows that the peak containment temperature is 283.1°F. Both results are less than the design values. The analyses and evaluations assume a power level of 2619 MWt, one reactor building spray train and two reactor building cooling trains operating, and initial (pre-accident) conditions of 80°F and 15.9 psia. The analyses also assume a delayed initiation to provide conservative peak calculated containment pressure and temperature responses.

The Reactor Building Spray System total delay time of approximately 142 seconds includes Keowee Hydro Unit startup (for loss of offsite power),

reactor building spray pump startup, and spray line filling (Ref. 2).

Reactor building cooling train performance for post accident conditions is given in Reference 2. The result of the analysis is that any combination of two trains can provide 100% of the required cooling capacity during the post accident condition. The train post accident cooling capacity under varying containment ambient conditions is also shown in Reference 2.

Reactor Building Cooling System total delay time of 3 minutes includes KHU startup (for loss of offsite power) and allows all ES equipment to start before the Reactor Building Cooling Unit on the associated train is started. This improves voltages at the 600V and 208V levels for starting loads (Ref. 2).

The Reactor Building Spray System and the Reactor Building Cooling System satisfy Criterion 3 of 10 CFR 50.36 (Ref. 3).

LCO During an accident, a minimum of two reactor building cooling trains and one reactor building spray train are required to maintain the containment pressure and temperature following a LOCA. Additionally, one reactor building spray train is required to remove iodine from the containment atmosphere and maintain concentrations below those assumed in the safety analysis. To ensure that these requirements are met, two reactor building spray trains and three reactor building cooling trains must be OPERABLE in MODES 1 and 2.

In MODES 3 or 4, one reactor building spray train and two reactor building cooling trains are required to be OPERABLE. The LCO is provided with a note that clarifies this requirement. Therefore, in the event of an accident, the minimum requirements are met, assuming the worst-case single active failure occurs.

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-4 Rev. 003 LCO Each reactor building spray train shall include a spray pump, spray (continued) headers, nozzles, valves, piping, instruments, and controls to ensure an OPERABLE flow path capable of taking suction from the BWST (via the LPI System) upon an Engineered Safeguards Protective System signal and manually transferring suction to the reactor building sump. Management of gas voids is important to RBS OPERABILITY. The OPERABILITY of RBS train flow instrumentation is not required for OPERABILITY of the corresponding RBS train because system resistance hydraulically maintains adequate NPSH to the RBS pumps and manual throttling of RBS flow is not required. During an event, LPI train flow must be monitored and controlled to support the RBS train pumps to ensure that the NPSH requirements for the RBS pumps are not exceeded. If the flow instrumentation or the capability to control the flow in a LPI train is unavailable then the associated RBS trains OPERABILITY is affected until such time as the LPI train is restored or the associated LPI pump is placed in a secured state to prevent actuation during an event.

Each reactor building cooling train shall include cooling coils, fusible dropout plates or duct openings, an axial vane flow fan, instruments, valves, and controls to ensure an OPERABLE flow path. Two headers of the LPSW RB Waterhammer Prevention Discharge Isolation Valves are required to support flowpath OPERABILITY or one header of LPSW RB Waterhammer Prevention Discharge Isolation Valves shall be manually opened (remote or local) to prevent automatic closure. Valve LPSW-108 shall be locked open to support system OPERABILITY.

APPLICABILITY In MODES 1, 2, 3, and 4, an accident could cause a release of radioactive material to containment and an increase in containment pressure and temperature, requiring the operation of the reactor building spray trains and reactor building cooling trains.

In MODES 5 and 6, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES.

Thus, the Reactor Building Spray System and the Reactor Building Cooling System are not required to be OPERABLE in MODES 5 and 6.

ACTIONS The Actions are modified by a Note indicating that the provisions of LCO 3.0.4 do not apply for Unit 2 only. As a result, this allows entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-5 Rev. 003 ACTIONS establishment of risk management actions, if appropriate. The risk (continued) assessment may use quantitative, qualitative, or blended approaches and the risk assessment will be conducted using the plant program, procedures, and criteria in place to implement 10 CFR 50.65(a)(4), which requires that risk impacts of maintenance activities to be assessed and managed. The risk assessment must take into account all inoperable Technical Specifications equipment regardless of whether the equipment is included in the normal 10 CFR 50.65(a)(4) risk assessment scope. The risk assessments will be conducted using the procedures and guidance endorsed by Regulatory Guide 1.182, Assessing and Managing Risk Before Maintenance Activities at Nuclear Power Plants. Regulatory Guide 1.1 82 endorses the guidance in Section 11 of NUMARC 93-01, Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. These documents address general guidance for conduct of the risk assessment, quantitative and qualitative guidelines for establishing risk management actions, and example risk management actions. These include actions to plan and conduct other activities in a manner that controls overall risk, increased risk awareness by shift and management personnel, actions to reduce the duration of the condition, actions to minimize the magnitude of risk increases (establishment of backup success paths or compensatory measures), and determination that the proposed MODE change is acceptable. Consideration should also be given to the probability of completing restoration such that the requirements of the LCO would be met prior to the expiration of ACTIONS Completion Times that would require exiting the Applicability.

The risk assessment does not have to be documented.

There is a small subset of systems and components that have been determined (Ref: B&W owners group generic qualitative risk assessments-attachment to TSTF-359, Rev. 9, "B&W owners group Qualitative Risk Assessment for Increased Flexibility in MODE Restraints," Framatome Technologies BAW-2383, October 2001.) to be of higher risk significance for which an LCO 3.0.4 exemption would not be allowed. For Oconee these are the Decay Heat Removal System (DHR) entering MODES, 5 and 4; Keowee Hydro Units entering MODES 1-5; and the emergency feedwater system (EFW) entering MODE 1. The Reactor Spray and Cooling System is not one of the higher risk significant systems noted.

The provisions of this Note should not be interpreted as endorsing the failure to exercise the good practice of restoring systems or components to OPERABLE status before entering an associated MODE or other specified Condition in the Applicability.

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-6 Rev. 003 ACTIONS A.1 (continued)

With one reactor building spray train inoperable in MODE 1 or 2, the inoperable reactor building spray train must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE spray and cooling trains are adequate to perform the iodine removal and containment cooling functions. The 7 day Completion Time takes into account the redundant heat removal capability afforded by the OPERABLE reactor building spray train, reasonable time for repairs, and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action A.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3, Completion Times, for a more detailed discussion of the purpose of the from discovery of failure to meet the LCO" portion of the Completion Time.

B.1 With one of the reactor building cooling trains inoperable in MODE 1 or 2, the inoperable reactor building cooling train must be restored to OPERABLE status within 7 days. The components in this degraded condition provide iodine removal capabilities and are capable of providing at least 100% of the heat removal needs after an accident. The 7 day Completion Time was developed taking into account the redundant heat removal capabilities afforded by combinations of the Reactor Building Spray System and Reactor Building Cooling System and the low probability of an accident occurring during this period.

The 14 day portion of the Completion Time for Required Action B.1 is based upon engineering judgment. It takes into account the low probability of coincident entry into two Conditions in this LCO coupled with the low probability of an accident occurring during this time. Refer to Section 1.3 for a more detailed discussion of the purpose of the "from discovery of failure to meet the LCO" portion of the Completion Time.

C.1 With one reactor building spray train and one reactor building cooling train inoperable in MODE 1 or 2, at least one of the inoperable trains must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In this Condition, the remaining OPERABLE spray and cooling trains are adequate to provide iodine removal capabilities and are capable of providing at least 100% of

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-7 Rev. 003 ACTIONS C.1 (continued) the heat removal needs after an accident. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the heat removal capability afforded by the remaining OPERABLE spray train and cooling trains, reasonable time for repairs, and the low probability of an accident occurring during this period.

D.1 If the Required Action and associated Completion Time of Condition A, B or C are not met, the unit must be brought to a MODE in which the LCO, as modified by the Note, does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Time is reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

E.1 With one of the required reactor building cooling trains inoperable in MODE 3 or 4, the required reactor building cooling train must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on engineering judgement taking into account the iodine and heat removal capabilities of the remaining required train of reactor building spray and cooling.

F.1 With one required reactor building spray train inoperable in MODE 3 or 4, the required reactor building spray train must be restored to OPERABLE status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on engineering judgement taking into account the heat removal capabilities of the remaining required trains of reactor building cooling.

G.1 If the Required Actions and associated Completion Times of Condition E or F of this LCO are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-8 Rev. 003 ACTIONS G.1 (continued) conditions from full power conditions in an orderly manner and without challenging unit systems.

H.1 With two reactor building spray trains, two reactor building cooling trains or any combination of three or more reactor building spray and reactor building cooling trains inoperable in MODE 1 or 2, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

With any combination of two or more required reactor building spray and reactor building cooling trains inoperable in MODE 3 or 4, the unit is in a condition outside the accident analysis. Therefore, LCO 3.0.3 must be entered immediately.

SURVEILLANCE SR 3.6.5.1 REQUIREMENTS Verifying the correct alignment for manual and non-automatic power operated valves in the reactor building spray and cooling flow path provides assurance that the proper flow paths will exist for Reactor Building Spray and Cooling System operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these were verified to be in the correct position prior to locking, sealing, or securing. Similarly, this SR does not apply to automatic valves since automatic valves actuate to their required position upon an accident signal. This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This SR does not require any testing or valve manipulation.

Rather, it involves verification, through a system walkdown, that those valves outside containment and capable of potentially being mispositioned are in the correct position. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

The Surveillance is modified by a second Note which exempts reactor building spray system vent flow paths opened under administrative control. The administrative control should be proceduralized and include stationing a dedicated individual at the system vent flow path who is in continuous communication with the operators in the control room. This individual will have a method to rapidly close the system vent flow path if directed.

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-9 Rev. 003 SURVEILLANCE SR 3.6.5.2 REQUIREMENTS (continued)

Operating each required reactor building cooling train fan unit for 15 minutes ensures that all trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.3 Verifying that each required Reactor Building Spray pump's developed head at the flow test point is greater than or equal to the required developed head ensures that spray pump performance has not degraded during the cycle. Flow and differential pressure are normal tests of centrifugal pump performance required by the ASME Code (Ref. 4). Since the Reactor Building Spray System pumps cannot be tested with flow through the spray headers, they are tested on recirculation flow. This test confirms one point on the pump design curve and is indicative of overall performance. Such inservice tests confirm component OPERABILITY, trend performance, and may detect incipient failures by indicating abnormal performance. The Frequency of this SR is in accordance with the INSERVICE TESTING PROGRAM.

SR 3.6.5.4 Verifying the containment heat removal capability provides assurance that the containment heat removal systems are capable of maintaining containment temperature below design limits following an accident. This test verifies the heat removal capability of the Low Pressure Injection (LPI)

Coolers and Reactor Building Cooling Units. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-10 Rev. 003 SURVEILLANCE SR 3.6.5.5 and 3.6.5.6 REQUIREMENTS (continued)

These SRs require verification that each automatic reactor building spray and cooling valve actuates to its correct position and that each reactor building spray pump starts upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if visual observation and control board indication verifies that all components have responded to the actuation signal properly; the appropriate pump breakers have closed, and all valves have completed their travel. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.7 This SR requires verification that each required reactor building cooling train actuates upon receipt of an actual or simulated actuation signal. The test will be considered satisfactory if control board indication verifies that all components have responded to the actuation signal properly, the appropriate valves have completed their travel, and fans are running at half speed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.8 With the reactor building spray header isolated and drained of any solution, station compressed air is introduced into the spray headers. This SR requires verification that each spray nozzle is unobstructed following activities which could cause nozzle blockage. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.6.5.9 Reactor Building Spray System piping and components have the potential to develop voids and pockets of entrained gases. Preventing and managing gas intrusion and accumulation is necessary for proper operation of the required containment spray trains and may also prevent water hammer and pump cavitation.

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-11 Rev. 003 SURVEILLANCE SR 3.6.5.9 (continued)

REQUIREMENTS Selection of Reactor Building Spray System locations susceptible to gas accumulation is based on a review of system design information, including piping and instrumentation drawings, isometric drawings, plan and elevation drawings, and calculations. The design review is supplemented by system walk downs to validate the system high points and to confirm the location and orientation of important components that can become sources of gas or could otherwise cause gas to be trapped or difficult to remove during system maintenance or restoration.

Susceptible locations depend on plant and system configuration, such as stand-by versus operating conditions.

The Reactor Building Spray System is OPERABLE when it is sufficiently filled with water. Acceptance criteria are established for the volume of accumulated gas at susceptible locations. If accumulated gas is discovered that exceeds the acceptance criteria for the susceptible location (or the volume of accumulated gas at one or more susceptible locations exceeds an acceptance criteria for gas volume at the suction or discharge of a pump), the Surveillance is not met. If it is determined by subsequent evaluation that the Reactor Building Spray System is not rendered inoperable by the accumulated gas (i.e., the system is sufficiently filled with water), the Surveillance may be declared met.

Accumulated gas should be eliminated or brought within the acceptance criteria limits. If the accumulated gas is eliminated or brought within the acceptance criteria limits as part of the Surveillance performance, the Surveillance is considered met and the system is OPERABLE. Past operability is then evaluated under the Corrective Action program. If it is suspected that a gas intrusion event is occurring, then this is evaluated under the Operability Determination Process.

Reactor Building Spray System locations susceptible to gas accumulation are monitored and, if gas is found, the gas volume is compared to the acceptance criteria for the location. Susceptible locations in the same system flow path which are subject to the same gas intrusion mechanisms may be verified by monitoring a representative sub-set of susceptible locations. Monitoring may not be practical for locations that are inaccessible due to radiological or environmental conditions, the plant configuration, or personnel safety. For these locations alternative methods (e.g., operating parameters, remote monitoring) may be used to monitor the susceptible location. Monitoring is not required for susceptible locations where the maximum potential accumulated gas void volume has been evaluated and determined to not challenge system OPERABILITY. The accuracy of the method used for monitoring the susceptible locations and trending of the results should be sufficient to assure system OPERABILITY during the Surveillance interval.

Reactor Building Spray and Cooling Systems B 3.6.5 BASES OCONEE UNITS 1, 2, & 3 B 3.6.5-12 Rev. 003 SURVEILLANCE SR 3.6.5.9 (continued)

REQUIREMENTS The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. The Surveillance Frequency may vary by location susceptible to gas accumulation.

REFERENCES

1.

UFSAR, Section 3.1.

2.

UFSAR, Section 6.2.

3.

10 CFR 50.36.

4.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

OCONEE UNITS 1, 2, & 3 B 3.7.1-1 Rev. 003 MSRVs B 3.7.1 B 3.7 PLANT SYSTEMS B 3.7.1 Main Steam Relief Valves (MSRVs)

BASES BACKGROUND The primary purpose of the MSRVs is to provide overpressure protection for the secondary system. The MSRVs also provide protection against overpressurizing the reactor coolant pressure boundary (RCPB) by providing a heat sink for removal of energy from the Reactor Coolant System (RCS) if the preferred heat sink, provided by the Condenser and Circulating Water System, is not available.

Eight MSRVs are located on each main steam header, outside containment as described in the UFSAR, Section 10.3 (Ref. 1). The MSRV rated capacity passes the full steam flow at 114% RTP with the valves full open.

This meets the requirements of the ASME Code,Section III (Ref. 2). The MSRV design includes staggered setpoints, (Ref. 1) so that only the needed number of valves will actuate. Staggered setpoints reduce the potential for valve chattering because of insufficient steam pressure to fully open the valves.

APPLICABLE The design basis of the MSRVs (Ref. 2) is to limit secondary system SAFETY ANALYSES pressure to 110% of design pressure when passing 105% of design steam flow. This design basis is sufficient to cope with any anticipated transient or accident considered in the accident and transient analysis.

The events that challenge the relieving capacity of the MSRVs, and thus RCS pressure, are those characterized as decreased heat removal or increased heat addition events. MSRV relief capacity is utilized in the UFSAR (Ref. 3 and Ref. 4) for mitigation of the following events:

a.

Loss of main feedwater;

b.

Steam line break;

c.

Steam generator tube rupture;

d.

Rod withdrawal at rated power; and

e.

Loss of Electric Load.

MSRVs B 3.7.1 BASES OCONEE UNITS 1, 2, & 3 B 3.7.1-2 Rev. 003 APPLICABLE The MSRVs satisfy Criterion 3 of 10 CFR 50.36, (Ref. 5).

SAFETY ANALYSIS (continued)

LCO The MSRVs are provided to prevent overpressurization as discussed in the Applicable Safety Analysis section of these Bases. The LCO requires sixteen MSRVs, eight on each main steam line, to be OPERABLE to ensure compliance with the ASME Code following accidents and transients initiated at full power. Operation with less than a full complement of MSRVs is not permitted. To be OPERABLE, lift setpoints must remain within limits, specified in the UFSAR.

The safety function of the MSRVs is to open, relieve steam generator overpressure, and reseat when pressure has been reduced.

OPERABILITY of the MSRVs requires periodic surveillance testing in accordance with the INSERVICE TESTING PROGRAM.

The lift settings correspond to ambient conditions of the valve at nominal operating temperature and pressure.

This LCO provides assurance that the MSRVs will perform the design safety function.

APPLICABILITY In MODES 1, 2, and 3, the MSRVs must be OPERABLE to prevent overpressurization of the main steam system.

In MODES 4 and 5, there is no credible transient requiring the MSRVs.

The steam generators are not normally used for heat removal in MODES 5 and 6, and thus cannot be overpressurized. There is no requirement for the MSRVs to be OPERABLE in these MODES.

ACTIONS A.1 and A.2 With one or more MSRVs inoperable, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months , and in MODE 4 within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

MSRVs B 3.7.1 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.1-3 Rev. 003 SURVEILLANCE SR 3.7.1.1 REQUIREMENTS This SR verifies the OPERABILITY of the MSRVs by the verification of MSRV lift setpoints in accordance with the INSERVICE TESTING PROGRAM. The safety and relief valve tests are performed in accordance with ASME Code (Ref. 6) and include the following for MSRVs:

a.

Visual examination;

b.

Seat tightness determination;

c.

Setpoint pressure determination (lift setting);

d.

Compliance with owner's seat tightness criteria; and

e.

Verification of the balancing device integrity on balanced valves.

The ASME Code requires the testing of all valves every 5 years, with a minimum of 20% of the valves tested every 24 months.

This SR is modified by a Note that states the surveillance is only required to be performed in MODES 1 and 2. This note allows entry into and operation in MODE 3 prior to performing the SR, provided there is no evidence that the equipment is otherwise believed to be incapable of performing its function. Also, the guidance in the TS Bases for SR 3.0.1 states that equipment may be considered OPERABLE following maintenance provided testing has been satisfactorily completed to the extent possible and the equipment is not otherwise believed to be incapable of performing its function. This allows operation to proceed to a MODE or other specified condition where other necessary post maintenance tests can be completed.

For example, the mode change provisions described above specifically applies to scenarios where maintenance on MSRVs is performed below the mode of applicability for LCO 3.7.1, testing has been satisfactorily completed to the extent possible, and the equipment is believed capable of performing its function. The mode change provisions permit entry into Mode 3 in order to test and adjust the set pressure, as necessary, to satisfy SR 3.7.1.1 prior to entry into Mode 2.

The MSRVs may be either bench tested or tested in situ at hot conditions using an assist device to simulate lift pressure. If the MSRVs are not tested at hot conditions, the lift setting pressure must be corrected to ambient conditions of the valve at operating temperature and pressure.

MSRVs B 3.7.1 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.1-4 Rev. 003 REFERENCES

1.

UFSAR, Section 10.3.

2.

ASME, Boiler and Pressure Vessel Code,Section III, Article NC-7000, Class 2 Components.

3.

UFSAR, Chapter 15.

4.

UFSAR, Chapter 10.

5.

10 CFR 50.36.

6.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

OCONEE UNITS 1, 2, & 3 B 3.7.3-1 Rev. 002 MFCVs and SFCVs B 3.7.3 B 3.7 PLANT SYSTEMS B 3.7.3 Main Feedwater Control Valves (MFCVs), and Startup Feedwater Control Valves (SFCVs)

BASES BACKGROUND The main feedwater isolation valves (MFIVs) for each steam generator consist of the MFCVs and the SFCVs. The MFIVs isolate main feedwater (MFW) flow to the secondary side of the steam generators following a high energy line break (HELB). The consequences of events occurring in the main steam lines will be mitigated by their closure. Closing the MFCVs and associated SFCVs valves effectively terminates the addition of feedwater to an affected steam generator, limiting the mass and energy release for steam line breaks (SLBs) inside containment and reducing the cooldown effects for SLBs.

The MFIVs close on receipt of a MSLB detection signal generated by low steam header pressure. The MFIVs can also be closed manually.

APPLICABLE The design basis of the MFIVs is established by the containment analysis SAFETY ANALYSES for the main steam line break (MSLB).

Failure of an MFIV to close following an MSLB, can result in additional mass and energy being delivered to the steam generators, contributing to cooldown. This failure also results in additional mass and energy releases following an MSLB.

The MFIVs satisfy Criterion 3 of 10 CFR 50.36 (Ref. 1).

LCO This LCO ensures that the MFIVs will isolate MFW flow to the steam generators following a main steam line break.

Two MFCVs and two SFCVs are required to be OPERABLE. The MFIVs are considered OPERABLE when the isolation times are within limits and they close on a feedwater isolation actuation signal.

Automatic initiation instrumentation is not required to be OPERABLE in MODE 3 when main steam header pressure is < 700 psig in accordance with LCO 3.3.11, Automatic Feedwater Isolation System (AFIS)

Instrumentation.

MFCVs and SFCVs B 3.7.3 BASES OCONEE UNITS 1, 2, & 3 B 3.7.3-2 Rev. 002 LCO When automatic initiation circuitry is not required to be OPERABLE, the (continued)

MFCVs and SFCVs are OPERABLE provided manual closure capability is OPERABLE. Automatic initiation is not required in this condition since additional time is available for the operator to manually close the valves if required.

Failure to meet the LCO requirements can result in excessive cooldown and additional mass and energy being released to containment following an MSLB inside containment.

APPLICABILITY The MFCVs and SFCVs must be OPERABLE whenever there is significant mass and energy in the RCS and steam generators.

In MODES 1, 2, and 3, the MFCVs and SFCVs are required to be OPERABLE in order to limit the cooldown and the amount of available fluid that could be added to containment in the case of an MSLB inside containment. When the valves are closed, they are already performing their safety function.

In MODES 4, 5, and 6, feedwater and steam generator energy are low.

Therefore, the MFCVs and SFCVs are not required for isolation of potential main steam pipe breaks in these MODES.

ACTIONS The ACTIONS table is modified by a Note indicating that separate Condition entry is allowed for each valve.

A.1 and A.2 With one MFCV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . When these valves are closed or isolated, they are performing their required safety function.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time provides a reasonable time to restore an inoperable MFIV to OPERABLE status and is acceptable due to the low probability of an event occurring during this time period that would require isolation of the MFW flow paths.

MFCVs and SFCVs B 3.7.3 BASES OCONEE UNITS 1, 2, & 3 B 3.7.3-3 Rev. 002 ACTIONS A.1 and A.2 (continued)

Inoperable MFCVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.

B.1 and B.2 With one SFCV in one or more flow paths inoperable, action must be taken to restore the affected valves to OPERABLE status, or to close or isolate inoperable affected valves within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . When these valves are closed or isolated, they are performing their required safety function.

The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time provides a reasonable time to restore an inoperable MFIV to OPERABLE status and is acceptable due to the low probability of an event occurring during this time period that would require isolation of the MFW flow paths.

Inoperable SFCVs that are closed or isolated must be verified on a periodic basis that they are closed or isolated. This is necessary to ensure that the assumptions in the safety analysis remain valid. The 7 day Completion Time is reasonable, based on engineering judgment, in view of valve status indications available in the control room, and other administrative controls, to ensure that these valves are closed or isolated.

C.1 and C.2 If the Required Actions and associated Completion Time are not met, the unit must be in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

MFCVs and SFCVs B 3.7.3 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.3-4 Rev. 002 SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR verifies that the closure time of each MFCV and SFCV is 25 seconds on an actual or simulated actuation signal. The 25 seconds includes a 10 second signal delay and 15 seconds for valve movement.

The MFCV and SFCV closure time is assumed in the containment analyses. This Surveillance is normally performed upon returning the unit to operation following a refueling outage. The MFCV and SFCV should not be tested at power since even a part stroke exercise increases the risk of a valve closure with the unit generating power. This is consistent with the ASME Code (Ref. 2) requirements during operation in MODES 1 and 2.

This SR is modified by a Note that allows entry into and operation in MODE 3 prior to performing the SR.

The Frequency for this SR is in accordance with the INSERVICE TESTING PROGRAM.

REFERENCES

1.

10 CFR 50.36.

2.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

OCONEE UNITS 1, 2, & 3 B 3.7.5-1 Rev. 002 EFW System B 3.7.5 B 3.7 PLANT SYSTEMS B 3.7.5 Emergency Feedwater (EFW) System BASES BACKGROUND The EFW System automatically supplies feedwater to the steam generators to remove decay heat from the Reactor Coolant System (RCS) upon the loss of normal feedwater supply. The EFW pumps take suction through suction lines from the upper surge tank (UST) and condenser Hotwell and pump to the steam generator secondary side through the EFW nozzles. The steam generators function as a heat sink for core decay heat.

The heat load is dissipated by releasing steam to the atmosphere from the steam generators via the main steam relief valves (MSRVs) (LCO 3.7.1, "Main Steam Relief Valves (MSRVs)"), or atmospheric dump valves (ADVs). If the main condenser is available, steam may be released via the Turbine Bypass System and recirculated to the condenser Hotwell.

The EFW System consists of two motor driven EFW pumps and one turbine driven EFW pump, any one of which can provide the required heat removal capability. Thus, the requirements for diversity in motive power sources for the EFW System are met. The steam turbine driven EFW pump receives steam from either of the two main steam headers, upstream of the main turbine stop valves (TSVs), or from the Auxiliary Steam System which can be supplied from the other two unit's Main Steam System. The EFW System supplies a common header capable of feeding either or both steam generators. The EFW System normally receives a supply of water from the UST. The EFW System can also be aligned to the condenser Hotwell. An additional source of water is the condensate storage tank which can be pumped to the USTs.

The EFW System is capable of supplying feedwater to the steam generators during normal unit startup, shutdown, and hot standby conditions.

The three emergency feedwater pumps are started automatically upon a loss of both main feedwater pumps or a signal from the ATWS Mitigation System Actuation Circuitry (AMSAC). The two motor driven emergency feedwater pumps are also started automatically upon a low steam generator level which exists for at least 30 seconds.

The EFW System is discussed in the UFSAR, Section 10.4.7, (Ref. 1).

EFW System B 3.7.5 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.5-2 Rev. 002 APPLICABLE The EFW System mitigates the consequences of any event with a loss of SAFETY ANALYSES normal feedwater.

The design basis of the EFW System is to supply water to the steam generator to remove decay heat and other residual heat by delivering at least the minimum required flow rate to the steam generators at 1064 psia for the MDEFW pump and 1100 psig for the TDEFW pump.

The limiting event for the EFW System is the loss of main feedwater with offsite power available.

The EFW System design is such that it can perform its function following a loss of the turbine driven main feedwater pumps combined with a loss of normal or emergency electric power.

The EFW System satisfies Criterion 3 of 10 CFR 50.36 (Ref. 2).

LCO This LCO provides assurance that the EFW System will perform its design safety function to mitigate the consequences of accidents that could result in overpressurization of the reactor coolant pressure boundary. Three independent EFW pumps and two flow paths are required to be OPERABLE to ensure the availability of residual heat removal capability for all events accompanied by a loss of offsite power and a single failure. This is accomplished by powering one pump by a steam driven turbine supplied with steam from a source not isolated by the closure of the TSVs, and two pumps from a power source that, in the event of loss of offsite power, is supplied by the emergency power source.

The EFW System is considered to be OPERABLE when the components and flow paths required to provide EFW flow to the steam generators are OPERABLE. This requires that the turbine driven EFW pump be OPERABLE with a steam supply from either one of the main steam lines upstream of the TSVs or from the Auxiliary Steam System. The two motor driven EFW pump(s) are also required to be OPERABLE. The two required flow paths shall also be OPERABLE. A flowpath is defined as the flowpath to either steam generator including associated valves and piping capable of being supplied by either the turbine driven pump or the associated motor driven pump. The sources of water to the EFW System are required to be OPERABLE. The associated flow paths from the EFW System sources of water to all EFW pumps also are required to be OPERABLE. In MODES 1 and 2 automatic EFW initiation is required to be

EFW System B 3.7.5 BASES OCONEE UNITS 1, 2, & 3 B 3.7.5-3 Rev. 002 LCO OPERABLE in accordance with Specification 3.3.14, "Emergency (continued)

Feedwater (EFW) Pump Initiation Circuitry." Automatic EFW steam generator level control is required to be OPERABLE when automatic EFW initiation is required to be OPERABLE. EFW automatic initiation instrumentation is not required to be OPERABLE in MODES 3 and 4 in accordance with LCO 3.3.14. In MODES 3 and 4 the EFW System is OPERABLE provided manual initiation capability is OPERABLE. Automatic initiation is not required in MODES 3 and 4 since additional time is available in these MODES for the operator to manually initiate the system if required.

When in MODE 3 and 4 automatic EFW flow control is not required to be OPERABLE provided manual steam generator level control is OPERABLE.

The LCO is modified by a Note indicating that one motor driven EFW pump and EFW flow path, is required in MODE 4 when an SG is relied upon for heat removal. This is because of reduced heat removal requirements, the short duration of MODE 4 in which feedwater is required, and the insufficient steam supply available in MODE 4 to power the turbine driven EFW pump.

APPLICABILITY In MODES 1, 2, and 3, the EFW System is required to be OPERABLE and to function in the event that the main feedwater is lost. In MODE 4, with RCS temperature above 212°F, the EFW System may be used for heat removal via the steam generators. In MODE 4, the steam generators are used for heat removal unless the DHR System is in operation. In MODE 4 steam generators are relied upon for heat removal whenever an RCS loop is required to be OPERABLE or operating to satisfy LCO 3.4.6, "RCS Loops - Mode 4."

In MODES 5 and 6, the steam generators are not used for DHR and the EFW System is not required.

ACTIONS A.1 With one of the motor driven EFW pumps inoperable, action must be taken to restore the MDEFW pump to OPERABLE status within 7 days. The 7 day Completion Time is reasonable, based on the following reasons:

a.

The redundant OPERABLE turbine driven EFW pump(s);

b.

The availability of the redundant OPERABLE motor driven EFW pump; and

EFW System B 3.7.5 BASES OCONEE UNITS 1, 2, & 3 B 3.7.5-4 Rev. 002 ACTIONS A.1 (continued)

c.

The low probability of an event occurring that would require the EFW System during the 7 day period.

The second Completion Time for Required Action A.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO.

The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B exist concurrently. The AND connector between 7 days and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

B.1 When the turbine driven EFW pump or one EFW flow path is inoperable, action must be taken to restore the pump and flow path to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time is reasonable, based on the redundant capabilities afforded by the EFW System, time needed for repairs, and the low probability of an accident occurring during this time period. The second Completion Time for Required Action B.1 establishes a limit on the maximum time allowed for any combination of Conditions to be inoperable during any continuous failure to meet this LCO.

The 10 day Completion Time provides a limitation time allowed in this specified Condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B exist concurrently. The AND connector between 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 10 days dictates that both Completion Times apply simultaneously, and the more restrictive must be met.

C.1 With the two motor driven EFW pumps inoperable, action must be taken to restore at least one pump to OPERABLE status within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Completion Time is reasonable, based on the redundant capabilities afforded by the turbine driven EFW pump, time needed for repairs, and the low probability of an accident occurring during this time period.

EFW System B 3.7.5 BASES OCONEE UNITS 1, 2, & 3 B 3.7.5-5 Rev. 002 ACTIONS D.1 and D.2 (continued)

When Required Action or Completion Time for Condition A, B or C is not met or when the turbine driven EFW pump and one EFW flow path are inoperable in MODE 1, 2, or 3, the unit must be placed in a MODE in which the LCO does not apply. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

In MODE 4, with two EFW pumps and one flow path inoperable, operation is allowed to continue because only one motor driven EFW train is required in accordance with the Note that modifies the LCO. Although not required, the unit may continue to cool down and initiate DHR.

E.1 Required Action E.1 is modified by a Note indicating that all required MODE changes or power reductions are suspended until at least one EFW pump and one flow path are restored to OPERABLE status.

With all EFW pumps or flow paths inoperable in MODE 1, 2, or 3, the unit is in a seriously degraded condition. In such a condition, the unit should not be perturbed by any action, including a power change, that might result in a trip. The seriousness of this condition requires that action be started immediately to restore at least one EFW pump and flow path to OPERABLE status. LCO 3.0.3 is not applicable, as it could force the units into a less safe condition.

F.1 In MODE 4, either the steam generator loops or the DHR loops can be used to provide heat removal, which is addressed in LCO 3.4.6, "RCS Loops - MODE 4." With one required EFW pump or flow path inoperable, action must be taken to immediately restore the inoperable pump or flow path to OPERABLE status.

EFW System B 3.7.5 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.5-6 Rev. 002 SURVEILLANCE SR 3.7.5.1 REQUIREMENTS Verifying the correct alignment for manual, and non-automatic power operated valves in the EFW water and steam supply flow paths provides assurance that the proper flow paths exist for EFW operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since those valves are verified to be in the correct position prior to locking, sealing, or securing.

This SR also does not apply to valves that cannot be inadvertently misaligned, such as check valves. This Surveillance does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.7.5.2 Verifying that each EFW pump's developed head at the flow test point is greater than or equal to the required developed head ensures that EFW pump performance has not degraded below the acceptance criteria during the cycle. Flow and differential head are normal indications of pump performance required by the ASME Code (Ref. 3). Because it is undesirable to introduce cold EFW into the steam generators while they are operating, this test may be performed on a test flow path.

This test confirms OPERABILITY, trends performance, and detects incipient failures by indicating abnormal performance. Performance of inservice testing as discussed in the ASME Code (Ref. 3) and the INSERVICE TESTING PROGRAM satisfies this requirement.

SR 3.7.5.3 This SR verifies that EFW can be delivered to the appropriate steam generator in the event of any accident or transient that generates an Emergency Feedwater System initiation signal by demonstrating that each automatic valve in the flow path actuates to its correct position on an actual or simulated actuation signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative

EFW System B 3.7.5 BASES OCONEE UNITS 1, 2, & 3 B 3.7.5-7 Rev. 002 SURVEILLANCE SR 3.7.5.3 (continued)

REQUIREMENTS controls. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note which states that the SR is not required in MODES 3 and 4. In MODES 3 and 4, the heat removal requirements would be less, thereby providing more time for operator action to manually start the required EFW pump.

SR 3.7.5.4 This SR verifies that each EFW pump starts in the event of any accident or transient that generates an initiation signal. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This SR is modified by a Note which states that the SR is not required in MODES 3 and 4. In MODE 3 and 4, the heat removal requirements would be less, thereby providing more time for operator action to manually start the required EFW pump.

SR 3.7.5.5 This SR ensures that the EFW System is properly aligned by verifying the flow paths to each steam generator prior to entering MODE 2 after more than 30 days in MODE 5 or 6. OPERABILITY of EFW flow paths must be demonstrated before sufficient core heat is generated that would require the operation of the EFW System during a subsequent shutdown. The Frequency is reasonable, based on engineering judgment, in view of other administrative controls to ensure that the flow paths are OPERABLE. To further ensure EFW System alignment, flow path OPERABILITY is verified, following extended outages to determine no misalignment of valves has occurred. This SR ensures that the flow path from the UST to the steam generator is properly aligned.

EFW System B 3.7.5 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.5-8 Rev. 002 REFERENCES

1.

UFSAR, Section 10.4.7.

2.

10 CFR 50.36.

3.

ASME Code for Operation and Maintenance of Nuclear Power Plants.

PSW System B 3.7.10 OCONEE UNITS 1, 2, & 3 B 3.7.10-1 Rev. 004 B 3.7 PLANT SYSTEMS B 3.7.10 Protected Service Water (PSW) System BASES BACKGROUND The Protected Service Water (PSW) system is designed as a standby system for use under emergency conditions. The PSW system provides added "defense in-depth" protection by serving as a backup to existing safety systems and as such, the system is not required to comply with single failure criteria. The PSW system is provided as an alternate means to achieve and maintain safe shutdown conditions for one, two or three units following postulated scenarios that damage essential systems and components normally used for safe shutdown.

The PSW pumping system utilizes the inventory of lake water contained in the Unit 2 Condenser Circulating Water (CCW) piping. The PSW primary and booster pumps are located in the Auxiliary Building (AB) at elevation 771 and take suction from the Unit 2 CCW piping and discharge into the steam generators of each unit via the Emergency Feedwater (EFW) system headers. The raw water is vaporized in the steam generators (SGs), removing residual heat, and is dumped to atmosphere via the Main Steam Relief Valves (MSRVs) or Atmospheric Dump Valves (ADVs). For extended operation, the PSW portable pump with a flow path capable of taking suction from the intake canal and discharging into the Unit 2 CCW piping is designed to provide a backup supply of water to the PSW system in the event of loss of CCW and subsequent loss of CCW siphon flow. The PSW portable pump is stored onsite.

The PSW system is designed to support cool down of the Reactor Coolant System (RCS) and maintain safe shutdown conditions. The PSW system is designed to maintain SG water levels to promote natural circulation Decay Heat Removal (DHR) using the SGs for an extended period of time during which time other plant systems required to cool the RCS to MODE 5 conditions will be restored and brought into service. In addition, the PSW system, in combination with the High Pressure Injection (HPI) system, provides borated water for Reactor Coolant Pump (RCP) seal cooling, RCS makeup, and reactivity management.

The PSW system reduces fire risk by providing a diverse power supply to power safe shutdown equipment in accordance with the National Fire Protection Association (NFPA) 805 safe shutdown analyses (Ref. 3).

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-2 Rev. 004 BACKGROUND The PSW system consists of the following:

(continued)

1. PSW building and associated support systems.

2. Conduit duct bank from the Keowee Hydroelectric Station underground cable trench to the PSW building.

3. Conduit duct bank and raceway from the PSW Building to the Unit 3 AB.

4. Electrical power distribution system from breakers at the Keowee Hydroelectric Station and from the 100 kV PSW substation (supplied from the Central Tie Switchyard) to the PSW building, and from there to the AB.

5. PSW booster pump, PSW primary pump, and mechanical piping taking suction from the Unit 2 embedded CCW System to the EFW headers supplying cooling water to the respective units SGs and HPI pump motor bearing coolers.

6. PSW portable pumping system.

The mechanical portion of the PSW system provides decay heat removal by feeding Lake Keowee water to the secondary side of the SGs. In addition, the PSW pumping system supplies Keowee Lake water to the HPI pump motor coolers.

The PSW pumping system consists of a booster pump, a primary pump, and a portable pump. Other than the portable pump, the pumps and required valves are periodically tested in accordance with the INSERVICE TESTING PROGRAM.

The PSW piping system has pump minimum flow lines that discharge back into the Unit 2 CCW embedded piping.

The PSW primary and booster pumps, motor operated valves, and solenoid valves required to bring the system into service, are controlled from the main control rooms. Check valves and manual handwheel operated valves are used to prevent back-flow, accommodate testing, or are used for system isolation.

The PSW electrical system is designed to provide power to PSW mechanical and electrical components as well as other system components needed to establish and maintain a safe shutdown condition.

Normal power is provided by a transformer connected to a 100 kV overhead transmission line that receives power from the Central Tie Switchyard located approximately eight (8) miles from the plant. Standby power is provided from the Keowee Hydroelectric Station via an underground path. The Keowee Hydro Unit (KHU) aligned to the overhead emergency power path can automatically provide power via its auxiliary transformer (transformer 1X for KHU-1 or transformer 2X for KHU-2) to its auxiliary power loads that are required for its operation.

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-3 Rev. 004 BACKGROUND The KHU aligned to the underground power path does not provide power (continued) to its own auxiliary power loads but instead receives power for its auxiliary power loads from ONS Unit 1 1TC Switchgear via an underground 4kV feeder cable and transformer CX. This power path may not be available in an event mitigated by PSW. Therefore, when the KHU assigned to the underground power path is credited for providing power to PSW, manual operator actions are credited for isolating the KHU from the overhead power path and for realigning the auxiliary power path from transformer CX to its auxiliary transformer.

These external power sources provide power to transformers, switchgear, breakers, load centers, batteries, and battery chargers located in the PSW electrical equipment structure. There are two (2) batteries inside the PSW Building. Either battery is sized to supply PSW DC loads. The battery banks are located in different rooms separated by fire rated walls.

A separate room within the PSW building is provided for major PSW electrical equipment.

PSW building heating, ventilation, and air conditioning (HVAC) is designed to maintain transformer and battery rooms within their design temperature range. The HVAC System consists of two (2) systems; a non QA-1/non credited system designed to maintain the PSW Transformer and Battery Rooms environmental profile and a QA-1/credited system designed to actuate whenever the non QA-1 system is not able to meet its design function.

The hydrogen removal fans are designed to maintain the hydrogen in the Battery rooms below 2% in accordance with IEEE-484 (Ref. 4). The multiple thermostats in each Battery Room ensure temperatures are maintained within acceptable limits.

APPLICABLE The function of the PSW system is to provide a diverse means to achieve SAFETY ANALYSES and maintain safe shutdown by providing secondary side DHR, RCP seal cooling, RCS primary inventory control, and RCS boration for reactivity management following scenarios that disable the 4160 V essential electrical power distribution system.

To verify PSW system performance criteria, thermal-hydraulic (T/H) analysis was performed to demonstrate that the PSW system could achieve and maintain safe shutdown following postulated fires that disable the 4160 V essential power distribution system, without reliance on equipment located in the turbine building. The analysis evaluates RCS subcooling margin using inputs that are representative of plant conditions as defined by Oconees NFPA 805 fire protection program.

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-4 Rev. 004 APPLICABLE The analysis uses an initial core thermal power of 2619 MWth (102% of SAFETY ANALYSES 2568 MWth) and accounts for 24 month fuel cycles. The consequences of (continued) the postulated loss of main and emergency feedwater and 4160 VAC power were analyzed as a RCS overheating scenario. For the examined overheating scenario, an important core input is decay heat. High decay heat conditions were modeled that were reflective of maximum, end of cycle conditions. The high decay heat assumption was confirmed to be bounding with respect to the RCS subcooling response. The results of the analysis demonstrate that the PSW system is capable of meeting the relevant NFPA 805 nuclear safety performance criteria.

During periods of very low decay heat the PSW system will be used to establish conditions that support the formation of subcooled natural circulation between the core and the SGs; however, natural circulation may not occur if the amount of decay heat available is less than or equal to the amount of heat removed by ambient losses to containment and/or by other means, e.g., letdown of required minimum HPI flow through the Reactor Coolant (RC) vent valves. When these heat removal mechanisms are sufficient to remove core decay heat, they are considered adequate to meet the core cooling function and systems supporting SG decay heat removal, although available, are not necessary for core cooling.

Regarding operation in MODES 1 and 2 other than operation at nominal full power, the duration of operation in these conditions is insufficient to result in an appreciable contribution to overall plant risk. As a result, T/H analysis was performed assuming full power initial conditions, as described above and in the Oconee Fire Protection Program, Nuclear Safety Capability Assessment. The plant configuration examined in the T/H analysis is representative of risk significant operating conditions and provides reasonable assurance that a fire mitigated by PSW during these MODES will not prevent the plant from achieving and maintaining fuel in a safe and stable condition.

The PSW system is not an Engineered Safety Feature Actuation System (ESFAS) and is not credited to mitigate design basis events as contained in UFSAR Chapters 6 and 15. No credit is taken in the safety analyses for PSW system operation following design basis events. Based on its contribution to the reduction of overall plant risk, the PSW system satisfies Criterion 4 of 10 CFR 50.36 (c)(2)(ii) (Ref. 2) and is therefore included in the Technical Specifications.

LCO The OPERABILITY of the PSW system provides a diverse means to achieve and maintain safe shutdown by providing secondary side DHR, reactor coolant pump seal cooling, primary system inventory control, and RCS boration for reactivity management during certain plant scenarios that disable the 4160 V essential electrical power distribution system.

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-5 Rev. 004 LCO For OPERABILITY, the following are required:

(continued)

One (1) primary pump, one (1) booster pump, and one (1) portable pump.

A flowpath taking suction from the Unit 2 CCW piping through the PSW pumping system (including recirculation flowpath) and discharging into the secondary side of each SG and the required HPI pump motor bearing cooler.

TS 3.8.3 required number of 125 VDC Vital I&C Battery Chargers.

Note: The Standby battery chargers cannot be credited for PSW OPERABILITY because they are not supplied with PSW power.

One (1) of two (2) PSW batteries and the associated battery charger.

PSW building ventilation system (QA-1) consisting of ductwork, fans, heaters, fire `dampers, tornado dampers, motor-operated dampers and associated controls of the Transformer room AND in-service battery room.

KHU capable of powering its own auxiliary power loads.

If the KHU assigned to the underground power path is credited for supplying power to PSW, in addition to the operability requirements from TSB 3.8.1 for an operable KHU assigned to the underground power path, it must be at a standstill condition (not operating) and the following equipment must also be operable:

KHU-1 KHU-2 Keowee auxiliary transformer 1X

Keowee auxiliary transformer 2X Keowee ACB-1*

Keowee ACB-2*

Keowee ACB-5

Keowee ACB-6 DC Guide Bearing Oil Pump

DC Guide Bearing Oil Pump DC Turbine Sump Pump

DC Turbine Sump Pump PCB-9*

PCB-9*

Master Transfer Switch in Remote

Master Transfer Switch in Remote Loss of 600V Auxiliary Power Alarm in MCR

Loss of 600V Auxiliary Power Alarm in MCR Switchyard Isolate Confirm in MCR Switchyard Isolate Confirm in MCR

must be capable of being manually controlled from ONS Unit 1&2 Control Room

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-6 Rev. 004 LCO If the KHU assigned to the overhead power path is credited for (continued)

PSW, no additional operability requirements are necessary beyond those specified in TSB 3.8.1 for an operable KHU assigned to the overhead power path A PSW electrical system power path from the Keowee Hydroelectric Station.

For OPERABILITY, PSW supplied power is required for the following:

Either the "A" or "B" HPI pump motor.

PSW portable pump (unless self-powered).

HPI valve needed to align the HPI pumps to the Borated Water Storage Tanks (HP-24).

HPI valves that support RCP seal injection and RCS makeup (HP-26, HP-139, and HP-140).

Pressurizer Heaters (150 kW above pressurizer ambient heat loss).

Reactor Vessel Head Vent Valves (RC-159 and RC-160)

One (1) RCS Loop High Point Vent Pathway (RC-155 and RC-156 or RC-157 and RC-158)

Required 125 VDC Vital I&C Normal Battery Chargers.

For OPERABILITY, the following instrumentation and controls located in each main control room are required:

Two (2) high flow controllers (PSW-22 and PSW-24).

Two (2) low flow controllers (PSW-23 and PSW-25).

Two (2) flow indicators (one per SG).

One (1) SG header isolation valve (PSW-6).

One (1) HPI seal injection flow indicator One (1) A HPI train flow indication (from ICCM plasma)

The LCO is modified by a Note indicating that it is not applicable to Unit(s) until startup from a refueling outage after completion of PSW modifications and after all of the PSW system equipment installed has been tested. Certain SRs require the unit to be shutdown to perform the SR.

PSW System B 3.7.10 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.10-7 Rev. 004 APPLICABILITY In MODES 1 and 2, the PSW system provides a diverse means to achieve and maintain safe shutdown by providing secondary side DHR, reactor coolant pump seal cooling, primary system inventory control, and RCS boration for reactivity management during certain plant scenarios that disable the 4160 V essential electrical power distribution system.

As a result of the systems contribution to overall plant risk in mitigating transients initiated during these operating conditions, PSW is required to be OPERABLE in MODES 1 and 2. In MODES 3 and 4, the PSW system can provide a diverse means for secondary side DHR (while the steam generators remain available), reactor coolant pump seal cooling, primary system inventory control, and RCS boration for reactivity management.

Because of the relatively short periods of operation in these MODES, the contribution to the reduction of overall plant risk in mitigating transients initiated during these operating conditions is not sufficient to warrant inclusion of OPERABILITY requirements for MODES 3 and 4 in the Technical Specifications.

In MODES 5 and 6, the steam generators are not available for secondary side DHR. As such, the PSW feed to the SGs is not required. Protected Service Water system backup power to some of the HPI components may be relied upon for shutdown risk defense-in-depth associated with primary system makeup. There are multiple means to achieve primary system makeup during these conditions. As a result, the contribution to the reduction of overall plant risk during these operating conditions is not sufficient to warrant inclusion of OPERABILITY requirements for MODES 5 and 6 in the Technical Specifications.

ACTIONS The exception for LCO 3.0.4 provided in the NOTE of the Actions, permits entry into MODES 1 or 2 with the PSW system not OPERABLE. This is acceptable because the PSW is not required to support normal operation of the facility or to mitigate a design basis event.

A.1 With the PSW system inoperable, action must be taken to restore the system to OPERABLE status within 14 days. The 14-day Completion Time (CT) is reasonable based on the Standby Shutdown Facility (SSF) Auxiliary Service Water (ASW) and reactor coolant makeup (RCMU) systems being OPERABLE and a low probability of scenarios occurring that would require the PSW system during the 14 day period.

B.1 With both the PSW and SSF systems inoperable, action must be taken to restore the PSW system to OPERABLE status within 7 days. The 7 day

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-8 Rev. 004 ACTIONS B.1 (continued)

CT is based on the diverse heat removal capabilities afforded by other systems, reasonable times for repairs, and the low probability of scenarios occurring that would require the PSW system during this period.

C.1 If the Required Action and associated CT of Condition A or B is not met, action must be taken to restore the PSW system to OPERABLE status within 30 days. Operation for up to 30 days is permitted if risk-reducing contingency measures are taken. The 30 days is from the time of discovery of initial inoperability.

The condition is modified by a note indicating that contingency measures are required to be in place prior to entry. The contingency measures provide additional assurance that key equipment is available. For example, the Keowee Hydroelectric Units (KHUs), Emergency Feedwater (EFW) pumps, High Pressure Injection (HPI) pumps, Elevated Water Storage Tank (EWST), and 230 kV switchyard, are key equipment which impact overall risk during the extended outage period. Unavailability of the specific equipment does not preclude entry into the condition nor does it require any action by this TS. Rather the appropriate actions for the specific equipment are specified in the applicable TS or Selected Licensee Commitments (SLC). For example, if the 1A HPI pump becomes inoperable before entry or becomes inoperable after entry, only TS LCO 3.5.2 (HPI), Condition A shall be entered for Unit 1 and the appropriate actions taken until the pump is restored. This does not preclude entry into LCO 3.7.10 Condition C.

The strategy for the contingency measures is to defer non-essential surveillances or other maintenance activities where human error could increase the likelihood of a loss of offsite power (LOOP) or remove key equipment that is important to overall plant risk. This does not preclude surveillances required by technical specifications or corrective maintenance to equipment that is important to overall plant risk. Technical specification required surveillances and corrective maintenance are examples of essential activities.

The following contingency measures are applied to available key equipment to reduce plant risk:

No non-essential surveillances or other maintenance activities, or testing, will be conducted in the 230 kV switchyard.

No non-essential surveillances or other maintenance activities, or testing will be conducted on the Keowee Hydro Units' emergency power system and associated power paths.

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-9 Rev. 004 ACTIONS C.1 (continued)

No non-essential surveillances or other maintenance activities, or testing, will be conducted on each unit's EFW motor-driven and turbine-driven pumps and associated equipment including the EFW cross connects.

No non-essential surveillances or other maintenance activities, or testing, will be conducted on the unit's HPI pumps and associated equipment.

No non-essential surveillances or other maintenance activities, or testing, will be conducted on the EWST.

D.1 If the Required Action and associated CTs of Condition A, B, or C are not met, the unit(s) must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed CT is appropriate to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems, considering a three unit shutdown may be required.

SURVEILLANCE SR 3.7.10.1 REQUIREMENTS Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltage assumed in the battery sizing calculations. The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.2 SR verifies availability of the Keowee Hydroelectric Station power path to the PSW electrical system. Power path verification is included to demonstrate breaker OPERABILITY from the Keowee Hydroelectric Station to the PSW electrical system. To verify KHU-1 can supply the PSW electrical system, Breaker KPF-9 is closed. To verify KHU-2 can supply the PSW electrical system, Breaker KPF-10 is closed. Breakers KPF-9 and KPF-10 are electrically interlocked such that breakers cannot be closed simultaneously. The interlock is tested periodically and each breaker's charging spring is verified to be discharged after breaker testing.

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-10 Rev. 004 SURVEILLANCE SR 3.7.10.2 (continued)

REQUIREMENTS Electrical interlocks prevent compromise of existing redundant emergency power paths. To verify either KHU can supply the PSW electrical system, the PSW Feeder Breaker [B6T-A] or [B7T-C and the PSW switchgear tie breaker] is closed. The Surveillance Frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.3 This SR requires the PSW primary and booster pumps be tested in accordance with the INSERVICE TESTING PROGRAM. The INSERVICE TESTING PROGRAM verifies the developed head of PSW primary and booster pumps at flow test point is greater than or equal to the required developed head. The specified Frequency is in accordance with INSERVICE TESTING PROGRAM requirements.

SR 3.7.10.4 A battery service test is a special test of the battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length correspond to the design duty cycle requirements.

The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.5 This SR verifies the design capacity of the battery charger. According to Regulatory Guide 1.32 (Ref. 1), the battery charger supply is recommended to be based on the largest combined demands of the various steady state loads and the charging capacity to restore the battery from the design minimum charge state to the fully charged state, irrespective of the status of the unit during these demand occurrences.

The minimum required amperes and duration ensure that these requirements can be satisfied.

This SR provides two options. One option requires that each battery charger be capable of supplying 300 amps for greater than 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months at the minimum established float voltage. The current requirements are based on the output rating of the charger. The voltage requirements are based on the charger voltage level after a response to a loss of AC power. The time period is sufficient for the charger temperature to stabilize and to have been maintained for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-11 Rev. 004 SURVEILLANCE SR 3.7.10.5 (continued)

REQUIREMENTS The other option requires that the battery charger be capable of recharging the battery after a service test coincident with supplying the largest coincident demands of the various continuous steady state loads (irrespective of the status of the plant during which these demands occur). This level of loading may not normally be available following the battery service test and will need to be supplemented with additional loads. The duration for this test may be longer than the charger sizing criteria since the battery recharge is affected by float voltage, temperature, and the exponential decay in charging current.

The battery is recharged when the measured charging current is < 2 amps.

The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.6 This SR verifies that the PSW switchgear can be aligned and power both the A and B HPI pump motors (not simultaneously). Although both pump motors are tested, only one (1) is required to support PSW system OPERABILITY. The surveillance frequency is in accordance with the Surveillance Frequency Control Program. Refer to the SR 3.7.10.7 table below for testing of the HPI power and transfer switches.

SR 3.7.10.7 This SR verifies that power transfer switches (shown in table below) for pressurizer heaters, PSW control, electrical panels, and valves, are functional for the required equipment.

Component 1HPI-SX-ALGN001 (PSW HPI alignment switch) 2HPI-SX-ALGN001 (PSW HPI alignment switch) 3HPI-SX-ALGN001 (PSW HPI alignment switch) 1HPI-SX-TRN001 (1A HPI pump transfer switch) 1HPI-SX-TRN002 (1B HPI pump transfer switch) 2HPI-SX-TRN001 (2A HPI pump transfer switch) 2HPI-SX-TRN002 (2B HPI pump transfer switch) 3HPI-SX-TRN001 (3A HPI pump transfer switch) 3HPI-SX-TRN002 (3B HPI pump transfer switch) 1HPI-SX-TRN003 (1HP-24 PSW transfer switch) 1HPI-SX-TRN004 (1HP-26 PSW transfer switch)

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-12 Rev. 004 SURVEILLANCE SR 3.7.10.7 (continued)

REQUIREMENTS Component 2HPI-SX-TRN003 (2HP-24 PSW transfer switch) 2HPI-SX-TRN004 (2HP-26 PSW transfer switch) 3HPI-SX-TRN003 (3HP-24 PSW transfer switch) 3HPI-SX-TRN004 (3HP-26 PSW transfer switch) 1PSW-SX-TRN001 (1CA CHARGER auto transfer switch) 1PSW-SX-TRN002 (1CB CHARGER auto transfer switch) 2PSW-SX-TRN001 (2CA CHARGER auto transfer switch) 2PSW-SX-TRN002 (2CB CHARGER auto transfer switch) 3PSW-SX-TRN001 (3CA CHARGER auto transfer switch) 3PSW-SX-TRN002 (3CB CHARGER auto transfer switch) 1PSW-SX-TRN004 (manual transfer switch for 1XJ) 1PSW-SX-TRN005 (manual transfer switch for 1XK) 2PSW-SX-TRN003 (manual transfer switch for 2XJ) 2PSW-SX-TRN004 (manual transfer switch for 2XI) 2PSW-SX-TRN005 (manual transfer switch for 2XK) 3PSW-SX-TRN003 (manual transfer switch for 3XJ) 3PSW-SX-TRN004 (manual transfer switch for 3XI) 3PSW-SX-TRN005 (manual transfer switch for 3XK) 1RC-155/1RC-156 power transfer 1RC-157/1RC-158 power transfer 1RC-159/1RC-160 power transfer 2RC-155/2RC-156 power transfer 2RC-157/2RC-158 power transfer 2RC-159/2RC-160 power transfer 3RC-155/3RC-156 power transfer 3RC-157/3RC-158 power transfer 3RC-159/3RC-160 power transfer The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.8 SR verifies PSW booster pump and check valves can supply water to the "A" and "B" HPI pump motor coolers in accordance with the INSERVICE TESTING PROGRAM.

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-13 Rev. 004 SURVEILLANCE SR 3.7.10.9 REQUIREMENTS (continued)

This SR requires that the PSW portable pump be tested to verify that the developed head of PSW portable pump at the flow test point is greater than or equal to the required developed head. The surveillance frequency is in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.10 This SR requires the required PSW valves be tested in accordance with the INSERVICE TESTING PROGRAM. The specified Frequency is in accordance with INSERVICE TESTING PROGRAM requirements.

SR 3.7.10.11 Performance of the CHANNEL CHECK for each required instrumentation channel ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel with a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The instrument string to the control room is checked and calibrated periodically per the Surveillance Frequency Control Program.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled in accordance with the Surveillance Frequency Control Program.

PSW System B 3.7.10 BASES OCONEE UNITS 1, 2, & 3 B 3.7.10-14 Rev. 004 SURVEILLANCE SR 3.7.10.12 REQUIREMENTS (continued)

CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled in accordance with the Surveillance Frequency Control Program.

SR 3.7.10.13 Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled in accordance with the Surveillance Frequency Control Program.

REFERENCES

1. Regulatory Guide 1.32, February 1977.

2. 10 CFR 50.36 (last amended September 24, 2008).

3. NFPA 805 Safety Evaluation Report, dated December 29, 2010.

4. IEEE-484-2002.

OCONEE UNITS 1, 2, & 3 B 3.7.19-1 Rev. 002 SFPC Purification System Isolation from BWST B 3.7.19 B 3.7 Plant Systems B 3.7.19 Spent Fuel Pool Cooling (SFPC) Purification System Isolation from Borated Water Storage Tank (BWST)

BASES BACKGROUND A SFPC purification loop is provided to maintain the purity of the water in the spent fuel pool. This loop is also utilized to purify the water in the BWST following refueling, and to maintain clarity in the fuel transfer canal during refueling. Water from the BWST or fuel transfer canal can be purified by using the borated water recirculation pump.

The BWST recirculation pump removes water from the BWST for demineralization and filtering. The pump may also be used for recirculating the BWST prior to sampling and while demineralizing and filtering the water in the fuel transfer canal during a transfer of fuel. It may also be used for emptying the fuel transfer canal if spent fuel coolant pumps are unavailable for use. There is one pump for Units 1 and 2, and one for Unit 3. (Reference 1)

The Reverse Osmosis (RO) System removes silica from the Spent Fuel Pools (SFPs) and BWSTs by using a reverse osmosis filtering process.

The RO System consists of an RO unit and supply and return piping from the BWSTs and SFPs. The RO unit is located in the Unit 2 Pipe Trench Area Room (Room 349) directly below the Unit 2 West Penetration Room (WPR). A single RO unit is shared by all three Oconee Nuclear Station (ONS) units. The RO unit is capable of being aligned to the Unit 1 & 2 SFP, the Unit 3 SFP, the Unit 1 BWST, the Unit 2 BWST, or the Unit 3 BWST. RO System piping and existing Spent Fuel (SF) Purification Loop piping are used for these alignments.

To establish a path from the Unit 1 and Unit 2 BWSTs, RO System piping is connected to the Unit 1 & 2 Spent Fuel (SF) Purification Loop downstream of two redundant automatic isolation valves. To establish a path from the Unit 3 BWST, RO System piping is connected to the Unit 3 SF Purification Loop downstream of two redundant automatic isolation valves.

SFPC Purification System Isolation from BWST B 3.7.19 BASES OCONEE UNITS 1, 2, & 3 B 3.7.19-2 Rev. 002 BACKGROUND The return piping from the RO unit is routed back to the purification (continued) portion of the two SFPC Purification Systems (Units 1 & 2 and Unit 3).

The RO System return piping is non-seismic up to the point where connections are made to the SF purification piping. A check valve is installed in each of the return lines to the SF purification piping. The check valve and the downstream piping are seismically qualified. The location where the discharge piping connects to the purification loop is such that the return flow can be aligned to the same source supplying the RO unit.

The BWST water is routed to the RO System from the SF purification loop. The two redundant automatic isolation valves are credited to isolate the RO system and the SFPC purification system to prevent unanalyzed radiological releases from either system. The valves are automatically isolated upon receipt of a low BWST level actuation signal prior to ECCS suction swapover to the reactor building sump.

APPLICABLE The large break LOCA assumes back-leakage from the sump to the SAFETY ANALYSES borated water storage tank (BWST). RO system operation or BWST recirculation using the BWST recirculation pump requires a flow path to be open from the BWST. Two redundant safety related automatic isolation valves are used to isolate each SFPC Purification System (Unit 1 and 2, and Unit 3) prior to ECCS Suction swapover from the BWST to the reactor building sump to prevent unanalyzed radiological releases.

With the automatic isolation of this pathway, the use of the SFPC purification system for RO operation or BWST recirculation does not impact the assumptions in the design basis LOCA dose analysis. These automatic valve isolations are part of the primary success pathway which functions to mitigate the LOCA and meet 10 CFR 50.36, Criterion 3 (Reference 2). The isolation of the SFPC purification system credits two safety related automatic isolation valves and several manual valves upstream of the automatic isolation valves to ensure the plant stays within the bounds of the design basis LOCA analysis.

LCO This LCO requires that the two automatic isolation valves used to isolate the SFPC purification system (one set for Unit 1 & 2 and one set for Unit

3) from the BWST to be OPERABLE. The automatic isolation valves are required to close on an automatic isolation signal. The LCO requires that the SFPC Purification System branch line manual valves located upstream of the automatic valves to be and closed and meet INSERVICE TESTING PROGRAM leakage requirements.

SFPC Purification System Isolation from BWST B 3.7.19 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.19-3 Rev. 002 APPLICABILITY The SFPC purification system automatic isolation valves are required to be OPERABLE and the branch line manual isolation valves are required to be closed and meet INSERVICE TESTING PROGRAM leakage requirements in MODES 1, 2, 3, and 4 when the SFPC Purification System is not isolated from the BWST, consistent with emergency core cooling system (ECCS) OPERABILITY requirements. These requirements ensure the plant stays within the bounds of the design basis LOCA analysis.

ACTIONS The ACTIONS are modified by two Notes. Note 1 allows the SFPC purification system flow path from the BWST to be unisolated intermittently under administrative controls. The opening of a closed valve in the flow path on an intermittent basis under administrative control includes the following: (1) stationing an operator, who is in constant communication with control room, at the valve controls, (2) instructing this operator to close these valves in an accident situation, and (3) assuring that environmental conditions will not preclude access to close the valves and that this action will prevent the release of radioactivity outside the SFPC purification system. In this way, the flow path can be rapidly isolated when a need for isolation is indicated. The maximum continuous RO system operating period is 7 days. Procedures controlling RO System operation limit operation to a specified time period to prevent the boron concentration and water level going below the TS limit of the BWST.

A second Note has been added to provide clarification that, for this LCO, separate Condition entry is allowed for each branch line manual valve.

This is acceptable, since the Required Actions for each applicable Condition provide appropriate compensatory actions for each inoperable manual valve. Complying with the Required Actions may allow for continued operation, and subsequent inoperable manual valves are governed by subsequent Condition entry and application of associated Required Actions.

A.1 and A.2 In the event one SFPC purification system BWST automatic isolation valve is inoperable, the SFPC Purification System flow path must be isolated within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic isolation valve, a closed and de-activated non-automatic power operated valve, a closed manual valve, or a blind flange. For the SFPC Purification System flow path isolated in accordance with Required Action A.1, the device used to isolate the flow path should be the closest available to the inoperable SFPC Purification System BWST

SFPC System Isolation from BWST B 3.7.19 BASES OCONEE UNITS 1, 2, & 3 B 3.7.19-4 Rev. 002 ACTIONS A.1 and A.2 (continued) automatic isolation valve. The 4-hour Completion Time is considered reasonable, considering the time required to isolate the flow path and the low probability of an accident occurring during this time period requiring isolation of the SFPC Purification System from the BWST.

For an automatic isolation valve that cannot be restored to OPERABLE status within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time and that has been isolated in accordance with Required Action A.1, the flow path must be verified to be isolated on a periodic basis. This periodic verification is necessary to ensure that the flow path is isolated should an event occur requiring it to be isolated. This Required Action does not require any testing or device manipulation. Rather, it involves verification, through a system walkdown, that an isolation device capable of being mispositioned is in the correct position. The Completion Time of "once per 31 days is appropriate considering the fact that the device is operated under administrative controls and the probability of its misalignment is low.

B.1 In the event two SFPC purification system BWST automatic isolation valves are inoperable, the flow path must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic isolation valve, a closed and de-activated non-automatic power operated valve, a closed manual valve, or a blind flange. For the SFPC purification system BWST flow path isolated in accordance with Required Action B.1, the device used to isolate the flow path should be the closest available to the SFPC purification system BWST automatic isolation valves. The 1-hour Completion Time is considered reasonable, considering the time required to isolate the flow path and the low probability of an accident occurring during this time period requiring isolation of the SFPC purification system from the BWST.

In the event the affected SFPC purification system BWST flow path is isolated in accordance with Required Action B.1, the flow path must be verified to be isolated on a periodic basis per Required Action A.2, which remains in effect. This periodic verification is necessary to ensure that the flow path is isolated should an event occur requiring it to be isolated. The Completion Time of once per 31 days for verifying the flow path is isolated is appropriate considering the fact that the device is operated under administrative controls and the probability of its misalignment is low.

SFPC System Isolation from BWST B 3.7.19 BASES OCONEE UNITS 1, 2, & 3 B 3.7.19-5 Rev. 002 ACTIONS C.1 and C.2 (continued)

If a required manual valve(s) is discovered or not closed or not meeting INSERVICE TESTING PROGRAM leakage requirements, the flow path must be isolated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic isolation valve, a closed and de-activated non-automatic power operated valve, a closed manual valve, or a blind flange. The 1-hour Completion Time is considered reasonable, considering the time required to isolate the flow path and the low probability of an accident occurring during the time period requiring this action. This is necessary to ensure that the flow path to the top of the BWST is isolated.

In the event a SFPC purification system branch line flow path is isolated in accordance with Required Action C.1, the flow path must be verified to be isolated on a periodic basis per Required Action C.2. This periodic verification is necessary to ensure that the flow path is isolated should an event occur requiring it to be isolated. The Completion Time of once per 31 days for verifying the flow path is isolated is appropriate considering the fact that the device is operated under administrative controls and the probability of its misalignment is low.

D.1 and D.2 If the Required Actions and associated Completion Times of Condition A, B, or C are not met, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 5 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

SURVEILLANCE SR 3.7.19.1 REQUIREMENTS This SR requires verification that the SFPC Purification system branch line manual valves SF-51, 53, 54, and DW-112 for Unit 1 and 2 or 3SF-51, 53, 54, and 3DW-112 for Unit 3 that are not locked, sealed, or otherwise secured in the closed position, are closed. The SR helps to ensure that post accident leakage of radioactive fluids does not impact the offsite dose analysis. This SR does not require any testing or valve manipulation.

Rather, it involves verification, through a system walkdown,

SFPC System Isolation from BWST B 3.7.19 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.7.19-6 Rev. 002 SURVEILLANCE SR 3.7.19.1 (continued)

REQUIREMENTS (continued) that each manual isolation valve is closed. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program. This SR does not apply if a valve is locked, sealed, or otherwise secured, since it was verified to be in the correct position upon locking, sealing, or securing.

SR 3.7.19.2 This SR verifies that the SFPC Purification system branch line manual valves SF-51, 53, 54, and DW-112 for Unit 1 and 2 or 3SF-51, 53, 54, and 3DW-112 for Unit 3 meet INSERVICE TESTING PROGRAM leakage requirements. The specified Frequency is in accordance with the INSERVICE TESTING PROGRAM requirements.

SR 3.7.19.3 This SR verifies that the SFPC Purification System BWST automatic isolation valves are OPERABLE in accordance with the INSERVICE TESTING PROGRAM. As part of this SR, the INSERVICE TESTING PROGRAM leakage requirements are verified met. The specified Frequency is in accordance with the INSERVICE TESTING PROGRAM requirements.

SR 3.7.19.4 This SR requires verification that each SFPC Purification System automatic isolation valve (SF-166 and SF-167 for Unit 1 & 2 and 3SF-166 and 3SF-167 for Unit 3) actuates to the isolation position on an actual or simulated isolation signal. This SR is not required for valves that are locked, sealed, or otherwise secured in position under administrative controls. The SR helps to ensure that post accident leakage of radioactive fluids do not impact the offsite dose analysis. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

UFSAR, Section 9.1.3.

2.

10 CFR 50.36.

OCONEE UNITS 1, 2, & 3 B 3.10.1-1 Rev. 002 SSF 3.10.1 B 3.10 STANDBY SHUTDOWN FACILITY B 3.10.1 Standby Shutdown Facility (SSF)

BASES BACKGROUND The Standby Shutdown Facility (SSF) is designed as a standby system for use under certain emergency conditions. The system provides additional "defense in-depth" protection for the health and safety of the public by serving as a backup to existing safety systems. The SSF is provided as an alternate means to achieve and maintain the unit in MODE 3 with average RCS temperature 525oF (unless the initiating event causes the unit to be driven to a lower temperature) following a fire, turbine building flood, and station blackout (SBO) events. The SSF is designed in accordance with criteria associated with these events. The SSF Auxiliary Service Water (ASW) System is credited as a backup to Emergency Feedwater (EFW) due to the lack of tornado missile protection for the EFW System. In addition, the SSF may be activated as necessary in response to events associated with plant security. In that the SSF is a backup to existing safety systems, the single failure criterion is not required. Failures in the SSF systems will not cause failures or inadvertent operations in other plant systems. The SSF requires manual activation and can be activated if emergency systems are not available.

The SSF is designed to maintain the reactor in a safe shutdown condition for a period of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months following a fire or turbine building flood, and for a period of four hours following an SBO. The capability of the SSF to maintain the reactor in a safe shutdown condition is also credited for certain security-related events. This is accomplished by re-establishing and maintaining Reactor Coolant Pump Seal cooling; assuring natural circulation and core cooling by maintaining the primary coolant system filled to a sufficient level in the pressurizer while maintaining sufficient secondary side cooling water; and maintaining the reactor subcritical by isolating all sources of Reactor Coolant System (RCS) addition except for the Reactor Coolant Makeup System which supplies makeup of a sufficient boron concentration.

The main components of the SSF are the SSF Auxiliary Service Water (ASW) System, SSF Portable Pumping System, SSF Reactor Coolant (RC) Makeup System, SSF Power System, and SSF Instrumentation.

The SSF ASW System is a high head, high volume system designed to provide sufficient steam generator (SG) inventory for adequate decay heat removal for three units during a loss of normal AC power in conjunction with the loss of the normal and emergency feedwater systems. One motor driven SSF ASW pump, located in the SSF, serves all three units. The SSF ASW pump, two HVAC service water pumps, and the Diesel Service Water (DSW) pump share a common suction

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-2 Rev. 002 BACKGROUND supply of lake water from the embedded Unit 2 condenser circulating (continued) water (CCW) piping. The SSF DSW pump and an HVAC pump must be operable in order to satisfy the operability requirements for the Power System. (Only one HVAC service water pump is required to be operable to satisfy the LCO.)

The SSF ASW System is used to provide adequate cooling to maintain single phase RCS natural circulation flow in MODE 3 with an average RCS temperature 525oF (unless the initiating event causes the unit to be driven to a lower temperature). In order to maintain single phase RCS natural circulation flow, an adequate number of Bank 2, Group B and C pressurizer heaters must be OPERABLE. These heaters are needed to compensate for ambient heat loss from the pressurizer. As long as the temperature in the pressurizer is maintained, RCS pressure will also be maintained. This will preclude hot leg voiding and ensure adequate natural circulation cooling.

The SSF Portable Pumping System, which includes a submersible pump and a flow path capable of taking suction from the intake canal and discharging into the Unit 2 CCW line, is designed to provide a backup supply of water to the SSF in the event of loss of CCW and subsequent loss of CCW siphon flow. The SSF Portable Pumping System is installed manually according to procedures.

The SSF RC Makeup System is designed to supply makeup to the RCS in the event that normal makeup systems are unavailable. An SSF RC Makeup Pump located in the Reactor Building of each unit supplies makeup to the RCS should the normal makeup system flow and seal cooling become unavailable. The system is designed to ensure that sufficient borated water is provided from the spent fuel pools to allow the SSF to maintain all three units in MODE 3 with average RCS temperature 525oF (unless the initiating event causes the unit to be driven to a lower temperature) for approximately 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . An SSF RC Makeup Pump is capable of delivering borated water from the Spent Fuel Pool to the RC pump seal injection lines. A portion of this seal injection flow is used to makeup for reactor coolant pump seal leakage while the remainder flows into the RCS to makeup for other RCS leakage (non LOCA).

The SSF Power System provides electrical isolation of SSF equipment from non-SSF equipment. The SSF Power System includes 4160 VAC, 600 VAC, 208 VAC, 120 VAC and 125 VDC power. It consists of switchgear, a load center, motor control centers, panelboards, remote starters, batteries, battery chargers, inverters, a diesel generator (DG),

relays, control devices, and interconnecting cable supplying the appropriate loads.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-3 Rev. 002 BACKGROUND The AC power system consists of 416O V switchgear OTS1; 600 V load (continued) center OXSF; 600 V motor control centers XSF, 1XSF, 2XSF, 3XSF, PXSF; 208 V motor control centers 1XSF, 1XSF-1, 2XSF, 2XSF-1, 3XSF, 3XSF-1; 120 V panelboards KSF, KSFC.

The SSF 125 VDC Power System provides a reliable source of power for DC loads needed to black start the diesel. The DC power system consists of two 125 VDC batteries and associated chargers, two 125 VDC distribution centers (DCSF, DCSF-1), and a DC power panelboard (DCSF). Only one battery and associated charger is required to be operable and connected to the 125 VDC distribution center to supply the 125 VDC loads. In this alignment, which is normal, the battery is floated on the distribution center and is available to assure power without interruption upon loss of its associated battery charger or AC power source. The other 125 VDC battery and its associated charger are in a standby mode and are not normally connected to the 125 VDC distribution center. However, they are available via manual connection to the 125 VDC distribution center to supply SSF loads, if required.

The SSF Power System is provided with standby power from a dedicated DG. The SSF DG and support systems consists of the diesel generator, fuel oil transfer system, air start system, diesel engine service water system, as well as associated controls and instrumentation. This SSF DG is rated for continuous operation at 3500 kW, 0.8 pf, and 4160 VAC.

The SSF electrical design load does not exceed the continuous rating of the DG. The auxiliaries required to assure proper operation of the SSF DG are supplied entirely from the SSF Power System. The SSF DG is provided with manual start capability from the SSF only. It uses a compressed air starting system with four air storage tanks. An independent fuel system, complete with a separate underground storage tank, duplex filter arrangement, a fuel oil transfer pump, and a day tank, is supplied for the DG.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-4 Rev. 002 BACKGROUND The following information will aid in determination of SSF Operability:

(continued)

Associated Inoperable Systems SSF ASW System SSF Portable Pumping System SSF RCMU System SSF Power System SSF Instruments SSF ASW System YES YES YES YES YES SSF Portable Pumping YES YES YES YES YES SSF RCMU System NO NO YES NO NO SSF Power System YES YES YES YES YES SSF Instr.

System NO NO NO NO YES SSF PZR.

Heaters**

YES NO NO NO NO SSF RCS Isolation Valves NO NO YES NO NO SSF HVAC System YES YES YES YES YES

- When SSF pressurizer heaters are inoperable, the resulting inoperability of the SSF ASW System does NOT render other SSF systems inoperable.

SSF ASW System Provides motive force for SSF ASW suction pipe air ejector. The air ejector is needed to maintain siphon flow to the SSF HVAC service water pump, the SSF DSW pump, and the SSF ASW pump when the water level in the U2 CCW supply pipe becomes too low. If the SSF DSW pump becomes inoperable, the SSF Power System will become inoperable. Since an inoperable SSF Power System causes all other SSF subsystems to be inoperable, an inoperable SSF ASW System will also cause other SSF Subsystems to be inoperable.

Provides adequate SG cooling to reduce & maintain RCS pressure below the pressure where the SSF RC makeup pump discharge relief valve, HP-404, begins to leak flow. Therefore, full SSF RC Makeup System seal injection flow will be provided to the RC pump seals in time to prevent seal degradation or failure.

SSF System Removed From Service

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-5 Rev. 002 BACKGROUND SSF ASW pump should be operated when the diesel is operated to (continued) provide a load for the diesel. This is not a requirement for operability since the diesel could be operated to provide long term power to one or more units RC makeup pumps without operating the SSF ASW pump as long as a large load (SSF ASW pump ) is not added later (diesel desouping concern).

SSF Portable Pumping Supplies makeup water to the SSF ASW System, the SSF DSW System, and the SSF HVAC Service Water System after siphon flow / gravity flow and forced CCW flow are lost.

SSF Power System Other SSF Systems cannot operate without receiving power from the diesel for SSF scenarios where power from U2 MFB is not available.

SSF Pressurizer Heaters Single phase RCS natural circulation flow cannot be maintained without the pressurizer heaters. The number of SSF heaters utilized is based on testing and calculations performed on a unit by unit basis to determine the minimum number of required heaters needed to overcome actual pressurizer ambient losses. Since the heaters do not have their own action statement, the SSF ASW System is declared inoperable when the heaters are inoperable.

SSF RCS Isolation Valves (HP-3, HP-4, HP-20, RC-4, RC-5, RC-6)

These valves do not have their own action statement. When they are inoperable, their corresponding SSF RC makeup system is considered inoperable.

SSF HVAC System Portions of the SSF HVAC System, consisting of the SSF Air Conditioning (AC) and Ventilation Systems support the SSF Power System OPERABILITY. The SSF AC System, which includes the HVAC service water system and AC equipment (fan motors, compressors, condensers, and coils), must be operable to support SSF Power System operability. Since an inoperable SSF Power System results in all other SSF subsystems being inoperable, an SSF HVAC System operability problem that makes the SSF Power System inoperable also results in other SSF Subsystems being inoperable.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-6 Rev. 002 BACKGROUND The SSF AC System is designed to maintain the SSF Control Room, (continued)

Computer Room, and Battery Rooms within their design temperature range. Elevated temperatures in the SSF Control Room and Computer Room could cause the SSF Power System to fail during an accident which requires operation of the SSF. The SSF AC System consists of two refrigeration circuits and an air handling unit. The requirements for the refrigeration circuits vary with outdoor air temperature. Depending on outdoor air temperature and Air Conditioning System performance, the two refrigeration circuits may not be required to support SSF power system OPERABILITY. The air handling unit is required to circulate air regardless of the number of refrigeration circuits required. Since the SSF HVAC service water pumps perform a redundant function, only one of the two are required to be operable for the SSF HVAC service water system to be considered operable. The SSF Ventilation System, which supplies outside air to the Switchgear, Pump, HVAC and Diesel Generator Rooms, is composed of the following four subsystems: Constant Ventilation, Summer Ventilation, On-line Ventilation, and Diesel Generator Engine Ventilation. These ventilation systems work together to provide cooling to the various rooms of the SSF under both standby and on-line modes. The Diesel Generator Engine Ventilation fan is required for operability of the SSF Power System. The six fans associated with the other three ventilation systems may or may not be required for SSF operability dependent upon outside air temperature. If the SSF AC System refrigeration circuits or one of the ventilation fans fail, an engineering evaluation must be performed to determine if any of the SSF Systems or instrumentation are inoperable.

SSF Instrumentation System SSF Instrumentation is provided to monitor RCS pressure, RCS Loop A and B temperature (hot leg and cold leg), pressurizer water level, and SG A and B water level. Indication is displayed on the SSF control panel.

APPLICABLE The SSF serves as a backup for existing safety systems to SAFETY ANALYSES provide an alternate and independent means to achieve and maintain one, two, or three Oconee units in MODE 3 with average RCS temperature 525oF (unless the initiating event causes the unit to be driven to a lower temperature) for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months following a fire or a turbine building flood. The SSF is also credited for station blackout (SBO) coping, which has a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months coping duration (Refs. 1, 4, 5, 6, and 7.)

The OPERABILITY of the SSF is consistent with the assumptions of the Oconee Probabilistic Risk Assessment (Ref. 2). Therefore, the SSF satisfies Criterion 4 of 10 CFR 50.36 (Ref. 3).

SSF B 3.10.1 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.10.1-7 Rev. 002 LCO The SSF Instrumentation in Table B 3.10.1-1 and the following SSF Systems shall be OPERABLE:

a.

SSF Auxiliary Service Water System;

b.

SSF Portable Pumping System;

c.

SSF Reactor Coolant Makeup System; and

d.

SSF Power System.

An OPERABLE SSF ASW System includes pressurizer heaters capable of being powered from the SSF, and an SSF ASW pump, piping, instruments, and controls to ensure a flow path capable of taking suction from the Unit 2 condenser circulating water (CCW) line and discharging into the secondary side of each SG. The minimum number of pressurizer heaters capable of being powered from the SSF is based on maintaining RCS natural circulation flow which is achieved by maintaining a steam bubble in the pressurizer at a high enough temperature to provide subcooling margin in the RCS. The pressurizer steam bubble is maintained by offsetting pressurizer heat loss due to ambient heat loss from the pressurizer and pressurizer steam space leakage. The following table provides the minimum number of SSF controlled pressurizer heaters versus steam space leakage rates that may be used in combination to meet Operability requirements for the SSF. Engineering Input is needed to determine if other combinations of pressurizer heaters versus steam space leakage rate are acceptable.

Currently, SSF thermal margin issues require an additional four (4) pressurizer heaters above the number needed to offset ambient heat loss. The additional 4 heaters are included in the required number of Pressurizer Heaters Available for each Unit presented in the tables below.

Unit 1 Number of Bank 2, Group B & C Maximum Allowed Pressurizer Pressurizer Heaters Available Steam Space Leakage 15 0.00 GPM Unit 2 Number of Bank 2, Group B & C Maximum Allowed Pressurizer Pressurizer Heaters Available Steam Space Leakage 17 0.00 GPM

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-8 Rev. 002 LCO Unit 3 (continued)

Number of Bank 2, Group B & C Maximum Allowed Pressurizer Pressurizer Heaters Available Steam Space Leakage 14 0.00 GPM An OPERABLE SSF Portable Pumping System includes an SSF submersible pump and a flow path capable of taking suction from the intake canal and discharging into the Unit 2 CCW line. An OPERABLE Reactor Coolant Makeup System includes an SSF RC Makeup pump, piping, instruments, and controls to ensure a flow path capable of taking suction from the spent fuel pool and discharging into the RCS. The following leakage limits are applicable for the SSF RC Makeup System to be considered OPERABLE:

Maximum Allowed Total Combined RCS Leakage for SSF RC Makeup System Operability The maximum allowed total combined RCS leakage is 15.0 GPM for Units 1, 2, and 3. A Units total combined RCS leakage shall be less than or equal to this value for its corresponding SSF RC Makeup System to be considered OPERABLE.

Total Combined RCS leakage is based on Total RCS Leakage Rate +

Quench Tank Level Increase + Total RC Pump Seal Return Flow. Total RC Pump Seal Return Flow is determined by summing the seal return flow rate for all four RC Pumps. If the seal return flow rate for a RC Pump is not available, the seal return flow may be determined using the method described below. The seal return flow rate limits defined below have been previously determined to meet operability requirements for the SSF.

The following discussion regarding failed RCP seal stages does not permit or prohibit operation with a failed seal stage. It is included only to indicate the basis for SSF RCMU System operability. Engineering input is needed to determine operability requirements when multiple seal return flow instruments have failed.

Unit 1 If the seal return flow rate for a RC Pump is not available and at least two of three seals are intact on one RCP, 3.1 GPM may be used as the seal

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-9 Rev. 002 LCO return flow rate for the affected pump. This worst case seal leakage (continued) occurs when one seal stage is failed and RCS pressure is at 2500 psig.

Engineering input is needed to determine operability requirements when two seals of an RCP have failed.

Unit 2 and Unit 3 If the seal return flow rate for a RC Pump not available, 2.9 GPM may be used as the seal return flow rate for the affected pump. This worst case leakage occurs when two seal stages are failed and RCS pressure at 2500 psig.

An OPERABLE SSF Power System includes the SSF DG, diesel support systems, 4160 VAC, 600 VAC, 208 VAC, 120 VAC, and 125 VDC systems. Only one 125 VDC SSF battery and its associated charger are required to be OPERABLE to support OPERABILITY of the 125 VDC system.

APPLICABILITY The SSF System is required in MODES 1, 2, and 3 to provide an alternate means to achieve and maintain the unit in MODE 3 with average RCS temperature 525oF (unless the initiating event causes the unit to be driven to a lower temperature) following a fire, turbine building flood, or SBO. The SSF ASW System is credited as a backup to EFW due to the lack of tornado missile protection for the EFW System. The safety function of the SSF is to achieve and maintain the unit in MODE 3 with average RCS temperature 525oF (unless the initiating event causes the unit to be driven to a lower temperature); therefore, this LCO is not applicable in MODES 4, 5, or 6.

ACTIONS The exception for LCO 3.0.4, provided in the Note of the Actions, permits entry into MODES 1, 2, and 3 with the SSF not OPERABLE. This is acceptable because the SSF is not required to support normal operation of the facility or to mitigate a design basis accident.

A.1, B.1, C.1, D.1, and E.1 With one or more of the SSF Systems inoperable or the required SSF instrumentation of Table B 3.10.1-1 inoperable, the SSF is in a degraded condition and the system(s) or instrumentation must be restored to OPERABLE status within 7 days. The 7 day Completion Time is based on the low probability of an event occurring which would require the SSF to be utilized.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-10 Rev. 002 ACTIONS F.1 (continued)

If the Required Action and associated Completion Time of Condition A, B, C, D, or E are not met when SSF Systems or Instrumentation are inoperable due to maintenance, the unit may continue to operate provided that the SSF is restored to OPERABLE status within 45 days from discovery of initial inoperability.

This Completion Time is modified by a Note that indicates that the SSF shall not be in Condition F for more than a total of 45 days in a calendar year. This includes the 7 day Completion Time that leads to entry into Condition F. For example, if the SSF ASW System is inoperable for 10 days, the 45 day special inoperability period is reduced to 35 days. If the SSF ASW System is inoperable for 6 days, Condition A applies and there is no reduction in the 45 day allowance. The limit of 45 days per calendar year minimizes the number and duration of extended outages associated with exceeding the 7 day Completion Time of a Condition.

G.1 and G.2 If the Required Action and associated Completion Time of Condition F are not met or if the Required Action and associated Completion Time of Condition A, B, C, D, or E are not met for reasons other than Condition F, the unit must be brought to a MODE in which the LCO does not apply.

To achieve this status, the plant must be brought to MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and MODE 4 within 84 hours9.722222e-4 days 0.0233 hours 1.388889e-4 weeks 3.1962e-5 months . The allowed Completion Times are appropriate, to reach the required unit conditions from full power conditions in an orderly manner and without challenging plant systems, considering a three unit shutdown may be required.

SSF B 3.10.1 BASES (continued)

OCONEE UNITS 1, 2, & 3 B 3.10.1-11 Rev. 002 SURVEILLANCE SR 3.10.1.1 REQUIREMENTS Performance of the CHANNEL CHECK for each required instrumentation channel ensures that a gross failure of instrumentation has not occurred.

A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel with a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the two instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; therefore, it is key in verifying that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. This SR is modified by a Note to indicate that it is not applicable to the SSF RCS temperature instrument channels, which are common to the RPS RCS temperature instrument channels and are normally aligned through a transfer isolation device to each Unit control room. The instrument string to the SSF control room is checked and calibrated periodically per the Surveillance Frequency Control Program.

Agreement criteria are determined based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the sensor or the signal processing equipment has drifted outside its limit. If the channels are within the criteria, it is an indication that the channels are OPERABLE. If the channels are normally off scale during times when surveillance is required, the CHANNEL CHECK will only verify that they are off scale in the same direction. Off scale low current loop channels are verified to be reading at the bottom of the range and not failed downscale.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-12 Rev. 002 SURVEILLANCE SR 3.10.1.2 REQUIREMENTS (continued)

Verifying battery terminal voltage while on float charge for the batteries helps to ensure the effectiveness of the charging system and the ability of the batteries to perform their intended function. Float charge is the condition in which the charger is supplying the continuous charge required to overcome the internal losses of a battery (or battery cell) and maintain the battery (or a battery cell) in a fully charged state. The voltage requirements are based on the nominal design voltage of the battery and are consistent with the initial voltages assumed in the battery sizing calculations. The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.3 and 3.10.1.4 SR 3.10.1.3 provides verification that the level of fuel oil in the day tank is at or above the level at which fuel oil is automatically added. The level is expressed as an equivalent volume in gallons. The day tank is sized based on the amount of fuel oil required to successfully start the DG and to allow for orderly shutdown of the DG upon loss of fuel oil from the main storage tank.

SR 3.10.1.4 provides verification that there is an adequate inventory of fuel oil in the storage tanks to support SSF DG operation for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months at full load. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months period is sufficient time to place the unit in a safe shutdown condition The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program during this period.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-13 Rev. 002 SURVEILLANCE SR 3.10.1.5 REQUIREMENTS (continued)

The SR requires the DG to start (normal or emergency) from standby conditions and achieve required voltage and frequency. Standby conditions for a DG means that the diesel engine coolant and oil are being continuously circulated and temperature is being maintained consistent with manufacturer recommendations. This SR is modified by a Note to indicate that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup period prior to loading. This minimizes wear on moving parts that do not get lubricated when the engine is running.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.6 This Surveillance ensures that sufficient air start capacity for the SSF DG is available, without the aid of the refill compressor. The SSF DG air start system is equipped with four air storage tanks. Each set of two tanks will provide sufficient air to start the SSF DG a minimum of three successive times without recharging. The pressure specified in this SR is intended to reflect the lowest value at which the three starts can be accomplished.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.7 This Surveillance demonstrates that the fuel oil transfer pump automatically starts and transfers fuel oil from the underground fuel oil storage tank to the day tank. This is required to support continuous operation of SSF DG. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-14 Rev. 002 SURVEILLANCE SR 3.10.1.8 REQUIREMENTS (continued)

A sample of fuel oil is required to be obtained from the SSF day tank and underground fuel oil storage tank in accordance with the Diesel Fuel Oil Testing Program in order to ensure that fuel oil viscosity, water, and sediment are within the limits of the Diesel Fuel Oil Testing Program.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.9 This Surveillance verifies that the SSF DG is capable of synchronizing with the offsite electrical system and accepting loads greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize electrical loads, while minimizing the time that the DG is connected to the offsite source.

Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0.

The 0.8 value is the design rating of the machine, while the 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. Note 1 indicates that diesel engine runs for this Surveillance may include gradual loading, as recommended by the manufacturer, so that mechanical stress and wear on the diesel engine are minimized. Note 2 states that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients above the limit will not invalidate the test. Note 3 indicates that all DG starts for this Surveillance may be preceded by an engine prelube period and followed by a warmup period prior to loading.

This minimizes wear on moving parts that do not get lubricated.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-15 Rev. 002 SURVEILLANCE SR 3.10.1.10 REQUIREMENTS (continued)

Visual inspection of the battery cells, cell plates, and battery racks provides an indication of physical damage or abnormal deterioration that could potentially degrade battery performance.

The presence of physical damage or deterioration does not necessarily represent a failure of this SR, provided an evaluation determines that the physical damage or deterioration does not affect the OPERABILITY of the battery (its ability to perform its design function).

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.11 Visual inspection of battery cell to cell and terminal connections provides an indication of physical damage that could potentially degrade battery performance. The anti-corrosion material is used to help ensure good electrical connections and to reduce terminal deterioration. The visual inspection for corrosion is not intended to require removal of and inspection under each terminal connection.

The limits established for this SR must be no more than 20% above the resistance as measured during installation or not above the ceiling value established by the manufacturer.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-16 Rev. 002 SURVEILLANCE SR 3.10.1.12 REQUIREMENTS (continued)

A battery service test is a special test of the battery capability, as found, to satisfy the design requirements (battery duty cycle) of the DC electrical power system. The discharge rate and test length correspond to the design duty cycle requirements. The design basis discharge time for the SSF battery is one hour.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.13 CHANNEL CALIBRATION is a complete check of the instrument channel, including the sensor. The test verifies that the channel responds to a measured parameter within the necessary range and accuracy.

CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drift to ensure that the instrument channel remains operational between successive tests. CHANNEL CALIBRATION shall find that measurement errors and bistable setpoint errors are within the assumptions of the setpoint analysis. CHANNEL CALIBRATIONS must be performed consistent with the assumptions of the setpoint analysis.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

SR 3.10.1.14 Inservice Testing of the SSF valves demonstrates that the valves are mechanically OPERABLE and will operate when required. These valves are required to operate to ensure the required flow path.

The specified Frequency is in accordance with the INSERVICE TESTING PROGRAM requirements. Operating experience has shown that these components usually pass the SR when performed at the INSERVICE TESTING PROGRAM Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-17 Rev. 002 SURVEILLANCE SR 3.10.1.15 REQUIREMENTS (continued)

This SR requires the SSF pumps to be tested in accordance with the INSERVICE TESTING PROGRAM. The INSERVICE TESTING PROGRAM verifies the required flow rate at a discharge pressure to verify OPERABILITY. The SR is modified by a note indicating that it is not applicable to the SSF submersible pump.

The specified Frequency is in accordance with the INSERVICE TESTING PROGRAM requirements. Operating experience has shown that these components usually pass the SR when performed at the INSERVICE TESTING PROGRAM Frequency. Therefore, the Frequency was concluded to be acceptable from a reliability standpoint.

SR 3.10.1.16 This SR requires the SSF submersible pump to be tested on a 2 year Frequency and verifies the required flow rate at a discharge pressure to verify OPERABILITY.

The Surveillance Frequency is based on operating experience, equipment reliability, and plant risk and is controlled under the Surveillance Frequency Control Program.

REFERENCES

1.

UFSAR, Section 9.6.

2.

Oconee Probabilistic Risk Assessment.

3.

10 CFR 50.36.

4.

NRC Letter from L. A. Wiens to H. B. Tucker, "Safety Evaluation Report on Effect of Tornado Missiles on Oconee Emergency Feedwater System," dated July 28, 1989.

5.

NRC Letter from L. A. Wiens to J. W. Hampton, "Safety Evaluation for Station Blackout (10 CFR 50.63) - Oconee Nuclear Station, Units 1, 2, and 3," dated March 10, 1992.

SSF B 3.10.1 BASES OCONEE UNITS 1, 2, & 3 B 3.10.1-18 Rev. 002 REFERENCES

6.

NRC Letter from L. A. Wiens to J. W. Hampton, "Supplemental (continued)

Safety Evaluation for Station Blackout (10 CFR 50.63) - Oconee Nuclear Station, Units 1, 2, and 3," dated December 3, 1992.

7.

UFSAR Section 8.3.2.2.4.

OCONEE UNITS 1, 2, & 3 B 3.10.1-19 Rev. 002 SSF B 3.10.1 Table B 3.10.1-1 (page 1 of 1)

SSF Instrumentation FUNCTION REQUIRED CHANNELS PER UNIT

1. Reactor Coolant System Pressure 1

2. Reactor Coolant System Temperature (Tc) 1/Loop

3. Reactor Coolant System Temperature (Th) 1/Loop

4. Pressurizer Water Level 1

5. Steam Generator A & B Water Level 1/SG

RA-18-0282, Technical Specification Bases Changes

Text

Subject:

Navigation menu

RA-18-0282, Technical Specification Bases Changes

Text

Subject:

Navigation menu

Search