Text

Technical Specification Bases, Manual
	ML19078A210
Person / Time
Site:	Susquehanna
Issue date:	03/06/2019
From:	; Susquehanna
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	Download: ML19078A210 (282)
	v • d • e

.L".lU.L.

VVt .t:..V..L-1 Page 1 of 5 MANUAL HARD COPY DISTRIBUTION DOCUMENT TRANSMITTAL 2019-3556 USER INFORMATION:

GERLACH*ROSEY M EMPL#:028401 CA#: 0363 Address: NUCSA2 Phone#: 542-3194 TRANSMITTAL INFORMATION:

TO: GERLACH*ROSEY M 03/06/2019 LOCATION: USNRC FROM: NUCLEAR RECORDS DOCUMENT CONTROL CENTER (NUCSA-2)

THE FOLLOWING CHANGES HAVE OCCURRED TO THE HARDCOPY OR ELECTRONIC MANUAL ASSIGNED TO YOU. HARDCOPY USERS MUST ENSURE THE DOCUMENTS PROVIDED MATCH THE INFORMATION ON THIS TRANSMITTAL. WHEN REPLACING THIS MATERIAL IN YOUR HARDCOPY MANUAL, ENSURE THE UPDATE DOCUMENT ID rs THE SAME DOCUMENT ID YOU'RE REMOVING FROM YOUR MANUAL. TOOLS FROM THE HUMAN PERFORMANCE TOOL BAG SHOULD BE UTILIZED TO ELIMINATE THE CHANCE OF

.F.RRORS.

1rTENTION: "REPLACE" directions do not affect the Table of Contents, Therefore no

_i::oc will be issued with the updated material.

TSBl - TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL REMOVE MANUAL TABLE OF CONTENTS DATE: 02/27/2019 ADD MANUAL TABLE OF CONTENTS DATE: 03/05/2019 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.10.1 ADD: REV: 2 REMOVE: REV:1

Page 2 of 5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.5.1 REMOVE : REV: 4 ADD: REV: 5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.5.2 ADD: REV: 2 REMOVE: REV:1 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.5.3 ADD: REV: 0 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.6.1 REMOVE: REV: 8 ADD: REV: 9 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.6.2

,OD: REV: 6 REMOVE: REV:5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.3.7.1 ADD: REV: 4 REMOVE: REV:3 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.5.1 ADD: REV: 6 REMOVE: REV:5 CATEGORY: DOCUMENTS TYPE: TSBl

.l"JU..1..

VU/ .£.,V..1.J Page 3 of 5 ID: TEXT 3.5.2 ADD: REV: 3 REMOVE: REV:2 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.5.3 ADD: REV: 6 REMOVE: REV:5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.1.3 ADD: REV: 15 REMOVE: REV:14 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.2.2 ADD: REV: 2 REMOVE: REV:1 CATEGORY: DOCUMENTS TYPE: TSBl D: TEXT 3.6.4.1 JDD: REV: 15 REMOVE: REV:14 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.4.2 ADD: REV: 14 REMOVE: REV:13 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.6.4.3 REMOVE: REV:6 ADD: REV: 7

J."J.U.1..

VU I .&..V..L.,.I Page 4 of 5 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.7.3 REMOVE: REV:3 ADD: REV: 4 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.7.4 ADD: REV: 2 REMOVE: REV:1 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.8.1 ADD: REV: 10 REMOVE: REV:9 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.8.2 ADD: REV: 1 REMOVE: REV:O

\~TEGORY: DOCUMENTS TYPE: TSBl c<*): TEXT 3.8.5 REMOVE: REV:1 ADD: REV: 2 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT 3.8.8 ADD: REV: 2 REMOVE: REV:1 CATEGORY: DOCUMENTS TYPE: TSBl ID: TEXT TOC ADD: REV: 25 REMOVE: REV:24

Page 5 of 5 ANY DISCREPANCIES WITH THE MATERIAL PROVIDED, CONTACT DCS@ X3171 OR X3194 FOR ASSISTANCE. UPDATES FOR HARDCOPY MANUALS WILL BE DISTRIBUTED WITHIN 3 DAYS IN ACCORDANCE WITH DEPARTMENT PROCEDURES. PLEASE MAKE ALL CHANGES AND ACKNOWLEDGE COMPLETE IN YOUR NIMS INBOX UPON COMPLETION OF UPDATES. FOR ELECTRONIC MANUAL USERS, ELECTRONICALLY REVIEW THE APPROPRIATE DOCUMENTS AND ACKNOWLEDGE COMPLETE IN YOUR NIMS INBOX.

SSES MANUAL Manual Name: TSBl Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL Table Of Contents Issue Date: 03/05/2019 Procedure Name Rev Issue Date Change ID Change Number TEXT LOES 134 01/03/2019

Title:

LIST OF EFFECTIVE SECTIONS TEXT TOC 25 03/05/2019

Title:

TABLE OF CONTENTS

//~

TEXT 2 .1.1 6 01/22/2015

<0~

0 'V

Title:

SAFETY LIMITS (SLS) REACTOR CORE SLS TEXT 2 . 1. 2 1 10/04/2007 \_A ". ' -, .V. . ~

Title:

SAFETY LIMITS (SLS) REACTOR COOLANT SYSTEM~RESSURE S TEXT 3.0 4 01/03/2~

I Tit1e, LIMITING CONDITION FOR OPERAT)"~~~~CABILITY TEXT 3.1.1 1 /-~~,~~

Title:

REACTIVITY CONTROL SYSJ~El':J:S"'-~OWN MARGIN (SDM)

TEXT 3 . 1. 2 (

"' ~

'- --.._, 11/15/2002

Title:

REACTIVITY CONTROL-*-._SYSTEMS REACTIVITY ANOMALIES TBXT3.1.3 ,C;(CJ): 11/16/2016

Title:

REACTIVLTY CONTROL~SYSTEMS CONTROL ROD OPERABILITY TEXT 3 .1.4

\\J)

'-.._._.,/ 5 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS CONTROL ROD SCRAM TIMES TEXT 3 .1. 5 2 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS CONTROL ROD SCRAM ACCUMULATORS TEXT 3 .1. 6 4 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS ROD PATTERN CONTROL Page 1 of _!!. Report Date: 03/06/19

SSES MANUAL Manual Name: TSBl Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3 .1. 7 4 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS STANDBY LIQUID CONTROL (SLC) SYSTEM TEXT 3 .1. 8 4 11/16/2016

Title:

REACTIVITY CONTROL SYSTEMS SCRAM DISCHARGE VOLUME (SDV) VENT AND DRAIN VALVES TEXT 3.2.1 3 11/16/2016

Title:

POWER DISTRIBUTION LIMITS AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR)

TEXT 3.2.2 4 11/16/2016

Title:

POWER DISTRIBUTION LIMITS MINIMUM CRITICAL POWER RATIO (MCPR)

TEXT 3.2.3 3 11/16/2016

Title:

POWER DISTRIBUTION LIMITS LINEAR HEAT GENERATION RATE (LHGR)

TEXT 3.3.1.1 7 11/16/2016

Title:

INSTRUMENTATION REACTOR PROTECTION SYSTEM (RPS) INSTRUMENTATION TEXT 3 . 3 . 1. 2 4 01/23/2018

Title:

INSTRUMENTATION SOURCE RANGE MONITOR (SRM) INSTRUMENTATION TEXT 3.3.2.1 5 11/16/2016

Title:

INSTRUMENTATION CONTROL ROD BLOCK INSTRUMENTATION TEXT 3.3.2.2 3 11/16/2016

Title:

INSTRUMENTATION FEEDWATER MAIN TURBINE HIGH WATER LEVEL TRIP INSTRUMENTATION TEXT 3.3.3.1 10 11/16/2016

Title:

INSTRUMENTATION POST ACCIDENT MONITORING (PAM) INSTRUMENTATION TEXT 3.3.3.2 2 11/16/2016

Title:

INSTRUMENTATION REMOTE SHUTDOWN SYSTEM TEXT 3.3.4.1 3 11/16/2016

Title:

INSTRUMENTATION END OF CYCLE RECIRCULATION PUMP TRIP (EOC-RPT) INSTRUMENTATION Page _a of ~ Report Date: 03/06/19

SSES MANUAL Manual Name: TSB1 Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.3.4.2 1 11/16/2016

Title:

INSTRUMENTATION ANTICIPATED TRANSIENT WITHOUT SCRAM RECIRCULATION PUMP TRIP (ATWS-RPT) INSTRUMENTATION TEXT 3.3.5.1 5 03/05/2019

Title:

INSTRUMENTATION EMERGENCY CORE COOLING SYSTEM (ECCS) INSTRUMENTATION TEXT 3.3.5.2 2 03/05/2019

Title:

REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL INSTRUMENTATION TEXT 3.3.5.3 0 03/05/2019

Title:

INSTRUMENTATION REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM INSTRUMENTATION

- PREVIOUSLY TEXT 3.3.5.2 REV l**

TEXT 3.3.6.1 9 03/05/2019

Title:

INSTRUMENTATION PRIMARY CONTAINMENT ISOLATION INSTRUMENTATION TEXT 3.3.6.2 6 03/05/2019

Title:

INSTRUMENTATION SECONDARY CONTAINMENT ISOLATION INSTRUMENTATION TEXT 3.3.7.1 4 03/05/2019

Title:

INSTRUMENTATION CONTROL ROOM EMERGENCY OUTSIDE AIR SUPPLY (CREOAS) SYSTEM INSTRUMENTATION TEXT 3.3.8.1 3 11/16/2016

Title:

INSTRUMENTATION LOSS OF POWER (LOP) INSTRUMENTATION TEXT 3.3.8.2 1 11/16/2016

Title:

INSTRUMENTATION REACTOR PROTECTION SYSTEM (RPS) ELECTRIC POWER MONITORING TEXT 3.4.1 5 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RECIRCULATION LOOPS OPERATING TEXT 3.4.2 4 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) JET PUMPS TEXT 3.4.3 3 01/13/2012

Title:

REACTOR COOLANT SYSTEM RCS SAFETY RELIEF VALVES S/RVS Pagel of 8 Report Date: 03/06/19

SSES MANUAL Manual Name: TSB1 i

\ __ .. Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.4.4 1 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS OPERATIONAL LEAKAGE TEXT 3.4.5 2 04/13/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS PRESSURE ISOLATION VALVE (PIV) LEAKAGE TEXT 3.4.6 5 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS LEAKAGE DETECTION INSTRUMENTATION TEXT 3.4.7 3 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS SPECIFIC ACTIVITY TEXT 3.4.8 3 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RESIDUAL HEAT REMOVAL (RHR) SHUTDOWN COOLING SYSTEM

- HOT SHUTDOWN TEXT 3.4.9 2 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RESIDUAL HEAT REMOVAL (RHR) SHUTDOWN COOLING SYSTEM

- COLD SHUTDOWN TEXT 3.4.10 5 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) RCS PRESSURE AND TEMPERATURE (P/T) LIMITS TEXT 3.4.11 1 11/16/2016

Title:

REACTOR COOLANT SYSTEM (RCS) REACTOR STEAM DOME PRESSURE TEXT 3.5.1 6 03/05/2019

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING TEXT 3.5.2 3 03/05/2019

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING TEXT 3.5.3 6 03/05/2019

Title:

EMERGENCY CORE COOLING SYSTEMS (ECCS) REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ECCS OPERATING

(

of ~ Report Date: 03/06/19

SSES MANUAL Manual Name: TSBl Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3 . 6 . 1. 1 6 11/16/2016

Title:

PRIMARY CONTAINMENT TEXT 3 . 6 . 1. 2 2 11/16/2016

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT AIR LOCK TEXT 3 . 6 . 1. 3 15 03/05/2019

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT ISOLATION VALVES (PCIVS)

TEXT 3.6.1.4 2 11/16/2016

Title:

CONTAINMENT SYSTEMS CONTAINMENT PRESSURE TEXT 3.6.1.5 2 11/16/2016

Title:

CONTAINMENT SYSTEMS DRYWELL AIR TEMPERATURE

TEXT 3 . 6 . 1. 6 1 11/16/2016

Title:

CONTAINMENT SYSTEMS SUPPRESSION CHAMBER-TO-DRYWELL VACUUM BREAKERS TEXT 3.6.2.1 3 11/16/2016

Title:

CONTAINMENT SYSTEMS SUPPRESSION POOL AVERAGE TEMPERATURE TEXT 3.6.2.2 2 03/05/2019

Title:

CONTAINMENT SYSTEMS SUPPRESSION POOL WATER LEVEL TEXT 3.6.2.3 2 11/16/2016

Title:

CONTAINMENT SYSTEMS RESIDUAL HEAT REMOVAL (RHR) SUPPRESSION POOL COOLING TEXT 3.6.2.4 1 11/16/2016

Title:

CONTAINMENT SYSTEMS RESIDUAL HEAT REMOVAL (RHR) SUPPRESSION POOL SPRAY TEXT 3.6.3.1 2 06/13/2006

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT HYDROGEN RECOMBINERS TEXT 3.6.3.2 3 09/29/2017

Title:

CONTAINMENT SYSTEMS DRYWELL AIR FLOW SYSTEM Page .2. of 8 Report Date: 03/06/19

SSES MANUAL Manual Name: TSBl Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.6.3.3 3 09/29/2017

Title:

CONTAINMENT SYSTEMS PRIMARY CONTAINMENT OXYGEN CONCENTRATION TEXT 3.6.4.1 15 03/05/2019

Title:

CONTAINMENT SYSTEMS SECONDARY CONTAINMENT TEXT 3.6.4.2 14 03/05/2019

Title:

CONTAINMENT SYSTEMS SECONDARY CONTAINMENT ISOLATION VALVES (SCIVS)

TEXT 3.6.4.3 7 03/05/2019

Title:

CONTAINMENT SYSTEMS STANDBY GAS TREATMENT (SGT) SYSTEM TEXT 3.7.1 5 11/16/2016

Title:

PLANT SYSTEMS RESIDUAL HEAT REMOVAL SERVICE WATER (RHRSW) SYSTEM AND THE ULTIMATE HEAT SINK (UHS)

TEXT 3.7.2 3 11/16/2016

Title:

PLANT SYSTEMS EMERGENCY SERVICE WATER (ESW) SYSTEM TEXT 3.7.3 4 03/05/2019

Title:

PLANT SYSTEMS CONTROL ROOM EMERGENCY OUTSIDE AIR SUPPLY (CREOAS) SYSTEM TEXT 3.7.4 2 03/05/2019

Title:

PLANT SYSTEMS CONTROL ROOM FLOOR COOLING SYSTEM TEXT 3.7.5 2 11/16/2016

Title:

PLANT SYSTEMS MAIN CONDENSER OFFGAS TEXT 3.7.6 3 11/16/2016

Title:

PLANT SYSTEMS MAIN TURBINE BYPASS SYSTEM TEXT 3.7.7 2 11/16/2016

Title:

PLANT SYSTEMS SPENT FUEL STORAGE POOL WATER LEVEL TEXT 3.7.8 1 11/16/2016

Title:

PLANT SYSTEMS Page .§. of 8 Report Date: 03/06/19

,J*

/ SSES MANUAL Manual Narne: TSBl

- Manual

Title:

TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.8.1 10 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS AC SOURCES - OPERATING TEXT- 3.8.2 1 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS AC SOURCES - SHUTDOWN TEXT 3.8.3 6 12/14/2017

Title:

ELECTRICAL POWER SYSTEMS DIESEL FUEL OIL, LUBE OIL, AND STARTING AIR TEXT 3.8.4 4 11/16/2016

Title:

ELECTRICAL POWER SYSTEMS DC SOURCES - OPER.1\.TING TEXT 3.8.5 2 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS DC SOURCES - SHUTDOWN TEXT 3.8.6 2 11/16/2016

Title:

ELECTRICAL POWER SYSTEMS BATTERY CELL PARAMETERS TEXT 3.8.7 2 11/16/2016

Title:

ELECTRICAL POWER SYSTEMS DISTRIBUTION SYSTEMS - OPERATING TEXT 3.8.8 2 03/05/2019

Title:

ELECTRICAL POWER SYSTEMS DISTRIBUTION SYSTEMS - SHUTDOWN TEXT 3.9.1 1 11/16/2016

Title:

REFUELING OPERATIONS REFUELING EQUIPMENT INTERLOCKS TEXT 3.9.2 2 11/16/2016

Title:

REFUELING OPERATIONS REFUEL POSITION ONE-ROD-OUT INTERLOCK TEXT 3.9.3 1 11/16/2016

Title:

REFUELING OPERATIONS CONTROL ROD POSITION TEXT 3.9.4 0 11/15/2002

Title:

REFUELING OPERATIONS CONTROL ROD POSITION INDICATION Page 1 of 8 Report Date: 03/06/19

SSES MANUAL Manua1 Na.me: TSB1 Manua1 Tit1e: TECHNICAL SPECIFICATION BASES UNIT 1 MANUAL TEXT 3.9.5 1 11/16/2016 Tit1e: REFUELING OPERATIONS CONTROL ROD OPERABILITY - REFUELING TEXT 3.9.6 2 11/16/2016

Title:

REFUELING OPERATIONS REACTOR PRESSURE VESSEL (RPV) WATER LEVEL TEXT 3.9.7 1 11/16/2016 Tit1e: REFUELING OPERATIONS RESIDUAL HEAT REMOVAL (RHR) - HIGH WATER,LEVEL TEXT 3.9.8 1 11/16/2016

Title:

REFUELING OPERATIONS RESIDUAL HEAT REMOVAL (RHR) - LOW WATER LEVEL TEXT 3.10.1 2 03/05/2019 Tit1e: SPECIAL OPERATIONS INSERVICE LEAK AND HYDROSTATIC TESTING OPERATION TEXT 3.10.2 1 11/16/2016

Title:

SPECIAL OPERATIONS REACTOR MODE SWITCH INTERLOCK TESTING TEXT 3'. 10 . 3 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD WITHDRAWAL~ HOT SHUTDOWN TEXT 3.10.4 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD WITHDRAWAL - COLD SHUTDOWN TEXT 3.10.5 1 11/16/2016

Title:

SPECIAL OPERATIONS SINGLE CONTROL ROD DRIVE (CRD) REMOVAL - REFUELING TEXT 3.10.6 1 11/16/2016 Tit1e: SPECIAL OPERATIONS MULTIPLE CONTROL ROD WITHDRAWAL - REFUELING TEXT 3.10.7 1 04/18/2006

Title:

SPECIAL OPERATIONS CONTROL ROD TESTING - OPERATING TEXT 3.10.8 2 11/16/2016 Tit1e: SPECIAL OPERATIONS SHUTDOWN MARGIN (SDM) TEST - REFUELING r'

1

\

Page .§. of .§. Report Date: 03/06/19

-n "-- -. -_ - .

*- . - . '* * * * . TAIBL.Fi OF GQ:NTltNTS *-(T6'GHNilCAL $P8CIFIGATIONS IBASg-S)*

-~ -_ ~ *. '=f~,1 ' M~ETY ~=:i~ ~':::::::~:::':~::,':~::::::::::::::::::::::f:::.::,;{:::J:;

E32.t:z-*. ' Rea©t9r CoolantSysterm (RCS;)_ !Dressure SL..,.,...........,i.:.:.\.* .... ,,.: ........ 2.0-7

'~"" : -

ffi3.0 - LIMITING C0ND1TION,f0R O~EAATION (LCQ)APP,LICABl ~rrY .:.,.:: .._*..... 3~0-1, 1 "B3.1 _. *... : REACTIVITY * * . ~ .' -:-* -_,-: '<$YSTEMS.

.~' __ *, '~~* * *.*, ....... CONTROL .... ~~-** _-.1 v )-:',::..............

, *~ ,'

,...,..,,.. *,.,,. ~ ......,........ : , *_ t~

,-.............. ,........_ 3.1>./ *~:

1 IB3.1.1 Shutdown Mai:Qitl' (SOM)*...-... ~ .**...,., ......... :-..............,............-.............. :...... 3.. 1-1 ... _.

IB3.1.. 2 *- ~eaetlvity Alilomalies ,, .*. 1 ** _........... , : *** *"'* **** , : **** *** , .**** ::,............................., ....... : .* 3 :1--8 EJS.1 ..3- Control Rod OP~RABlUTY...... ,.~............................ .,.,.......,.......,........ , ......... 3.1--t:3 * . *

B3.1.4 ' Control Rod Scram Times ........~.-........ ;.**'.,.. :.......... ;.....,.;.':,. ....,...... ~ .......... 3.1-22

B3.1.5 . - Coritrol Rod Seram Ac0umw.iatoiis .** ** <,. *.- -*. - . -.

31-29 , *

/, . . . . , .* . . . :,. .,.,...:*:**'".L***?;;**;*;:***\***"~*-*,:***"'"** 3\.::34 . **'

_ffi3.1.6 **** J Rod Pattern Cont.rol ........ ..,..,............,.............., .. \..., .._ ... ,... :.,~........ :................. _ .*

BB.1.:7 . . , Standqy Liqu.id CoAtroJ ($LC) syst~rn ..'. .....,/;/...,::,.:,.. ,::,(.~.'. ...... :...... *3.1-39

.IB6.1,.8:-*- : S.or:~mDischar9e

. Volume (SD\/) Vent.am.d Otain,Vatv~s ' - *_ ., , ..... (*.;..~ ' ' -~ .,.. .,..,........... 3*. 1-47 Bi.2 POWER DIST~IBUTl:ON LIMITS .......... }:.,......... ::'..:.*..*::.-::"......... :... :..:*:, ....... 3:2-1 aa.2.-1, Average Planar Linear Heat Gemeratiptt*,Ratef(;A;PLH~:R) ....*...:: ... ::. ~.2:.1* _ ;,

133.2.2 Mi1<1imu!T<}.Critica1*Power Ratio (f\OCPR)'.... ~ ... ,~.'.... :.:..... :....... :.......,...... 3.2-5 B3.2.3.. Li gear Heat Generation Rate *ctH~,R) .:/ ~. :~.: ....... ;........ :.....,. . *: .. :.~;,;,: .... -~:2-1'0

. !133.3 ,* .

*. INSTRUMENTATl~N ....... -1:f'.?~?~t.;?:.~::?<.............:..... .-....~ . '.:.:~.'.*; . . . *. ~-.3-1 133;3, 1.{ s Re.actor Proteoti.on steqt(RRS) lnstri.ii:nentattQm ,.....,,.,.'.........~............ 3.J-1 *: *- * *

$11lir©e ~ange Mp.!)t ,SRM)~hstrumentaticm*:~ .... ;............... :, .*.,.. :.. ~.3-BS, ,'.;*",

IB:l,3.1.2' S:3.3.2.1 Central Rod Bio,.:*"

ntation ............,...... .,, ..........., ._....... ;., ........ 3,.3-44

~3:3.~.2 Fe*edwater ~.;~ai _ ., High Water level Tr.ip , *. -, . *

t * '., . :. * : * ,, * *

lnstrl!ntfgtati 1"14';,-....... : .. >..,...............,, .... ~...*.::,;, .... ~.'.,; ...,: ..... :... :.-:*.. a.$-5'5. /'.

B3.3.3.*1.. PostAcci,den~Mqnitoring (PAM) Instrumentation: ........... .'............... ,.. 3.3-64 B<t3.3.2 Remoltttbl!Jtd6¥lfn;S,ystem ......'...... .'.,...........~,.... ,....... ,.,...... ,.,....,...,. .. ,.:. ,.,,_..,.,..........3;3-76 B$.3A.1-_ E :;yel~ Recirculation Pump Trip (li':OC~RPl) . .,. *. . *

~Ntation ... .....:.., .......... *"~...............,_., ... ....:....,... ,............ ::... ....~. :............. ~:3-81

~B'.3:.3:4.2 :' ed Translent'Without*Scram*Reeii:teulattom .. **, *- ..

m~*Trip (ATWS:.R:PT) lnstrumentatiorn ,...::......_..... :................... 3.'.3-92 ..

B~.3 ..5.1 enoy Core Gooltmg System {ECOS) ,. *

., ;. _.

strwrnemtatiqlil ...........,........... '......................... :'.:'..: ...... ;, ..... ~.* .,.,.* ;.*:'**.,..*..'3,3--1101 ,

93.3,.5.2. Reactor Pressure Vessel (RPV) ~Water Inventory Gootrol .

.,; **- lnstrur:ner:itatlon .....,.,..,..............~ ..........., ,.... ,.~ *..,....,.................................._............. 3,.3-1 '3'2 .

6J3.3.. .5.3' ..::.::_;.::/ Reactor*Cote lsolati'on OooliAg (RCIG) ystem Instrumentation .... ,.:,......,...,.. :................................... , ......,.................. 3 ..3-.140 1:33.3.6.1 . Primary Co111tai11'1mer:1t Isolation J:Qstrum~mJation.s. ........,.. .,:... ,,.,..-....**. , .........:. 3.p-1*50 ..

IB3.3.6.2 $eco.ndary Containment Isolation lrnstrumentatiO!l :......:.-:.......-......... : 3.3-1 182 ;,' -*

133.3:7.1 Control R(Dom Em;1ergency Outside Air Supply (CREOAS) * . *

- .system lmstrw'mentafion .....,,,. .. .,..........,,.......,.. ": ..,.,~.. ~ .............;.,....... : .1..~: ** ,. **,: 3.3-193

{confirmed~

SUSQU~HA:NNA - UNIT 1 TOC-1 Revision 2*5 0.

TABLE OF CONTENTS (TECHNICAL SPECIFICATIONS BASES) 83.3 INSTRUMENTATION (continued) 83.3.8.1 Loss of Power (LOP) Instrumentation ............................................. 3.3-205 83.3.8.2 Reactor Protection System (RPS) Electric Power Monitoring ................................................................. :................ 3.3-213 83.4 REACTOR COOLANT SYSTEM (RCS) ................................................ 3.4-1 83.4.1 Recirculation Loops Operating ........................................................ 3.4-1 83.4.2 Jet Pumps ........................................................................................ 3.4-10 83.4.3 Safety/Relief Valves (S/RVs) ........................................................... 3.4-15 83.4.4 RCS Operational LEAKAGE ........................................................... 3.4-19 83.4.5 RCS Pressure Isolation Valve (PIV) Leakage ................................. 3.4-24 1;33.4.6 RCS Leakage Detection Instrumentation ........................................ 3.4-30 83.4.7 RCS Specific Activity ....................................................................... 3.4-35 83.4.8 Residual Heat Removal (RHR) Shutdown Cooling System - Hot Shutdown ............................................................ 3.4-39 83.4.9 Residual Heat Removal (RHR) Shutdown Cooling System - Cold Shutdown .......................................................... 3.4-44 83.4.10 RCS Pressure and Temperature (PIT) Limits 3.4-49 83.4.11 Reactor Steam Dome Pressure ....................................................... 3.4-58 83.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM ................ 3.5-1 83.5.1 ECCS - Operating ........................................................................... 3.5-1 83.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control ............... 3.5-17 83.5.3 RCIC System ................................................................................... 3.5-27 83.6 CONTAINMENT SYSTEMS .................................................................. 3.6-1 83.6.1.1 Primary Containment ....................................................................... 3.6-1 83.6.1.2 Primary Containment Air Lock ......................................................... 3.6-7 83.6.1.3 Primary Containment Isolation Valves (PCIVs) ............................... 3.6-15 83.6.1.4 Containment Pressure ..................................................................... 3.6-41 83.6.1.5 Drywell Air Temperature .................................................................. 3.6-44 83.6.1.6 Suppression Chamber-to-Drywell Vacuum Breakers ...................... 3.6-47 83.6.2.1 Suppression Pool Average Temperature ........................................ 3.6-53 83.6.2.2 Suppression Pool Water Level ................................. :...................... 3.6-59 83.6.2.3 Residual Heat Removal (RHR) Suppression Pool Cooling ....................................................................................... 3.6-62 83.6.2.4 Residual Heat Removal (RHR) Suppression Pool Spray ................ 3.6-66 83.6.3.1 Not Used .......................................................................................... 3.6-70 83.6.3.2 Drywell Air Flow System .................................................................. 3.6-76 83.6.3.3 Primary Containment Oxygen Concentration .................................. 3.6-81 83.6.4.1 Secondary Containment .................................................................. 3.6-84 83.6.4.2 Secondary Containment Isolation Valves (SC IVs) .......................... 3.6-92 83.6.4.3 Standby Gas Treatment (SGT) System ........................................... 3:6-104 (continued)

SUSQUEHANNA - UNIT 1 TOC-2 Revision 25

TABLE OF CONTENTS (TECHNICAL SPECIFICATIONS BASES)

B3.7 PLANT SYSTEMS ................................................................................. 3.7-1 B3.7.1 Residual Heat Removal Service Water (RHRSW) System and the Ultimate Heat Sink (UHS) ............................................. 3.7-1 B3.7.2 Emergency Service Water (ESW) System ...................................... 3.7-7 B3.7.3 Control Room Emergency Outside Air Supply (CREOAS) System .................................................................... 3.7-12 B3.7.4 Control Room Floor Cooling System ............................................... 3.7-20 B3.7.5 Main Condenser Offgas ................................................................... 3.7-24 B3.7.6 Main Turbine Bypass System .......................................................... 3.7-27 B3.7.7 Spent Fuel Storage Pool Water Level ............................................. 3.7-31 B3.7.8 Main Turbine Pressure Regulation System ..................................... 3.7-34 B3.8 ELECTRICAL POWER SYSTEM .......................................................... 3.8-1 B3.8.1 AC Sources - Operating .................................................................. 3.8-1 B3.8.2 AC Sources - Shutdown ................................................................. 3.8-38 B3.8.3 Diesel Fuel Oil, Lube Oil, and Starting Air ....................................... 3.8-45 B3.8.4

DC Sources - Operating ................................................................. 3.8-54 B3.8.5 DC Sources - Shutdown ................................................................. 3.8-66 B3.8.6 Battery Cell Parameters .................................................................. 3.8-71 B3.8.7 Distribution Systems - Operating .................................................... 3.8-78 B3.8.8 Distribution Systems - Shutdown .................................................... 3.8-86 B3.9 REFUELING OPERATIONS ................................................................. 3.9-1 B3.9.1 Refueling Equipment Interlocks ....................................................... 3.9-1 B3.9.2 Refuel Position One-Rod-Out Interlock ........................................... 3.9-5 B3.9.3 Control Rod Position ........................................................................ 3.9-9 B3.9.4 Control Rod Position Indication ....................................................... 3.9-12 83.9.5 Control Rod OPERABILITY - Refueling .......................................... 3.9-16 B3.9.6 Reactor Pressure Vessel (RPV) Water Level. ................................. 3.9-19 B3.9.7 Residual Heat Removal (RHR) - High Water Level ........................ 3.9-22 B3.9.8 Residual Heat Removal (RHR) - Low Water Level ......................... 3.9-26 B3.10 SPECIAL OPERATIONS ....................................................................... 3.10-1 B3.10.1 lnservice Leak and Hydrostatic Testing Operation .......................... 3.10-1 B3.10.2 Reactor Mode Switch Interlock Testing ........................................... 3.10-6 B3.10.3 Single Control Rod Withdrawal- Hot Shutdown ............................. 3.10-11 B3.10.4 Single Control Rod Withdrawal - Cold Shutdown ........................... 3.10-16 B3.10.5 Single Control Rod Drive (CRD) Removal- Refueling .................... 3.10-21 B3.10.6 Multiple Control Rod Withdrawal - Refueling .................................. 3.10-26 B3.10.7 Control Rod Testing - Operating ..................................................... 3.10-29 B3.10.8 SHUTDOWN MARGIN (SOM) Test - Refueling .............................. 3.10-33 SUSQUEHANNA - UNIT 1 TOC-3 Revision 25

Rev. 5 ECCS Instrumentation B 3.3.5.1 B 3.3 INSTRUMENTATION B 3.3.5.1 Emergency Core Cooling System (ECCS) Instrumentation BASES BACKGROUND The purpose of the ECCS instrumentation is to initiate appropriate responses from the systems to ensure that the fuel is adequately cooled in the event of a design basis accident or transient.

For most anticipated operational occurrences and Design Basis Accidents (DBAs), a wide range of dependent and independent parameters are monitored.

The ECCS instrumentation actuates core spray (CS), low pressure coolant injection (LPCI), high pressure coolant injection (HPCI), Automatic Depressurization System (ADS), the diesel generators (DGs) and other features described in the DG background. The equipment involved with each of these systems with exception of the DGs and other features, is described in the Bases for LCO 3.5.1, "ECCS-Operating."

Core Spray System The CS System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level Low, Low, Low, Level 1 or Drywell Pressure - High concurrent with Reactor Pressure - Low. Each of these diverse variables is monitored by four redundant instruments. The initiation logic for one CS loop is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when: *

(1) both level sensors are tripped, or (2) two high drywell pressure sensors and two low reactor vessel pressure sensors are tripped, or (3) a combination of one channel of level sensor and one of the other channel of high drywell pressure sensor together with its associated low reactor vessel pressure sensor (i.e. Channel A level sensor and Channel C high drywell and low reactor vessel pressure sensor).

(continued)

SUSQUEHANNA - UNIT 1 3.3-101

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Core Spray System (continued)

(continued)

Once an initiation signal is received by the CS control circuitry, the signal is sealed in until manually reset.

The logic can also be initiated by use of a manual push button (one push button per subsystem). Upon receipt of an initiation signal, the CS pumps are started 15 seconds after initiation signal if normal offsite power is available and 10.5 seconds after diesel generator power is available.

The CS test line isolation valve, which is also a primary containment isolation valve (PCIV), is closed on a CS initiation signal to allow full system flow assumed in the accident analyses and maintain primary containment isolated.

The CS System also monitors the pressure in the reactor to ensure that, before the injection valves open, the reactor pressure has fallen to a value below the CS System's maximum design pressure. The variable is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Low Pressure Coolant Injection System The LPCI is an operating mode of the Residual Heat Removal (RHR)

System, with two LPCI subsystems. The LPCI subsystems may be initiated by automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level Low, Low, Low, Level 1 or Drywell Pressure - High concurrent with Reactor Pressure - Low. Each of these diverse variables is monitored by four instruments in two divisions. Each division is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1) both level sensors are tripped, or (2) two high drywell pressure sensors and two low reactor vessel pressure sensors are tripped, or (3) a combination of one channel level sensor and one of the other channel of high drywell pressure sensor together with its associated low reactor vessel pressure sensor. (i.e. Channel A level sensor and Channel C high drywell and low reactor vessel pressure sensor).

(continued)

SUSQUEHANNA - UNIT 1 3.3-102

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Low Pressure Coolant Injection System (continued)

(continued)

The initiation logic is cross connected between divisions (i.e., either start .

signal will start all four pumps and open both loop's injection valves). Once an initiation signal is received by the LPCI control circuitry, the signal is sealed in until manually reset. The cross division start signals for the pumps affect both the opposite division's start logic and the pump's 4KV breaker start logic. The cross division start signal to the opposite division's start logic is for improved reliability. The cross division start signals to the pump's 4KV breaker start logic is needed to ensure specific control power failures do not prevent the start of an adequate number of LPCI pumps.

Upon receipt of an initiation signal, all LPCI pumps start after a 3 second time delay when normal AC power is lost and standby diesel generator power is available. If normal power is available, LPCI pumps A and B will start immediately and pumps C and D will start 7.0 seconds after initiation signal to limit loading of the offsite sources.

The RHR test line and spray line are also isolated on a LPCI initiation signal to allow the full system flow assumed in the accident analyses and for those valves which are also PCIVs maintain primary containment isolated.

The LPCI System monitors the pressure in the reactor to ensure that, before an injection valve opens, the reactor pressure has fallen to a value below the LPCI System's maximum design pressure. The variable is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

Logic is provided to close the recirculation pump discharge valves to ensure that LPCI flow does not bypass the core when it injects into the recirculation lines. The logic consists of an initiation signal (Low reactor water level and high drywell pressure in a one out of two taken twice logic) from both divisions of LPCI instruments and a pressure permissive. The pressure variable is monitored by four redundant instruments.

The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic.

(continued)

SUSQUEHANNA - UNIT 1 3.3-103

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND High Pressure Coolant Injection System (continued)

The HPCI System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low, Level 2 or Drywell Pressure-High. Each of these variables is monitored by four redundant instruments. The instrument outputs are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic for each Function.

The HPCI System also monitors the water level in the condensate storage tank (CST). HPCI suction is normally maintained on the CST until it transfers

. to the suppression pool on low CST level or is manually transferred by the operator. Reactor grade water in the CST is the normal source. Upon receipt of a HPCI initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the suppression pool suction valve is open. If the water level in the CST falls to the level switch process setpoint value, an automatic suction transfer is initiated. The suppression pool suction valve receives a signal to open and in parallel, the

. CST suction valve receives a signal to close to complete the transfer. Two level switches are used to detect low water level in the CST. Either switch can cause the suppression pool suction valve to open and the CST suction valve to close.

The HPCI provides makeup water to the reactor until the reactor vessel water level reaches the Reactor Vessel Water Level-High, Level 8 trip, at which time the HPCI turbine trips, which causes the turbine's stop valve, minimum flow valve, the cooling water isolation valve, and the injection valve to close.

The logic is two-out-of-two to provide high reliability of the HPCI System.

The HPCI System automatically restarts if a Reactor Vessel Water Level-Low Low, Level 2 signal is subsequently received.

(continued)

SUSQUEHANNA - UNIT 1 3.3-104

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Automatic Depressurization System (continued)

The ADS may be initiated by either automatic or_manual means. Automatic initiation occurs wheri signals indicating Reactor Vessel Water Level-Low Low Low, Level 1; Drywell Pressure-High or ADS Drywell Bypass Actuation Timer; confirmed Reactor Vessel Water Level-Low, Level 3; and CS or LPCI Pump Discharge Pressure~High are all present and the ADS Initiation Timer has timed out. There are two instruments each for Reactor Vessel Water Level-Low Low Low, Level 1 and Drywell Pressur&-High, and one instrument for confirmed Reactor Vessel Water Level-Low, Level 3 in each of the two ADS trip systems. Each of these instruments drives a relay whose contacts form the initiation logic.

Each ADS trip system includes a time delay between satisfying the initiation logic and the actuation of the ADS valves. The ADS Initiation Timer time delay setpoint is chosen to be long enough that the HPCI system has sufficient operating time to recover to a level above Level 1, yet not so long that the LPCI and CS Systems are unable to adequately cool the fuel if the HPCI fails to maintain that level. An alarm in the control room is annunciated when either of the timers is timing. Resetting the ADS initiation signals resets the ADS Initiation Timers. The ADS also monitors the discharge pressures of the four LPCI pumps and the four CS pumps. Each ADS trip system includes two discharge pressure permissive instruments from both CS pumps in the division and from either of the two LPCI pumps in the associated Division (i.e., Division 1 LPCI pumps A or C input to ADS trip system A, and Division 2 LPCI pumps B or D input to ADS trip system 8).

The signals are used as a permissive for ADS actuation, indicating that there is a source of core coolant available once the ADS has depressurized the vessel. With both CS pumps in a division or one of the LPCI pumps operating sufficient flow is available to permit automatic depressurization.

The ADS logic in each trip system is arranged in two strings. Each string has a contact from each of the following variables: Reactor Vessel Water Level-Low Low Low, Level 1; Drywell Pressure-High; or Drywell Pressure Bypass Actuation Timer. One of the two strings in each trip system must also have a confirmed Reactor Vessel Water Level-Low, Level 3. All contacts in both logic strings must close, the ADS initiation timer must time out, and a lqop of CS or LPCI pump discharge pressure signal must be present to initiate an ADS trip system. Either the A or B trip system will cause all the ADS relief valves to open. Once the Orywell Pressure-High signal, the ADS Drywell Pressure Bypass Actuation Timer, or the ADS in.itiation signal is present, it is individually sealed in until manually reset.

(continued)

SUSQUEHANNA - UNIT 1 3.3-105

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Automatic Depressurization System (continued)

(continued)

Manual inhibit switches are provided in the control room for the ADS; however, their function is not required for ADS OPERABILITY (provided ADS is not inhibited when required to be OPERABLE).

Diesel Generators and Other Initiated Features The DGs may be initiated by either automatic or manual means. Automatic initiation occurs for conditions of Reactor Vessel Water Level-Low Low Low, Level 1 or Drywell Pressure-High. The DGs are also initiated upon loss of voltage signals (Refer to the Bases for LCO 3.3.8.1, "Loss of Power (LOP) Instrumentation," for a discussion of these signals.) The initiation logic is arranged in a one-out-of-two-twice network using level and pressure instruments which will generate a signal when:

(1) both level sensors are tripped, or (2) both high drywell pressure sensors are tripped, or (3) a combination of one level sensor and one high drywell pressure sensor is tripped.

DGs A and B receive their initiation signal from CS system initiation logic Division I and Division II respectively. DGs C and D receive their initiation signals from either LPCI systems initiation logic Division I or Division II. The DGs can also be started manually from the control room and locally from the associated DG room. The DG initiation signal is a sealed in signal and must be manually reset. The DG initiation logic is reset by resetting the associated ECCS initiation logic. Upon receipt of a loss of coolant accident (LOCA) initiation signal, each DG is automatically started, is ready to load in approximately 10 seconds, and will run in standby conditions (rated voltage and speed, with the DG output breaker open). The DGs will only energize their respective Engineered Safety Feature buses if a loss of offsite power occurs. (Refer to Bases for LCO 3.3.8.1.).

(continued)

SUSQUEHANNA - UNIT 1 3.3-106

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES BACKGROUND Diesel Generators and other Initiated Features (continued)

(continued)

In addition to DG initiation, the ECCS instrumentation initiates other design features. Signals from the CS System logic initiate (1) the reset of two Emergency Service Water (ESW) timers, (2) the reset of the degraded grid timers for the 4kV buses on Unit 1, (3) LOCA load shed schemes, and (4) the trip of Drywell Cooling equipment. Signals from the LPCI System logic initiate (1) the reset of two Emergency Service Water (ESW) timers, (2) the trip of turbine building chillers, and (3) the trip of reactor building chillers. The ESW pump timer reset feature assures the ESW pumps do not start concurrently with the CS or LPCI pumps. If one or both ESW pump timer resets in a division or reactor building/turbine building chiller trips are inoperable; two offsite circuits with the 4kV buses aligned to their normal configuration are required to be OPERABLE. If one or both ESW pump timer resets in a division or reactor building/turbine building chiller trips are inoperable; the effects on one offsite circuit have not been analyzed; and therefore, the offsite circuit is assumed not to be capable of accepting the required loads during certain accident events. The ESW pump timer reset is not required in MODES 4 and 5 because concurrent pump starts, on a LOCA signal, of the ESW pumps (initiated by the DG start circuitry) with CS or LPCI pumps cannot occur in these MODES.

APPLICABLE The actions of the ECCS are explicitly assumed in the safety analyses of SAFETY References 1 and 2. The ECCS is initiated to preserve the integrity of the ANALYSES, fuel cladding by limiting the post LOCA peak cladding temperature to less LCO, and than the 10 CFR 50.46 limits.

APPLICABILITY ECCS instrumentation satisfies Criterion 3 of the NRC Policy Statement (Ref.

4). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the ECCS instrumentation is dependent upon the OPERABILITY of the individual instrumentation and channel Functions specified in Table 3.3.5.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each ECCS subsys!em must also respond within its assumed response time. Table 3.3.5.1-1, footnotes (a) and (b), are added to show that certain ECCS instrumentation Functions are also requir~d to be OPERABLE to perform DG initiation and actuation of other Technical Specifications (TS) function.

(continued)

SUSQUEHANNA - UNIT 1 3.3-107

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Allowable Values are specified for each ECCS Function specified in the SAFETY table. Nominal trip setpoints are specified in the _setpoint calculations. The ANALYSES, nominal setpoints are selected to ensure that the setpoints do not exceed the LCO, and Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip APPLICABILITY setpoint less consef"\.(ative than the nominal trip setpoint, but within its (continued) Allowable Value, is acceptable. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors.

The trip setpoints are then determined, accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for by 10 CFR 50.49) are accounted for.

An exception to the methodology described to derive the Allowable Value is the methodology used to determine the Allowable Values for the ECCS pump start time delays and HPCI CST Level 1 - Low. These Allowable Values are based on system calculations and/or engineering judgement which establishes a conservative limit at which the function should occur.

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions that may require ECCS (or DG) initiation to mitigate the consequences of a design basis transient or accident. To ensure reliable ECCS and DG function, a combination of Functions is required to provide primary and secondary initiation signals.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

(continued)

SUSQUEHANNA - UNIT 1 3.3-108

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Core Spray and Low Pressure Coolant Injection Systems SAFETY ANALYSES, 1.a, 2.a. Reactor Vessel Water Level-Low Low Low, Level 1 LCO, and APPLICABILITY Low reactor pressure vessel (RPV) water level indicates that the capability to (continued) cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. The low pressure ECCS and associated DGs are initiated at Level 1 to ensure that core spray and flooding functions are available to prevent or minimize fuel damage. The Reactor Vessel Water Level-Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ECCS during the transients analyzed in References 2. In addition, the Reactor Vessel Water Level-Low Low Low, Level 1 Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the Reactor Protection System (RPS),

ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low Low, Level 1 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to activate and provide adequate cooling The initiation logic for LPCI pumps and injection valves is cross connected such that either division's start signal will start all four pumps and open both loop's injection valves. This cross division logic is required in MODES 1, 2, and 3.

DGs C and D which are initiated from the LPCI LOCA initiation are cross connected such that both DGs receive an initiation signal from both Divisions of the LPCI LOCA initiation circuitry. This cross connected logic is only required in MODES 1, 2, and 3.

Four channels of Reactor Vessel Water level-Low Low Low, Level 1 Function are only required to be OPERABLE when the ECCS or DG(s) are required to be OPERABLE to ensure that no single instrument failure can preclude ECCS and DG initiation.

(continued)

SUSQUEHANNA - UNIT 1 3.3-109

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.b, 2.b. Drywell Pressure-High SAFETY ANALYSES, High pressure in the drywell could indicate a break in the reactor coolant LCO, and pressure boundary (RCPB). The low pressure ECCS (provided a concurrent APPLICABILITY low reactor pressure signal is present) and associated DGs, without a (continued) concurrent low reactor pressure signal, are initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High Function, along with the Reactor Water Level-Low Low Low, Level 1 Function, is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

High drywell pressure signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as practical and be indicative of a LOCA inside primary containment. The Drywell Pressure-High Function is required to be OPERABLE when the ECCS or DG is required to be OPERABLE in conjunction with times when the primary containment is required to be OPERABLE. Thus, four channels of the CS and LPCI Drywell Pressure-High Function are required to be OPERABLE in MODES 1, 2, and 3 to ensure that no single instrument failure can preclude ECCS and DG initiation. In MODES 4 and 5, the Drywell Pressure-High Function is not required, since there is insufficient energy in the reactor to pressurize the primary containment to Drywell Pressure-High setpoint. Refer to LCO 3.5.1 for Applicability Bases for the low pressure ECCS subsystems and to LCO 3.8.1 for Applicability Bases for the DGs.

1.c, 1.d, 2.c, 2.d Reactor Steam Dome Pressure-Low Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS subsystems. The low reactor pressure permissive is provided to prevent a high drywell pressure condition which is not accompanied by low reactor pressure, i.e. a false LOCA signal, from disabling two RHR pumps on the other unit. The low reactor steam dome pressure permissive also ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. The Reactor Steam Dome Pressure-Low is one of the Functions assumed to be OPERABLE and capable of permitting initiation of the ECCS during the transients analyzed in Reference 2. In addition, the Reactor Steam Dome Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

SUSQUEHANNA - UNIT 1 3.3-110

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.c, 1.d, 2.c, 2.d Reactor Steam Dome Pressure-Low (continued)

SAFETY ANALYSES, The Reactor Steam Dome Pressure-Low signals are initiated from four LCO, and pressure instruments that sense the reactor dome pressure.

APPLICABILITY (continued) The pressure instruments are set to actuate between the Upper and Lower Allowable Values on decreasing reactor dome pressure.

The Upper Allowable Value is low enough to ensure that the reactor dome pressure has fallen to a value below the Core Spray and RHR/LPCI maximum design pressures to preclude piping over pressurization.

The Lower Allowable Value is high enough to ensure that the ECCS injection prevents the fuel peak cladding temperature from exceeding the limits of 10 CFR 50.46.

DGs C and D which are initiated from the LPCI LOCA initiation are cross connected such that both DGs receive an initiation signal from both Divisions of the LPCI LOCA initiation circuitry. This cross connected logic is only required in MODES 1, 2, and 3. In MODES 4 and 5, redundancy in the DG initiation circuitry is not required. Therefore, in MODES 4 and 5 for DGs C and D only one division of ECCS initiation logic is required.

Four channels of Reactor Steam Dome Pressure-Low Function are required to be OPERABLE only when the ECCS is required to be OPERABLE to ensure that no single instrument failure can preclude ECCS initiation.

1.e, 2.f. Manual Initiation The Manual Initiation push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability and are redundant to the automatic protective instrumentation. There is one push button for each of the CS and LPCI subsystems (i.e., two for CS and two for LPCI).

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the low pressure ECCS function as required by the NRG in the plant licensing basis.

(continued)

SUSQUEHANNA - UNIT 1 3.3-111

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 1.e, 2.f. Manual Initiation (continued)

SAFETY ANALYSES, There is no Allowable Value for this Function since the channels are LCO, and mechanically actuated based solely on the position of the push buttons.

APPLICABILITY Each channel of the Manual Initiation Function (one channel per subsystem)

(continued) is required to be OPERABLE only when the associated ECCS is required to be OPERABLE.

2.e. Reactor Steam Dome Pressure-Low (Recirculation Discharge Valve Permissive)

Low reactor steam dome pressure signals are used as permissives for recirculation discharge and bypass valves closure. This ensures that the LPCI subsystems inject into the proper RPV location assumed in the safety analysis. The Reactor Steam Dome Pressure-Low is one of the Functions assumed to be OPERABLE and capable of closing the valves during the transients analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Steam Dome Pressure-Low Function is directly assumed in the analysis of the recirculation line break (Ref. 1).

The Reactor Steam Dome Pressure-Low signals are initiated from four pressure instruments that sense the reactor dome pressure.

The Allowable Value is chosen to ensure that the valves close prior to commencement of LPCI injection flow into the core, as assumed in the safety analysis.

Four channels of the Reactor Steam Dome Pressure-Low Function are only required to be OPERABLE in MODES 1, 2, and 3 with the associated recirculation pump discharge valve open. With the valve(s) closed, the function instrumentation has been performed; thus, the Function is not required. In MODES 4 and 5, the loop injection location is not critical since LPCI injection through the recirculation loop in either direction will still ensure that LPCI flow reaches the core (i.e., there is no significant reactor steam dome back pressure).

(continued)

SUSQUEHANNA - UNIT 1 3.3-112

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE HPCI System SAFETY ANALYSES, 3.a. Reactor Vessel Water Level-Low Low, Level 2 LCO, and APPLICABILITY Low RPV water level indicates that the capability to cool the fuel may be (continued) threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, the HPCI System is initiated at Level 2 to maintain level above the top of the active fuel. The Reactor Vessel Water Level-Low Low, Level 2 is one of the Functions assumed to be OPERABLE analyzed in Reference 2. Additionally, the Reactor Vessel Water Level-Low Low, Level 2 Function associated with HPCI is directly assumed in the analysis of the recirculation line break (Ref. 2). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The HPCI Reactor Vessel Water Level-Low Low, Level 2 Allowable Value is chosen to be consistent with the Reactor Core Isolation Cooling (RCIC)

System Reactor Vessel Water Level - Low Low, Level 2 Allowable value.

Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI initiation.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.b. Drywell Pressure-High High pressure in the drywell could indicate a break in the RCPB. The HPCI System is initiated upon receipt of the Drywell Pressure-High Function in order to minimize the possibility of fuel damage. The Drywell Pressure--

High Function, along with the Reactor Water Level-Low Low, Level 2 Function, is* directly assumed in the analysis of the recirculation line break (Ref. 1). The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

(continued)

SUSQUEHANNA - UNIT 1 3.3-113

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.b. Drywell Pressure-High (continued)

SAFETY ANALYSES, High drywell pressure signals are initiated from four pressure instruments LCO, and that sense drywell pressure. The Allowable Value was selected to be as low APPLICABILITY as possible to be ind.icative of a LOCA inside primary containment.

(continued)

Four channels of the Drywell Pressure-High Function are required to be OPERABLE when HPCI is required to be OPERABLE to ensure that no single instrument failure cari preclude HPCI initiation. Refer to LCO 3.5.1 for the Applicability Bases for the HPCI System.

3.c. Reactor Vessel Water Level-High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to trip the HPCI turbine to prevent overflow into the main steam lines (MSLs). The Reactor Vessel Water Level-High, Level 8 Function is not assumed in the accident and transient analyses. It was retained since it is a potentially significant contributor to risk.

Reactor Vessel Water Level-High, Level 8 signals for HPCI are initiated from two level instruments. Both Level 8 signals are required in order to trip HPCI. This ensures that no single instrument failure can preclude an HPCI initiation or trip. The Reactor Vessel Water Level-High, Level 8 Allowable Value is chosen to prevent flow from the HPCI System from overflowing into the MSLs.

Two channels of Reactor Vessel Water Level-High, Level 8 Function are required to be OPERABLE only when HPCI is required to be OPERABLE.

Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.d. Condensate Storage Tank Level-Low The Condensate Storage Tank-Low signal indicates that a conservatively calculated NPSH-available limit is being approached.

(continued)

SUSQUEHANNA - UNIT 1 3.3-114

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 3.d. Condensate Storage Tank Level-Low (continued)

SAFETY*

ANALYSES, Normally the suction valves between HPCI and the CST are open and, upon LCO, and receiving a HPCI initiation signal, water for HPCI injection would be taken APPLICABILITY from the CST. However, if the water level in the CST falls to the level switch (continued) process setpoint value, an automatic suction transfer is initiated. The suppression pool suction valve receives a signal to open and in parallel, the CST suction valve receives a signal to close to complete the transfer. The HPCI suction transfer must be initiated prior to CST level dropping below the technical specification allowable value to ensure that an adequate suction head for the pump and an uninterrupted supply of makeup water is available to the HPCI pump. The Function is implicitly assumed in the accident and transient analyses (which take credit for HPCI) since the analyses assume that the HPCI suction source is the suppression pool.

Condensate Storage Tank Level-Low signals are initiated from two level instruments. The logic is arranged such that either level switch can cause the suppression pool suction valves to open and the CST suction valve to

close. The Condensate Storage Tank Level-Low Function Allowable Value is high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of the Condensate Storage Tank Level-Low Function are required to be OPERABLE only when HPCI is required to be OPERABLE to ensure that no single instrument failure can preclude HPCI swap to suppression pool source. Refer to LCO 3.5.1 for HPCI Applicability Bases.

3.e. Manual Initiation The Manual Initiation push button channel introduces signals into the HPCI logic to provide manual initiation capability and is redundant to the automatic protective instrumentation. There is one push button for the HPCI System.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the HPCI function as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button. One channel of the Manual Initiation Function is required to be OPERABLE only when the HPCI System is required to be OPERABLE. Refer to LCO 3.5.1 for HPCI Applicability Bases.

(continued)

SUSQUEHANNA - UNIT 1 3.3-115

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE Automatic Depressurization System SAFETY ANALYSES, 4.a, 5.a. Reactor Vessel Water Level-Low Low Low, Level 1 LCO, and APPLICABILITY Low RPV water level indicates that the capability to cool the fuel may be (continued) threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, ADS receives one of the signals necessary for initiation from this Function. The Reactor Vessel Water Level-Low Low Low, Level 1 is one of the Functions assumed to be OPERABLE and capable of initiating the ADS during the accident analyzed in Reference 1. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Reactor Vessel Water Level-Low Low Low, Level 1 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low, Level 1 Function are required to be OPERABLE only when ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two channels input to ADS trip system A, while the other two channels input to ADS trip system B.

Refer to LCO 3.5.1 for ADS Applicability Bases.

The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to allow time for the low pressure core flooding systems to initiate and provide adequate cooling.

4.b, 5.b. Drywell Pressure-High High pressure in the drywell could indicate a break in the RCPB. Therefore, ADS receives one of the signals necessary for initiation from this Function in order to minimize the possibility of fuel damage. The Drywell Pressure-High is assumed to be OPERABLE and capable of initiating the ADS during the accidents analyzed in Reference 2. The core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46.

Drywell Pressure-High signals are initiated from four pressure instruments that sense drywell pressure. The Allowable Value was selected to be as low as possible and be indicative of a LOCA inside primary containment.

(continued)

SUSQUEHANNA - UNIT 1 3.3-116

Rev. 5 ECCS Instrumentation B 3.3.5.1

- BASES APPLICABLE 4.b. 5.b. Dr:vwell Pressure-High (continued)

SAFETY ANALYSES, Four channels of Drywell Pressure-High Function are only required to be LCO, and OPERABLE when ADS is required to be OPERABLE to ensure that no APPLICABILITY single instrument failure can preclude ADS initiation. Two channels input to (continued) ADS trip system A, while the other two channels input to ADS trip system B.

Refer to LOO 3.5.1 for ADS Applicability Bases.

4.c. 5.c. Automatic Depressurization System Initiation Timer The purpose of the Automatic Depressurization System Initiation Timer is to delay depressurization of the reactor vessel to allow the HPCI System time to maintain reactor vessel water level. Since the rapid depressurization caused by ADS operation is one of the most severe transients on the reactor vessel, its occurrence should be limited. By delaying initiation of the ADS Function, the operator is given the chance to monitor the success or failure of the HPCI System to maintain water level, and then to decide whether or not to allow ADS to initiate, to delay initiation further by recycling the timer, or to inhibit initiation permanently. The Automatic Depressurization System Initiation Timer Function is assumed to be OPERABLE for the accident analyses of Reference 1 that require ECCS initiation and assume failure of the HPCI System.

There are two Automatic Depressurization System Initiation Timer relays, one in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Initiation Timer is chosen so that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Two channels of the Automatic Depressurization System Initiation Timer Function are only required to be OPERABLE when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. (One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.d. 5.d. Reactor Vessel Water Level-Low. Level 3 The Reactor Vessel Water Level-Low, Level 3 Function is used by the ADS only as a confirmatory low water level signal. ADS receives one of the signals necessary for initiation from Reactor Vessel Water Level-Low Low Low, Level 1 signals. In order to prevent spurious initiation of the ADS due to spurious Level 1 signals, a Level 3 signal must also be received before ADS initiation commences.

(continued)

SUSQUEHANNA - UNIT 1 3.3-117

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.d, 5.d. Reactor Vessel Water Level-Low, Level 3 (continued)

SAFETY ANALYSES, Reactor Vessel Water Level-Low, Level 3 signals are initiated from two LCO, and level instruments that sense the difference between the pressure due to a APPLICABILITY constant column of water (reference leg) and the pressure due to the actual (continued) water level (variable leg) in the vessel. The Allowable Value for Reactor Vessel Water Level-Low, Level 3 is selected at the RPS Level 3 scram Allowable Value for convenience. Refer to LCO 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," for the Bases discussion of this Function.

Two channels of Reactor Vessel Water Level-Low, Level 3 Function are required to be OPERABLE only when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. One channel inputs to ADS trip system A, while the other channel inputs to ADS trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.e, 4.f, 5.e, 5.f. Core Spray and Low Pressure Coolant Injection Pump Discharge Pressure-High The Pump Discharge Pressure-High signals from the CS and LPCI pumps are used as permissives for ADS initiation, indicating that there is a source of low pressure cooling water available once the ADS has depressurized the vessel. Pump Discharge Pressure-High is one of the Functions assumed to be OPERABLE and capable of permitting ADS initiation during the events analyzed in Reference 1 with an assumed HPCI failure. For these events the ADS depressurizes the reactor vessel so that the low pressure ECCS can perform the core cooling functions. This core cooling function of the ECCS, along with the scram action of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Pump discharge pressure signals are initiated from twelve pressure instruments, two on the discharge side of each of the four LPCI pumps and one on the discharge of each of CS pumps. In order to generate an ADS permissive in one trip system, it is necessary that only one LPCI pump or one CS subsystem indicate the high discharge pressure condition. The Pump Discharge Pressure-High Allowable Value is less than the pump discharge pressure when the pump is operating in a full flow mode and high enough to avoid any condition that results in a discharge pressure permissive when the CS and LPCI pumps are aligned for injection and the pumps are not running.

The actual operating point of this function is not assumed in any transient or accident analysis.

(continued)

SUSQUEHANNA - UNIT 1 3.3-118

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES APPLICABLE 4.e, 4.f, 5.e, 5.f. Core Spray and Low Pressure Coolant Injection SAFETY Pump Discharge Pressure-High (continued)

ANALYSES, LCO, and Twelve channels of Core Spray and Low Pressure Coolant Injection Pump APPLICABILITY Discharge Pressure-High Function are only required to be OPERABLE (continued) when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Two CS channels associated with CS pumps A and C and four LPCI channels associated with LPCI pumps A and C are required for trip system A. Two CS channels associated with CS pumps B and D and four LPCI channels associated with LPCI pumps B and D are required for trip system B. Refer to LCO 3.5.1 for ADS Applicability Bases.

4.g, 5.g. Automatic Depressurization System Drywell Pressure Bypass Actuation Timer One of the signals required for ADS initiation is Drywell Pressure-High.

However, if the event requiring ADS initiation occurs outside the drywell (e.g.,

main steam line break outside containment), a high drywell pressure signal may never be present. Therefore, the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer is used to bypass the Drywell Pressure-High Function after a certain time period has elapsed. Operation of the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer Function is not assumed in any accident analysis. The instrumentation is retained in the TS because ADS is part of the primary suc*cess path for mitigation of a OBA.

There are four Automatic Depressurization System Drywell Pressure Bypass Actuation Timer relays, two in each of the two ADS trip systems. The Allowable Value for the Automatic Depressurization System Low Water Level Actuation Timer is chosen to ensure that there is still time after depressurization for the low pressure ECCS subsystems to provide adequate core cooling.

Four channels of the Automatic Depressurization System Drywell Pressure Bypass Actuation Timer Function are required to be OPERABLE only when the ADS is required to be OPERABLE to ensure that no single instrument failure can preclude ADS initiation. Refer to LCO 3.5.1 for ADS Applicability Bases.

(continued)

SUSQUEHANNA - UNIT 1 3.3-119

Rev. 5 ECCS Instrumentation

BASES APPLICABLE 4.h, 5.h. Manual Initiation B 3.3.5.1 SAFETY ANALYSES, The Manual Initiation push button channels introduce signals into the ADS LCO, and logic to provide manual initiation capability and are redundant to the APPLICABILITY automatic protective instrumentation. There are two push buttons for each (continued) ADS trip system for a total of four.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the ADS functions as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Four channels of the Manual Initiation Function (two channels per trip system) are only required to be OPERABLE when the ADS is required to be OPERABLE. Refer to LCO 3.5.1 for ADS Applicability Bases.

ACTIONS A Note has been provided to modify the ACTIONS related to ECCS instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable ECCS instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable ECCS instrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.1-1. The applicable Condition referenced in the table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition .

SUSQUEHANNA - UNIT 1 3.3-120 (continued)

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS 8.1, 8.2, and 8.3 (continued)

Required Actions 8.1 and 8.2 are intended to ensure that appropriate actions are taken if multiple, inoperable, unfripped channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action 8.1 features would be those that are initiated by Functions 1.a, 1.b, 1.c, 2.a, 2.b, and 2.c (e.g., low pressure ECCS). The Required Action B.2 system would be HPCI. For Required Action 8.1, redundant automatic initiation capability is lost if (a) one Function 1.a, 1.b, 1.c, 2.a, or 2.b is inoperable and untripped with only one offsite source OPERABLE, or (b) one or more Function 1.a or Function 2.a channels in both divisions are inoperable and untripped, or (c) one or more Function 1.b or Function 2.b channels in both divisions are inoperable and untripped, or (d) one or more Function 1.c or Function 2.c channels in both divisions are inoperable and untripped.

For (a) above (Function 1.a, 1.b, 1.c, 2.a, or 2.b is inoperable and untripped with only one offsite source OPERABLE), the ESW pump timer resets may not receive a reset signal and the Reactor Building chillers, Turbine Building chillers and the Drywell cooling equipment may not receive a trip signal.

Without the reset of the ESW pump timers and without the trip of the Reactor Building and Turbine Building chillers, the OPERABLE offsite circuit may not be capable of accepting starts of the ESW pumps concurrently with CS or LPCI pumps. For this situation, both the OPERABLE offsite circuit and the DG, that would not be capable of starting, should be declared inoperable.

Actions required by LCO 3.8.1 "AC Sources Operating" or LCO 3.8.2 "AC Sources Shutdown" should be taken or disable the affected reactor building/turbine building chillers and disable the affected ESW pumps automatic initiation capability and take the ACTIONS required by LCO 3.7.2 "ESW System".

For the Drywell cooling equipment trip, inoperability of this feature would require that the associated drywell cooling fans be declared inoperable in accordance with LCO 3.6.3.2 "Drywell Air Flow System".

With two offsite sources OPERABLE and one Function 1.a, 1.b, 1.c, 2.a, or 2.b inoperable and untripped, sufficient ECCS equipment is available to meet the design basis accident analysis.

(continued)

SUSQUEHANNA - UNIT 1 3.3-121

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS 8.1, 8.2, and 8.3 (continued)

(continued)

For (b), (c) and (d) above, for each Division, since each inoperable channel would have Required Action 8.1 applied separately (refer to ACTIONS Note),

each inoperable channel would only require the affected portion of the associated system of low pressure ECCS, DGs, and associated features to be declared inoperable.* However, since channels in both Divisions are inoperable and untripped, and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in the associated low pressure ECCS and DGs being concurrently declared inoperable.

For Required Action 8.2, redundant automatic initiation capability is lost if two Function 3.a or two Function 3.b channels are inoperable and untripped in the same trip system. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action 8.3 is not appropriate and the feature(s) associated with the inoperable, untripped channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Notes are also provided (the Note to Required Action 8.1 and the Note to Required Action 8.2) to delineate which Required Action is applicable for each Function that requires entry into Condition B if an associated channel is inoperable. This ensures that the proper loss of initiation capability check is performed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action 8.1, the Completion Time only begins upon discovery that a redundant feature in both Divisions (e.g., both CS subsystems) cannot be automatically initiated due to inoperable, untripped channels within the same Function as described in the paragraph above.

For Required Action 8.2, the Completion Time only begins upon discovery that the HPCI System cannot be automatically initiated due to two inoperable, untripped channels for the associated Function in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

(continued)

SUSQUEHANNA - UNIT 1 3.3-122

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS B.1, 8.2, and B.3 (continued)

(continued)

Because of the diversity of sensors available to provide initiation signals artd the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable. cha_nnel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action 8.3. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition G must be entered and its Required Action taken.

C.1 and C.2 Required Action C.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within the same Function result in redundant automatic initiation capability being lost for the feature(s). Required Action C.1 features would be those that are initiated by Functions 1.d, 2.d, ar:id 2.e (i.e., low pressure ECCS). Redundant automatic initiation capability is lost if either (a) two or more Function 1.d channels are inoperable such that the trip system loses initiation capability, (b) two or more Function 2.d channels are inoperable in the same trip system such that the trip system loses initiation capability, or (c) two or more Function 2.e channels are inoperable affecting LPCI pumps in different subsystems. In this situation (loss of redundant automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action C.2 is not appropriate and the feature(s) associated with the inoperable channels must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Since each inoperable channel would have Required Action C.1 applied separately (refer to ACTIONS Note), each inoperable channel would only require the affected portion of the associated system to be declared inoperable. However, since channels for both low pressure ECCS subsystems are inoperable (e.g., both CS subsystems), and the Completion Times started concurrently for the channels in both subsystems, this results in the affected portions in both subsystems being concurrently declared inoperable. For Functions 1.d, 2.d, and 2.e, the affected portions are the associated low pressure ECCS pumps.

(continued)

SUSQUEHANNA - UNIT 1 3.3-123

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS C.1 and C.2 (continued)

(continued) The Note states that Required Action C.1 is only applicable for Functions 1.d, 2.d, and 2.e. Required Action C.1 is not applicable to Functions 1.e, 2.f, and 3.e (which also require entry into this Condition if a channel in these Functions is inoperable),

since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action C.2) is allowed. Required Action C.1 is also not

. applicable to Function 3.c (which also requires entry into this Condition if a channel in this Function is inoperable), since the loss of one channel results in a loss of the Function (two-out-of-two logic). This loss was considered during the development of Reference 3 and considered acceptable for the 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowed by Required Action C.2.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action C.1, the Completion Time only begins upon discovery that the same feature in both subsystems (e.g., both CS subsystems) cannot be automatically initiated due to inoperable channels within the same Function as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition G must be entered and its Required Action taken. The Requir~d Actions do not allow placing the channel in trip since this action would either cause the initiation or it would not necessarily result in a safe state for the channel in all events.

(continued)

SUSQUEHANNA - UNIT 1 3.3-124 .

Rev. 5 EGGS Instrumentation B 3.3.5.1 BASES ACTIONS 0.1, 0.2.1, and 0.2.2 (continued)

Required Action 0.1- is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic component initiation capability for the HPCI System. Automatic component initiation capability is lost if two Function 3.d channels are inoperable and untripped. In this situation (loss of automatic suction swap), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions 0.2.1 and 0.2.2 is not appropriate and the HPCI System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of HPCI initiation capability. A Note identifies that Required Action 0.1 is only applicable if the HPCI pump suction is not aligned to the suppression pool, since, if aligned, the Function is already performed. This allows the HPCI pump suction to be realigned to the Suppression Pool within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , if desired.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action 0.1, the Completion Time only begins upon discovery that the HPCI System cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels. Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of seivice time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action 0.2.1 or the suction source must be aligned to the suppression pool per Required Action 0.2.2.

Placing the inoperable channel in trip performs the intended function of the channel (shifting the suction source to the suppression pool). Performance of either *of these two Required Actions will allow operation to continue. If it is not desired to perform Required Actions 0.2.1 and D.2.2, Condition G must be entered and its Required Action taken.

(continued)

SUSQUEHANNA - UNIT 1 3.3-125

Rev.5 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2

(continued)

Required Action E.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within similar ADS trip system A and B Functions result in redundant automatic initiation capability being lost for the ADS. Redundant automatic initiation capability is lost if either (a) one Function 4.a channel and one Function 5.a channel are inoperable and untripped, (b) one Function 4.b channel and one Function 5.b channel are inoperable and untripped, or (c) one Function 4.d channel and one Function 5.d channel are inoperable and untripped.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action E.2 is not appropriate and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action E.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable, untripped channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE. If either HPCI or RCIC is inoperable, the time is shortened to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable, untripped channel cannot exceed 8 days. If the _status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable, untripped channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action E.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow (continued)

SUSQUEHANNA - UNIT 1 3.3-126

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS E.1 and E.2 (continued)

(continued) operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition G must be entered and its Required Action taken.

F.1 and F.2 Required Action F.1 is intended to ensure that appropriate actions are taken if multiple, inoperable channels within similar ADS trip system Functions result in automatic initiation capability being lost for the ADS. Automatic initiation capability is lost if either (a) one Function 4.c channel and one Function 5.c channel are inoperable, (b) a combination of Function 4.e, 4.f, 5.e, and 5.f channels are inoperable such that both ADS trip systems lose initiation capability, or (c) one or more Function 4.g channels and one or more Function 5.g channels are inoperable.

In this situation (loss of automatic initiation capability), the 96 hour0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 day allowance, as applicable, of Required Action F.2 is not appropriate, and all ADS valves must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of ADS initiation capability. The Note to Required Action F.1 states that Required Action F.1 is only applicable for Functions 4.c, 4.e, 4.f, 4.g, 5.c, 5.e, 5.f, and 5.g. Required Action F.1 is not applicable to Functions 4.h and 5.h (which also require entry into this Condition if a channel in these Functions is inoperable), since they are the Manual Initiation Functions and are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months or 8 days (as allowed by Required Action F.2) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action F.1, the Completion Time only begins upon discovery that the ADS cannot be automatically initiated due to inoperable channels within similar ADS trip system Functions as described in the paragraph above. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

(continued)

SUSQUEHANNA - UNIT 1 3.3-127

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES ACTIONS F.1 and F.2 (continued)

(continued)

Because of the diversity of sensors available to provide initiation signals and the redundancy of the ECCS design, an allowable out of service time of 8 days has been shown to be acceptable (Ref. 3) to permit restoration of any inoperable channel to OPERABLE status if both HPCI and RCIC are OPERABLE (Required Action F.2). If either HPCI or RCIC is inoperable, the time shortens to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . If the status of HPCI or RCIC changes such that the Completion Time changes from 8 days to 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months , the 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months begins upon discovery of HPCI or RCIC inoperability. However, the total time for an inoperable channel cannot exceed 8 days. If the status of HPCI or RCIC changes such that the Completion Time changes from 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months to 8 days, the "time zero" for beginning the 8 day "clock" begins upon discovery of the inoperable channel. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, Condition G must be entered and its Required Action taken. The Required Actions do not allow placing the channel in trip since this action would not necessarily result in a safe state for the channel in all events.

With any Required Action and associated Completion Time not met, the associated supported feature(s) may be incapable of performing the intended function, and those associated with inoperable untripped channels must be declared inoperable immediately.

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each ECCS REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillance§i, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months as follows: (a) for Function 3.c and 3.f; and (b) for Functions other than 3.c and 3.f provided the associated Function or redundant Function maintains ECCS initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 3) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the ECCS will initiate when necessary.

(continued)

SUSQUEHANNA - UNIT 1 3.3-128

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE In addition, for Functions 1.a, 1.b, 1.c, 2.a and 2.b, the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance is REQUIREMENTS acceptable provided both offsite sources are OPERABLE.

(continued)

SR 3.3.5.1.1 Performance of the CHANNEL CHECK once every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected channel failure is limited to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.3-129

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES SURVEILLANCE SR 3.3.5.1.2 (continued)

REQUIREMENTS (continued) This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary

because the design of instrumentation does not.facilitate* functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 5) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.5.1.5.

This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

SR 3.3.5.1.3 and SR 3.3.5.1.4 A CHANNEL CALIBRATION is a complete check that verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.1, LCO 3.5.2, LCO 3.8.1, and LCO 3.8.2 overlaps this Surveillance to complete testing of the assumed safety function.

The LOGIC SYSTEM FUNCTIONAL TEST tests the operation of the initiation logic up to but not including the first contact which is unique to an individually supported feature such as the starting of a DG.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.3-130

Rev. 5 ECCS Instrumentation B 3.3.5.1 BASES REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15.

3. NEDC-30936-P-A, "BWR Owners' Group Technical Specification Improvement Analyses for ECCS Actuation Instrumentation, Part 2,"

December 1988.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193).

5. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA - UNIT 1 3.3-131

Rev.2 RPV Water Inventory Control Instrumentation B 3.3.5.2 B 3.3 INSTRUMENTATION B 3.3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control Instrumentation BASES BACKGROUND The RPV contains penetrations below the top of the active fuel (TAF) that have the potential to drain the reactor coolant inventory to below the TAF.

If the water level should drop below the TAF, the ability to remove decay heat is reduced, which could lead to elevated cladding temperatures and clad perforation. Safety Limit 2.1.1.3 requires the RPV water level to be above the top of the active irradiated fuel at all times to prevent such elevated cladding temperatures.

Technical Specifications are required by 10 CFR 50.36 to include limiting safety system settings (LSSS) for variables that have significant safety functions. LSSS are defined by the regulation as 11Where a LSSS is specified for a variable on which a safety limit has been placed, the setting must be chosen so that automatic protective actions will correct the abnormal situation before a Safety Limit (SL) is exceeded. 11 The Analytical Limit is the limit of the process variable at which a safety action is initiated to ensure that a SL is not exceeded. Any automatic protection action that occurs on reaching the Analytical Limit therefore ensures that the SL is not exceeded. However, in practice, the actual settings for automatic protection channels must be chosen to be more conservative than the Analytical Limit to account for instrument loop uncertainties related to the setting at which the automatic protective action would actually occur. The actual settings for the automatic isolation channels are the same as those established for the same functions in MODES 1, 2, and 3 in LCO 3.3.5.1, 11 Emergency Core Cooling System (ECCS)

Instrumentation," or LCO 3.3.6.1, "Primary Containment Isolation Instrumentation".

With the unit in MODE 4 or 5, RPV water inventory control is not required to mitigate any events or accidents evaluated in the safety analyses.

RPV water inventory control is required in MODES 4 and 5 to protect Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of radioactive material should a draining event occur. Under the definition of ORAi N Tl ME, some penetration flow paths may be excluded from the DRAIN TIME calculation if they will be isolated by valves that will close automatically without offsite power prior to the RPV water level being equal to the TAF when actuated by RPV water Ieve I isolation instrumentation.

(continued)

SUSQUEHANNA - UNIT 1 3.3-132

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES BACKGROUND The purpose of the RPV Water Inventory Control Instrumentation is to (continued) support the requirements of LCO 3.5.2, "Reactor Pressure Vessel (RPV)

Water Inventory Control," and the definition of DRAIN TIME. There are functions that are required for manual initiation or operation of the ECCS injection/spray subsystem required to be OPERABLE by LCO 3.5.2 and other functions that support automatic isolation of Residual Heat Removal subsystem and Reactor Water Cleanup system penetration flow path(s) on low RPV water level.

The RPV Water Inventory Control Instrumentation supports operation of core spray (CS) and low pressure coolant injection (LPCI). The equipment involved with each of these systems is described in the Bases for LCO 3.5.2.

APPLICABLE With the unit in MODE 4 or 5, RPV water inventory control is not required SAFETY to mitigate any events or accidents evaluated in the safety analyses.

ANALYSES, LCO, RPV water inventory control is required in MODES 4 and 5 to protect and Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of APPLICABILITY radioactive material should a draining event occur.

A double-ended guillotine break of the Reactor Coolant System (RCS) is not postulated in MODES 4 and 5 due to the reduced RCS pressure, reduced piping stresses, and ductile piping systems. Instead, an event is postulated in which a single operator error or initiating event allows draining of the RPV water inventory through a single penetration flow path with the highest flow rate, or the sum of the drain rates through multiple penetration flow paths susceptible to a common mode failure (e.g., seismic event, loss of normal power, single human error). It is assumed, based on engineering judgment, that while in MODES 4 and 5, one low pressure ECCS injection/spray subsystem can be manually initiated to maintain adequate reactor vessel water level.

As discussed in References 1, 2, 3, 4, and 5, operating experience has shown RPV water inventory to be significant to public health and safety.

Therefore, RPV Water Inventory Control satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

Permissive and interlock setpoints are generally considered as nominal values without regard to measurement accuracy.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

(continued)

SUSQUEHANNA - UNIT 1 3.3-133

Rev. 2 RPV Water Inventory. Control Instrumentation B 3.3.5.2 BASES APPLICABLE Core Spray and Low Pressure Coolant Injection Systems SAFETY 1.a. 2.a. Reactor Steam Dome Pressure - Low {Injection Permissive)

ANALYSES, LCO, and Low reactor steam dome pressure signals are used as permissives for APPLICABILITY the low pressure ECCS injection/spray subsystem manual injection (continued) functions. This function ensures that, prior to opening the injection valves of the low pressure ECCS subsystems, the reactor pressure has fallen to a value below these subsystems' maximum design pressure. While it is assured during MODES 4 and 5 that the reactor steam dome pressure will be below the ECCS maximum design pressure, the Reactor Steam Dome Pressure .: Low signals are assumed to be OPERABLE and capable of permitting initiation of the ECCS.

The Reactor Steam Dome Pressure - Low signals are initiated from four pressure transmitters that sense the reactor dome pressure. The transmitters are connected to four trip units. The outputs of the trip units are connected to relays \l\.lhose contacts are arranged in a one-out-of-two taken twice logic.

The Allowable Value is low enough to prevent overpressuring the equipment in the low pressure ECCS.

The four channels of Reactor Steam Dome Pressure -:- Low Function are required to be OPERABLE in MODES 4 and 5 when ECCS manual initiation is required to be OPERABLE by LCO 3.5.2.

1.b. 2.b. Manual Initiation The Manual Initiation push button channels introduce signals into the appropriate ECCS logic to provide manual initiation capability. There is one push button for each of the CS and LPCI subsystems (i.e., two for CS and two for LPCI).

There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

A channel of the Manual Initiation Function (one channel per subsystem) is required to be OPERABLE in MODES 4 and 5 when the associated ECCS subsystems are required to be OPERABLE per LCO 3.5.2.

(continued)

SUSQUEHANNA - UNIT 1 3.3-134

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE RHR System Isolation SAFETY 3.a - Reactor Vessel Water Level - Low, Level 3 ANALYSES, LCO, and APPLICABILITY The definition of DRAIN TIME allows crediting the closing of penetration (continued) flow paths that are capable of being isolated by valves that will close automatically without offsite power prior to the RPV water level being equal to the TAF when actuated by RPV water level isolation instrumentation. The Reactor Vessel Water Level - Low, Level 3 Functior associated with RHR System isolation may be credited for automatic isolation of penetration flow paths associated with the RHR System.

Reactor Vessel Water Level - Low, Level 3 signals are initiated from four level transmitters that sense the difference between the pressure due to c constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. While four channels (two channels per trip system) of the Reactor Vessel Water Level - Low, Level 3 Function are available, only two channels (all in the same trip system) are required to be OPERABLE.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the Primary Containment Isolation Instrumentation Reactor Vessel Water Level - Low, Level 3 Allowable Value (LCO 3.3.6.1), since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level - Low, Level 3 Function is only required to be OPERABLE when automatic isolation of the associated penetration flow path is credited in calculating DRAIN TIME.

Reactor Water Cleanup (RWCU) System Isolation 4.a - Reactor Vessel Water level - Low Low, Level 2 The definition of DRAIN TIME allows crediting the closing of penetration flow paths that are capable of being isolated by valves that will close automatically without offsite power prior to the RPV water level being equal to the TAF when actuated by RPV water level isolation instrumentation. The Reactor Vessel Water Level - Low Low, Level 2 Function associated with RWCU System isolation may be credited for automatic isolation of penetration flow paths associated with the RWCU System.

(continued)

SUSQUEHANNA - UNIT 1 3.3-135

Rev.2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES APPLICABLE Reactor Water Cleanup (RWCU) System Isolation SAFETY 4.a - Reactor Vessel Water level - Low Low, Level 2 (continued)

ANALYSES, LCO, and Reactor Vessel Water Level - Low Low, Level 2 signals are initiated from APPLICABILITY four level transmitters that sense the difference between the pressure due (continued) to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. While four channels (two channels per trip system) of the Reactor Vessel Water Level - Low Low, Level 2 Function are available, only two channels (all in the same trip system) are required to be OPERABLE.

The Reactor Vessel Water Level - Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level - Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level - Low Low, Level 2 Function is only required to be OPERABLE when automatic isolation of the associated penetration flow path is credited in calculating DRAIN TIME.

ACTIONS A Note has been provided to modify the ACTIONS related to RPV Water Inventory Control instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed .in the Condition discovered to be inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RPV Water Inventory Control instrumentation channels provide appropriate compensatory measures for separate inoperable Condition entry for each inoperable RPV Water Inventory Control instrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.2-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

(continued)

SUSQUEHANNA - UNIT 1 3.3-136

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES ACTIONS (continued) B.1 and B.2 RHR System Isolation, Reactor Vessel Water Level - Low Level 3, and Reactor Water Cleanup System, Reactor Vessel Water Level - Low Low, Level 2 functions are applicable when automatic isolation of the associated penetration flow path is credited in calculating DRAIN TIME. If the instrumentation is inoperable, Required Action B.1 directs an immediate declaration that the associated penetration flow path(s) are incapable of automatic isolation. Required Action B.2 directs calculation of DRAIN TIME. The calculation cannot credit automatic isolation of the affected penetration flow paths.

Low reactor steam dome pressure signals are used as permissives for the low pressure ECCS injection/spray subsystem manual injection functions. If the permissive is inoperable, manual initiation of ECCS is prohibited. Therefore, the permissive must be placed in the trip condition within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . With the permissive in the trip condition, manual initiation may be performed. Prior to placing the permissive in the tripped condition, the operator can take manual control of the pump and the injection valve to inject water into the RPV.

The Completion Time of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months is intended to allow the operator time to evaluate any discovered inoperabilities and to place the channel in trip.

If a manual initiation function is inoperable, the ECCS subsystem pumps can be started manually and the valves can be opened manually, but this is not the preferred condition.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time was chosen to allow time for the operator to evaluate and repair any discovered inoperabilities. The Completion Time is appropriate given th~ ability to manually start the ECCS pumps and open the injection valves.

E.1 With the Required Action and associated Completion Time of Condition C or D not met, the associated low pressure ECCS injection/spray subsystem may be incapable of performing the intended function, and must be declared inoperable immediately.

(continued)

SUSQUEHANNA - UNIT 1 3.3-137

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES SURVEILLANCE As rioted in the beginning of the SRs, the SRs for each RPV Water REQUIREMENTS Inventory Control instrument Function are found in the SRs column of Table 3.3.5.2-1.

SR 3.3.5.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK guarantees that undetected outright channel failure is limited; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL FUNCTIONAL TEST.

Agreement criteria are determined by the plant staff, based on a combination of the channel instrument uncertainties, including indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

The CHANNEL CHECK supplements less formal, but more frequent, checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.2.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

Performance of such a test could result in a plant transient or place the plant in an undue risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.5.2.3. This is (continued)

SUSQUEHANNA - UNIT 1 3.3-138

Rev. 2 RPV Water Inventory Control Instrumentation B 3.3.5.2 BASES SURVEILLANCE SR 3.3.5.2.2 (Continued)

REQUIREMENTS (continued) acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

Any setpoint adjustment shall be consistent with the assumptions of the current plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.2.3 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.2 overlaps this Surveillance to complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. Information Notice 84-81 "Inadvertent Reduction in Primary Coolant Inventory in Boiling Water Reactors During Shutdown and Startup,"

November 1984.

2. Information Notice 86-74, "Reduction of Reactor Coolant Inventory Because of Misalignment of RHR Valves," August 1986.

3. Generic Letter 92-04, "Resolution of the Issues Related to Reactor Vessel Water Level Instrumentation in BWRs Pursuant to 10 CFR 50.54(F), "August 1992.

4. NRC Bulletin 93-03, "Resolution of Issues Related to Reactor Vessel Water Level Instrumentation in BWRs," May 1993.

5. Information Notice 94-52, "Inadvertent Containment Spray and Reactor Vessel Draindown at Millstone 1," July 1994.

SUSQUEHANNA - UNIT 1 3.3-139

Rev.a RCIC System Instrumentation 83.3.5.3 B 3.3 INSTRUMENTATION B 3.3.5.3 Reactor Core Isolation Cooling (RCIC) System Instrumentation BASES BACKGROUND The purpose of the RCIC System instrumentation is to initiate actions to ensure adequate core cooling when the reactor vessel is isolated from its primary heat sink (the main condenser) and normal coolant makeup flow from the Reactor Feedwater System is unavailable, such that initiation of the low pressure Emergency Core Cooling Systems (ECCS) pumps does not occur.

A more complete discussion of RCIC System operation is provided in the Bases of LCO 3.5.3, "RCIC System."

The RCIC System may be initiated by either automatic or manual means.

Automatic initiation occurs for conditions of reactor vessel Low Low water level. The variable is monitored by four instruments. The outputs of the trip units are connected to relays whose contacts are arranged in a one-out-of-two taken twice logic arrangement. Once initiated, the RCIC logic seals in and can be reset by the operator only when the reactor vessel water level signals have cleared.

The RCIC test line isolation valve is closed on a RCIC initiation signal to allow full system flow and maintain primary containment isolated in the event RCIC is not operating.

The RCIC System also monitors the water levels in the condensate storage tank (CST) which is the normal suction source of reactor grade water for RCIC. Upon receipt of a RCIC initiation signal, the CST suction valve is automatically signaled to open (it is normally in the open position) unless the pump suction from the suppression pool valve is open. If the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. Two level switches are used to detect low water level in the CST.

Either switch can cause the suppression pool suction valve to open and the CST suction valve to close.

The RCIC System provides makeup water to the reactor until the reactor vessel water level reaches the high water level (Level 8) trip (two-out-of-two logic), at which time the RCIC steam supply and cooling water supply valves close (the injection valve also closes due to the closure of the steam supply valves). The RCIC System restarts if vessel level again drops to the low level initiation point (Level 2).

(continued)

SUSQUEHANNA - UNIT 1 3.3-140

Rev. O RCIC System Instrumentation

BASES APPLICABLE SAFETY B 3.3.5.3 The function of the RCIC System to provide makeup coolant to the reactor is used to respond to transient events. The RCIC System is not an Engineered ANALYSES, Safety Feature System and no credit is taken in the safety analyses for RCIC LCO, and System operation. Based on its contribution to the reduction of overall plant APPLICABILITY risk, however, the system, and therefore its instrumentation, are included in the Technical Specifications as required by the NRG Policy Statement (Ref. 2). Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the RCIC System instrumentation is dependent upon the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.5.3-1. Each Function must have a required number of OPERABLE channels with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each RCIC System instrumentation Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Each Allowable Value specified accounts for instrument uncertainties appropriate to the Function. These uncertainties are described in the setpoint methodology.

An exception to the methodology described to derive the Allowable Value is the methodology used to determine the Allowable Value for the Condensate Storage Tank Low Level. This Allowable Value is based on a system calculation and engineering judgement which establishes a conservative limit at which the Function should occur.

The individual Functions are required to be OPERABLE in MODE 1, and in MODES 2 and 3 with reactor steam dome pressure > 150 psig since this is when RCIC is required to be OPERABLE. (Refer to LCO 3.5.3 for Applicability Bases for the RCIC System).

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis .

SUSQUEHANNA - UNIT 1 3.3-141 (continued)

Rev.a RCIC System Instrumentation B 3.3.5.3 BASES APPLICABLE 1. Reactor Vessel Water Level-Low Low, Level 2 SAFETY ANALYSES, Low reactor pressure vessel (RPV) water level indicates that normal LCO, and feedwater flow is insufficient to maintain reactor vessel water level and that APPLICABILITY the capability to cool the fuel may be threatened. Should RPV water level (continued) decrease too far, fuel damage could result. Therefore, the RCIC System is initiated at Level 2 to assist in maintaining water level above the top of the active fuel.

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value is set high enough such that for complete loss of feedwater flow, the RCIC System flow with high pressure coolant injection assumed to fail will be sufficient to avoid initiation of low pressure ECCS at Level 1.

Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE when RCIC is required to be OPERABLE to ensure that no single instrument failure can preclude RCIC initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

2. Reactor Vessel Water Level-High, Level 8 High RPV water level indicates that sufficient cooling water inventory exists in the reactor vessel such that there is no danger to the fuel. Therefore, the Level 8 signal is used to close the RCIC steam supply and cooling water supply valves to prevent overflow into the main steam lines (MSLs). (The injection valve also closes due to the closure of the steam supply valve).

Reactor Vessel Water Level-High, Level 8 signals for RCIC are initiated from two level instruments, which sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel.

The Reactor Vessel Water Level-High, Level 8 Allowable Value is high enough to preclude isolating the injection valve of the RCIC during normal operation, yet low enough to trip the RCIC System prior to water overflowing into the MSLs.

(continued)

SUSQUEHANNA - UNIT 1 3.3-142

Rev. O RCIC Syste!T) Instrumentation B 3.3.5.3 BASES APPLICABLE 2. Reactor Vessel Water Level-High, Level 8 (continued)

SAFETY ANALYSES, --- Two channels of Reactor Vessel Water Level-High, Level 8 Function are LCO, and available and are required to be OPERABLE when RCIC is required to be APPLICABILITY OPERABLE to ensure that no single instrument failure can preclude RCIC (continued) initiation. Refer to LCO 3.5.3 for RCIC Applicability Bases.

3. Condensate Storage Tank Level-Low The Condensate Storage Tank-Low signal indicates that a conservatively calculated NPSH-available limit is being approached. Normally, the suction valve between the RCIC pump and the CST is open and, upon receiving a RCIC initiation signal, water for RCIC injection would be taken from the CST.

However, if the water level in the CST falls below a preselected level, first the suppression pool suction valve automatically opens, and then the CST suction valve automatically closes. This ensures that an adequate suction head for the pump and an uninterrupted supply of makeup water is available to the RCIC pump. This logic also has a manual override function initiated by manual closure of the suppression pool suction valve should it be desired to realign the suction to the remaining reserve volume in the CST. To prevent losing suction to the pump, the suction valves are interlocked so that the suppression pool suction valves must be open before the CST suction valve automatically closes.

Two level switches are used to detect low water level in the CST. The Condensate Storage Tank Level-Low Function Allowable Value is set high enough to ensure adequate pump suction head while water is being taken from the CST.

Two channels of Condensate Storage Tank Level-Low Function are available and are required to be OPERABLE when RCIC is require_d to be OPERABLE to ensure that no single instrument failure can preclude RCIC swap to suppression pool source. Refer to LCO 3.5.3 for RCIC Applicability Bases.

(continued)

SUSQUEHANNA - UNIT 1 3.3-143

Rev. O RCIC System Instrumentation

BASES APPLICABLE SAFETY

4. Manual Initiation B 3.3.5.3 ANALYSES, The.Manual Initiation push button switch introduces a signal into the RCIC LCO, and System initiation logic that is redundant to the automatic protective APPLICABILITY instrumentation and provides manual initiation capability. There is one push (continued) button for the RCIC System resulting in a single channel trip Function.

The Manual Initiation Function is not assumed in any accident or transient analyses in the FSAR. However, the Function is retained for overall redundancy and diversity of the RCIC function as required by the NRC in the plant licensing basis.

There is no Allowable Value for this Function since the channel is mechanically actuated based solely on the position of the push button. One channel of Manual Initiation is required to be OPERABLE when RCIC is required to be OPERABLE.

ACTIONS A Note has been provided to modify the ACTIONS related to RCIC System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be

. inoperable or not within limits will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable RCIC System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable RCIC System !nstrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.3.5.3-1. The applicable Condition referenced in the Table is Function dependent. Each time a channel is discovered to be inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition .

SUSQUEHANNA - UNIT 1 3.3-144 (continued)

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS 8.1 and B.2 (continued)

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic initiation capability for the RCIC System. In this case, automatic initiation capability is lost if two Function 1 channels in the same trip system are inoperable and untripped. In this situation (loss of automatic initiation capability), the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Action 8.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after discovery of loss of RCIC initiation capability.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action B.1, the Completion Time only begins upon discovery that the RCIC System cannot be automatically initiated due to two inoperable, untripped Reactor Vessel Water Level-Low Low, Level 2 channels in the same trip system. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action 8.2. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an initiation), Condition E must be entered and its Required Action taken.

A risk based analysis was performed and determined that an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Ref. 1) is acceptable to permit restoration of any inoperable channel to OPERABLE status (Required Action C.1). A Required Action (similar to Required Action B.1) limiting the allowable out of service time, if a loss of automatic RCIC initiation capability exists, is not required.

This Condition applies to the Reactor Vessel Water Level-High, Level 8 Function whose logic is arranged such that any inoperable channel will result (continued)

SUSQUEHANNA - UNIT 1 3.3-145

Rev.a RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS C.1 (continued)

(continued) in a loss of automatic RCIC trip protection capability. As stated above, this loss of automatic RCIC trip protection capability was analyzed and determined to be acceptable. This Condition also applies to the Manual Initiation Function. Since this Function is not assumed in any accident or transient analysis, a total loss of manual initiation capability (Required Action C.1) for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is allowed. The Required Action does not allow placing a channel in trip since this action would not necessarily result in a safe state for the channel in all events.

D.1, D.2.1, and D.2.2 Required Action D.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in automatic component initiation capability being lost for the feature(s). For Required Action D.1, the RCIC System is the only associated feature. In this case, automatic initiation capability is lost if two Function 3 channels are inoperable and untripped. In this situation (loss of automatic suction swap),

the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months allowance of Required Actions D.2.1 and D.2.2 is not appropriate, and the RCIC System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months from discovery of loss of RCIC initiation capability. A note identifies that required Action D.1 is only applicable if the RCIC pump suction is not aligned to the suppression pool since, if aligned, the Function is already performed. This allows the RCIC pump suction to be realigned to the suppression pool within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , if desired.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." For Required Action D.1, the Completion Time only begins upon discovery that the RCIC System .cannot be automatically aligned to the suppression pool due to two inoperable, untripped channels in the same Function. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time from discovery of loss of initiation capability is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Because of the redundancy of sensors available to provide initiation signals and the fact that the RCIC System is not assumed in any accident or transient analysis, an allowable out of service time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months has been shown to be acceptable (Ref. 1) to permit restoration of any inoperable channel to OPERABLE status. If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action D.2.1, which performs (continued)

SUSQUEHANNA - UNIT 1 3.3-146

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES ACTIONS D.1, D.2.1, and D.2.2 (continued)

(continued) the intended function of the channel (shifting the suction source to the suppression pool). Alternatively, Required Action D.2.2 allows the manual alignment of the RCIC suction to the suppression pool, which also performs the intended function. If it is not desired to perform Required Actions D.2.1 and D.2.2, Condition E must be entered and its Required Action taken.

With any Required Action and associated Completion Time not met, the RCIC System may be incapable of performing the intended function, and the RCIC System must be declared inoperable immediately.

SURVEILLANCE As noted in the beginning of the SRs, the SRs for each RCIC System REQUIREMENTS instrumentation Function are found in the SRs column of Table 3.3.5.3-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed as follows: (a) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Function 2 and 4; and (b) for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months for Functions other than Function 2 and 4, provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Ref. 1) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the RCIC will initiate when necessary.

SR 3.3.5.3.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a parameter on other similar channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

(continued)

SUSQUEHANNA - UNIT 1 3.3-147

Rev. 0 RCIC System Instrumentation 8 3.3.5.3 BASES SURVEILLANCE SR 3.3.5.3.1 (continued)

REQUIREMENTS (continued) . Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.5.3.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 3) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNC1IONAL TEST, SR 3.3.5.3.5. This is acceptable because operating experience shows that the contacts not tested

during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

(continued)

SUSQUEHANNA - UNIT 1 3.3-148

Rev. O RCIC System Instrumentation B 3.3.5.3 BASES SURVEILLANCE SR 3.3.5.3.3 and SR 3.3.5.3.4 REQUIREMENTS (continued) ' A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.5.3.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.5.3 overlaps this Surveillance to provide complete testing of the safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. NEDE-770-06-2, "Addendum to Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 32193).

3. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

SUSQUEHANNA - UNIT 1 3.3-149

Rev. 9 Primary Containment Isolation Instrumentation

B 3.3 B 3.3.6.1 INSTRUMENTATION Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND The primary containment isolation instrumentation automatically initiates closure of appropriate primary containment isolation valves (PCIVs). The function of the PC IVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs). Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures .

that the release of radioactive material to the environment will be consistent with the assumptions used in the analyses for a OBA.

The isolation instrumentation includes the sensors, relays, and instruments that are necessary to cause initiation of primary containment and reactor coolant pressure boundary (RCPB) isolation. When the setpoint is reached, the sensor actuates, which then outputs an isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters. The input parameters to the isolation logics are (a) reactor vessel water level, (b) area ambient and emergency cooler temperatures, (c) main steam line (MSL) flow measurement, (d) Standby Liquid Control (SLC) System initiation, (e) condenser vacuum, (f) main steam line pressure, (g) high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) steam line Li pressure, (h) SGTS Exhaust radiation, (i) HPCI and RCIC steam line pressure, G) HPCI and RCIC turbine exhaust diaphragm pressure, (k) reactor water cleanup (RWCU) differential flow and high flow, (I) reactor steam dome pressure, and (m) drywell pressure.

Redundant sensor input signals from each parameter are provided for initiation of isolation. The only exception is SLC System initiation. In addition, manual isolation of the logics is provided.

Primary containment isolation instrumentation has inputs to the trip logic of the isolation functions listed below.

1. Main Steam Line Isolation Most MSL Isolation Functions receive inputs from four channels. The outputs from these channels are combined in a one-out-of-two taken twice logic to initiate isolation of all main steam isolation valves (MS IVs). The outputs from the same channels are arranged into two two-out-of-two logic trip systems to isolate all MSL drain valves. The MSL drain line has two isolation valves with one two-out-of-two logic system associated with each valve .

SUSQUEHANNA - UNIT 1 3.3-150 (continued)

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 1. Main Steam Line Isolation (continued)

(continued)

The exceptions to this arrangement are the Main Steam Line Flow-High Function. The Main Steam Line Flow-High Function uses 16 flow channels, four for each steam line. One channel from each steam line inputs to one of the four trip strings. Two trip strings make up each trip system and both trip systems must trip to cause an MSL isolation. Each trip string has four inputs (one per MSL), any one of which will trip the trip string. The trip strings are arranged in a one-out-of-two taken twice logic.

This is effectively a one-out-of-eight taken twice logic arrangement to initiate isolation of the MSIVs. Similarly, the 16 flow channels are connected into two two-out-of-two logic trip systems (effectively, two one-out-of-four twice logic), with each trip system isolating one of the two MSL drain valves.

2. Primary Containment Isolation Most Primary Containment Isolation Functions receive inputs from four channels. The outputs from these channels are arranged into two two-out-of-two logic trip systems. One trip system initiates isolation of all inboard primary containment isolation valves, while the other trip system initiates isolation of all outboard primary containment isolation valves.

Each logic closes one of the two valves on each penetration, so that operation of either logic isolates the penetration.

The exceptions to this arrangement are as follows. Hydrogen and Oxygen Analyzers which isolate Division I Analyzer on a Division I isolation signal, and Division II Analyzer on a Division II isolation signal. This is to ensure monitoring capability is not lost. Chilled Water to recirculation pumps and Liquid Radwaste Collection System isolation valves where both inboard and outboard valves will isolate on either division providing the isolation signal. Traversing incore probe ball valves and the instrument gas to the drywell to suppression chamber vacuum breakers only have one isolation valve and receives a signal from only one division.

(continued)

SUSQUEHANNA - UNIT 1 3.3-151

Rev. 9 Primary Containment Isolation Instrumentation

BASES BACKGROUND (continued)

B 3.3.6.1 3., 4. High Pressure Coolant Injection System Isolation and Reactor Core Isolation Cooling System Isolation Most Functions that isolate HPCI and RCIC receive input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems in each isolation group is connected to one of the two valves on each associated penetration.

The exceptions are the HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High and Steam Supply Line Pressure-Low Functions. These Functions receive inputs from four turbine exhaust diaphragm pressure and four steam supply pressure channels for each system. The outputs from the turbine exhaust diaphragm pressure and steam supply pressure channels are each connected to two two-out-of-two trip systems. Each trip system isolates one valve per associated penetration.

5. Reactor Water Cleanup System Isolation The Reactor Vessel Water Level-Low Low, Level 2 Isolation Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected into two two-out-of-two trip systems. The Differential Flow-High, Flow-High, and

SLC System Initiation Functions receive input from two channels, with each channel in one trip system using a one-out-of-one logic. The temperature isolations are divided into three Functions. These Functions are Pump Area, Penetration Area, and Heat Exchanger Area. Each area is monitored by two temperature monitors, one for each trip system. These are configured so that any one input will trip the associated trip system.

Each of the two trip systems is connected to one of the two valves on each RWCU penetration.

6. Shutdown Cooling System Isolation The Reactor Vessel Water Level-Low, Level 3 Function receives input from four reactor vessel water level channels. The outputs from the reactor vessel water level channels are connected to two two-out-of-two trip systems. The Reactor Vessel Pressure-High Function receives input from two channels, with each channel in one trip system using a one-out-of-one logic. Each of the two trip systems is connected to one of the two valves on each shutdown cooling penetration .

SUSQUEHANNA - UNIT 1 3.3-152 (continued)

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES BACKGROUND 7. Traversing lncore Probe System Isolation (continued)

The Reactor Vessel Water Level-Low, Level 3 Isolation Function receives input from two reactor vessel water level channels. The Drywell Pressure-High Isolation Function receives input from two drywell pressure channels. The outputs from the reactor vessel water level channels and drywell pressure channels are connected into one two-out-of-two logic trip system.

When either Isolation Function actuates, the TIP drive mechanisms will withdraw the TIPs, if inserted, and close the inboard TIP System isolation ball valves when the proximity probe senses the TIPs are withdrawn into the shield. The TIP System isolation ball valves are only open when the TIP System is in use. The outboard TIP System isolation valves are manual shear valves.

APPLICABLE The isolation signals generated by the primary containment isolation SAFETY instrumentation are implicitly assumed in the safety analyses of ANALYSES, References 1 and 2 to initiate closure of valves to limit offsite doses.

LCO, and Refer to LCO 3.6.1.3, "Primary Containment Isolation Valves (PCIVs),"

APPLICABILITY Applicable Safety Analyses Bases for more detail of the safety analyses.

Primary containment isolation instrumentation satisfies Criterion 3 of the NRG Policy Statement. (Ref.. 8) Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the primary containment instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions specified in Table 3.3.6.1-1. Each Function must have a required number of OPERABLE channels, with their setpoints within the specified Allowable Values, where appropriate. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. Each channel must also respond within its assumed response time, where appropriate.

(continued)

SUSQUEHANNA - UNIT 1 3.3-153

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Allowable Values are specified for each Primary Containment Isolation SAFETY Function specified in the Table. Nominal trip setpoints are specified in the ANALYSES, setpoint calculations. The nominal setpoints are selected to ensure that LCO, and the setpoints do not exceed the Allowable Value between CHANNEL APPLICABILITY CALIBRATIONS. Operation with a trip setpoint less' conservative than the (continued) nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process* effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

In general, the individual Functions are required to be OPERABLE in MODES 1, 2, and 3 consistent with the Applicability for LCO 3.6.1.1, "Primary Containment." Functions that have different Applicabilities are discussed below in'the individual Functions discussion.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

The penetrations which are isolated by the below listed functions can be determined by referring to the PCIV Table found in the Bases of LCO 3.6.1.3, "Primary Containment Isolation Valves."

(continued)

SUSQUEHANNA - UNIT 1 3.3-154

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Main Steam Line Isolation SAFETY ANALYSES, 1.a. Reactor Vessel Water Level-Low Low Low, Level 1 LCO, and APPLICABILITY Low reactor pressure vessel (RPV) water level indicates that the capability (continued) to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of the MS IVs and other interfaces with the reactor vessel occurs to prevent offsite dose limits from being exceeded. The Reactor Vessel Water Level-Low Low Low, Level 1 Function is one of the many Functions assumed to be OPERABLE and capable of providing isolation signals. The Reactor Vessel Water Level-Low Low Low, Level 1 Function associated with isolation is assumed in the analysis of the recirculation line break (Ref. 1). The isolation of the MS Ls on Level 1 supports actions to ensure that offsite dose limits are not exceeded for a OBA.

Reactor vessel water level signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the MSLs isolate on a potential loss of coolant accident (LOCA) to prevent offsite and control room doses from exceeding regulatory limits.

1.b. Main Steam Line Pressure-Low Low MSL pressure indicates that there may be a problem with the turbine pressure regulation, which could result in a low reactor vessel water level condition and the RPV cooling down more than 100°F/hr if the pressure loss is allowed to continue. The Main Steam Line Pressure-Low Function is directly assumed in the analysis of the pressure regulator failure (Ref. 2).

For this event, the closure of the MS IVs ensures that the RPV temperature change limit (100°F/hr) is not reached. In addition, this Function supports actions to ensure that Safety Limit 2.1.1.1 is not exceeded. (This Function closes the MSIVs prior to pressure decreasing below 785 psig, which results in a scram due to MSIV closure, thus reducing reactor power to

< 23% RTP.)

(continued)

SUSQUEHANNA - UNIT 1 3.3-155

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.b. Main Steam Line Pressure-Low (continued)

SAFETY ANALYSES, The MSL low pressure signals are initiated from four instruments that are LCO, and connected to the MSL header. The instruments are arranged such that, APPLICABILITY even though physically separated from each other, each instrument is able (continued) to detect low MSL pressure. Four channels of Main Steam Line Pressure-Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Main Steam Line Pressure-Low trip will only occur after a 500 milli-second time delay to prevent any spurious isolations.

The Allowable Value was selected to be high enough to prevent excessive RPV depressurization. The Main Steam Line Pressure-Low Function is only required to be OPERABLE in MODE 1 since this is when the assumed transient can occur (Ref. 2).

1.c. Main Steam Line Flow-High Main Steam Line Flow-High* is provided to detect a break of the MSL and to initiate closure of the MS IVs .. If the steam were allowed to continue flowing out of the break, the reactor would depressurize artd the core *could uncover. If the RPV water level decreases too far, fuel damage could occur. Therefore, the isolation is initiated on high flow to prevent or minimize core damage. The Main Steam Line Flow-High Function is directly assumed in the analysis of the main steam line break (MSLB)

(Ref. 1). The isolation action, along with the scram function of the Reactor Protection System (RPS), ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46 and offsite and control room doses do not exceed regulatory limits.

The MSL flow signals are initiated from 16 instruments that are connected to the four MSLs. The instruments are arranged such that, even though physically separated from each other, all four connected to one MSL would be able to detect the high flow. Four channels of Main Stearn Line Flow-High Function for each unisolated MSL (two channels per trip system) are available and are required to be OPERABLE so that no single instrument failure will preclude detecting a break in any individual MSL.

(continued)

SUSQUEHANNA - UNIT 1 3.3-156

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.d. Condenser Vacuum-Low SAFETY ANALYSES, The Allowable Value is chosen to ensure that offsite dose limits are not LCO, and exceeded due to the break.

APPLICABILITY.

(continued) The Condenser Vacuum-Low Function is provided to prevent over pressurization of the main condenser in the event of a loss of the main condenser vacuum. Since the integrity of the condenser is an assumption in offsite dose calculations, the Condenser Vacuum-Low Function is assumed to be OPERABLE and capable of initiating closure of the MSIVs.

Th~ closure of the MS IVs is initiated to prevent the addition of steam that would lead to additional condenser pressurization and possible rupture of the diaphragm installed to protect the turbine exhausfhood, thereby preventing a potential radiation leakage path following an accident.

Condenser vacuum pressure signals are derived from four pressure instruments that sense the pressure in the condenser. Four channels of Condenser Vacuum-Low Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is chosen to prevent damage to the condenser due to pressurization, thereby ensuring its integrity for offsite dose analysis. As noted (footnote (a) to Table 3.3.6.1-1), the channels are not required to be OPERABLE in MODES 2 and 3 when all main turbine stop valves (TSVs) are closed, since the potential for condenser overpressurization is minimized. Switches are provided to manually bypass the channels when all TSVs are closed.

1.e. Reactor Building Main Steam Tunnel Temperature-High Reactor Building Main Steam Tunnel temperature is provided to detect a leak in the RCPB and provides diversity to the high flow instrumentation.

The isolation occurs when a very small leak has occurred. If the small leak is allowed to continue without isolation, offsite dose limits may be reached.

However, credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks, such as MSLBs.

Area temperature signals are initiated from thermocouples located in the area being monitored. Four channels of Reactor Building Main Steam Tunnel Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

SUSQUEHANNA - UNIT 1 3.3-157

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 1.e. Reactor Building Main Steam Tunnel Temperature-High (continued)

SAFETY ANALYSES, The reactor building main steam tunnel temperature trip will only occur LCO, and after a one second time delay.

APPLICABILITY (continued) The temperature monitoring Allowable Value is chosen to detect a leak equivalent to approximately 25 gpm of water.

1.f. Manual Initiation The Manual Initiation push button channels introduce signals into the MSL isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the is_olation function as required by the NRC in the plant licensing basis.

There are four push buttons for the logic, two manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the MSL isolation _automatic Functions are required to be OPERABLE.

Primary Containment Isolation 2.a. Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level-Low, Level 3 Function associated with isolation*is implicitly assumed in the_ FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

(continued)

SUSQUEHANNA - UNIT 1 3.3-158

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.a. Reactor Vessel Water Level - Low, Level 3 (continued)

SAFETY ANALYSES, Reactor Vessel Water Level-Low, Level 3 signals are initiated from level LCO, and instruments that sense the difference between the pressure due to a APPLICABILITY constant column of water (reference leg) and the pressure due to the (continued) actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1),

since isolation of these valves is not critical to orderly plant shutdown.

2.b. Reactor Vessel Water Level-Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 2 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Reactor Vessel Water Level-Low Low, Level 2 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

ReactorVessel Water Level-Low Low, Level 2 signals are initiated from level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclt_.1de the isolation function.

The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Level 2 Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA.

(continued)

SUSQUEHANNA - UNIT 1 3.3-159

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.c. Reactor Vessel Water Level-Low Low Low, Level 1 SAFETY ANALYSES, Low reactor pressure vessel (RPV) water level indicates that the capability LCO, and to cool the fuel may be threatened. Should RPV water level decrease too APPLICABILITY far, fuel damage could result. The valves whose penetrations (continued) communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 1 supports actions to ensure the offsite and control room dose regulatory limits are not exceeded. The.Reactor Vessel Water Level - Low Low Low, Level 1 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA.

Reactor vessel water level signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low Low, Level 1 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value is chosen to be the same as the ECCS Level 1 Allowable Value (LCO 3.3.5.1) to ensure that the associated penetrations isolate on a potential loss of coolant accident (LOCA) to prevent offsite and control room doses from exceeding regulatory limits.

2.d. Drywell Pressure-High High drywell pressure can indicate a break in the RCPB inside the primary containment. The isolation of some of the primary containment isolation valves on high drywell pressure supports actions to ensure that offsite and control room dose regulatory limits are not exceeded. The Drywell Pressure-High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these Ieakage paths are assumed to be isolated post LOCA.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywelf. Four channels of Drywell Pressure-High per Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude *the isolation function.

(continued)

SUSQUEHANNA - UNIT 1 3.3-160

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 2.d. Dryw;ell Pressure-High (continued)

SAFETY ANALYSES, The Allowable Value was selected to be the same as the ECCS Drywell LCO, and , Pressure-High Allowable Value (LCO 3.3.5.1), since this may be indicative APPLICABILITY of a LOCA inside primary containment.

(continued) 2.e. SGTS Exhaust Radiation-High High SGTS Exhaust radiation indicates possible gross failure of the fuel cladding. Therefore, when SGTS Exhaust Radiation High is detected, an isolation is initiated to limit the release of fission products. However, this Function is not assumed in any accident or transient analysis in the FSAR because other leakage paths (e.g., MSIVs) are more limiting.

The SGTS Exhaust radiation signals are initiated from radiation detectors that are located in the SGTS Exhaust. Two channels of SGTS Exhaust Radiation-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value is low enough to promptly detect gross failures in the fuel cladding.

2.f. Manual Initiation The Manual Initiation push button channels introduce signals into the primary containment isolation logic that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, since these are the MODES in which the Primary Containment Isolation automatic Functions are required to be OPERABLE.

(continued)

SUSQUEHANNA - UNIT 1 3.3-161

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE High Pressure Coolant Injection and Reactor Core Isolation SAFETY Cooling Systems Isolation

ANALYSES, LCO, and 3.a .* 4.a. HPCI and RCIC Steam Line A Pressure-High APPLICABILITY (continued) Steam Line A Pressure High Functions are provided to detect a break of the RCIC or HPCI steam lines and initiate closure of the steam line isolation valves of the appropriate system. If the steam is allowed to continue flowing out of the break, the reactor will depressurize and the core can uncover. Therefore, the isolations are initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RPS, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for these Functions is not assumed in any FSAR accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks. Howev~r. these instruments prevent the RCIC or HPCI steam line breaks from becoming bounding.

The HPCI and RCIC Steam Line A Pressure - High signals are initiated from instruments (two for HPCI and two for RCIC) that are connected to the system steam lines. Two channels of both HPCI and RCIC Steam Line A pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The steam line A Pressure - High will only occur after a 3 second time delay to prevent any spurious isolations.

The Allowable Values are chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event, and high enough to be above the maximum transient steam flow during system startup.

3.b .* 4.b. HPCI and RCIC Steam Supply Line Pressure-Low Low MSL pressure indicates that the pressure of the steam in the HPCI or RCIC turbine may be too low to continue operation of the associated system's turbine. These isolations are for equipment protection and are not assumed in any transient or accident analysis in the FSAR. However, they also provide a diverse signal to indicate a possible system break.

These instruments are included in Technical Specifications (TS) because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 3).

(continued)

SUSQUEHANNA - UNIT 1 3.3-162

Rev. 9 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY 3.b., 4.b. HPCI and RCIC Steam Supply Line Pressure-Low (continued)

B 3.3.6.1 ANALYSES, The HPCI and RCIC Steam Supply Line Pressure-Low signals are LCO, and initiated from instruments (four for HPCI and four for RCI C) that are APPLICABILITY connected to the system steam fine. Four channels of both HPCI and (continued) RCIC Steam Supply Line Pressure-Low Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values are selected to be high enough to prevent damage to the system's turbine.

3.c., 4.c. HPCI and RCIC Turbine Exhaust Diaphragm Pressure-High High turbine exhaust diaphragm pressure indicates that a release of steam into the associated compartment is possible. That is, one of two exhaust diaphragms has ruptured. These isof ations are to prevent steam from entering the associated compartment and are not assumed in any transient or accident analysis in the FSAR. These instruments are included in the TS because of the potential for risk due to possible failure of the instruments preventing HPCI and RCIC initiations (Ref. 3) .

The HPCI and RCI C Turbine Exhaust Diaphram Pressure-High signals and initiated from instruments (four for HPCI and four for RCI C) that are connected to the area between the rupture diaphragms on each system's turbine exhaust line. Four channels of both HPCI and RCI C Turbine Exhaust Diaphragm Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Values is low enough to identify a high turbine exhaust pressure condition resulting from a diaphragm rupture, or a leak in the diaphragm adjacent to the exhaust fine and high enough to prevent inadvertent system isolation.

(continued)

SUSQUEHANNA - UNIT 1 3.3-163

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 3.d., 4.d. Drywell Pressure-High SAFETY ANALYSES, High drywell pressure can indicate a break in the RCPB. The HPCI and LCO, and RCIC isolation of the turbine exhaust vacuum breaker line is provided to APPLICABILITY prevent communication with the wetwell when high drywell pressure exists.

(continued) A potential leakage path exists via the turbine exhaust. The isolation is delayed until the system becomes unavailable for injection (i.e., low steam supply line pressure). The isolation of the HPCI and RCIC turbine exhaust vacuum breaker line by Drywell Pressure-High is indirectly assumed in the FSAR accident analysis because the turbine exhaust vacuum breaker line leakage path is not assumed to contribute to offsite doses and is provided for long term containment isolation.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywell. Four channels of both HPCI and RCIC Drywell Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure-High Allowable Value (LCO 3.3.5.1 ), since this is indicative of a LOCA inside primary containment.

3.e., 3.f., 3.g., 4.e., 4.f., 4.g., HPCI and RCIC Area and Emergency Cooler Temperature-High HPCI and RCIC Area and Emergency Cooler temperatures are provided to detect a leak from the associated system steam piping. The isolation occurs when a small leak has occurred and is diverse to the high flow instrumentation. If the small leak is allowed to continue without isolation, offsite dose limits may be reached. These Functions are not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area and Emergency Cooler Temperature-High signals are initiated from thermocouples that are appropriately located to protect the system that is being monitored. Two Instruments monitor each area. Two channels for each HPCI and RCIC Area and Emergency Cooler Temperature-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

SUSQUEHANNA - UNIT 1 3.3-164

Rev. 9 Primary Containment Isolation Instrumentation

BASES APPLICABLE SAFETY B 3.3.6.1 3.e .* 3.f.* 3.g .* 4.e., 4.f.* 4.g .* HPCI and RCIC Area and Emergency Cooler Temperature-High (continued)

ANALYSES, LCO, and The HPCI and RCIC Pipe Routing area temperature trips will only occur APPLICABILITY after a 15 minute time delay to prevent any spurious temperature isolations (continued) due to short temperature increases and allows*operators sufficient time to determine which system is leaking. The other ambient temperature trips will only occur after a one second time delay to prevent any spurious temperature isolations.

The Allowable Values are set low enough to detect a leak equivalent to 25 gpm, and high enough to avoid trips at expected operating temperature.

3.h .* 4.h. Manual Initiation The Manual Initiation push button channels introduce signals into the HPCI and RCIC systems' isolation logics that are redundant to the automatic protective instrumentation and provide manual isolation capability. There is no specific FSAR safety analysis that takes credit for these Functions.

They are retained for overall redundancy and diversity of the isolation

function as required by the NRG in the plant licensing basis There is one manual initiation push button for each of the HPCI and RCIC systems. One isolation pushbutton per system will introduce an isolation to one of the two trip systems. There is no Allowable Value for these Functions, since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of both HPCI and RCIC Manual Initiation Functions are available and are required to be OPERABLE in MODES 1, 2, and 3 since these are the MODES in which the HPCI and RCIC systems' Isolation automatic Functions are required to be OPERABLE.

(continued)

SUSQUEHANNA - UNIT 1 3.3-165

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE Reactor Water Cleanup System Isolation SAFETY ANALYSES, 5.a. RWCU Differential Flow-High LCO, and APPLICABILITY The high differential flow signal is provided to detect a break in the RWCU (continued) System. This will detect leaks in the RWCU System when area temperature would not provide detection (i.e., a cold leg break). Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation of the RWCU System is initiated when high differential flow is sensed to prevent exceeding offsite doses. A 45 second time delay is provided to prevent spurious trips during most RWCU operational transients. This Function is not assumed in any FSAR transient or accident analysis, since bounding analyses are performed for large breaks such as MSLBs.

The high differential flow signals are initiated from instruments that are connected to the inlet (from the recirculation suction) and outlets (to condenser and feedwater) of the RWCU System. Two channels of Differential Flow-High Function are available and are required to be OPERABLE to ensure that no single instrument failure downstream of the common summer can preclude the isolation function.

The Differential Flow-High Allowable Value ensures that a break of the RWCU piping is detected.

5.b, 5.c, 5.d RWCU Area Temperatures-High RWCU area temperatures are provided to detect a leak from the RWCU System. The isolation occurs even when small leaks have occurred and is diverse to the high differential flow instrumentation for the hot portions of the RWCU System. If the small leak continues without isolation, offsite dose limits may be reached. Credit for these instruments is not taken in any transient or accident analysis in the FSAR, since bounding analyses are performed for large breaks such as recirculation or MSL breaks.

Area temperature signals are initiated from temperature elements that are located in the area that is being monitored. Six thermocouples provide input to the Area Temperature-High Function (two per area). Six channels are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

(continued)

SUSQUEHANNA - UNIT 1 3.3-166

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.b, 5.c, 5.d RWCU Area Temperatures-High (continued)

SAFETY ANALYSES, The area temperature trip will only occur after a one second time to prevent LCO, and any spurious temperature isolations.

APPLICABILITY (continued) The Area Temperature-High Allowable* Values are set low enough to detect a leak equivalent to 25 gpm.

5.e. SLC System Initiation The isolation of the RWCU System is required when the SLC System has been initiated to prevent dilution and removal of the boron solution by the RWCU System (Ref. 4). SLC System initiation signals are initiated from the two SLC pump start signals.

There is no Allowable Value associated with this Function since the channels are mechanically actuated based solely on the position of the SLC System initiation switch.

Two channels (one from each pump) of the SLC System Initiation Function are available and are required to be OPERABLE only in MODES 1, 2, and 3 which is consistent with the Applicability for the SLC System (LCO 3.1.7).

As noted (footnote (b) to Table 3.3.6.1-1), this Function is only required to close the outboard RWCU isolation valve trip systems.

5.f. Reactor Vessel Water Level-Low Low, Level 2 Low RPV water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. Therefore, isolation of some interfaces with the reactor vessel occurs to isolate the potential sources of a break. The isolation of the RWCU System on Level 2 supports actions to ensure that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. The Reactor Vessel Water Level-Low Low, Level 2 Function associated with RWCU isolation is not directly assumed in the FSAR safety analyses because the RWCU System line break is bounded by breaks of larger systems (recirculation and MSL breaks are more limiting).

(continued)

SUSQUEHANNA - UNIT 1 3.3-167

Rev. 9 Primary Containment Isolation Instrumentation

. B 3.3.6.1 BASES APPLICABLE 5.f. Reactor Vessel Water Level-Low Low, Level 2 (continued)

SAFETY ANALYSES, Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from LCO, and four level instruments that sense the difference between the pressure due APPLICABILITY to a constant column of water (reference leg) and the pressure due to the (continued) actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value was chosen to be the same as the ECCS Reactor Vessel Water Level-Low Low, Level 2 Allowable Value (LCO 3.3.5.1), since the capability to cool the fuel may be threatened.

5.g. RWCU Flow - High RWCU Flow-High Function is provided to detect a break of the RWCU System. Should the reactor coolant continue to flow out of the break, offsite dose limits may be exceeded. Therefore, isolation is initiated on high flow to prevent or minimize core damage. The isolation action, along with the scram function of the RP_S, ensures that the fuel peak cladding temperature remains below the limits of 10 CFR 50.46. Specific credit for this Function is not assumed in any FSAR :accident analyses since the bounding analysis is performed for large breaks such as recirculation and MSL breaks.

The RWCU Flow-High signals are initiated from two instruments. Two channels of RWCU Flow-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The RWCU flow trip will only occur after a 5 second time delay to prevent spurious trips.

The Allowable Value is chosen to be low enough to ensure that the trip occurs to prevent fuel damage and maintains the MSLB event as the bounding event.

(continued)

SUSQUEHANNA - UNIT 1 3.3-168

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 5.h. Manual Initiation SAFETY ANALYSES, The Manual Initiation push button channels introduce signals into the LCO, and RWCU System isolation logic that are redundant to the automatic APPLICABILITY protective instrumentation and provide manual isolation capability. There is (continued) no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRC in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of the Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3 since these are the MODES in which the RWCU System Isolation automatic Functions are required to be OPERABLE.

Shutdown Cooling System Isolation 6.a. Reactor Steam Dome Pressure-High The Reactor Steam Dome Pressure-High Function is provided to isolate the shutdown cooling portion of the Residual Heat Removal (RHR) System.

This interlock is provided only for equipment protection to prevent an intersystem LOCA scenario, and credit for the interlock is not assumed in the accident or transient analysis in the FSAR.

The Reactor Steam Dome Pressure-High signals are initiated from two instruments. Two channels of Reactor Steam Dome Pressure-High Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function. The Function is only required to be OPERABLE in MODES 1, 2, and 3, since these are the only MODES in which the reactor can be pressurized with the exception of Special Operations LCO 3.10.1; thus, equipment protection is needed. The Allowable Value was chosen to be low enough to protect the system equipment from over pressurization.

(continued)

SUSQUEHANNA - UNIT 1 3.3-169

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.b. Reactor Vessel Water Level-Low, Level 3 SAFETY ANALYSES, Low RPV water level indicates that the capability to cool the fuel may be LCO, and threatened. Should RPV water level decrease too far, fuel damage could APPLICABILITY result. Therefore, isolation of some reactor vessel interfaces occurs to (continued) begin isolating the potential sources of a break. The Reactor Vessel Water Level-Low, Level 3 Function associated with RHR Shutdown Cooling System isolation is not directly assumed in safety analyses because a break of the RHR Shutdown Cooling System is bounded by breaks of the recirculation and MSL.

The RHR Shutdown Cooling System isolation on Level 3 supports actions to ensure that the RPV water level does not drop below the top of the active fuel during a vessel draindown event caused by a leak (e.g., pipe break or inadvertent valve opening) in the RHR Shutdown Cooling System.

Reactor Vessel Water Level-Low, Level 3 signals are initiated from four level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels (two channels per trip system) of the Reactor Vessel Water Level-Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low, Level 3 Allowable Value was chosen to be the same as the RPS Reactor Vessel Water Level-Low, Level 3 Allowable Value (LCO 3.3.1.1), since the capability to cool the fuel may be threatened.

The Reactor Vessel Water Level-Low, Level 3 Function is only required to be OPERABLE in MODE 3 to prevent this potential flow path from lowering the reactor vessel level to the top of the fuel.

In MODES 1 and 2, another isolation (i.e., Reactor Steam Dome Pressure-High) and administrative controls ensure that this flow path remains isolated to prevent unexpected loss of inventory via this flow path.

(continued)

SUSQUEHANNA - UNIT 1 3.3-170

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 6.c Manual Initiation SAFETY ANALYSES, The Manual Initiation push button channels introduce signals to RHR LCO, and Shutdown Cooling System isolation logic that is"redundant to the automatic APPLICABILITY protective instrumentation and provide manual isolation capability. There is (continued) no specific FSAR safety analysis that takes credit for this Function. It is retained for overall redundancy and diversity of the isolation function as required by the NRG in the plant licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of the Manual Initiation Function are available and are required to be OPERABLE in MODE 3.

Traversing lncore Probe System Isolation 7.a Reactor Vessel Water Level - Low, Level 3 Low RPV water level indicates that the capability to cool the fuel may be threatened. The valves whose penetrations communicate with the primary containment are isolated to limit the release of fission products. The isolation of the primary containment on Level 3 supports actions to ensure that offsite and control room dose regulatory limits are not exceeded.

The Reactor Vessel Water Level - Low, Level 3 Function associated with isolation is implicitly assumed in the FSAR analysis as these leakage paths are assumed to be isolated post LOCA. Reactor Vessel Water Level -

Low, Level 3 signals are initiated from level transmitters that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Two channels of Reactor Vessel Water Level - Low, Level 3 Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent isolation actuation.

The isolation function is ensured by the manual shear valve in each penetration.

The Reactor Vessel Water Level - Low, Level 3 Allowable Value was chosen to be the same as the RPS Level 3 scram Allowable Value (LCO 3.3.1.1 ), since isolation of these valves is not critical to orderly plant shutdown.

(continued)

SUSQUEHANNA - UNIT 1 3.3-171

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES APPLICABLE 7.b. Drywell Pressure- High SAFETY ANALYSES, High drywell pressure can indicate a break in the RCPB inside the primary LCO, and containment. The isolation of some of the primary containment isolation APPLICABILITY valves on high drywell pressure supports actions to ensure that offsite and (continued) control room dose regulatory limits are not exceeded. The Drywell Pressure - High Function, associated with isolation of the primary containment, is implicitly assumed in the FSAR accident analysis as these leakage paths are assumed to be isolated post LOCA.

High <;lrywell pressure signals are initiated from pressure transmitters that sense the pressure in the drywell. Two channels of Drywell Pressure -

High per Function are available and are required to be OPERABLE to ensure that no single instrument failure can initiate an inadvertent actuation. The isolation function is ensured by the manual shear valve in each penetration.

The Allowable Value was selected to be the same as the ECCS Drywell Pressure - High Allowable Value (LCO 3.3.5.1), since this may be indicative of a LOCA inside primary containment.

ACTIONS The ACTIONS are modified by two Notes. Note 1 allows penetration flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated. Note 2 has been provided to modify the ACTIONS related to primary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered., subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable primary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable primary containment isolation instrumentation channel.

(continued)

SUSQUEHANNA - UNIT 1 3.3-172

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS A.1 (continued)

Because of the diversity of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Functions 2.a, 2.d, 6.b, 7.a, and 7.b and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Functions other than Functions 2.a, 2.d, 6.b, 7.a, and 7.b has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action B.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1.

Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue with no further restrictions. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Action taken.

8.1 and B.2 Required Action 8.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in redundant automatic isolation capability being lost for the associated penetration flow path(s). The MSL Isolation Functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that both trip systems will generate a trip signal from the given Function on a valid signal. The other isolation functions are considered to be maintaining isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two PC IVs in the associated penetration flow path can receive an isolation signal from the given Function. For Functions 1.a, 1.b, 1.d, and 1.e, this would require both trip systems to have one channel OPERABLE or in trip. For Function 1.c, this would require both trip systems to have one channel, associated with each MSL, OPERABLE or in trip. Therefore, this would require both trip systems to have one channel per location OPERABLE or in trip. For Functions 2.a, 2.b, 2.c, 2.d, 3.b, 3.c, 3.d, 4.b, 4.c, 4.d, 5.f, and 6.b, this would require one trip system to have two channels, each OPERABLE or in trip. For (continued)

SUSQUEHANNA - UNIT 1 3.3-173

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS 8.1 and 8.2 (continued)

(continued)

Functions 2.e, 3.a, 3.e, 3.f, 3.g, 4.a, 4.e, 4.f, 4.g, 5.a, 5.b, 5.c, 5.d, 5.e, 5.g, and 6.a, this would require one trip system to have one channel OPERABLE or in trip. The Condition does not include the Manual Initiation Functions (Functions 1.f, 2.f, 3.h, 4.h, 5.h, and 6.c), since they are not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capab,ility for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action A 1) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

Required Action C.1 directs entry into the appropriate Condition referenced in Table 3.3.6.1-1. The applicable Condition specified in Table 3.3.6.1-1 is Function and MODE or other specified condition dependent and may change as the Required Action of a previous Condition is completed. Each time an inoperable channel has not met any Required Action of Condition A or B and the associated Completion Time has expired, Condition C will be entered for that channel and provides for transfer to the appropriate subsequent Condition.

0.1, D.2.1, and D.2.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months (Required Actions D.2.1 and D.2.2). Alternately, the associated MSLs may be isolated (Required Action 0.1), and, if allowed (i.e., plant safety analysis allows operation with an MSL isolated), operation with that MSL isolated may continue. Isolating the affected MSL accomplishes the safety function of the inoperable channel. The Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 1 3.3-174

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS E.1 (continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 2 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

The allowed Completion Time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is reasonable, based on operating experience, to reach MODE 2 from full power conditions in an orderly manner and without challenging plant systems.

E.1 If the channel is not restored to OPERABLE status or placed .in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels.

If it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram), Condition H must be entered and its Required Actions taken.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for plant operations personnel to isolate the affected penetration flow path(s).

(continued)

SUSQUEHANNA - UNIT 1 3.3-175

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS G.1 (continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, plant operations may continue if the affected penetration flow path(s) is isolated. Isolating the affected penetration flow path(s) accomplishes the safety function of the inoperable channels. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is acceptable due to the fact that these Functions are either not assumed in any accident or transient analysis in the FSAR (Manual Initiation) or, in the case of the TIP System isolation, the TIP System penetration is a small bore (0.280 inch), its isolation in a design basis event (with loss of offsite power) would be via the manually operated shear valves, and the ability to manually isolate by either the normal isolation valve or the shear valve is unaffected by the inoperable instrumentation. It should be noted, however, that the TIP System is powered from an auxiliary instrumentation bus which has an uninterruptible power supply and hence, the TIP drive mechanisms and ball valve control will still function in the event of a loss of offsite power. Alternately, if it is not desired to isolate the affected penetration flow path(s) (e.g., as in the case where isolating the penetration flow path(s) could result in a reactor scram),

Condition H must be entered and its Required Actions taken.

H.1 and H.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, or any Required Action of Condition F or G is not met and the associated Completion Time has expired, the plant must be placed in a MODE or other specified condition in which the LCO does not apply. This is done by placing the plant in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

1.1 and 1.2 If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated SLC s*ubsystem(s) is declared inoperable or the RWCU System is isolated. Since this Function is required to ensure that the SLC System performs its intended function, sufficient remedial measures are provided by declaring the associated SLC subsystems inoperable or isolating the RWCU System.

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing sufficient time for personnel to isolate the RWCU System.

(continued)

SUSQUEHANNA - UNIT 1 3.3-176

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES ACTIONS .Jj_

(continued)

If the channel is not restored to OPERABLE status or placed in trip within the allowed Completion Time, the associated penetration flow path should be closed. However, if the shutdown cooling function is needed to provide core cooling, these Required Actions allow the penetration flow path to remain unisolated provided action is immediately initiated to restore the channel to OPERABLE status. Actions must continue until the channel is restored to OPERABLE status.

SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Primary REQUIREMENTS Containment Isolation instrumentation Function are found in the SRs column of Table 3.3.6.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains trip capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the PCIVs will isolate the penetration flow path(s) when necessary.

SR 3.3.6.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

(continued)

SUSQUEHANNA - UNIT 1 3.3-177

Rev. 9 Primary Containment Isolation Instrumentation ,

B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.1 (continued)

REQUIREMENTS (continued) Agreement criteria which are determined by the plant staff based on an investigation of a co*mbination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channels during normal operational use of the displays associated with the channels required by the LCO.

SR 3.3.6.1.2 A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relays which input into the combinational logic. (Reference 11) Performance of such a test could result in a plant transient or place the plant in an undo risk situation.

Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM F.UNCTIONAL TEST, SR 3.3.6.1.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

(continued)

SUSQUEHANNA - UNIT 1 3.3-178

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.2 (continued)

REQUIREMENTS (continued) Note 2 provides a second specific exception to the definition of CHANNEL FUNCTIONAL TEST. For Functions 2.e, 3.a, and 4.a, certain channel relays are not included in the performance of the CHANNEL FUNCTIONAL TEST. These exceptions are necessary because the circuit design does not facilitate functional testing of the entire channel through to the coil of the relay which enters the combinational logic. (Reference 11)

Specifically, testing of all required relays would require rendering the affected system (i.e., HPCI or RCIC) inoperable, or require lifting of leads and inserting test equipment which could lead to unplanned transients.

Therefore, for these circuits, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the actuation of circuit devices up to the point where further testing could result in an unplanned transient.

(References 10 and 12) The required relays not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.6.1.5. This exception is acceptable because operating experience shows that the devices not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

SR 3.3.6.1.3 and SR 3.3.6.1.4 A CHANNEL CALIBRATION verities that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpbint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on PCIVs in LCO 3.6.1.3 overlaps this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.3-179

Rev.9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES SURVEILLANCE SR 3.3.6.1.6 REQUIREMENTS (continued) This SR ensures that the individual channel response times are less than or equal to the maximum values assumed in the accident analysis. Testing is performed only on channels where the guidance given in Reference 9 could not be met, which identified that degradation of response time can usually be detected by other surveillance tests.

As stated in Note 1, the response time of the sensors for Functions 1.b, is excluded from ISOLATION SYSTEM RESPONSE TIME testing. Because the vendor does not provide a design instrument response time, a penalty value to account for the sensor response time is included in determining total channel response time. The penalty value is based on the historical performance of the sensor. (Reference 13) This allowance is supported by Reference 9 which determined that significant degradation of the sensor channel response time can be detected during performance of other Technical Specification SRs and that the sensor response time is a small part of the overall ISOLATION RESPONSE TIME testing.

Function 1.a and 1.c channel sensors and logic components are excluded from response time testing in accordance with the provisions of References 14 and 15.

As stated in Note 2, response time testing of isolating relays is not required for Function 5.a. This allowance is supported by Reference 9. These relays isolate their respective isolation valve after a nominal 45 second time delay in the circuitry. No penalty value is included in the response time calculation of this function. This is due to the historical response time testing results of relays of the same manufacturer and model number being less than 100 milliseconds, which is well within the expected accuracy of the 45 second time delay relay.

ISOLATION SYSTEM RESPONSE TIME acceptance criteria are included in Reference 7. This test may be performed in one measurement, or ill overlapping segments, with verification that all components are tested.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.3-180

Rev. 9 Primary Containment Isolation Instrumentation B 3.3.6.1 BASES REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15.

3. NED0-31466, "Technical Specification Screening Criteria Application and Risk Assessment," November 1987.

4. FSAR, Section .4.2.3.4.3.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

6. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation Instrumentation Common to RPS and ECCS Instrumentation," March 1989.

7. FSAR, Table 7.3-29.

8. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

9.

NED0-32291-A "System Analyses for Elimination of Selected Response Time Testing Requirements," October 1995.

10. PPL Letter to NRC, PLA-2618, Response to NRC INSPECTION REPORTS 50-387/85-28 AND 50-388/85-23, dated April 22, 1986.

11. NRC Inspection and Enforcement Manual, Parf9900:

Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.

12. Susquehanna Steam Electric Station NRC REGION I COMBINED INSPECTION 50-387/90-20; 50-388/90-20, File R41-2, dated March 5, 1986.

13. NRC Safety Evaluation Report related to Amendment No. 171 for License No. NPF-14 and Amendment No. 144 for License No. NPF-22.

14. NEDO 32291-A, Supplement 1, "System Analyses for the Elimination of Selected Response Time Testing Requirements,"

October 1999.

15. NEDO 32291, Supplement 1, Addendum 2, "System Analyses for the Elimination of Selected Response Time Testing Requirements,"

September 5, 2003.

SUSQUEHANNA - UNIT 1 3.3-181

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 B 3.3 INSTRUMENTATION B 3.3.6.2 Secondary Containment Isolation Instrumentation BASES BACKGROUND The secondary containment isolation instrumentation automatically initiates closure of appropriate secondary containment isolation valves (SCIVs) and starts the Standby Gas Treatment (SGT) System. The function of these systems, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation and establishment of vacuum with the SGT System within the assumed time limits ensures that fission products that leak from primary containment following a OBA, or are released outside primary containment, or are released during certain operations when primary containment is not required to be OPERABLE are maintained within applicable limits.

The isolation instrumentation includes the sensors, relays, and switches that are necessary to cause initiation of secondary containment isolation. When the setpoint is reached, the channel sensor actuates, which then outputs a secondary containment isolation signal to the isolation logic. Functional diversity is provided by monitoring a wide range of independent parameters.

The input parameters to the isolation logic are (1) reactor vessel water level, (2) drywell pressure, (3) refuel floor high exhaust duct radiation - high, (4) refuel floor wall exhaust duct radiation - high, and (5) railroad access shaft exhaust duct radiation - high. Only appropriate ventilation zones are isolated for different isolation signals. Isolation signals for drywell pressure and vessel water level will isolate the affected Unit's zone (Zone I for Unit 1 and Zone II for Unit 2) and Zone Ill. Redundant sensor input signals from each parameter are provided for initiation of isolation. In addition, manual initiation of the logic is provided.

The Functions are arranged as follows for each trip system. The Reactor Vessel Water Level - Low Low, Level 2 and Drywell Pressure - High are each arranged in a two-out-of-two logic. The Refuel Floor High Exhaust Duct Radiation - High, Refuel Floor Wall Exhaust Duct Radiation - High and the Railroad Access Shaft Exhaust Duct Radiation - High are arranged into one-out-of-one trip systems. One trip system initiates isolation of one automatic isolation valve (damper) and starts one SGT subsystem (including its associated reactor building recirculation subsystem) while the other trip system initiates isolation of the other automatic isolation valve in the penetration and starts the other SGT subsystem (including its associated reactor building recirculation subsystem). Each logic closes one of the two (continued)

SUSQUEHANNA - UNIT 1 3.3-182

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES BACKGROUND valves on each penetration and starts one SGT subsystem, so that operation (continued) of either logic isolates the secondary containment and provides for the necessary filtration of fission products.

APPLICABLE The isolation signals generated by the secondary containment isolation SAFETY instrumentation are implicitly assumed in the safety analyses of References 1 ANALYSES, and 2 to initiate closure of valves and start the SGT System to limit offsite LCO, and and control room doses.

APPLICABILITY Refer to LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs),"

and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System," Applicable Safety Analyses Bases for more detail of the safety analyses.

The secondary containment isolation instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 7) Certain instrumentation Functions are retained for other reasons and are described below in the individual Functions discussion.

The OPERABILITY of the secondary co'ntainment isolation instrumentation is dependent on the OPERABILITY of the individual instrumentation channel Functions. Each Function must have the required number of OPERABLE channels with their setpoints set within the specified Allowable Values, as shown in Table 3.3.6.2-1. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions. A channel is inoperable if its actual trip setpoint is not within its required Allowable Value. Each channel must also respond within its assumed response time, where appropriate.

Allowable Values are specified for each Function specified in the Table.

Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable.

Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis. The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g., drift). The trip SAFETY (continued)

SUSQUEHANNA - UNIT 1 3.3-183

Rev. 6 Secondary Containment Isolation Instrumentation

BASES APPLICABLE ANALYSES, setpoints derived in this manner provide adequate protection B 3.3.6.2 SAFETY because instrumentation uncertainties, process effects, calibration ANALYSES, tolerances, instrument drift, and severe environment errors (for channels that LCO, and must function in harsh environments as defined by 10 CFR 50.49) are APPLICABILITY accounted for.

(continued)

In general, the individual Functions are required to be OPERABLE in the MODES or other specified conditions when SC IVs and the SGT System are required.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level-Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that the capability to cool the fuel may be threatened. Should RPV water level decrease too far, fuel damage could result. An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The Reactor Vessel Water Level-Low Low, Level 2 Function is one of the Functions assumed to be OPERABLE and capable of providing isolation and initiation signals. The isolation and initiation systems on Reactor Vessel Water Level-Low Low, Level 2 support actions to ensure that any offsite releases are within the limits calculated in the safety analysis.

Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from level instruments that sense the difference between the pressure due to a constant column of water (reference leg) and the pressure due to the actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available and are required to be OPERABLE to ensure that no single instrument failure can preclude the isolation function.

The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value was chosen to be the same as the High Pressure Coolant Injection/Reactor Core Isolation Cooling (HPCI/RCIC) Reactor Vessel Water Level-Low Low, Level 2 Allowable Value (LCO 3.3.5.1 and LCO 3.3.5.3), since this could indicate that the capability to cool the fuel is being threatened .

SUSQUEHANNA - UNIT 1 3.3-184 (continued)

Rev.6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 1. Reactor Vessel Water Level-Low Low, Level 2 (continued)

SAFETY ANALYSES, The Reactor Vessel Water Level-Low Low, Level 2 Function is required to be LCO, and OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the APPLICABILITY Reactor Coolant System (RCS); thus, there is a probability of pipe breaks (continued) resulting in significant releases of radioactive steam and gas. In MODES 4 and 5, the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES; thus, this Function is not required.

Reactor Vessel Water Level-Low Low, Level 2 will isolate the affected Unit's zone (i.e., Zone I for Unit 1 and Zone II for Unit 2) and Zone Ill.

2. Drywell Pressure-High High drywell pressure can indicate a break in the reactor coolant pressure boundary (RCPB). An isolation of the secondary containment and actuation of the SGT System are initiated in order to minimize the potential of an offsite dose release. The isolation on high drywell pressure supports actions to ensure that any offsite releases are within the limits calculated in the safety analysis. However, the Drywell Pressure-High Function associated with isolation is not assumed in any FSAR accident or transient analyses. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

High drywell pressure signals are initiated from pressure instruments that sense the pressure in the drywell. Four channels of Drywell Pressure-High Functions are available and are required to be OPERABLE to ensure that no single instrument failure can preclude performance of the isolation function.

The Allowable Value was chosen to be the same as the ECCS Drywell Pressure-High Function Allowable Value (LCO 3.3.5.1) since this is indicative of a loss of coolant accident (LOCA).

The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 where considerable energy exists in the RCS; thus, there is a probability of pipe breaks resulting in significant releases of radioactive steam and gas. This Function is not required in MODES 4 and 5 because the probability and consequences of these events are low due to the RCS pressure and temperature limitations of these MODES.

(continued)

SUSQUEHANNA - UNIT 1 3.3-185

Rev.6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 2. Drywell Pressure - High (continued)

SAFETY ANALYSES, Drywell Pressure-High will isolate the affected Unit's zone (i.e., Zone I for LCO, and Unit 1 and Zone II for Unit 2) and Zone Ill.

APPLICABILITY (continued) 3, 4, 5, 6, 7 Refuel Floor High Exhaust Duct, Refuel Floor Wall Exhaust Duct, and Railroad Access Shaft Exhaust Duct Radiation-High High secondary containment exhaust radiation is an indication of possible gross failure of the fuel cladding due to a fuel handling accident. When Exhaust Radiation-High is detected, secondary containment isolation and actuation of the SGT System are initiated to limit the release of fission products as assumed in the FSAR safety analyses (Ref. 4).

The Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust ductwork coming from the refueling floor zones and the Railroad Access Shaft. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Eight channels of Refuel Floor High Exhaust Duct and Wall Exhaust Duct Radiation-High Function (four from Unit 1 and four from Unit 2) and two channels of Railroad Access Shaft Exhaust Duct Radiation - High Function (both from Unit 1) are available to ensure that no single instrument failure can preclude the isolation function.

Operability of the Unit 1 and Unit 2 Refuel Floor High Exhaust Duct Radiation Instrumentation and the Unit 1 and Unit 2 Refuel Floor Wall Exhaust Duct Radiation Instrumentation does not require HVAC system airflow in the ductwork.

The Allowable Values are chosen to promptly detect gross failure of the fuel cladding.

The Refuel Floor Exhaust Radiation-High Functions are required to be OPERABLE during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (due to a fuel handling accident) must be provided to ensure that offsite and control room dose limits are not exceeded.

(continued)

SUSQUEHANNA - UNIT 1 3.3-186

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES APPLICABLE 3, 4. 5, 6, 7 Refuel Floor High Exhaust Duct. Refuel Floor Wall Exhaust SAFETY Duct. and Railroad Access Shaft Exhaust Duct Radiation-High (continued)

ANALYSES, LCO, and The Railroad Access Shaft Exhaust Duct Radiation-High Function is only APPLICABILITY required to be OPERABLE during handling of irradiated fuel within the (continued) Railroad Access Shaft, and directly above the Railroad Access Shaft with the Railroad Access Shaft Equipment Hatch open. This provides the capability of detecting radiation releases due to fuel failures resulting from dropped fuel assemblies which ensures that offsite and control room dose limits are not exceeded.

Refuel Floor High and Wall Exhaust Duct and Railroad Access Shaft Exhaust Duct Radiation - High Functions will isolate Zone Ill of secondary containment.

8. Manual Initiation A Manual Initiation can be performed for secondary containment isolation by initiating a Primary Containment Isolation. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function, since the .

channels are mechanically actuated based solely on the position of the push buttons.

Two channels of Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, and during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment.

These are the MODES and other specified conditions in which the Secondary Containment Isolation automatic Functions are required to be OPERABLE.

(continued)

SUSQUEHANNA - UNIT 1 3.3-187

Rev.6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS A Note has been provided to modify the ACTIONS related to secondary containment isolation instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable secondary containment isolation instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable secondary containment isolation instrumentation channel.

Because of the diversity.of sensors available to provide isolation signals and the redundancy of the isolation design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Function 2, and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Functions other than Function 2, has been shown to be acceptable (Refs. 5 and 6) to permit restoration of any inoperable channel to OPERABLE status. This out of service time is only acceptable provided the associated Function is still maintaining isolation capability (refer to Required Action 8.1 Bases). If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action A.1. Placing the inoperable channel in trip would conservatively compensate for the inoperability, restore capability to accommodate a single failure, and allow operation to continue. Alternately, if it is not desired to place the channel in trip (e.g., as in the case where placing the inoperable channel in trip would result in an isolation), Condition C must be entered and its Required Actions taken.

Required Action B.1 is intended to ensure that appropriate actions are taken if multiple, inoperable, untripped channels within the same Function result in a complete loss of automatic isolation capability for the associated penetration flow path(s) or a complete loss of automatic initiation capability for the SGT System. A Function is considered to be maintaining secondary containment isolation capability when sufficient channels are OPERABLE or in trip, such that one trip system will generate a trip signal from the given Function on a valid signal. This ensures that one of the two SC IVs in the (continued)

SUSQUEHANNA - UNIT 1 3.3-188

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES ACTIONS B.1 (continued)

(continued) associated penetration flow path and one SGT subsystem (including its associated reactor building recirculation subsystem) can be initiated on an isolation signal from the given Function. For the Functiqns with two logic trip systems (Functions 1, 2, 3, 4, 5, 6 and 7), this would require one trip system to have the required channel(s) OPERABLE or in trip. The Condition does not include the Manual Initiation Function (Function 8), since it is not assumed in any accident or transient analysis. Thus, a total loss of manual initiation capability for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (as allowed by Required Action A.1) is allowed.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is acceptable because it minimizes risk while allowing time for restoration or tripping of channels.

C.1, C.2.1, and C.2.2 If any Required Action and associated Completion Time of Condition A or B are not met, the ability to isolate the secondary containment and start the SGT System cannot be ensured. Therefore, further actions must be performed to ensure the ability to maintain the secondary containment function. Isolating the associated zone (closing the ventilation supply and exhaust automatic isolation dampers) and starting the associated SGT subsystem (including its associated reactor building recirculation subsystem) in emergency mode (Required Action C.1) performs the intended function of the instrumentation and allows operation to continue.

Alternately, declaring the associated SCIVs and SGT subsystem(s)

(including its associated reactor building recirculation subsystem) inoperable (Required Actions C.2.1 and C.2.2) is also acceptable since the Required Actions of the respective LCOs (LCO 3.6.4.2 and LCO 3.6.4.3) provide appropriate actions for the inoperable components.

One hour is sufficient for plant operations personnel to establish required plant conditions or to declare the associated components inoperable without unnecessarily challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 1 3.3-189

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each Secondary REQUIREMENTS Containment l~olation instrumentation Function are located in the SRs column of Table 3.3.6.2-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of re.quired Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months provided the associated Function maintains secondary containment isolation *capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 5 and 6) assumption of the average time required to perform channel surveillance. That analysis demonstrated the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the SCIVs will isolate the associated penetration flow paths and that the SGT System will initiate when necessary.

SR 3.3.6.2.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value.

Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.3-190

Rev. 6 Secondary Containment lsol ation Instrumentation B 3.3.6.2 BASES SURVEILLANCE SR 3.3.6.2.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

This SR is modified by a Note that provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relay which input into the combinational logic.

(Reference 8) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic.

The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.6.2.5.

This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.2.3 and SR 3.3.6.2.4 A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.6.2.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required isolation logic for a specific channel. The system functional testing performed on SCIVs and the SGT System in LCO 3.6.4.2 and LCO 3.6.4.3, respectively, overlaps this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.3-191

Rev. 6 Secondary Containment Isolation Instrumentation B 3.3.6.2 BASES REFERENCES 1. FSAR, Section 6.3.

2. FSAR, Chapter 15

3. FSAR, Section 15.2.

4. FSAR, Sections 15.7.

5. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

6. NEDC-30851 P-A Supplement 2, "Technical Specifications Improvement Analysis for BWR Isolation ln~trumentation Common to RPS and ECCS Instrumentation," March 1989.

7. Final Policy Statement on Technical Specifications Improvements, July 22, 1993. (58 FR 32193)

8. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Specification Section 1.0 Definitions, Issue date 12/08/86.]

SUSQUEHANNA..: UNIT 1 3.3-192

Rev.4 CREOAS System Instrumentation B 3.3.7.1 B 3.3 INSTRUMENTATION B 3.3.7.1 Control Room Emergency Outside Air Supply (CREOAS) System Instrumentation BASES BACKGROUND The CREOAS System is designed to provide a radiologically controlled environment to ensure the habitability of the control room for the safety of control room operators under all plant conditions. Two independent CREOAS subsystems are each capable of fulfilling the stated safety function. The instrumentation and controls for the CREOAS System automatically initiate action to pressurize the main control room to minimize the consequences of radioactive materia_l in the control room environment.

In the event of a loss of coolant accident (LOCA) signal (Reactor Vessel Water Level-Low Low, Level2 or Drywell Pressure-High), Refuel Floor High Exhaust Duct Radiation-High, Refuel Floor Wall Exhaust Duct Radiation-High, Railroad Access Shaft Exhaust Duct Radiation-High or Main Control Room Outside Air Intake Radiation-High signal, the CREOAS System is automatically started in the pressurization/filtration mode.

The CREOAS System instrumentation has two trip systems. Each trip system receives input from each of the Functions listed above and initiates associated subsystem. The Functions are arranged for each trip system as follows: the Reactor Vessel Water Level-Low Low, Level 2 and Drywell Pressure-High are each arranged in a two-out-of-two logic. The Refuel Floor High Exhaust Duct Radiation - High, Refuel Floor Wall Exhaust Duct Radiation - High, the Main Control Room Outside Air Intake Radiation -

High and the Railroad Access Shaft Exhaust Duct Radiation - High are arranged in a one-out-of-one logic. With the exception of the Main Control Room Outside Air Intake Radiation - High all the instruments also initiate a secondary containment isolation. When the setpoint is reached, the sensor actuates, which then outputs a CREOAS System initiation signal to the initiation logic.

APPLICABLE The ability of the CREOAS System to maintain the habitability of the main SAFETY control room is explicitly assumed for certain accidents as discussed in the ANALYSES, FSAR safety analyses (Refs. 1 and 2). CREOAS System operation LCO, and ensures that the radiation exposure of control room personnel, through the APPLICABILITY duration of any one of the postulated accidents, does not exceed regulatory limits.

CREOAS System instrumentation satisfies Criterion 3 of the NRC Policy Statement. (Ref. 5)

(continued)

SUSQUEHANNA - UNIT 1 3.3-193

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE The OPERABILITY of the CREOAS System instrumentation is dependent SAFETY upon the OPERABILITY of the individual instrumentation channel ANALYSES, Functions specified in Table 3.3.7.1-1. Each Function must have a LCO, and required number of OPERABLE channels, with their setpoints within the APPLICABILITY specified Allowable Values, where appropriate. A channel is inoperable if (continued) its actual trip setpoint is not within its required Allowable Value. The actual setpoint is calibrated consistent with applicable setpoint methodology assumptions.

Allowable Values are specified for each CREOAS System Function specified in the Table. Nominal trip setpoints are specified in the setpoint calculations. The nominal setpoints are selected to ensure that the setpoints do not exceed the Allowable Value between successive CHANNEL CALIBRATIONS. Operation with a trip setpoint less conservative than the nominal trip setpoint, but within its Allowable Value, is acceptable. Trip setpoints are those predetermined values of output at which an action should take place. The setpoints are compared to the actual process parameter (e.g., reactor vessel water level), and when the measured output value of the process parameter reaches the setpoint, the associated device changes state. The analytic limits are derived from the limiting values of the process parameters obtained from the safety analysis.

The Allowable Values are derived from the analytic limits, corrected for calibration, process, and some of the instrument errors. The trip setpoints are then determined accounting for the remaining instrument errors (e.g.,

drift). The trip setpoints derived in this manner provide adequate protection because instrumentation uncertainties, process effects, calibration tolerances, instrument drift, and severe environment errors (for channels that must function in harsh environments as defined by 10 CFR 50.49) are accounted for.

The specific Applicable Safety Analyses, LCO, and Applicability discussions are listed below on a Function by Function basis.

1. Reactor Vessel Water Level-Low Low, Level 2 Low reactor pressure vessel (RPV) water level indicates that the capability of cooling the fuel may be threatened. A low reactor vessel water level could indicate a LOCA and will automatically initiate the CREOAS System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

(continued)

SUSQUEHANNA - UNIT 1 3.3-194

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE 1. Rea~tor Vessel Water Level-Low Low, Level 2 (continued)

SAFETY ANALYSES, Reactor Vessel Water Level-Low Low, Level 2 signals are initiated from LCO, and four level instruments that sense the difference between the pressure due APPLICABILITY to a constant column of water (reference leg) and the pressure due to the (continued) actual water level (variable leg) in the vessel. Four channels of Reactor Vessel Water Level-Low Low, Level 2 Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude a CREOAS System initiation. The Reactor Vessel Water Level-Low Low, Level 2 Allowable Value was chosen to be the same as the HPCI and RCIC Reactor Vessel Water Level-Low Low Low, Level 1 Allowable Value (LCO 3.3.5.1, "EGGS Instrumentation and LCO 3.3.5.3 "RCIC Instrumentation").

The Reactor Vessel Water Level-Low Low, Level 2 Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that the control room personnel are protected during a LOCA. In MODES 4 and 5, adequate protection is performed by the Control Room Air Inlet Radiation-High Function. Therefore, this Function is not required in other MODES and specified conditions. *

2. Drywell Pressure-High High pressure in the drywell could indicate a break in the reactor coolant pressure boundary. A high drywell pressure signal could indicate a LOCA and will automatically initiate the CREOAS System, since this could be a precursor to a potential radiation release and subsequent radiation exposure to control room personnel.

Drywell Pressure-High signals are initiated from four pressure instruments that sense drywell pressure. Four channels of Drywell Pressure-High Function are available (two channels per trip system) and are required to be OPERABLE to ensure that no single instrument failure can preclude CREOAS System initiation. The Drywell Pressure-High Allowable Value was chosen to be the same as the EGGS Drywell Pressure-High Allowable Value (LCO 3.3.5.1 ).

The Drywell Pressure-High Function is required to be OPERABLE in MODES 1, 2, and 3 to ensure that control room personnel are protected in the event of a LOCA. In MODES 4 and 5, the Drywell Pressure-High Function is not required since there is insufficient energy in the rer;1ctor to pressurize the drywell to the Drywell Pressure-High setpoint.

(continued)

SUSQUEHANNA - UNIT 1 3.3-195

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE 3, 4, 5, 6, 7 Refuel Floor High Exhaust Duct, Refuel Floor Wall Exhaust SAFETY Duct and Railroad Access Shaft Exhaust Duct Radiation-High

ANALYSES, LCO, and High secondary containment exhaust radiation is an indication of possible APPLICABILITY gross failure of the fuel cladding. The release may have originated from (continued) the refueHng floor due to a fuel handling accident. When Exhaust Radiation-High is detected CREOAS is initiated to maintain the habitability of the main control room.

The Exhaust Radiation-High signals are initiated from radiation detectors that are located on the ventilation exhaust ducting coming from the refueling floor zone and the Railroad Access Shaft. The signal from each detector is input to an individual monitor whose trip outputs are assigned to an isolation channel. Eight total channels Refuel Floor High Exhaust Duct and Wall Exhaust Duct Radiation-High Function (four from Unit 1 and four from Unit 2), and two channels of the Railroad Access Shaft Exhaust Radiation - High Function (both from Unit 1) are available and are required to be OPERABLE when the associated Refuel Floor Exhaust System is in operation to ensure that no single instrument failure can preclude the initiation function.

The Allowable Values are chosen to promptly detect gross failure of the fuel cladding. The Refuel Floor Exhaust Duct and Wall Exhaust Duct Radiation-High are required to be OPERABLE during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment, because the capability of detecting radiation releases due to fuel failures (e.g., due to dropped fuel assemblies) must be provided to ensure that offsite and control room dose limits are not exceeded.

The Railroad Access Shaft Exhaust Duct Radiation - High Function is only required to be OPERABLE during handling of irradiated fuel within the Railroad Access Shaft, and directly above the Railroad Access Shaft with the Railroad Access Shaft Equipment Hatch open, because the capability of detecting radiation releases due to fuel failures (e.g., dropped fuel assemblies) must be provided to ensure that offsite and control room dose limits are not exceeded.

(continued)

SUSQUEHANNA - UNIT 1 3.3-196

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES APPLICABLE 8. Main Control Room Outside Air Intake Radiation-High SAFETY ANALYSES, The main control room outside air intake radiation monitors measure LCO, and radiation levels at the control structure outside air intake duct. A high APPLICABILITY radiation level may pose a threat to main control room personnel; thus, (continued) automatically initiating the CREOAS System. The Control Room Air Inlet Radiation-High Function consists of two independent monitors. Two channels of Control Room Air Inlet Radiation-High are available and are required to be OPERABLE to ensure that no single instrument failure can preclude CREOAS System initiation. The Allowable Value was selected to ensure protection of the control room personnel.

The Control Room Air Inlet Radiation-High Function is required to be OPERABLE in MODES 1, 2, and 3 and during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment, to ensure that control room personnel are protected during a LOCA or fuel handling event. During MODES 4 and 5, when these specified conditions are not in progress (e.g., CORE ALTERATIONS), the probability of a LOCA or fuel damage is low; thus, the Function is not required.

9. Manual Initiation A Manual Initiation can be performed for CREOAS isolation by initiating a Primary Containment Isolation. There is no specific FSAR safety analysis that takes credit for this Function. It is retained for the overall redundancy and diversity of the secondary containment isolation instrumentation as required by the NRC approved licensing basis.

There are two push buttons for the logic, one manual initiation push button per trip system. There is no Allowable Value for this Function, since the channels are mechanically actuated based solely on the position of the push buttons.

Two channels of Manual Initiation Function are available and are required to be OPERABLE in MODES 1, 2, and 3, and during CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment. These are the MODES and other specified conditions in which the Secondary Containment Isolation automatic Functions are required to be OPERABLE.

(continued)

SUSQUEHANNA - UNIT 1 3.3-197

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES ACTIONS A Note has been provided to modify the ACTIONS related to CREOAS System instrumentation channels. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition, discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for inoperable CREOAS System instrumentation channels provide appropriate compensatory measures for separate inoperable channels. As such, a Note has been provided that allows separate Condition entry for each inoperable CREOAS System instrumentation channel.

Required Action A.1 directs entry into the appropriate Condition referenced in Table 3.37.1-1. The applicable Condition specified in the Table is Function dependent. Each time a channel is discovered inoperable, Condition A is entered for that channel and provides for transfer to the appropriate subsequent Condition.

8.1.1, 8.1.2, 8.2.1, and B.2.2 Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREOAS System design, an allowable out of service time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months for Function 2 and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for all other Functions has been shown to be acceptable (Refs. 3 and 4) to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function is still maintaining CREOAS System initiation capability. A Function is considered to be maintaining CREOAS System initiation capability when sufficient channels are OPERABLE or in trip such that one trip system will generate an initiation signal from the given Function on a valid signal. For Functions 1 and 2, this would require one trip system to have two channels per logic string OPERABLE or in trip. For Functions 3, 4, 5, 6 and 7, this would require one trip system to have one channel OPERABLE.

(continued)

SUSQUEHANNA - UNIT 1 3.3-198

Rev.4 CREOAS System Instrumentation B3.3.7.1 BASES ACTIONS B.1.1, B.1.2, B.2.1, and B.2.2 (continued)

(continued)

Required Action B.1.2 is provided to allow the associated CREOAS subsystem(s) to be placed in the pressurization/filtration mode of operation within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This is acceptable because placing the associated CREOAS subsystem(s) in the pressurization/filtration mode performs the safety function of the affected instrumentation. The method used to place the CREOAS subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the CREOAS subsystem(s).

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time (B.1.1, B.1.2) is acceptable because it minimizes risk while allowing time for restoring, tripping of channels or placing in operation.

ff the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action B.2.1. Placing the inoperable channel in trip would conservatively compensate for the inoperabifity, restore capability to accommodate a single failure, and allow operation to continue.

Required Action B.2.2 is provided to allow the associated CREOAS subsystem(s) to be placed in the pressurization/filtration mode of operation.

This is acceptable because placing the associated CREOAS subsystem(s) in the pressurization/filtration mode performs the safety function of the affected instrumentation. The method used to place the CREOAS subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the CREOAS subsystem(s).

C.1.1, C.1.2 and C.2 Because of the diversity of sensors available to provide initiation signals and the redundancy of the CREOAS System design, an allowable out of service time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is provided to permit restoration of any inoperable channel to OPERABLE status. However, this out of service time is only acceptable provided the associated Function is stiff maintaining CREOAS System initiation capability. A Function is considered to be maintaining CREOAS System initiation capability when sufficient channels are OPERABLE or in trip such that one trip system will generate an initiation signal from the given Function on a valid signal. For Function 8, this would require one trip system to have one channel OPERABLE or in trip. For loss of CREOAS System initiation capability, the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance of Required Action C.2 is not appropriate. If the Function is not maintaining (continued)

SUSQUEHANNA - UNIT 1 3.3-199

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES ACTIONS C.1.1, C.1.2 and C.2 (continued)

(continued)

CREOAS System initiation capability, the CREOAS System must be declared inoperable within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of discovery of the loss of CREOAS System initiation capability in both trip systems.

Required Action C.1.2 is provided to allow the associated CREOAS subsystem(s) to be placed in pressurization/filtration mode of operation within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . This is acceptable because placing the associated CREOAS subsystem(s) in the pressurization/filtration mode performs the safety function of the affected instrumentation. The method used to place the CREOAS subsystem(s) in operation must provide for automatically re-initiating the subsystem(s) upon restoration of power following a loss of power to the CREOAS subsystem(s).

The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time (C.1.1 and C.1.2) is acceptable because it minimizes risk while allowing time for restoring or tripping of channels.

If the inoperable channel cannot be restored to OPERABLE status within the allowable out of service time, the channel must be placed in the tripped condition per Required Action C.2. Placing the inoperable channel in trip performs the intended function of the channel (starts the lead CREOAS subsystems in the pressurization/filtration mode). Alternately, if it is not desired to place the channel in trip (e.g., as in the case where it is not desired to start the subsystem), Condition D must be entered and its Required Action taken. The 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Completion Time is based on the consideration that this Function provides the primary signal to start the CREOAS System; thus, ensuring that the design basis of the CREOAS System is met.

With any Required Action and associated Completion Time not met, the associated CREOAS subsystem must be declared inoperable immediately per Required Action D.1 to ensure that control room personnel will be protected in the event of a Design Basis Accident.

(continued)

SUSQUEHANNA- UNIT 1 3.3-200

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES SURVEILLANCE As noted at the beginning of the SRs, the SRs for each CREOAS System REQUIREMENTS instrumentation Function are located in the SRs column of Table 3.3.7.1-1.

The Surveillances are modified by a Note to indicate that when a channel is placed in an inoperable status solely for performance of required Surveillances, entry into associated Conditions and Required Actions may be delayed for up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , provided the associated Function maintains CREOAS System initiation capability. Upon completion of the Surveillance, or expiration of the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months allowance, the channel must be returned to OPERABLE status or the applicable Condition entered and Required Actions taken. This Note is based on the reliability analysis (Refs. 3 and 4) assumption of the average time required to perform channel surveillance.

That analysis demonstrated that the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months testing allowance does not significantly reduce the probability that the CREOAS System will initiate when necessary.

SR 3.3.7.1.1 Performance of the CHANNEL CHECK ensures that a gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same valu_e. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or something even more serious. A CHANNEL CHECK will detect gross channel failure; thus, it is key to verifying the instrumentation continues to operate properly between each CHANNEL CALIBRATION.

Agreement criteria, which are determined by the plant staff based on an investigation of a combination of the channel instrument uncertainties, may be used to support this parameter comparison and include indication and readability. If a channel is outside the criteria, it may be an indication that the instrument has drifted outside its limit, and does not necessarily indicate the channel is Inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The CHANNEL CHECK supplements less formal checks of channel status during normal operational use of the displays associated with channels required by the LCO.

(continued)

SUSQUEHANNA - UNIT 1 3.3-201

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.2 REQUIREMENTS (continued) A CHANNEL FUNCTIONAL TEST is performed on each required channel to ensure that the entire channel will perform the intended function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. Note 1 provides a general exception to the definition of CHANNEL FUNCTIONAL TEST. This exception is necessary because the design of instrumentation does not facilitate functional testing of all required contacts of the relays which input into the combinational logic. (Reference 6) Performance of such a test could result in a plant transient or place the plant in an undo risk situation. Therefore, for this SR, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the change of state of the relay which inputs into the combinational logic. The required contacts not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.7.1.5. This is acceptable because operating experience shows that the contacts not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

Note 2 provides a second specific exception to the definition of CHANNEL FUNCTIONAL TEST. For Function 8, certain channel relays are not included in the performance of the CHANNEL FUNCTIONAL TEST. These exceptions are necessary because the circuit design does not facilitate functional testing of the entire channel through to the coil of the relay, which enters the combinational logic. (Reference 6)

Specifically, testing of all required relays would require lifting of leads and inserting test equipment, which could lead to unplanned transients.

Therefore, for these circuits, the CHANNEL FUNCTIONAL TEST verifies acceptable response by verifying the actuation of circuit devices up to the point where further testing would result in an unplanned transient.

(References 7 and 8) The required relays not tested during the CHANNEL FUNCTIONAL TEST are tested under the LOGIC SYSTEM FUNCTIONAL TEST, SR 3.3.7.1.5. This is acceptable because operating experience shows that the devices not tested during the CHANNEL FUNCTIONAL TEST normally pass the LOGIC SYSTEM FUNCTIONAL TEST, and the testing methodology minimizes the risk of unplanned transients.

(continued)

SUSQUEHANNA - UNIT 1 3.3-202

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES SURVEILLANCE SR 3.3.7.1.3 and SR 3.3.7.1.4 REQUIREMENTS (continued) A CHANNEL CALIBRATION verifies that the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with* the plant specific setpoint methodology.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.3.7.1.5 The LOGIC SYSTEM FUNCTIONAL TEST demonstrates the OPERABILITY of the required initiation logic for a specific channel. The system functional testing performed in LCO 3.7.3, "Control Room Emergency Outside Air Supply (CREOAS) System," overlaps this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.3-203

Rev.4 CREOAS System Instrumentation B 3.3.7.1 BASES REFERENCES 1. FSAR, Section 6.4.1.

2. FSAR, Table 15.2.

3. GENE-770-06-1, "Bases for Changes to Surveillance Test Intervals and Allowed Out-of-Service Times for Selected Instrumentation Technical Specifications," February 1991.

4. NEDC-31677P-A, "Technical Specification Improvement Analysis for BWR Isolation Actuation Instrumentation," July 1990.

5. Final Policy Statement on Technical Specification Improvements, July 22, 1993 (58 FR 32193).

6. NRC Inspection and Enforcement Manual, Part 9900: Technical Guidance, Standard Technical Sp~cification Section 1.0 Definitions, Issue date 12/08/86.

7. PPL Letter to NRC, PLA-2618, Response to NRC INSPECTION REPORTS 50-387/85-28 and 50-388/85-23, dated April 22, 1986.

8. Susquehanna Steam Electric Station NRC REGION I COMBINED INSPECTION 50-387/90-20; 50-388/90-20, File R41-2, dated March 5, 1986.

SUSQUEHANNA - UNIT 1 3.3-204

Rev. 6 ECCS-Operating B 3.5.1 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE !SOLATION COOLING (RCIC) SYSTEM B 3.5.1 ECCS-Operating BASES BACKGROUND The ECCS is designed, in conjunction with the primary and secondary containment, to limit the release of radioactive materials to the environment following a loss of coolant accident (LOCA). The ECCS uses two independent methods (flooding and spraying) to cool the core during a LOCA. The ECCS network consists of the High Pressure Coolant Injection (HPCI) System, the Core Spray (CS) System, the low pressure coolant injection (LPCI) mode of the Residual Heat Removal (RHR) System, and the Automatic Depressurization System (ADS). The suppression pool provides the required source of water for the ECCS. Although no credit is taken in the safety analyses for the condensate storage tank (CST), it is capable of providing a source of water for the HPCI and CS systems.

On receipt of an initiation signal, ECCS pumps automatically start; simultaneously, the system aligns and the pumps inject water, taken either from the CST or suppression pool, into the Reactor Coolant System (RCS) as RCS pressure is overcome by the discharge pressure of the ECCS pumps. Although the system is initiated, ADS action is delayed, allowing the operator to interrupt the timed sequence if the system is not needed. The HPCI pump discharge pressure quickly exceeds that of the RCS, and the pump injects coolant into the vessel to cool the core. If the break is small, the HPCI System will maintain coolant inventory as well as vessel level while the RCS is still pressurized. If HPCI fails, it is backed up by ADS in combination with LPCI and CS. In this event absent operator action, the ADS timed sequence would time out and open the selected safety/relief valves (S/RVs) depressurizing the RCS, thus allowing the LPCI and CS to overcome RCS pressure and inject coolant into the vessel. If the break is large, RCS pressure initially drops rapidly and the LPCI and CS cool the core.

Water from the break returns to the suppression pool where it is used again and again. Water in the suppression pool is circulated through a heat exchanger cooled by the RHR Service Water System. Depending on the location and size of the break, portions of the ECCS may be ineffective; however the overall design is effective in cooling the core regardless of the size or location of the piping break. Although no credit is taken in the safety analysis for the RCIC System, it performs a similar function as HPCI, (continued)

SUSQUEHANNA- UNIT 1 3.5-1

Rev. 6 ECCS-Operating B 3.5.1

BASES, BACKGROUND but has reduced makeup capability. Nevertheless, it will maintain inventory (continued) and cool the core while the RCS is still pressurized following a reactor pressure vessel (RPV) isolation.

All ECCS subsystems are designed to ensure that no single active component failure will prevent automatic initiation and successful operation of the minimum required ECCS equipment.

The CS System (Ref. 1) is composed of two independent subsystems. Each subsystem consists of two motor driven pumps, a spray sparger above the core, and piping and valves to transfer water from the suppression pool to the sparger. The CS System is designed to provide cooling to the reactor core when reactor pressure is low. Upon receipt of an initiation signal, the CS pumps in both subsystems are automatically started when AC power is available. When the RPV pressure drops sufficiently, CS System flow to the RPV begins. A full flow test line is provided to route water from and to the suppression pool to allow testing of the CS System without spraying water in the RPV.

LPCI is an independent operating mode of the RHR System. There are two LPCI subsystems (Ref. 2), each consisting of two motor driven pumps and piping and valves to transfer water from the suppression pool to the RPV via the corresponding recirculation loop. The two LPCI subsystems can be interconnected via the RHR System cross tie valves; however, at least one of the two cross tie.valves is maintained closed with its power removed to prevent loss of both LPCI subsystems during a LOCA. The LPCI subsystems are designed to provide core cooling at low RPV pressure.

Upon receipt of an initiation signal, all four LPCI pumps are automatically started. RHR System valves in the LPCI flow path are automatically positioned to ensure the proper flow path for water from the suppression pool to inject into the recirculation loops. When the RPV pressure drops sufficiently, the LPCI flow to the RPV, via the corresponding recirculation loop, begins. The water then enters the reactor through the jet pumps.

Full flow test lines are provided for each LPCI subsystem to route water from the suppression pool, to allow testing of the LPCI pumps without injecting water into the RPV. These test lines also provide suppression pool cooling capability, as described in LCO 3.6.2.3, "RHR Suppression Pool Cooling."

(continued)

SUSQUEHANNA - UNIT 1 3.5-2

Rev. 6 ECCS-Operating B 3.5.1 BASES BACKGROUND The HPCI System (Ref. 3) consists of a steam driven turbine pump unit, (continued) piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping for the system is provided from the CST and the suppression pool. Pump suction for HPCI is normally aligned to the CST source to minimize injection of suppression pool water into the RPV.

Whenever the CST water supply is low, an automatic transfer to the suppression pool water source ensures an adequate suction head for the pump and an uninterrupted water supply for continuous operation of the HPCI System. The steam supply to the HPCI turbine is piped from a main steam line upstream of the associated inboard main steam isolation valve.

The HPCI System is designed to provide core cooling for a wide range of reactor pressures (165 psia to 1225 psia). Upon receipt of an initiation signal, the HPCI turbine stop valve and turbine control valve open and the turbine accelerates to a specified speed. As the HPCI flow increases, the turbine control.valve is automatically adjusted to maintain design flow.

Exhaust steam from the HPCI turbine is discharged to the suppression pool.

A full flow test line is provided to route water to the CST to allow testing of the HPCI System during normal operation without injecting water into the RPV.

The ECCS pumps are provided with minimum flow bypass lines, which discharge to the suppression pool. The valves in these lines automatically open to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPVand to minimize water hammer effects, all ECCS pump discharge lines are filled with water. The HPCI, LPCI and CS System discharge lines are kept full of water using a "keep fill" system that is supplied using the condensate transfer system.

The ADS (Ref. 4) consists of 6 of the 16 S/RVs. It is designed to provide depressurization of the RCS during a small break LOCA if HPCI fails or is unable to maintain required water level in the RPV. ADS operation reduces the RPV pressure to within the operating pressure range of the low pressure ECCS subsystems (CS and LPCI), so that these subsystems can provide coolant inventory makeup. Each of the S/RVs used for automatic depressurization is equipped with two gas accumulators and associated inlet check valves. The accumulators provide the pneumatic power to actuate the valves.

(continued)

SUSQUE_HANNA - UNIT 1 3.5-3

Rev.6 ECCS-Operating B 3.5.1 BASES APPLICABLE The ECCS performance is evaluated for the entire spectrum of break sizes SAFETY for a postulated LOCA. The accidents for which ECCS operation is required ANALYSES are presented in References 5, 6, and 7. The required analyses and assumptions are defined in Reference 8. The results of these analyses are also described in Reference 9.

This LCO helps to ensure that the following acceptance criteria for the ECCS, established by 10 CFR 50.46 (Ref. 10), will be met following a LOCA, assuming the worst case single active component failure in the ECCS:

a. Maximum fuel element cladding temperature is :s; 2200°F;

b. Maximum cladding oxidation is :s; 0.17 times the total cladding thickness before oxidation;

c. Maximum hydrogen generation from a zirconium water reaction is :s; 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react;

d. The core is maintained in a coolable geometry; and

e. Adequate long term cooling capability is maintained.

SPC performed LOCA calculations for the SPC ATRIUM'-10 fuel design.

The limiting single failures for the SPC analyses are discussed in Reference 11. For a large break LOCA, the SPC analyses identify the recirculation loop suction piping as the limiting break location. The SPC analysis identifies the failure of the LPCI injection valve into the intact recirculation loop as the most limiting single failure.

For a small break LOCA, the SPC analyses identify the recirculation loop discharge piping as the limiting break location, and a battery failure as the most severe single failure. One ADS valve failure is analyzed as a limiting single failure for events requiring ADS operation. The remaining OPERABLE ECCS subsystems provide the capability to adequately cool the core and prevent excessive fuel damage.

The ECCS satisfy Criterion 3 of the NRC Policy Statement (Ref. 15).

(continued)

SUSQUEHANNA - UNIT 1 3.5-4

Rev. 6 EGGS-Operating B 3.5.1 BASES LCO Each ECCS injection/spray subsystem and six ADS valves are required to be OPERABLE. The ECCS injection/spray subsystems are defined as the two CS subsystems, the two LPCI subsystems, and one HPCI System, The low pressure ECCS injection/spray subsystems are defined as the two CS subsystems and the two LPCI subsystems.

With less than the required number of ECCS subsystems OPERABLE, the potential exists that during a limiting design basis LOCA concurrent with the worst case single failure, the limits specified in Reference 10 could be exceeded. All ECCS subsystems must therefore be OPERABLE to satisfy the single failure criterion required by Reference 10.

LPCI subsystems may be considered OPERABLE during alignment and operation for decay heat removal when below the actual RHR cut in permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. At these low pressures and decay heat levels, a reduced complement of ECCS subsystems should provide the required core cooling, thereby allowing operation of RHR shutdown cooling when necessary.

APPLICABILITY All ECCS subsystems are required to be OPERABLE during MODES 1, 2, and 3, when there is considerable energy in the reactor core and core cooling would be required to prevent fuel damage in the event of a break in the primary system piping. In MODES 2 and 3, when reactor steam dome.

pressure is :,;; 150 psig, ADS and HPCI are not required to be OPERABLE because the low pressure ECCS subsystems can provide sufficient flow below this pressure. Requirements for MODES 4 and 5 are specified in LCO 3.5.2, "Reactor Pressure Vessel (RPV) Water Inventory Control."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable HPCI subsystem. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable HPCI subsystem and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

(continued)

SUSQUEHANNA - UNIT 1 3.5-5

Rev. 6 EGGS-Operating B 3.5.1 BASES ACTIONS A.1 (continued)

If any one low pressure ECCS injection/spray subsystem is inoperable for reasons other than Condition B, the inoperable subsystem must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE subsystems provide adequate core cooling during a LOCA.

However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not being able to perform its intended safety function.

The 7 day Completion Time is based on a reliability study (Ref. 12) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (i.e.,

Completion Times).

B.1 If one LPCI pump in one or both LPCI subsystems is inoperable, the inoperable LPCI pumps must be restored to OPERABLE status within 7 days. In this Condition, the remaining OPERABLE LPCI pumps and at least one CS subsystem provide adequate core cooling during a LOCA.

However, overall ECCS reliability is reduced, because a single failure in one of the remaining OPERABLE subsystems, concurrent with a LOCA, may result in the ECCS not being able to perform its intended safety function. A 7 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

C.1 and C.2 If the inoperable low pressure ECCS subsystem or LPCI pump(s) cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 1 3.5-6

Rev.6 EGGS-Operating 8 3.5.1 BASES ACTIONS D.1 and D.2 (continued)

If the HPCI System is inoperable and the RCIC System is verified to be OPERABLE, the HPCI System must be restored to OPERABLE status within 14 days. In this Condition, adequate core cooling is ensured by the OPERABILITY of the redundant and diverse low pressure ECCS injection/spray subsystems in conjunction with ADS. Also, the RCIC System will automatically provide makeup water at most reactor operating pressures.

Verification of RCIC OPERABILITY is therefore required when HPCI is inoperable. This may be performed as an administrative check by examining logs or other information to determine .if RCIC is out of service for maintenance or other reasons. It does not mean to perform the Surveillances needed to demonstrate the OPERABILITY of the RCIC System. If the OPERABILITY of the RCIC System cannot be verified, however, Condition H must be immediately entered. If a single active component fails concurrent with a design basis LOCA, there is a potential, depending on the specific failure, that the minimum required ECCS equipment will not be available. A 14 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

E.1 and E.2 If Condition A or Condition B exists in addi~ion to an inoperable HPCI System, the inoperable low pressure ECCS injection/spray subsystem or the LPCI pump(s) or the HPCI System must be restored to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In this Condition, adequate core cooling is ensured by the OPERABILITY of.the ADS and the remaining low pressure ECCS subsystems. However, the overall ECCS reliability is significantly reduced because a single failure. in one of the remaining OPERABLE subsystems concurrent with a design basis LOCA may result in the ECCS not being able to perform its intended safety function. Since both a high pressure system (HPCI) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is required to restore either the HPCI System or the low pressure ECCS injection/spray subsystem to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

(continued)

SUSQUEHANNA - UNIT 1 3.5-7

Rev. 6 EGGS-Operating B 3.5.1 BASES ACTIONS Ll (continued)

The LCO requires six ADS valves to be OPERABLE in order to provide the ADS function. Reference 11 contains the results of an analysis that evaluated the effect of one ADS valve being out of service. Per this analysis, operation of only five ADS valves will provide the required depressurization.

However, overall reliability of the ADS is reduced, because a single failure in the OPERABLE ADS valves could result in a reduction in depressurization capability. Therefore, operation is only allowed for a limited time. The 14 day Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

G.1 and G.2 If Condition A or Condition B exists in addition to one inoperable ADS valve, adequate core cooling is ensured by the OPERABILITY of HPCI and the remaining low pressure ECCS injection/spray subsystem. However, overall ECCS reliability is reduced because a single active component failure concurrent with a design basis LOCA could result in the minimum required ECCS equipment not being available. Since both a high pressure system (ADS) and a low pressure subsystem are inoperable, a more restrictive Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is required to restore either the low pressure ECCS subsystem or the ADS valve to OPERABLE status. This Completion Time is based on a reliability study cited in Reference 12 and has been found to be acceptable through operating experience.

H.1 and H.2 If any Required Action and associated Completion Time of Condition D, E, F, or G is not met, or if two or more ADS valves are inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and reactor steam dome pressure reduced to :,;; 150 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

11 When multiple ECCS subsystems are inoperable, as stated in Condition I, LCO 3.0.3 must be entered immediately.

(continued)

SUSQUEHANNA - UNIT 1 3.5-8

Rev.6 EGGS-Operating B 3.5.1 BASES.

SURVEILLANCE SR 3.5.1.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the HPCI System, CS System, and LPCI subsystems full of water ensures that the ECCS will perform properly, injecting its full capacity into the RCS upon demand. This will also prevent a water hammer following an ECCS initiation signal. One acceptable method of ensuring that the lines are full is to vent at the high points .. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.2 Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position since these were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided tlie valve will automatically reposition in the proper stroke time.

This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the HPCI System, this SR also includes the steam flow path for the turbine and the flow controller position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control-Program.

This SR is modified by a Note that allows LPCI subsystems to be considered OPERABLE during alignment and operation for decay heat removal with reactor steam dome pressure less than the RHR cut in permissive pressure in MODE 3, if capable of being manually realigned (remote or local) to the LPCI mode and not otherwise inoperable. This allows operation in the RHR shutdown cooling mode during MODE 3, if necessary.

(continued)

SUSQUEHANNA - UNIT 1 3.5-9

Rev.6 EGGS-Operating 8 3.5.1 BASES SURVEILLANCE SR.3.5.1.3 REQUIREMENTS (continued) Verification that ADS gas supply header pressure is ~ 135 psig ensures adequate gas pressure for reliable ADS operation. The accumulator on each ADS valve provides pneumatic pressure for valve actuation. The design pneumatic supply pressure requirements for the accumulator are such that, following a failure of the pneumatic supply to the accumulator, at least one valve actuations can occur with the drywell at 70% of design pressure.

The ECCS safety analysis assumes only one actuation to achieve the depressurization required for operation of the low pressure ECCS. This minimum required pressure of~ 135 pSig is provided by the containment instrument gas system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.4 Verification every 31 days that at least one RHR System cross tie valve is closed and power to its operator is disconnected ensures that each LPCI subsystem remains independent and a failure of the flow path in one subsystem will not affect the flow path of the other LPCI subsystem.

Acceptable methods of removing power to the operator include opening the breaker, or racking out the breaker, or removing the breaker. If both RHR

System cross tie valves are open or power has not been removed from at least one closed valve operator, both LPCI subsystems must be considered .

inoperable. The Surveillance Frequency is controlled under the Surveillance

~Frequency Control Program.

SR 3.5.1.5 Verification that each 480 Volt AC swing bus transfers automatically from the normal source to the alternate source on loss of power while supplying its respective bus demonstrates that electrical power is available to ensure proper operation of the associated LPCI inboard injection and minimum flow valves and the recirculation pump discharge and bypass valves.

Therefore, each 480 volt AC swing bus must be OPERABLE for the associated LPCI subsystem to be OPERABLE. The test is performed by actuating the load test switch or by disconnecting the preferred power source to the transfer switch and verifying that swing bus automatic transfer is accomplished. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.5-10

Rev.6 ECCS-Operating 83.5.1 .

BASES SURVEILLANCE SR 3.5.1.6 REQUIREMENTS (continued) Cycling the recirculation pump discharge and bypass valves through one complete cycle of full travel demonstrates that the valves are mechanically OPERABLE and provides assurance that the valves will close when required to ensure the proper LPCI flow path is established. Upon initiation of an automatic LPCI subsystem injection signal, these valves are required to be closed to ensure full LPCI subsystem flow injection in the reactor via the recirculation jet pumps. De-energizing the valve in the closed position will also ensure the proper flow path for the LPCI subsystem. Acceptable methods of de-energizing the valve include opening the breaker, or racking out the breaker, or removing the breaker.

The specified Frequency is once during reactor startup before THERMAL POWER is > 25% RTP. However, this SR is modified by a Note that states the Surveillance is only required to be performed if the last performance was more than 31 days ago. Therefore, implementation of this Note requires this test to be performed during reactor startup before exceeding 25% RTP.

Verification during reactor startup prior to reaching > 25% RTP is an exception to the n<;>rmal lnservice Testing Program generic valve cycling

Frequency, but is considered acceptable due to the demonstrated reliability of these valves. If the valve is inoperable and in the open position, the associated LPCI subsystem must be declared inoperable.

SR 3.5.1.7, SR 3.5.1.8, and SR 3.5.1.9 The performance requirements of the low pressure ECCS pumps are determined through application of the 10 CFR 50, Appendix K criteria (Ref. 8). This periodic Surveillance is performed (in accordance with the ASME OM Code requirements for the ECCS pumps) to verify that the ECCS pumps will develop the flow rates required by the respective analyses. The low pressure ECCS pump flow rates ensure that adequate core cooling is provided to satisfy the acceptance criteria of Reference 10.

The pump flow rates are verified against a system head equivalent to the RPV pressure expected during a LOCA. The total system pump outlet pressure is adequate to overcome the elevation head pressure between the pump suction and the vessel discharge, the piping friction losses, and RPV pressure present during a LOCA. These values may be established during preoperational testing.

(continued)

SUSQUEHANNA - UNIT 1 3.5-11

Rev.6 EGGS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.7. SR 3.5.1.8, and SR 3.5.1.9 (continued)

REQUIREMENTS (continued) The flow tests for the HPCI System are performed at two different pressure ranges such that system capability to provide rated flow is tested at both the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the HPCI System diverts steam flow. Reactor steam pressure is considered adequate when ~ 920 psig to perform SR 3.5.1.8 and : .: : 150 psig to perform SR 3.5.1.9. However, the requirements of SR 3.5.1.9 are met by a successful performance at any pressure ::. 165 psig. *Adequate steam flow is represented by at least 1.25 turbine bypass valves open. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these tests. Reactor startup is allowed prior to performing the low pressure Surveillance test because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance test is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure test has been satisfactorily completed and there is no indication or reason to believe that HPCI is inoperable. Therefore, SR 3.5.1.8 and SR 3.5.1.9 are.modified by Notes that state the Surveillances are not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the reactor steam pressure and flow are adequate to perform the test.

The Frequency for SR 3.5.1. 7 and SR 3.5.1.8 is in accordance with the lnservice Testing Program requirements. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.1.10 The ECCS subsystems are required to actuate automatically to perform their design functions. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of HPCI, CS, and LPCI will cause the systems or subsystems to operate as designed, including actuation of the system throughout its emergency operating sequence, automatic pump startup and actuation of all automatic valves to their required positions. This functional test includes the LPCI and CS interlocks between Unit 1 and Unit 2 and specifically requires the following:

A functional test of the interlocks associated with the LPCI and CS pump starts in response to an automatic initiation signal in Unit 1 followed by a false automatic initiation signal in Unit 2; (continued)

SUSQUEHANNA - UNIT 1 3.5-12

Rev. 6 EGGS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.10 (continued)

REQUIREMENTS (continued) A functional test of the interlocks associated with the LPCI and CS pump starts in response to an automatic initiation signal in Unit 2 followed by a false automatic initiation signal in Unit 1; and A functional test of the interlocks associated with the LPCI and CS pump starts in response to simultaneous occurrences of an automatic initiation signal in both Unit 1 and Unit 2 and a loss of Offsite power condition affecting both Unit 1 and Unit 2.

The purpose of this functional test (preferred pump logic) is to assure that if a false LOCA signal were to be received on one Unit simultaneously with an actual LOCA signal on the second Unit, the preferred LPCI and CS pumps are started and the non-preferred LPCI and CS pumps are tripped for each Unit. This functional test is performed by verifying that the non-preferred LPCI and CS pumps are tripped. The verification that preferred LPCI and CS pumps start is performed under a separate surveillance test.

Only one division of LPCI preferred pump logic is required to be OPERABLE for each Unit, because no additional failures needs to be postulated with a false LOCA signal. If the preferred or non-preferred pump logic for CS is inoperable, the associated CS pumps shall be declared inoperable and the pumps should not be operated to ensure that the opposite Unit's CS pumps or 4.16 kV ESS Buses are protected.

This SR also ensures that the HPCI System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlaps this Surveillance. This SR can be accomplished by any series of sequential overlapping or total steps su.ch that the entire channel is tested.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by: a Note that excludes vessel injection/spray during the Surveillance .. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

(continued)

SUSQUEHANNA - UNIT 1 3.5-13

Rev. 6 ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.11 REQUIREMENTS (continued) The ADS designated S/RVs are required to actuate automatically upon receipt of specific initiation signals. A system functional test is performed to demonstrate that the mechanical portions of the ADS function (i.e.,

solenoids) operate as designed when initiated either by an actual or simulated initiation signal, causing proper actuation of all the required components. SR 3.5.1.12 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes valve actuation. This prevents an RPV pressure blowdown.

SR 3.5.1.12 A manual actuation of each ADS valve actuator is performed to verify that the valve and solenoid are functioning properly. This is demonstrated by the methods described below. Proper operation of the valve tailpipes is ensured through the use of foreign material exclusion during maintenance.

Valve OPERABILITY and the setpoints for overpressure protection are verified, per ASME requirements, prior to valve installation.

Manual actuation of the actuator at atmospheric temperature and pressure during cold shutdown is performed. Proper functioning of the valve actuator and solenoid is demonstrated by visual observation of actuator movement.

The ADS actuator will be disconnected from the valve to ensure no damage is done to the valve seat or to the valve internals. Each valve shall be bench-tested prior to reinstallation. The bench-test along with the test on the ADS actuator establishes the OPERABILITY of the valves.

SR 3.5.1.11 and the LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.1 overlap this Surveillance to provide complete testing of the assumed safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.5-14

Rev. 6 ECCS-Operating B 3.5.1 BASES SURVEILLANCE SR 3.5.1.13 REQUIREMENTS (continued) This SR ensures that the ECCS RESPONSE TIME for each ECCS injection/spray subsystem is less than or equal to the maximum value assumed in the accident analysis. Response Time testing acceptance criteria are included in Reference 13. This SR is modified by a Note that allows the instrumentation portion of the response time to be assumed to be based on historical response time data and therefore, is excluded from the ECCS RESPONSE TIME testing. This is allowed since the instrumentation response time is a small part of the ECCS RESPONSE TIME (e.g., sufficient margin exists in the diesel generator start time when compared to the instrumentation response time) (Ref. 14).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.3.2.2.3.

2. FSAR, Section 6.3.2.2.4.

3. FSAR, Section 6.3.2.2.1.

4. FSAR, Section 6.3.2.2.2.

5. FSAR, Section 15.2.4.

6. FSAR, Section 15.2.5.

7. FSAR, Section 15.2.6.

8. 10 CFR 50, Appendix K.

9. FSAR, Section 6.3.3.

10. 10 CFR 50.46.

11. FSAR, Section 6.3.3.

12. Memorandum from R.L. Baer (NRC) to V. Stello, Jr. (NRC),

"Recommended Interim Revisions to LCOs for ECCS Components,"

December 1 , 1975.

(continued)

SUSQUEHANNA - UNIT 1 3.5-15

Rev.6 ECCS-Operating B3.5.1

-- BASES REFl:RENCES 13. FSAR, Section 6.3.3.3.

(Continued)

14. NEDO 32291-A, "System Analysis for the Elimination of Selected Response Time Testing Requirements, October 1995.

15. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.5-16

Rev. 3 RPV Water Inventory Control B 3.5.2 B 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM B 3.5.2 Reactor Pressure Vessel (RPV) Water Inventory Control BASES BACKGROUND The RPV contains penetrations below the top of the active fuel (TAF) that have the potential to drain the reactor coolant inventory to below the TAF.

If the water level should drop below the TAF, the ability to remove decay heat is reduced, which could. lead to elevated cladding temperatures and clad perforation. Safety Limit 2.1.1.3 requires the RPV water level to be above the top of the active irradiated fuel at all times to prevent such elevated cladding temperatures.

APPLICABLE With the unit in MODE 4 or 5, RPV water inventory control is not required SAFETY to mitigate any events or accidents evaluated in the safety analyses. RPV ANALYSES water inventory control is required in MODES 4 .and 5 to protect Safety Limit 2.1.1.3 and the fuel cladding barrier to prevent the release of radioactive material to the environment should an unexpected draining event occur.

A double-ended guillotine break of the Reactor Coolant System (RCS) is not postulated in MODES 4 and 5 due to the reduced RCS pressure, reduced piping stresses, and ductile piping systems. Instead, an event is considered in which single operator error or initiating event allows draining of the RPV water inventory through a single penetration flow path with the highest flow rate, or the sum of the drain rates through multiple penetration flow paths susceptible to a common mode failure (e.g., seismic event, loss of normal power, single human error). It is assumed, based on engineering judgment, that while in MODES 4 and 5, one low pressure ECCS injec-tion/spray subsystem can maintain adequate reactor vessel water level.

As discussed in References 1, 2, 3, 4, and 5, operating experience has shown RPV water inventory to be significant to public health and safety.

Therefore, RPV Water Inventory Control satisfies Criterion 4 of 10 CFR 50.36(c)(2)(ii).

(continued)

SUSQUEHANNA - UNIT 1 3.5-17

Rev. 3 RPV Water Inventory Control B 3.5.2 BASES LCO The RPV water level must be controlled in MODES 4 and 5 to ensure that if an unexpected draining event should occur, the reactor coolant water level remains above the top of the active irradiated fuel as required by Safety Limit 2.1.1.3.

The Limiting Condition for Operation (LCO) requires the DRAIN TIME of RPV water inventory to the TAF to be.:: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . A DRAIN TIME of 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months is considered reasonable to identify and initiate action to mitigate unexpected draining of reactor coolant. An event that could cause loss of RPV water inventory and result in the RPV water level reaching the TAF in greater than 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months does not represent a significant challenge to Safety Limit 2.1.1.3 and can be managed as part of normal plant operation.

One low pressure ECCS injection/spray subsystem is required to be OPERABLE and capable of being manually started to provide defense-in-depth should an unexpected draining event occur. A low pressure ECCS injection/spray subsystem consists of either one Core Spray (CS) subsystem or one Low Pressure Coolant Injection (LPCI) subsystem. Each CS subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool or condensate storage tank (CST) to the RPV. Each LPCI subsystem consists of one motor driven pump, piping, and valves to transfer water from the suppression pool to the RPV.

In MODES 4 and 5, the RHR System cross tie valves are not required to be closed.

The LCO is modified by a Note which allows a required LPCI subsystem to be considered OPERABLE during alignment and operation for decay heat removal if capable of being manually realigned (remote or local) to the LPCI mode and is not otherwise inoperable. Alignment and operation for decay heat removal includes when the required RHR pump is not operating or when the system is realigned from or to the RHR shutdown cooling mode.

This allowance is necessary since the RHR System may be required to operate in the shutdown cooling mode to remove decay heat and sensible heat from the reactor. Because of the restrictions on DRAIN TIME, sufficient time will be available following an unexpected draining event to manually align and initiate LPCI subsystem operation to maintain RPV water inventory prior to the RPV water level reaching the TAF.

(continued)

SUSQUEHANNA - UNIT 1 3.5-18

Rev. 3 RPV Water Inventory Control B 3.5.2 BASES APPLICABILITY RPV water inventory control is required in MODES 4 and 5. Requirements on water inventory control in other MODES are contained in LCOs in Section 3.3, Instrumentation, and other LCOs in Section 3.5, ECCS, RCIC, and RPV Water Inventory Control. RPV water inventory control is required to protect Safety Limit 2.1.1.3 which is applicable whenever irradiated fuel is in the reactor vessel.

ACTIONS A.1 and 8.1 If the required low pressure ECCS injection/spray subsystem is inoperable, it must be restored to OPERABLE status within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . In this Condition, the LCO controls on DRAIN TIME minimize the possibility that an unexpected draining event could necessitate the use of the ECCS injection/spray subsystem, however the defense-in-depth provided by the ECCS injection/spray subsystem is lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time for restoring the required low pressure ECCS injection/spray subsystem to OPERABLE status is based on engineering judgment that considers the LCO controls on DRAIN TIME and the low probability of an unexpected draining event that would result in loss of RPV water inventory.

If the inoperable ECCS injection/spray subsystem is not restored to OPERABLE status within the required Completion Time, action must be initiated immediately to establish a method of water injection capable of operating without offsite electrical power. The method of water injection includes the necessary instrumentation and controls, water sources, and pumps and valves needed to add water to the RPV or refueling cavity should an unexpected draining event occur. The method of water injection may be manually initiated and may consist of one or more systems or subsystems, and must be able to access water inventory capable of maintaining the RPV water level above the TAF for;:: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . If recirculation of injected water would occur, it may be credited in determining the necessary water volume.

C.1, C.2, and C.3 With the DRAIN TIME less than 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months but greater than or equal to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , compensatory measures should be taken to ensure the ability to implement mitigating actions should an unexpected draining event occur.

Should a draining event lower the reactor coolant level to below the TAF, there is potential for damage to the reactor fuel cladding and release of (continued)

SUSQUEHANNA - UNIT 1 3.5-19

Rev. 3 RPV Water Inventory Control B 3.5.2 BASES ACTIONS C.1, C.2, and C.3 (continued)

(continued) radioactive material. Additional actions are taken to ensure that radioactive material will be contained, diluted, and processed prior to being released to the environment.

The secondary containment provides a controlled volume in which fission products can be contained, diluted, and processed prior to release to the environment. Required Action C.1 requires verification of the capability to establish the secondary containment boundary in less than the DRAIN TIME.

The required verification confirms actions to establish the secondary containment boundary are preplanned and necessary materials are available. The secondary containment boundary is considered established when one Standby Gas Treatment (SGT) subsystem is capable of maintaining a negative pressure in the secondary containment with respect to the environment. Verification that the secondary containment boundary can be established must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The required verification is an administrative activity and does not require manipulation or testing of equipment. Secondary containment penetration flow paths form a part of the secondary containment boundary. Required Action C.2 requires verification of the capability to isolate each secondary containment penetration flow path in less than the DRAIN TIME. The required verification confirms actions to isolate the secondary containment penetration flow paths are preplanned and necessary materials are available. Power operated valves are not required to receive automatic isolation signals if they can be closed manually within the required time. Verification that the secondary containment penetration flow paths can be isolated must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The required verification.is an administrative activity and does not require manipulation or testing of equipment.

One SGT subsystem is capable of maintaining the secondary containment at a negative pressure with respect to the environment and filter gaseous releases. Required Action C.3 requires verification of the capability to place one SGT subsystem in operation in less than the DRAIN TIME. The required verification confirms actions to place a SGT subsystem in operation are preplanned and necessary materials are available.

Verification that a SGT subsystem can be placed in operation must be performed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The required verification is an administrative activity and does not require manipulation or testing of equipment.

(continued)

SUSQUEHANNA - UNIT 1 3.5-20

Rev. 3 RPV Water Inventory Control B 3.5.2 BASES ACTIONS 0.1. D.2. D.3. and D.4 (Continued)

With the DRAIN TIME less than 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , mitigating actions are implemented in case an unexpected draining event should occur. Note that if the DRAIN

- TIME is less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , Required Action E.1 is also applicable.

Required Action D.1 requires immediate action to establish an additional method of water injection augmenting the ECCS injection/spray subsystem required by the LCO. The additional method of water injection includes the necessary instrumentation and controls, water sources, and pumps and valves needed to add water to the RPV or refueling cavity should an unexpected draining event occur. The Note to Required Action D.1 states that either the ECCS injection/spray subsystem or the additional method of water injection must be capable of operating without offsite electrical power. The additional method of water injection may be manually initiated and may consist of one or more systems or subsystems. The additional method of wat~r injection must be able to access water inventory capable of being injected to maintain the RPV water level above the TAF for ~ 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The additional method of water injection and the ECCS injec-tion/spray subsystem may share all or part of the same water sources. If recirculation of injected water would occur, it may be credited in determin-ing the required water volume.

Should a draining event lower the reactor coolant level to below the TAF, there is potential for damage to the reactor fuel cladding and release of radioactive material. Additional actions are taken to ensure that radioactive material will be contained, diluted, and processed prior to being released to the environment.

The secondary containment provides a control volume in which fission-products can be contained, diluted, and processed prior to release to the environment. Required Action D.2 requires that actions be immediately initiated to establish the secondary containment boundary. With the secondary containment boundary established, one SGT subsystem is capable of maintaining a negative pressure in the secondary containment with respect to the environment.

Yhe secondary containment penetrations form a part of the secondary containment boundary. Required Action D.3 requires that actions be immediat13ly initiated to verify that each secondary containment penetration flow path is isolated or to verify that it can be manually isolated from the control. room.

(continued)

SUSQUEHANNA - UNIT 1 3.5-21

Rev.3 RPV Water Inventory Control B 3.5.2 BASES ACTIONS D.1, D.2, 0.3, and D.4 (continued)

(continued)

One SGT subsystem is capable of maintaining the secondary containment at a negative pressure with respect to the environment and filter gaseous releases. Required Action D.4 requires that actions be immediately initiated to verify that at least one SGT subsystem is capable of being placed in operation. The required verification is an administrative activity and does not require manipulation or testing of equipment.

If the Required Actions and associated Completion times of Conditions C or Dare not met or if the DRAIN TIME is less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , actions must be initiated immediately to restore the DRAIN TIME to :2: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . In this condition, there may be insufficient time to respond to an unexpected draining event to prevent the RPV water inventory from reaching the TAF.

Note that Required Actions D.1, D.2, D.3, and D.4 are also applicable when DRAIN TIME is less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

SURVEILLANCE SR 3.5.2.1 REQUIREMENTS This Surveillance verifies that the DRAIN TIME of RPV water inventory to the TAF is :2: 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The period of 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months is considered reasonable to identify and initiate action to mitigate draining of reactor coolant. Loss of RPV water inventory that would result in the RPV water level reaching the TAF in greater than 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months does not represent a significant challenge to Safety Limit 2.1.1.3 and can be managed as part of normal plant operation.

The definition of DRAIN TIME states that realistic cross-sectional areas and drain rates are used in the calculation. A realistic drain rate may be determined using a single, step-wise, or integrated calculation considering the changing RPV water level during a draining event. For a Control Rod RPV penetration flow path with the Control Rod Drive Mechanism removed and not replaced with a blank flange, the realistic cross-sectional area is based on the control rod blade seated in the control rod guide tube. If the control rod blade will be raised from the penetration to adjust or verify seating of the blade, the exposed cross-sectional area of the RPV penetration flow path is used.

The definition of DRAIN TIME excludes from the calculation those penetration flow paths connected to an intact closed system, or isolated by manual or automatic valves that are locked, sealed, or otherwise secured in (continued)

SUSQUEHANNA - UNIT 1 3.5-22

Rev.3 RPV Water Inventory Control B 3.5.2 BASES SURVEILLANCE SR 3.5.2.1 (continued)

REQUIREMENTS

( continued) the closed position, blank flanges, or other devices that prevent flow of reactor coolant through the penetration flow paths. A blank flange or other bolted device must be connected with a sufficient number of bolts to prevent draining in the event of an Operating Basis Earthquake. Normal or expected leakage from closed systems or past isolation devices is permitted.

Determination that a system is intact and closed or isolated must consider the status of branch lines and ongoing plant maintenance and testing activities.

, The Residual Heat Removal (RHR) Shutdown Cooling System is only

'considered an intact closed system when misalignment issues (Reference 6) have been precluded by functional v.alve interlocks or by isolation devices, such that redirection of RPV water out of an RHR subsystem is precluded.

Further, RHR Shutdown Cooling System is only considered an intact closed system if its controls have not been transferred to Remote Shutdown, which disables the interlocks and isolation signals.

The exclusion of penetration flow paths from the determination of ORAi N TIME must consider the potential effects of a single operator error or initiating event on items supporting maintenance and testing (rigging, scaffolding, temporary shielding, piping plugs, snubber removal, freeze seals, etc.). If failure of such items could result and would cause a draining event from a closed system or between the RPV and the isolation device, the penetration flow path may not be excluded from the DRAIN TIME calculation.

Surveillance Requirement 3.0.1 requires SRs to be met between performances. Therefore, any changes in plant conditions that would change the DRAIN TIME requires that a new DRAIN TIME be determined.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.2 and SR 3.5.2.3 The minimum water level of 20 ft O inches required for the suppression pool is periodically verified to ensure that the suppression pool will provide adequate net positive suction head (NPSH) for the CS subsystem or LPCI subsystem pump, recirculation volume, and vortex prevention. With the suppression pool water level less than the required limit, the required ECCS injection/spray subsystem is inoperable unless aligned to an OPERABLE CST.

(continued)

SUSQUEHANNA - UNIT 1 3.5-23

Rev. 3 RPV Water Inventory Control 83.5.2 BASES SURVEILLANCE SR 3.5.2.2 and SR 3.5.2.3. (continued)

REQUIREMENTS (continued) The required CS System is considered OPERABLE if it can take suction from the CST, and the CST water level is sufficient to provide the required NPSH for the CS pump. Therefore, a verification that either the suppression pool water level is ~ 20 ft O inches or that a required CS subsystem is aligned to take suction from the CST and the CST contains ~ 135,000 gallons of water, equivalent to 49% of capacity, ensures that the CS Subsystem can supply at least 135,000 gallons of makeup water to the RPV.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.4 The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge lines of the required ECCS.

injection/spray subsystems full of water ensures that the ECCS subsystem will perform properly. This may also prevent a water hammer following an ECCS initiation signal. One acceptable method of ensuring that the lines are full is to vent at the high points.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.5 Verifying the correct alignment for manual, power operated, and automatic valves in the required ECCS subsystem flow path provides assurance that the proper flow paths will be available for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatical-ly reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.5-24

Rev. 3 RPV Water Inventory Control 8 3.5.2 BASES SURVEILLANCE SR 3.5.2.6 REQUIREMENTS (continued) Verifying that the required ECCS injection/spray subsystem can be manually started and operate for at least 10 minutes demonstrates that the subsystem is available to mitigate a draining event. Testing the ECCS injection/spray subsystem through the recirculation line is necessary to avoid overfilling the refueling cavity. The minimum operating time of 1O minutes was based on engineering judgment.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.7 Verifying that each valve credited for automatically isolating a penetration flow path actuates to the isolation position on an actual or simulated RPV water level isolation signal is required to prevent RPV water inventory from

. dropping below the TAF should an unexpected draining event occur.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.5.2.8 The required ECCS subsystem is required to actuate on a manual initiation signal. This Surveillance verifies that a manual initiation signal will cause the required CS subsystem or LPCI subsystem to start and operate as designed, including pump startup and actuation of all automatic valves to their required positions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes vessel injection/spray during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

(continued)

SUSQUEHANNA - UNIT 1 3.5-25

Rev. 3 RPV Water Inventory Control B 3.5.2 BASES REFERENCES 1. Information Notice 84-81 "Inadvertent Reduction in Primary Coolant Inventory in Boiling Water Reactors During Shutdown and Startup,"

November 1984.

2. Information Notice 86-74, "Reduction of Reactor Coolant Inventory Because of Misalignment of RHR Valves," August 1986.

3. Generic Letter 92-04, "Resolution of the Issues Related to Reactor Vessel Water Level Instrumentation in BWRs Pursuant to 10 CFR 50.54(f), "August 1992.

4. NRC Bulletin 93-03, "Resolution of Issues Related to Reactor Vessel Water Level Instrumentation in BWRs," May 1993.

5. Information Notice 94-52, "Inadvertent Containment Spray and Reactor Vessel Draindown at Millstone 1," July 1994.

6. General Electric Service Information Letter No. 388, "RHR Valve Misalignment During Shutdown Cooling Operation for BWR 3/4/5/6,"

February 1983.

SUSQUEHANNA - UNIT 1 3.5-26

Rev. 6 RCICSystem B 3.5.3 83.5 EMERGENCY CORE COOLING SYSTEMS (ECCS), REACTOR PRESSURE VESSEL (RPV) WATER INVENTORY CONTROL, AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEM 83.5.3 RCIC System BASES BACKGROUND The RCIC System is not part of the ECCS; however, the RCIC System is included with the ECCS section because of their similar functions.

The RCIC System is designed to operate either automatically or manually following reactor pressure vessel (RPV) isolation accompanied by a loss of coolant flow from the feedwater system to provide adequate core cooling and control of the RPV water level. Under these conditions, the High Pressure Coolant Injection (HPCI) and RCIC systems perform similar functions. The RCIC System design requirements ensure that the criteria of Reference 1 are satisfied.

The RCIC System (Ref. 2) consists of a steam driven turbine pump unit, piping, and valves to provide steam to the turbine, as well as piping and valves to transfer water from the suction source to the core via the feedwater system line, where the coolant is distributed within the RPV through the feedwater sparger. Suction piping is provided from the condensate storage tank (CST) and the suppression pool. Pump suction is normally aligned to the CST to minimize injection of suppression pool water into the RPV. However, if the CST water supply is low, an automatic transfer to the suppression pool water source ensures an adequate suction head for the pump and an uninterrupted water supply for continuous operation of the RCIC System. The steam supply to the turbine is piped from a main steam line upstream of the associated.inboard main steam line isolation valve.

The RCIC System is designed to provide core cooling for a wide range of reactor pressures (165 psia to 1225 psia). Upon receipt of an initiation signal, the RCIC turbine accelerates to a specified speed. As the RCIC flow increases, the turbine control valve is automatically adjusted to maintain design flow. Exhaust steam from the RCIC turbine is discharged to the suppression pool. A full flow test line is provided to route water to the CST to allow testing of the RCIC System during normal operation without injecting water into the RPV.

(continued)

SUSQUEHANNA - UNIT 1

3.5-27

Rev.6 RCIC System B 3.5.3 BASES BACKGROUND The RCIC pump is provided with a minimum flow bypass line, which (continued) discharges*to the suppression pool. The valve in this line automatically opens to prevent pump damage due to overheating when other discharge line valves are closed. To ensure rapid delivery of water to the RPV and to minimize water hammer effects, the RCIC System discharge piping is kept full of water. The RCIC System is normally aligned to the CST. The RCIC discharge line is kept full of water using a "keep fill" system supplied by the condensate transfer system.

APPLICABLE The function of the RCIC System is to respond to transient events by SAFETY providing makeup coolant to the reactor. The RCIC System is not an ANALSES Engineered Safety Feature System and no credit is taken in the safety analyses for RCIC System operation. Based on its contribution to the reduction of overall plant risk, however, the system is included in the Technical Specifications, as required by the NRC Policy Statement (Ref. 4).

LCO The OPERABILITY of the RCIC System provides adequate core cooling such that actuation of any of the low pressure ECCS subsystems is not required in the even of RPV isolation accompanied by a loss of feedwater flow. The RCIC System has sufficient capacity for maintaining RPV inventory during an isolation event.

APPLICABILITY The RCIC System is required to be OPERABLE during MODE 1, and MODES 2 and 3 with reactor steam dome pressure> 150 psig, since RCIC is the primary non-ECCS water source for core cooling when the reactor is isolated and pressurized. In MODES 2 and 3 with reactor steam dome pressure :o; 150 psig, the low pressure ECCS injection/spray subsystems can provide sufficient flow to the RPV. In MODES 4 and 5, RCIC is not required to be OPERABLE since RPV water inventory control is required by LCO 3.5.2, "Reactor Pressure Vessel (RPV) Water Level Inventory Control."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable RCIC system. There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable RCIC system and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

(continued)

SUSQUEHANNA - UNIT 1 3.5-28

Rev.6 RCIC System B 3.5.3 BASES ACTIONS A.1 and A.2 (continued)

If the RCIC is inoperable during MODE 1, or MODE 2 or 3 with reactor steam dome pressure> 150 psig, and the HPCI System is verified to be OPERABLE, the RCIC System must be restored to OPERABLE status within 14 days. In this Condition, loss of the RCIC System will not affect the overall plant capability to provide makeup inventory at high reactor pressure since the HPCI System is the only high pressure system assumed to function during a loss of coolant accident (LOCA). OPERABILITY of HPCI is therefore verified immediately when the RCIC System is inoperable. This may be performed as an administrative check, by examining logs or other information, to determine if HPCI is out of service for maintenance or other reasons. It does not mean it is necessary to perform the Surveillances needed to demonstrate the OPERABILITY of the HPCI System. If the OPERABILITY of the HPCI System cannot be verified, however, Condition B must be immediately entered. For transients and certain abnormal events with no LOCA, RCIC (as opposed to HPCI) is the preferred source of makeup coolant because of its relatively small capacity, which allows easier control of the RPV water level. Therefore, a limited time is allowed to restore the inoperable RCIC to OPERABLE status.

The 14 day Completion Time is based on a reliability study (Ref. 3) that evaluated the impact on ECCS availability, assuming various components and subsystems were taken out of service. The results were used to calculate the average availability of ECCS equipment needed to mitigate the consequences of a LOCA as a function of allowed outage times (AOTs).

Because of similar functions of HPCI and RCIC, the AOTs (i.e., Completion Times) determined for HPCI are also applied to RCIC.

B.1 and B.2 If the RCIC System cannot be restored to OPERABLE status within the associated Completion Time, or if the HPCI System is simultaneously inoperable, the plant must be brought to a condition in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and reactor steam dome pressure reduced to :,; 150 psig within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in a orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 1 3.5-29

Rev.6 RCIC System B 3.5.3 BASES SURVEILLANCE SR 3.5.3.1 REQUIREMENTS The flow path piping has the potential to develop voids and pockets of entrained air. Maintaining the pump discharge line of the RCIC System full of water ensures that the system will perform properly, injecting its full capacity into the Reactor Coolant System upon demand. This will also prevent a water hammer following an initiation signal. One acceptable method of ensuring the line is full is to vent at the high points. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR3.5.3.2 Verifying the correct alignment for manual, power operated, and automatic valves in the RCIC flow path provides assurance that the proper flow path will exist for RCIC operation. The SR does not apply to valves that are locked, sealed, or otherwise secured in position since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an initiation signal is allowed to be in a nonaccident position provided the valve will automatically reposition in the proper stroke time. This SR does not require any testing or valve manipulation; rather, it involves verification that those valves capable of potentially being mispositioned are in the correct position. This SR does not apply to valves that cannot be inadvertently misaligned, such as check valves. For the RCIC System, this SR also includes the steam flow path for the turbine and the flow controller position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.5-30

Rev. 6 RCICSystem B3.5.3 BASES SURVEILLANCE SR 3.5.3.3 and SR 3.5.3.4 REQUIREMENTS (continued) The RCIC pump flow rates ensure that the system can maintain reactor coolant inventory during pressurized conditions with the RPV isolated. The flow tests for the RCIC System are performed at two different pressure ranges such that system capability to provide rated flow is tested both at the higher and lower operating ranges of the system. Additionally, adequate steam flow must be passing through the main turbine or turbine bypass valves to continue to control reactor pressure when the RCIC System diverts steam flow. Reactor steam pressure is considered adequate when~ 920 psig to perform SR 3.5.3.3 and~ 150 psig to perform SR 3.5.3.4. However, the requirements of SR 3.5.3.4 are met by a successful performance at any pressure~ 165 psig. Adequate steam flow is represented by at least 1.25 turbine bypass valves open. Therefore, sufficient time is allowed after adequate pressure and flow are achieved to perform these SRs. Reactor startup is allowed prior to performing the low pressure Surveillance because the reactor pressure is low and the time allowed to satisfactorily perform the Surveillance is short. The reactor pressure is allowed to be increased to normal operating pressure since it is assumed that the low pressure Surveillance has been satisfactorily completed and there is no indication or reason to believe that RCIC is

inoperable. Therefore, these SRs are modified by Notes that state the Surveillances are not required to be performed until 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after the reactor steam pressure and flow are adequate to perform the test.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.5-31

Rev. 6 RCIC System B 3.5.3 BASES SURVEILLANCE SR 3.5.3.5 REQUIREMENTS (continued) The RCIC System is required to actuate automatically in order to verify its design function satisfactorily. This Surveillance verifies that, with a required system initiation signal (actual or simulated), the automatic initiation logic of the RCIC System will cause the system to operate as designed, including actuation of the system throughout its emergency operating sequence; that is, automatic pump startup and actuation of all automatic valves to their required positions. This test also ensures the RCIC System will automatically restart on an RPV low water level (Level 2) signal received subsequent to an RPV high water level (Level 8) trip and that the suction is automatically transferred from the CST to the suppression pool. The LOGIC SYSTEM FUNCTIONAL TEST performed in LCO 3.3.5.3 overlaps this Surveillance to provide complete testing of the assumed safety function.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a Note that excludes vessel injection during the Surveillance. Since all active components are testable and full flow can be demonstrated by recirculation through the test line, coolant injection into the RPV is not required during the Surveillance.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 33.

2. FSAR, Section 5.4.6.

3. Memorandum from R. L. Baer (NRC) to V. Stello, Jr. (NRC),

"Recommended Interim Revisions to LCOs for ECCS Components,"

December 1, 1975.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.5-32

Rev. 15 PCIVs B 3.6.1.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.1.3 Primary Containment Isolation Valves (PCIVs)

BASES BACKGROUND The function of the PCIVs, in combination with other accident mitigation systems, including secondary containment bypass valves that are not PCIVs, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) to within limits. Primary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that the release of radioactive material to the environment will be.consistent with the assumptions used in the analyses for a OBA.

The OPERABILITY requirements for PCIVs help ensure that an adequate primary containment boundary is maintained during and after an accident by minimizing potential paths to the environment.

Therefore, the OPERABILITY requirements provide assurance that primary containment function assumed in the safety analyses will be maintained. For PCIVs, the primary containment isolation function is that the valve must be able to close (automatically or manually) and/or remain closed, and maintain leakage within that assumed in the OBA LOCA Dose Analysis. These isolation devices are either passive or active (automatic). Manual valves, de-activated automatic valves secured in their closed position (including check valves with flow through the valve secured), blind flanges, and closed systems are considered passive devices. The OPERABILITY requirements for closed systems are discussed in Technical Requirements Manual (TRM) Bases 3.6.4. Check valves, or other automatic valves designed to close without operator action following an accident, are considered active devices. Two barriers in series are provided for each penetration so that no single credible failure or malfunction of an active component can result in a loss of isolation or leakage that exceeds limits assumed in the safety analyses. One of these barriers may be a closed system.

For each division of H202 Analyzers, the lines, up to and including the first normally closed valves within the H202 Analyzer panels, are extensions of primary containment (i.e., closed system), and are required to be leak rate tested in accordance with the Leakage*

Rate Test Program. The H202Analyzer closed system boundary is identified in the Leakage Rate Test Program. The closed system boundary consists of those components, piping, tubing, fittings, and valves, which meet the guidance of Reference 6. The closed system provides a secondary barrier in the event (continued)

SUSQUEHANNA - UNIT 1 3.6-15

Rev. 15 PCIVs B 3.6.1.3 BASES BACKGROUND of a single failure of the PCIVs, as described below. The closed (continued) system boundary between PASS and the H202 Analyzer system ends at the process sampling solenoid operated isolation valves between the systems (SV-12361, SV-12365, SV-12366, SV-12368, and SV-12369). These solenoid operated isolation valves do not fully meet the guidance of Reference 6 for closed system boundary valves in that they are not powered from a Class 1E power source. However, based upon a risk determination, operating these valves as closed system boundary valves is not risk significant. These valves also form the end of the Seismic Category I boundary between the systems. These process sampling solenoid operated isolation valves are normally closed and are required to be leak rate tested in accordance with the Leakage Rate Test Program as part of the closed system for the H202 Analyzer system. These valves are "closed system boundary valves" and may be opened under administrative control, as delineated in Technical Requirements Manual (TRM)

Bases 3.6.4. Opening of these valves to permit testing of PASS in Modes 1, 2, and 3 is permitted in accordance with TRO 3.6.4.

Each H202 Analyzer Sampling line penetrating primary containment has two PCIVs, located just outside primary containment. While two PCIVs are provided on each line, a single active failure of a relay in the control circuitry for these valves, could result in both valves failing to close or failing to remain closed. Furthermore, a single failure (a hot short in the common raceway to all the valves) could simultaneously affect all of the PCIVs within a H202 Analyzer division. Therefore, the containment isolation barriers for these penetrations consist of two PCIVs and a closed system. For situations where one or both PCIVs are inoperable, the ACTIONS to be taken are similar to the ACTIONS for a single PCIV backed by a closed system.

The drywell vent and purge lines are 24 inches in diameter; the suppression chamber vent and purge lines are 18 inches in diameter. The containment purge valves are normally maintained closed in MODES 1, 2, and 3 to ensure the primary containment boundary is maintained. The outboard isolation valves have 2 inch bypass lines .around them for use during normal reactor operation.

(continued)

SUSQUEHANNA - UNIT 1 3.6-15a

Rev. 15 PCIVs B 3.6.1.3 BASES BACKGROUND The RHR Shutdown Cooling return line containment penetrations (continued) {X-13A(B)}are provided with a normally closed gate valve

{HV-151 F015A(B)} and a normally open globe valve

{HV-151F017A(B)} outside containment and a testable check valve {HV-151 F050A(B)} with a normally closed parallel air operated globe valve {HV-151F122A(B)} inside containment. The gate valve is manually opened and automatically isolates upori a containment isolation signal from the Nuclear Steam Supply Shutoff System or RPV low level 3 when the RHR System is operated in the Shutdown Cooling Mode only. The LPCI subsystem is an operational mode of the RHR System and uses the same injection lines to the RPV as the Shutdown Cooling Mode.

The design of these containment penetrations is unique in that some valves are containment isolation valves while others perform the function of pressure isolation valves. In order to meet the 10 CFR 50 Appendix J leakage testing requirements, the HV-151F015A(B) and the clqsed system outside containment are the only barriers tested in accordance with the Leakage Rate Test Program. Since these containment penetrations {X-13A and X-13B} include a containment isolation valve outside containment that is tested in accordance with 10 CFR 50 Appendix J requirements and a closed system outside containment that meets the requirements of USNRC Standard Review Plan 6.2.4 (September 1975), paragraph 11.3.e, the containment isolation provisions for these penetrations provide an acceptable alternative to the explicit requirements of 10 CFR 50, Appendix A, GDC 55.

Containment penetrations X-13A(B) are also high/low pressure system interfaces. In order to meet the requirements to have two (2) isolation valves between the high pressure and low pressure systems, the HV-151F050A(B), HV-151F122A(B),

151130 and HV-151F015A(B) valves are used to meet this requirement and are tested in accordance with the pressure test program.

APPLICABLE

The PCIVs LCO was derived from the assumptions related SAFETY ANALYSES to minimizing the loss of reactor coolant inventory, and establishing the primary containment boundary during major accidents. As part of the primary containment boundary, PCIV OPERABILITY supports leak tightness of primary containment. Therefore, the safety analysis of any event requiring isolation of primary containment is applicable to this LCO.

(continued)

SUSQUEHANNA - UNIT 1 3.6-15b

Rev. 15 PCIVs B 3.6.1.3 BASES APPLICABLE The DBAs that result in a release of radioactive material within SAFETY ANALYSES primary containment are a LOCA and a main steam line break (continued) (MSLB). In the analysis for each of these accidents, it is assumed that PCIVs are either closed or close within the required isolation times following event initiation. This ensures that potential paths to the environment through PCIVs (including primary containment purge valves) and secondary containment bypass valves that are not PCIVs are minimized. The closure time of the main steam isolation valves (MS IVs) for a MSLB outside primary containment is a significant variable from a radiological standpoint. The MSIVs are required to close within 3 to 5 seconds since the 5 second closure time is assumed in the analysis. The safety analyses assume that the purge valves were closed at event initiation. Likewise, it is assumed that the primary containment is isolated such that release of fission products to the environment is controlled.

The OBA analysis assumes that within the required isolation time leakage is terminated, except for the maximum allowable leakage rate, La.

The single failure criterion required to be imposed in the conduct of unit safety analyses was considered in the original design of the primary containment purge valves. Two valves in series on each purge line provide assurance that both the supply and exhaust lines could be isolated even *if a single failure occurred.

The primary containment purge valves may be unable to close in the environment following a LOCA. Therefore, each of the purge valves is required to remain closed during MODES 1, 2, and 3 except as permitted under the Note of SR 3.6.1.3 .. 1. In this case, the single failure criterion remains applicable to the primary containment purge valve due to failure in the control circuit associated with each valve. The primary containment purge valve design precludes a single failure from compromising the primary containment boundary as long as the system is operated in accordance with this LCO.

Both H202 Analyzer PCIVs may not be able to close given a single failure in the control circuitry of the valves. The single failure is caused by a "hot short" in the cables/raceway to the PCIVs that causes both PCIVs for a given penetration to remain open or to open when required to be closed. This failure is required to be considered in accordance with IEEE-279 as discussed in FSAR Section 7.3.2a. However, the single failure criterion for containment isolation of the H202 Analyzer penetrations is satisfied by virtue .of the combination of the associated PC IVs and the closed (continued)

SUSQUEHANNA - UNIT 1 3.6-16

Rev. 15 PCIVs B 3.6.1.3 BASES APPLICABLE system formed by the H202 Analyzer piping system as discussed SAFETY ANALYSES in the BACKGROUND section above.

(continued)

The closed system boundary between PASS and the H202 Analyzer system ends at the process sampling solenoid operated isolation valves between the systems (SV-12361, SV-12365, SV-12366, SV-12368, and SV-12369). The closed system is not fully qualified to the guidance of Reference 6 in that the closed system boundary valves between the H202 system and PASS are not powered from a Class 1E power source. However, based upon a risk determination, the use of these valves is considered to have no risk significance. This exemption to the requirement of Reference 6 for the closed system boundary is documented in License Amendment No. 195.

PCIVs satisfy Criterion 3 of the NRG Policy Statement. (Ref. 2)

LCO PCIVs form a part of the primary containment boundary, or in the case of SCBL valves limit leakage from the primary containment.

The PCIV safety function is related to minimizing the loss of reactor coolant inventory and establishing the primary containment boundary during a OBA.

The power operated, automatic isolation valves are required to have isolation times within limits and actuate on an automatic isolation signal. The valves covered by this LCO are listed in Table B 3.6.1.3-1 and Table B 3.6.1.3-2.

The normally closed PCIVs, including secondary containment bypass valves listed in Table B 3.6.1.3-2 that are not PCIVs, are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic valves are in their closed position, blind flanges are in place, and closed systems are intact. These passive isolation valves and devices are those listed in Table B 3.6.1.3-1.

Leak rate testing of the secondary containment bypass valves listed in Table 3.6.1.3-2 is permitted in Modes 1, 2 & 3 as described in the Primary Containment Leakage Rate Testing Program.

Purge valves with resilient seals, secondary containment bypass valves, including secondary containment bypass valves listed in Table B 3.6.1.3-2 that are not PCIVs, MSIVs, and hydrostatically tested valves must meet additional leakage rate requirements.

Other PCIV leakage rates are addressed by LCO 3.6.1.1, "Primary Containment," as Type B or C testing.

(continued)

SUSQUEHANNA - UNIT 1 3.6-17

Rev. 15 PCIVs B 3.6.1.3 BASES LCO This LCO provides assurance that the PCIVs will perform their designed (continued) safety functions to minimize the loss of reactor coolant inventory and establish the primary containment boundary during accidents.

APPLICABILITY In MODES 1, 2, and 3, a OBA could cause a release of radioactive material to primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations of these MODES. Therefore, PCIVs are not required to be OPERABLE and the primary containment purge valves are not required to be closed in MODES 4 and 5.

ACTIONS The ACTIONS are modified by a Note allowing penetration flow path(s) to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator at the controls of the valve, who is in continuous communication with the control room. In this way, the penetration can be rapidly isolated when a need for primary containment isolation is indicated.

A second Note has been added to provide clarification that, for the purpose of this LCO, separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable PCIV.

Complying with the Required Actions may allow for continued operation, and subsequent inoperable PCIVs are governed by subsequent Condition entry and application of associated Required Actions.

The ACTIONS are modified by Notes 3 and 4. Note 3 ensures that appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable PCIV (e.g., an Emergency Core Cooling System subsystem is inoperable due to a failed open test return valve). Note 4 ensures appropriate remedial actions are taken when the primary containment leakage limits are exceeded.

Pursuant to LCO 3.0.6, these actions are not required even when the associated LCO is not met. Therefore, Notes 3 and 4 are added to require the proper actions be taken.

(continued)

SUSQUEHANNA - UNIT 1 3.6-17a

Rev. 15 PCIVs B 3.6.1.3 BASES ACTIONS A.1 and A.2 (Continued)

With one or more penetration flow paths with one PCIV inoperable except for purge valve leakage not within limit, the affected penetration flow paths must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, a blind flange, and a check valve with flow through the valve secured. For a penetration isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available valve to the primary containment. The Required Action must be completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time (8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months for main steam lines). The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable considering the time required to isolate the penetration and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. For main steam lines, an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time is allowed. The Completion Time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months for the main steam lines allows a period of time to restore the MS IVs to OPERABLE status given the fact that MSIV closure will result in isolation of the main steam line(s) and* a potential for plant shutdown.

For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration flow path(s) must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident, and no longer capable of being automatically isolated, will be in the isolation position should an event occur. This Required Action does not require any testing or device manipulation. Rather, it involves verification that those devices outside containment and capable of potentially being mispositioned are in the correct position. The Completion Time of "once per 31 days for isolation devices outside primary containment" is appropriate because the devices are operated under administrative controls and the probability of their misalignment is low. For the devices inside primary containment, the time period specified "prior to entering MODE 2 or 3 from MODE 4, if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is based on engineering judgment and is considered reasonable in view of the inaccessibility of the devices and other administrative controls ensuring that device misalignment is an unlikely possibility.

(continued)

SUSQUEHANNA - UNIT 1 3.6-18

Rev. 15 PCIVs B 3.6.1.3

- BASES ACTIONS A.1 and A.2 (continued)

(continued)

Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two PCIVs except for the H202 Analyzer penetrations. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. For the H202 Analyzer Penetrations, Condition D provides the appropriate Required Actions.

Required Action A.2 is modified by a Note that applies to isolation devices located in high radiation areas, and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered accept,;1ble, since access to these areas is typically restricted. Therefore, the probability of misalignment of these devices, once they have been verified to be in the proper position, is low.

With one or more penetration flow paths with two PCIVs inoperable except for purge valve leakage not within limit, either the inoperable PCIVs must be restored to OPERABLE status or the affected penetration flow path must be iso.lated within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de--activated automatic valve, a closed manual valve, and a blind flange. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Completion Time is consistent with the ACTIONS of LCO 3.6.1.1.

Condition B is modified by a Note indicating this Condition is only applicable to penetration flow paths with two PCIVs except for the H202 Analyzer penetrations. For penetration flow paths with one PCIV, Condition C provides the appropriate Required Actions. For the H202 Analyzer Penetrations, Condition D provides the appropriate Required Actions.

(continued)

SUSQUEHANNA - UNIT' 1 3.6-19

Rev. 15 PCIVs B 3.6.1.3 BASES ACTIONS C.1 and C.2 (continued)

With one or more penetration flow paths with one PCIV inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure.

Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind .

flange. A check valve may not be used to isolate the affected penetration. Required Action C.1 must be completed within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. The closed system must meet the requirements of Reference 6. For conditions where the PCIV and the closed system are inoperable, the Required Actions of TRO 3.6.4, Condition B apply. For the Excess Flow Check Valves (EFCV), the Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is reasonable considering the instrument and the small pipe diameter of penetration (hence, reliability) to act as a penetration isolation boundary and the small pipe diameter of the affected penetrations. In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration must be verified to be isolated on a periodic basis.

This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one PCIV. For penetration flow paths with two PCIVs and the H202 Analyzer Penetration. Conditions A, Band D provide the appropriate Required Actions.

Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted. Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low.

(continued)

SUSQUEHANNA - UNIT 1 3.6-20

Rev. 15 PCIVs B 3.6.1.3

- BASES ACTIONS (continued)

D.1 and D.2 With one or more H202 Analyzer penetrations with one or both PCIVs inoperable, the inoperable valve(s) must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration. Required Action D.1 must be completed within the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time. The Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the unique design of the H202 Analyzer penetrations. The containment isolation barriers for these penetrations consist of two PCIVs and a closed system. In addition, the Completion Time of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is reasonable considering the relative stability of the closed system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting primary containment OPERABILITY during MODES 1, 2, and 3. In the event the affected penetration flow path is isolated in accordance with Required Action D.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that primary containment penetrations required to be isolated following an accident are isolated. The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

When an H202 Analyzer penetration PCIV is to be closed and deactivated in accordance with Condition D, this must be accomplished by pulling the fuse for the power supply, and either determinating the power cables at the solenoid valve, or jumpering of the power side of the solenoid to ground.

The OPERABILITY requirements for the closed system are discussed in Technical Requirements Manual (TRM) Bases 3.6.4.

In the event that either one or both of the PCIVs and the closed system are inoperable, the Required Actions of TRO 3.6.4, Condition B apply.

Condition D is modified by a Note indicating that this Condition is only applicable to the H202 Analyzer penetrations.

(continued)

SUSQUEHANNA - UNIT 1 3.6-21

Rev. 15 PCIVs B 3.6.1.3 BASES ACTIONS (continued)

With the secondary containment bypass leakage rate not within limit, the assumptions of the safety analysis may not be met.

Therefore, the leakage must be restored to within limit within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Restoration can be accomplished by isolating the penetration that caused the limit to be exceeded by use of one closed and de-activated automatic valve, closed manual valve, or blind flange. When a penetration is isolated, the leakage rate for the isolated penetration is assumed to be the actual pathway leakage through the isolation device. If two isolation devices are used to isolate the penetration, the leakage rate is assumed to be the lesser actual pathway leakage of the two devices. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable considering the time required to restore the leakage by isolating the penetration and the relative importance of secondary containment bypass leakage to the overall containment function.

F.1 In the event one or more containment purge valves are not within the purge valve leakage limits, purge valve leakage must be restored to within limits. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable, considering that one containment purge valve remains closed, except as controlled by SR 3.6.1.3.1 so that a gross breach of containment does not exist.

G.1 and G.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

(continued)

SUSQUEHANNA - UNIT 1 3.6-22

Rev. 15 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.1 REQUIREMENTS This SR ensures that the primary containment purge valves are closed as required or, if open, open for an allowable reason. If a purge valve is open in violation of this SR, the valve is considered inoperable. If the inoperable valve is not otherwise known to have excessive leakage when closed, it is not considered to have leakage outside of limits. If a LOCA inside primary containment occurs in MODES 1, 2, or 3, the purge valves may not be capable of closing before the pressure pulse affects systems downstream of the purge valves, or the release of radioactive material will exceed limits prior to the purge valves closing. At other times when the purge valves are required to be capable of closing (e.g.,

during handling of irradiated fuel), pressurization concerns are not present and the purge valves are allowed to be open. The SR is modified by a Note stating that the SR is not required to be met when the purge valves are open for the stated reasons. The Note states that these valves may be opened for inerting, de-inerting, pressure control, ALARA or air quality considerations for personnel entry, or Surveillances that require the valves to be open. The vent and purge valves are capable of closing in the environment following a LOCA. Therefore, these valves are allowed to be open for limited periods of time. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.2 This SR verifies that each primary containment isolation manual valve and blind flange that is located outside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits.

This SR does not require any testing or valve manipulation.

Rather, it involves verification that those PCIVs outside primary containment, and capable of being mispositioned, are in the correct position. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.6-23

Rev. 15 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.2 (continued)

REQUIREMENTS (continued) Two Notes have been added to this SR. The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in the proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PC IVs are open. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing.

SR 3.6.1.3.3 This SR verifies that each primary containment manual isolation valve and blind flange that is located inside primary containment and not locked, sealed, or otherwise secured and is required to be closed during accident conditions is closed. The SR helps to ensure that post accident leakage of radioactive fluids or gases outside the primary containment boundary is within design limits.

For PCIVs inside primary containment, the Frequency defined as "prior to entering MODE 2 or 3 from MODE A if primary containment was de-inerted while in MODE 4, if not performed within the previous 92 days" is appropriate since these PCIVs are operated under- administrative controls and the probability of their misalignment is low. This SR does not apply to valves that are locked, sealed, or otherwise secured in the closed position, since these were verified to be in the correct position upon locking, sealing, or securing. Two Notes have been added to this SR.

The first Note allows valves and blind flanges located in high radiation areas to be verified by use of administrative controls.

Allowing verification by administrative controls is considered acceptable since the primary containment is inerted and access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these PCIVs, once they have been verified to be in their proper position, is low. A second Note has been included to clarify that PCIVs that are open under administrative controls are not required to meet the SR during the time that the PC IVs are open.

(continued)

SUSQUEHANNA - UNIT 1 3.6-24

Rev. 15 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.4 REQUIREMENTS (continued) The traversing incore probe (TIP) shear isolation valves are actuated by explosive charges. Surveillance of explosive charge continuity provides assurance that Tl P valves will actuate when required. Other administrative controls, such as those that limit the shelf life of the explosive charges, must be followed. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.5 Verifying the isolation time of each power operated and each automatic PCIV is within limits is required to demonstrate OPERABILITY. MSIVs may be excluded from this SR since MSIV full closure isolation time is demonstrated by SR 3.6.1.3.7. The isolation time test ensures that the valve will isolate in a time period less than or equal to that assumed in the Final Safety Analyses Report. The isolation time and Frequency of this SR are in accordance with the requirements of the lnservice Testing Program.

SR 3.6.1.3.6 For primary containment purge valves with resilient seals, the Appendix J Leakage Rate Test Interval of 24 months is sufficient.

The acceptance criteria for these valves is defined in the Primary Containment Leakage Rate Testing Program, 5.5.12.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

If a LOCA inside primary containment occurs in MODES 1, 2, or 3, purge valve leakage must be minimized to ensure offsite radiological release is within limits. At other times when the purge valves are required to be capable of closing (e.g., during handling of irradiated fuel), pressurization concerns are not present and the purge valves are not required to meet any specific leakage criteria.

(continued)

SUSQUEHANNA - UNIT 1 3.6-25

Rev. 15 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.7 REQUIREMENTS (continued) Verifying that the isolation time of each MSIV is within the specified limits is required to demonstrate OPERABILITY. The isolation time test ensures that the MSIV will isolate in a time period that does not exceed the times assumed in the OBA analyses.

This ensures that the calculated radiological consequences of these events remain within regulatory limits. The Frequency of this SR is in accordance with the requirements of the lnservice Testing Program.

SR 3.6.1.3.8 Automatic PCIVs close on a primary containment isolation signal to prevent leakage of radioactive material from primary containment following a OBA. This SR ensures that each automatic PCIV will actuate to its isolation position on a primary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.1.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.9 This SR requires a demonstration that a representative sample of reactor instrumentation line excess flow check valves (EFCV) are OPERABLE by verifying that the valve actuates to check flow on a simulated instrument line break. As defined in FSAR Section 6.2.4.3.5 (Reference 4), the conditions under which an EFCV will isolate, simulated instrument line break, are at flow rates, which develop a differential pressure of between 3 psid and 1O psid.

This SR provides assurance that the instrumentation line EFCVs will perform its design function to check flow. No specific valve leakage limits are specified because no specific leakage limits are defined in the FSAR. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. The representative sample consists of an approximate equal number of EFCVs such that each EFCV is tested at least once every 1O years (Mminal). The nominal 1O year interval is based on other performance-based testing programs, such as lnservice Testing (snubbers) and Option B to 10 CFR 50, Appendix J. In addition, the EFCVs in the sample are representative of the various plant configurations, models, sizes and operating environments. This ensures that any potential common problems with a specific type or application of EFCV is detected at the earliest possible time.

EFCV failures will be evaluated to determine if additional testing in that test interval is warranted to ensure overall reliability and (continued)

SUSQUEHANNA - UNIT 1 3.6-26

Rev. 15 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.9 (continued)

REQUIREMENTS (continued) that failures to isolate are very infrequent. Therefore, testing of a representative sample was concluded to be acceptable from a reliability standpoint (Reference 7).

SR 3.6.1.3.10 The TIP shear isolation valves are actuated by explosive charges.

An in place functional test is not possible with this design. The explosive squib is removed and tested to provide assurance that the valves will actuate when required. The replacement charge for the explosive squib shall be from the same manufactured batch as the one fired or from another batch that has been certified by having one of the batch successfully fired. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.1.3.11 This SR ensures that the leakage rate of secondary containment bypass leakage paths is less than the specified leakage rate. This provides assurance that the assumptions in the radiological evaluations of Reference 4 are met. The secondary containment leakage pathways and Frequency are defined by the Primary Containment Leakage Rate Testing Program. This SR simply imposes additional acceptance criteria. In MODES other than 1, 2, or 3, the Reactor Coolant System is not pressurized and specific primary containment leakage limits are not required.

SR 3.6.1.3.12 The analyses in References 1 and 4 are based on the specified leakage rate. Leakage through each MSIV must be :::;; 100 scfh for any one MSIV and :::;; 300 scfh for total leakage through the MSIVs combined with the Main Steam Line Drain Isolation Valve, HPCI Steam Supply Isolation Valve and the RCIC Steam Supply Isolation Valve. The MSIVs qan be tested at either~ Pt (24.3 psig) or Pa (48.6 psig). Main Steam Line Drain Isolation, HPCI and RCIC Steam Supply Line Isolation Valves, are tested at Pa (48.6 psig). In MODES other than 1, 2, or 3, the Reactor Coolant System is not pressurized and specific primary containment leakage limits are not required. The Frequency is required by-the Primary Containment Leakage Rate Testing Program.

(continued)

SUSQUEHANNA - UNIT 1 3.6-27

Rev. 15 PCIVs B 3.6.1.3 BASES SURVEILLANCE SR 3.6.1.3.13 REQUIREMENTS (continued) Surveillance of hydrostatically tested lines provides assurance that the calculation assumptions of Reference 2 are met. The acceptance criteria for the combined leakage of all hydrostatically tested lines is 3.3 gpm when tested at 1.1 Pa, (53.46 psig). The combined leakage rates must be demonstrated in accordance with the leakage rate test Frequency required by the Primary Containment Leakage Testing Program.

As noted in Table B 3.6.1.3-1, PCIVs associated with this SR are not Type C tested. Containment bypass leakage is prevented since the line terminates below the minimum water level in the Suppression Chamber. These valves are tested in accordance with the 1ST Program. Therefore, these valves leakage is not included as containment leakage.

In some instances, the valves are required to be capable of automatically closing during MODES other than MODES 1, 2, and 3. However, specific leakage limits are not applicable in these other MODES or conditions.

REFERENCES 1. FSAR, Chapter 15.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

3. 10 CFR 50, Appendix J, Option B.

4. FSAR, Section 6.2.

5. NED0-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System,"

March 1988.

6. Standard Review Plan 6.2.4, Rev. 1, September 1975

7. NED0-32977-A, "Excess Flow Check Valve Testing Relaxation," June 2000.

SUSQUEHANNA - UNIT 1 3.6-28

Rev. 15 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 1 of 11)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds})

Containment 1-57-193 (d) ILRT Manual N/A Atmospheric 1-57-194 (d) ILRT Manual N/A Control HV-15703 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15704 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15705 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15711 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15713 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15714 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15721 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15722 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15723 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15724 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15725 Containment Purge Automatic Valve 2.b, 2.d, 2.e (15)

HV-15766 (a) Suppression Pool Cleanup Automatic Valve 2.b, 2.d (30)

HV-15768 (a) Suppression Pool Cleanup Automatic Valve 2.b, 2.d (30)

HV-157113 (d) Hardened Containment Vent Power Operated N/A (Air)

HV-157114 (d) Hardened Containment Vent Power Operated N/A (Air)

SV-157100A Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157100 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157101 A Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157101 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157102 A Containment Radiation Detection Automatic Valve 2.b, 2.d Sys!

SV-157102 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157103A Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157103 B Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157104 Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157105 Containment Radiation Detection Automatic Valve 2.b, 2.d Sys!

SV-157106 Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-157107 Containment Radiation Detection Automatic Valve 2.b, 2.d Syst SV-15734 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15734 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15736 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15736 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15737 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e SUSQUEHANNA - UNIT 1 3.6-29

Rev. 15 PCIVs B 3.6.1.3 Table 8 3.6.1.3-1 Primary Containment Isolation Valve (Page 2 of 11)

Isolation Signal LCD 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Containment SV-15738 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e Atmospheric SV-15740 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d Control SV-15740 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d (continued) SV-15742 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15742 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15750 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15750 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15752 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15752 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15767 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e SV-15774 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15774 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15776 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15776 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15780 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15780 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15782 A (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15782 B (e) Containment Atmosphere Sample Automatic Valve 2.b, 2.d SV-15789 Nitrogen Makeup Automatic Valve 2.b, 2.d, 2.e Containment 1-26-072 (d) Containment Instrument Gas Manual Check NIA Instrument Gas 1-26-074 (d) Containment Instrument Gas Manual Check NIA 1-26-152 (d) Containment Instrument Gas Manual Check NIA 1-26-154 (d) Containment Instrument Gas Manual Check NIA 1-26-164 (d) Containment Instrument Gas Manual Check NIA HV-12603 Containment Instrument Gas Automatic Valve 2.c, 2.d (20)

SV-12605 Containment Instrument Gas Automatic Valve 2.c, 2.d SV-12651 Containment Instrument Gas Automatic Valve 2.c, 2.d SV-12654A Containment Instrument Gas Power Operated NIA SV-12654 B Containment Instrument Gas Power Operated NIA SV-12661 Containment Instrument Gas Automatic Valve 2.b, 2.d SV-12671 Containment Instrument Gas Automatic Valve 2.b, 2.d Core Spray HV-152F001 A (b)(c) CS Suction Valve Power Operated NIA HV-152F001 B (b)(c) CS Suction Valve Power Operated NIA HV-152F005 A CS Injection Power Operated NIA HV-152F005 B CS Injection Valve Power Operated NIA HV-152F006 A CS Injection Valve Air Operated Check NIA Valve HV-152F006 B CS Injection Valve Air Operated Check NIA Valve HV-152F015 A (b)(c) CS Test Valve Automatic Valve 2.c, 2.d (80)

HV-152F015 B (b)(c) CS Test Valve Automatic Valve 2.c, 2.d (80)

SUSQUEHANNA - UNIT 1 3.6-30

Rev. 15 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 3 of 11)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Core Spray HV-152F031 A (b)(c) CS Minimum Recirculation Flow Power Operated N/A (Continued) HV-152F031 B (b)(c) CS Minimum Recirculation Flow Power Operated N/A HV-152F037 A CS Injection Power Operated N/A (Air)

HV-152F037 B CS Injection Power Operated N/A (Air)

XV-152F018 A Core Spray Excess Flow Check N/A Valve XV-152F018 B Core Spray Excess Flow Check N/A Valve HPCI 1-55-038 (d) HPCI Injection Valve Manual N/A 155F046 (b)(c)(d) HPCI Minimum Flow Check Valve Manual Check N/A 155F049 (a)(d) HPCI Turbine Exhaust Valve Manual Check N/A HV-155F002 HPCI Steam Supply Valve ~utomatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (50)

HV-155F003 HPCI Steam Supply Valve Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (50)

HV-155F006 HPCI Injection Valve Power Operated N/A HV-155F012 (b)(c) HPCI Minimum Flow Valve Power Operated N/A HV-155F042 (b)(c) HPCI Suction Valve Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (115)

HV-155F066 (a) HPCI Turbine Exhaust Valve Power Operated N/A HV-155F075 HPCI Vacuum Breaker Isolation Automatic Valve 3.b, 3.d (15)

Waive HV-155F079 HPCI Vacuum Breaker Isolation Automatic Valve 3.b, 3.d (15)

Valve HV-155F100 HPCI Steam Supply Valve Automatic Valve 3.a, 3.b, 3.c, 3.e, 3.f, 3.g (6)

XV-155F024A HPCIValve Excess Flow Check N/A Valve XV-155F024 B HPCIValve Excess Flow Check N/A Valve XV-155F024 C HPCIValve Excess Flow Check N/A Valve XV-155F024 D HPCIValve Excess Flow Check N/A Valve Liquid Radwaste HV-16108A1 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

Collection HV-16108A2 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

HV-16116 A1 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

HV-16116A2 Liquid Radwaste Isolation Valve Automatic Valve 2.b, 2.d (15)

Demin Water 1-41-017 (d) Demineralized Water Manual N/A 1-41-018 (d) Demineralized Water Manual N/A Nuclear Boiler 141F010A(d) Feedwater Isolation Valve Manual Check N/A 141F010 B (d) Feedwater Isolation Valve Manual Check N/A SUSQUEHANNA - UNIT 1 3.6-31

Rev. 15 PCIVs 8 3.6.1.3 Table B 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 4 of 11)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Nuclear Boiler 141F039 A (d) Feedwater Isolation Valve Manual Check NIA (continued) 141FD39 B (d) Feedwater Isolation Valve Manual Check NIA 141818A (d) Feedwater Isolation Valve Manual Check NIA 141818 B (d) Feedwater Isolation Valve Manual Check NIA HV-141F016 MSL Drain Isolation Valve Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (10)

HV-141FD19 MSL Drain Isolation Valve Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (15)

HV-141FD22A MSIV Automatic Valve 1.a, 1,b, 1.c, 1.d, 1.e (5)

HV-141FD22 B MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141FD22 C MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141FD22 D MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141 FD28 A MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141F028 B MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141FD28 C MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141F028 D MSIV Automatic Valve 1.a, 1.b, 1.c, 1.d, 1.e (5)

HV-141FD32A Feedwater Isolation Valve Power Operated NIA Check HV-141FD32 B Feedwater Isolation Valve Power Operated NIA Check XV-141F009 Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F070 A Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141FD70 B Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141FD70 C Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141FD70 D Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F071 A Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141FD71 B Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141FD71 C Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141FD71 D Nuclear Boiler EFCV Excess Flow Check NIA Valve SUSQUEHANNA - UNIT 1 3.6-32

Rev. 15 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 5 of 11)

Isolation Signal Plant System LCO 3.3.6.1 Function No.

Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Nuclear Boiler XV-141F072 A Nuclear Boiler EFCV Excess Flow Check NIA (continued) Valve XV-141F072 B Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F072 C Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F072 D Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 A Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 B Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 C Nuclear Boiler EFCV Excess Flow Check NIA Valve XV-141F073 D Nuclear Boiler EFCV Excess Flow Check NIA Valve Nuclear Boiler XV-14201 Nuclear Boiler Vessel Instrument Excess Flow Check NIA Vessel Valve Instrumentation XV-14202 Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F041 Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F043 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F043 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F045 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F045 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F047 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F047 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F051 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F051 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F051 C Nuclear Boiler Vessel Instrument Excess Flow Check NIA

'Valve XV-142F051 D Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F053 A Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve XV-142F053 B Nuclear Boiler Vessel Instrument Excess Flow Check NIA Valve SUSQUEHANNA - UNIT 1 3.6-33

Rev. 15 PCIVs B 3.6.1.3 Table 8 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 6 of 11)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Nuclear Boiler XV-142F053 C Nuclear Boiler Vessel Instrument Excess Flow Check N/A Vessel Valve Instrumentation XV-142F053 D Nuclear Boiler Vessel Instrument Excess Flow Check N/A (continued) Valve XV-142F055 Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F057 Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 A Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 B Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 C Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 D Nuclear Boiler Vessel Instrument Excess Flow Check

N/A Valve XV-142F059 E Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 F Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 G Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 H Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 L Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 M Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 N Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 P Nuclear Boiler Vessel Instrument Excess Flow Check NIA Yalve XV-142F059 R Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 S Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 T Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F059 U Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve XV-142F061 Nuclear Boiler Vessel Instrument Excess Flow Check N/A Valve RBCCW HV-11313 RBCCW Automatic Valve 2.c, 2.d (30)

HV-11314 RBCCW Automatic Valve 2.c, 2.d (30)

HV-11345 RBCCW Automatic Valve 2.c, 2.d (30)

HV-11346 RBCCW Automatic Valve 2.c, 2.d (30)

SUSQUEHANNA - UNIT 1 3.6-34

Rev. 15 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 7 of 11)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

RCIC 1-49-020 (d) RCIC INJECTION Manual NIA 149F021 (b)(c)(d) RCIC Minimum Recirculation Flow Manual Check NIA 149F028 (a)(d) RCIC Vacuum Pump Discharge Manual Check NIA 149F040 (a)(d) RCIC Turbine Exhaust Manual Check NIA FV-149F019 (b)(c) RCIC Minimum Recirculation Flow Power Operated NIA HV-149F007 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (20)

HV-149F008 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (20)

HV-149F013 RCIC Injection Power Operated NIA HV-149F031 (b)(c) RCIC Suction Power Operated NIA HV-149F059 (a) RCIC Turbine Exhaust Power Operated NIA HV-149F060 (a) RCIC Vacuum Pump Discharge Power Operated NIA HV-149FD62 RCIC Vacuum Breaker Automatic Valve 4.b, 4.d (10)

HV-149F084 RCIC Vacuum Breaker Automatic Valve 4.b, 4.d (10)

HV-149FD88 RCIC Steam Supply Automatic Valve 4.a, 4.b, 4.c, 4.e, 4.f, 4.g (12)

XV-149F044 A RCIC

Excess Flow Check NIA Valve XV-149F044 B RCIC Excess Flow Check NIA Valve XV-149F044 C RCIC Excess Flow Check NIA Valve XV-149FD44 D RCIC Excess Flow Check NIA Valve RB Chilled HV-18781 A1 RB Chilled Water Automatic Valve 2.c, 2.d (40)

Water System HV-18781 A2 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-18781 B1 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-18781 B2 RB Chilled Water Automatic Valve 2.c, 2.d (40)

HV-18782A1 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18782A2 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18782 B1 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18782 B2 RB Chilled Water Automatic Valve 2.c, 2.d (12)

HV-18791 A1 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18791 A2 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18791 B1 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18791 B2 RB Chilled Water Automatic Valve 2.b, 2.d (15)

HV-18792 A1 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-18792A2 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-18792 B1 RB Chilled Water Automatic Valve 2.b, 2.d (8)

HV-18792 B2 RB Chilled Water Automatic Valve 2.b, 2.d (8)

Reactor 143F013 A (d) Recirculation Pump Seal Water Manual Check NIA Recirculation 143F013 B (d) Recirculation Pump Seal Water Manual Check NIA SUSQUEHANNA - UNIT 1 3.6-35

Rev. 15 PCIVs 83613 Table B 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 8 of 11)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation

' Time (Seconds))

Reactor XV-143F003 A Reactor Recirculation Excess Flow Check NIA Recirculation Valve (continued) XV-143F003 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F004A Reactor Recirculation Excess Flow Check NIA Valve XV-143F004 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F009 D Reactor Recirculation Excess Flow Check NIA Valve XV-143F010 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F010 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F010 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F010 D Reactor Recirculation Excess Flow Check NIA Valve XV-143F011 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F011 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F011 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F011 D Reactor Recirculation Excess Flow Check NIA Valve IXV-143F012 A Reactor Recirculation Excess Flow Check NIA Valve XV-143F012 B Reactor Recirculation Excess Flow Check NIA Valve XV-143F012 C Reactor Recirculation Excess Flow Check NIA Valve XV-143F012 D Reactor Recirculation Excess Flow Check NIA lvalve XV-143F017 A Recirculation Pump Seal Water Excess Flow Check NIA Valve XV-143F017 B Recirculation Pump Seal Water Excess Flow Check NIA Valve XV-143F040 A Reactor Recirculation Excess Flow Check NIA Valve SUSQUEHANNA - UNIT 1 3.6-36

Rev. 15 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 9 of 11)

Isolation Signal LCD 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Reactor XV-143F040 B Reactor Recirculation Excess Flow Check N/A Recirculation Valve (continued) XV-143F040 C Reactor Recirculation Excess Flow Check N/A

~alve XV-143F040 D Reactor Recirculation Excess Flow Check N/A Valve XV-143F057 A Reactor Recirculation Excess Flow Check N/A Valve XV-143F057 B Reactor Recirculation Excess Flow Check N/A Valve HV-143F019 Reactor Coolant Sample Automatic Valve 2.b (9)

HV-143F020 Reactor Coolant Sample ~utomatic Valve 2.b (2)

Residual Heat HV-151 F004 A (b)(c) RHR - Suppression Pool Suction Power Operated N/A Removal HV-151 F004 B (b)(c) RHR - Suppression Pool Suction Power Operated N/A HV-151F004 C (b)(c) RHR - Suppression Pool Suction Power Operated N/A HV-151 F004 D (b)(c) RHR - Suppression Pool Suction Power Operated N/A HV-151F007 A (b)(c) RHR-Minimum Recirculation Flow Power Operated N/A HV-151F007 B (b){c) RHR-Minimum Recirculation Flow Power Operated N/A HV-151F008 RHR - Shutdown Cooling Suction Automatic Valve 6.a, 6.b, 6.c (52)

HV-151F009 RHR - Shutdown Cooling Suction Automatic Valve 6.a, 6.b, 6.c (52)

HV-151F011 A(b)(d) RHR-Suppression Pool Manual N/A Cooling/Spray HV-151F011 B (b)(d) RHR-Suppression Pool Manual N/A Cooling/Spray HV-151 F015 A (f) RHR - Shutdown Cooling Power Operated N/A Return/LPCI Injection HV-151F015 B (f) RHR - Shutdown Cooling Power Operated N/A Return/LPCI Injection HV-151F016 A (b) RHR - Drywell Spray Automatic Valve 2.c, 2.d (90)

HV-151F016 8 (b) RHR - Drywell Spray Automatic Valve 2.c, 2.d (90)

HV-151F022 RHR - Reactor Vessel Head Spray Automatic Valve 2.d, 6.a, 6.b, 6.c (30)

HV-151F023 RHR- Reactor Vessel Head Spray Automatic Valve . 2.d, 6.a, 6.b, 6.c (20)

HV-151F028 A (b) RHR - Suppression Pool Automatic Valve 2.c, 2.d (90)

Cooling/Spray HV-151F028 8 {b) RHR - Suppression Pool Automatic Valve 2.c, 2.d (90)

Cooling/Spray HV-151F050 A (g) RHR - Shutdown Cooling Air Operated Check N/A Return/LPCI Injection Valve Valve HV-151F050 B (g) RHR - Shutdown Cooling Air Operated Check N/A Return/LPCI Injection Valve Valve HV-151F103A(b) RHR Heat Exchanger Vent Power Operated N/A HV-151F103 8 (b) RHR Heat Exchanger Vent Power Operated N/A SUSQUEHANNA - UNIT 1 3.6-37

Rev. 15 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 (continued)

Primary Containment Isolation Valve (Page 10 of 11)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Val~e Description Type of Valve (Maximum Isolation Time (Seconds))

Residual Heat HV-151F122 A(g) RHR - Shutdown Cooling Power Operated NIA Removal ReturnlLPCI Injection Valve (Air)

(continued) HV-151F122 B (g) RHR - Shutdown Cooling Power Operated NIA ReturnlLPCI Injection Valve (Air)

PSV-15106A (b)(d) RHR- Relief Valve Discharge Relief Valve NIA PSV-15106 B (b)(d) RHR- Relief Valve Discharge Relief Valve NIA PSV-151F126 (d) RHR - Shutdown Cooling Suction Relief Valve NIA XV-15109A RHR Excess Flow Check NIA Valve XV-15109 B RHR Excess Flow Check NIA Valve XV-15109 C RHR Excess Flow Check NIA Valve XV-15109 D RHR Excess Flow Check NIA Valve RWCU HV-144F001 (a) RWCU Suction Automatic Valve 5.a, 5.b, 5.c, 5.d, 5.f, 5.g (30)

HV-144F004 (a) RWCU Suction Automatic Valve . 5.a, 5.b, 5.c, 5.d, 5.e, 5.f, 5.g (30)

XV-14411 A RWCU Excess Flow Check NIA Valve XV-14411 B RWCU Excess Flow Check NIA Valve XV-14411 C RWCU Excess Flow Check NIA Valve XV-14411 D RWCU Excess Flow Check NIA Valve XV-144F046 RWCU Excess Flow Check NIA Valve HV-14182 A RWCU Return Isolation Valve Power Operated NIA HV-14182 B RWCU Return Isolation Valve Power Operated NIA SLCS 14BF007 (a)(d) SLCS Manual Check NIA HV-14BF006 (a) SLCS Power Operated NIA Check Valve TIP System C51-J004 A (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 B (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 C (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 D (Shear TIP Shear Valves Squib Valves NIA Valve)

C51-J004 E (Shear TIP Shear Valves Squib Valves NIA Valve)

SUSQUEHANNA - UNIT 1 3.6-38

Rev. 15 PCIVs B 3.6.1.3 Table B 3.6.1.3-1 Primary Containment Isolation Valve (Page 11 of 11)

Isolation Signal LCD 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

TIP System C51-J004 A (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

(continued) Valve)

C51-J004 B (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 C (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 D (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

C51-J004 E (Ball TIP Ball Valves Automatic Valve 7.a, 7.b (5)

Valve)

(a) Isolation barrier remains water filled or a water seal remains in the line post-LOCA, isolation valve is tested with water. Isolation valve leakage is not included in 0.60 La total Type B and C tests.

(b) Redundant isolation boundary for this valve is provided by the closed system whose integrity is verified by the Leakage Rate Test Program. This footnote does not apply to valve 155F046 (HPCI) when the associated PCIV, HV155F012 is closed and deactivated. Similarly, this footnote does not apply to valve 149F021 (RCIC) when it's associated PCIV, FV149F019 is closed and deactivated.

(c) Containment 1s*o1ation Valves are not Type .c tested. Containment bypass leakage is prevented since the line terminates below the minimum water level in the Suppression Chamber. Refer to the 1ST Program.

(d) LCO 3.3.3.1, "PAM Instrumentation," Table 3.3.3.1-1, Function 6, does not apply since these are relief valves, check valves, manual valves or deactivated and closed.

(e) The containment isolation barriers for the penetration associated with this valve consists of two PC IVs and a closed system. The closed system provides a redundant isolation boundary for both PCIVs, and its integrity is required to be verified by the Leakage Rate Test Program.

(f) Redundant isolation boundary for this valve is provided by the closed system whose integrity is verified by the Leakage Rate Test Program.

(g) These valves are not required to be 10 CFR 50, Appendix J tested since the HV-151 F015A(B) valves and a closed system form the 10 CFR 50, Appendix J boundary. These valves form a high/low pressure interface and are pressure tested in accordance with the pressure test program.

SUSQUEHANNA - UNIT 1 3.6-39

Rev. 15 PCIVs B 3.6.1.3 Table 8 3.6.1.3-2 Secondary Containment Bypass Leakage Isolation Valves (Not PCIVs)

(Page 1 of 1)

Isolation Signal LCO 3.3.6.1 Function No.

Plant System Valve Number Valve Description Type of Valve (Maximum Isolation Time (Seconds))

Residual Heat HV-151F040 RHR - RADWASTE LINE IB ISO Automatic Valve 2.a, 2.d (45)

Removal VLV HV-151F049 RHR - RADWASTE LINE OB ISO Automatic Valve 2.a, 2.d (20)

VLV 1-51-136 RHR - COND TRANSFER OB SCBL Check Valve NIA CHECK VALVE 1-51-137 RHR - COND TRANSFER 1B SCBL Check Valve NIA CHECK VALVE SUSQUEHANNA - UNIT 1 3.6-40

Rev. 2 Suppression Pool Water Level B 3.6.2.2 B3.6 CONTAINMENT SYSTEMS B 3.6.2.2 Suppression Pool Water Level BASES BACKGROUND The primary containment utilizes a Mark II over/under pressure suppression configuration consisting of a drywell and suppression chamber. The drywell is a steel-lined concrete truncated cone located above the steel-lined concrete cylindrical pressure suppression chamber containing a volume of water called the suppression pool. The suppression pool is designed to absorb the energy associated with decay heat and sensible heat released during a reactor blowdown from safety/relief valve (S/RV) discharges or from a Design Basis Accident (OBA). The suppression pool must quench all the steam released through the downcomer lines during a loss of coolant accident (LOCA). This is the essential mitigative feature of a pressure suppression containment, which ensures that the peak containment pressure is maintained below the maximum allowable pressure for containment (53 psig). The suppression pool must also condense steam from the steam exhaust lines in the turbine driven systems (i.e., High Pressure Coolant Injection (HPCI) System and Reactor Core Isolation Cooling (RCIC) System) and provides the main emergency water supply source for the reactor vessel.

The suppression pool volume ranges between 122,41 Oft3 at the low water level limit of 22 ft Oinches and 133,540 ft3 at the high water level limit of 24 ft O inches.

If the suppression pool water level is too low, an insufficient amount of water would be available to adequately condense the steam from the S/RV quenchers, downcomers, or HPCI and RCIC turbine exhaust lines. Low suppression pool water level could also result in an inadequate emergency makeup water source to the Emergency Core Cooling System. The lower volume would also absorb less steam energy before heating up excessively.

Therefore, a minimum suppression pool water level is specified.

If the suppression pool water level is too high, it could result in excessive clearing loads from S/RV discharges and excessive pool swell loads during a OBA LOCA. Therefore, a maximum pool water level is specified. This LCO specifies an acceptable range to prevent the suppression pool water level from being either too high or too low.

(continued)

SUSQUEHANNA - UNIT 1 3.6-59

Rev. 2 Suppression Pool Water Level B 3.6.2.2 BASES APPLICABLE Initial suppression pool water level affects suppression pool temperature SAFETY response calculations, calculated drywell pressure during vent clearing for a ANALYSES OBA, calculated pool swell loads for a OBA LOCA, and calculated loads due to S/RV discharges. Suppression pool water level must be maintained within the limits specified so that the safety analysis of Reference 1 remains valid:

Suppression pool water level satisfies Criteria 2 and 3 of the NRC Policy Statement. (Ref. 2)

LCO A limit that suppression pool water level be ~ 22 ft O inches and

,; 24 ft O inches is required to ensure that the primary containment conditions assumed for the safety analyses are met. Either the high or low water level limits were used in the safety analyses, depending upon which is more conservative for a particular calculation.

APPLICABILITY In MODES 1, 2, and 3, a OBA would cause significant loads on the primary containment. In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES. The requirements for maintaining suppression pool water level within limits in MODE 4 or 5 is addressed in LCO 3.5.2, "Reactor Pressure Vessel (RPV) Water Inventory Control."

ACTIONS With suppression pool water level outside the limits, the conditions assumed for the safety analyses are not met. If water level is below the minimum level, the pressure suppression function still exists as long as downcomers are covered, HPCI and RCIC turbine exhausts are covered, and S/RV quenchers are covered. If suppression pool water level is above the maximum level, protection against overpressurization still exists due to the margin in the peak containment pressure analysis and the capability of the Drywell Spray System. Therefore, continued operation for a limited time* is allowed.

The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Completion Time is sufficient to restore suppression pool water level to within limits. Also, it takes into account the low probability of an event impacting the suppression pool water level occurring during this interval.

(continued)

SUSQUEHANNA - UNIT 1 3.6-60

Rev.2 Suppression Pool Water Level B 3.6.2.2 BASES ACTIONS 8.1 and B.2 (continued)

If suppression pool water level cannot be restored to within limits within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable,- based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

SURVEILLANCE SR 3.6.2.2.1 REQUIREMENTS Verification of the suppression pool water level by at least one water level indicator is to ensure that the required limits are satisfied. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.2.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.6-61

Rev. 15 Secondary Containment B 3.6.4.1 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.1 Secondary Containment BASES BACKGROUND The secondary containment structure completely encloses the primary containment structure such that a dual-containment design is utilized to limit the spread of radioactivity to the environment to within limits. The function of the secondary containment is to contain, dilute, and hold up fission products that may leak from primary containment into secondary containment following a Design Basis Accident (OBA). In conjunction with operation of the Standby Gas Treatment (SGD System and closure of certain valves whose lines penetrate the secondary containment, the secondary containment is designed to reduce the activity level of the fission products prior to release to the environment and to isolate and contain fission products that are released during certain operations that take place inside primary containment, when primary containment is not required to be OPERABLE, or that take place outside primary containment (Ref. 1).

The secondary containment is a structure that completely encloses the primary containment and reactor coolant pressure boundary components.

This structure forms a control volume that serves to hold up and dilute the fission products. It is possible for the pressure in the control volume to rise relative to the environmental pressure (e.g., due to pump and motor heat load additions).

The secondary containment boundary consists of the reactor building structure and associated removable walls and panels, hatches, doors, dampers, sealed penetrations and valves. Certain plant piping systems (e.g.,

Service Water, RHR Service Water, Emergency Service Water, Feedwater, etc.) penetrate the secondary containment boundary. The intact piping within secondary containment provides a passive barrier which maintains secondary containment requirements. Breaches of these piping systems within secondary containment will be controlled to maintain secondary containment requirements. The secondary containment is divided into Zone I, Zone II and Zone Ill, each of which must be OPERABLE depending on plant status and the alignment of the secondary containment boundary.

Specifically, the Unit 1 secondary containment boundary can be modified to exclude Zone II. Similarly, the Unit 2 secondary containment boundary can be modified to exclude Zone I. Secondary containment may consist of only Zone Ill when in MODE 4 or 5 during CORE ALTERATIONS, or during handling of irradiated fuel within the Zone Ill secondary containment boundary.

(continued)

SUSQUEHANNA - UNIT 1 3.6-84

Rev. 15 Secondary Containment B 3.6..!l-.1 BASES BACKGROUND To prevent ground level exfiltration while allowing the secondary containment (continued) to be designed as a conventional structure, the secondary containment requires support systems to maintain the control volume pressure at less than the external pressure. Requirements for the safety related systems are specified separately in LCO 3.6.4.2, "Secondary Containment Isolation Valves (SCIVs)," and LCO 3.6.4.3, "Standby Gas Treatment (SGT) System."

When one or more zones are excluded from secondary containment, the specific requirements for support systems will also change (e.g., required secondary containment isolation valves).

APPLICABLE There are two principal accidents for which credit is taken for secondary SAFETY containment OPERABILITY. These are a loss of coolant accident (LOCA)

ANALYSES (Ref. 2) and a fuel handling accident inside secondary containment (Ref. 3).

The secondary containment performs no active function in response to either of these limiting events; however, its leak tightness is required to ensure that the release of radioactive materials from the primary containment is restricted to those leakage paths and associated leakage rates assumed in the accident analysis and that fission products entrapped within the secondary containment structure will be treated by the SGT System prior to discharge to

the environment.

Secondary containment satisfies Criterion 3 of the NRG Policy Statement (Ref. 4).

LCO An OPERABLE secondary containment provides a control volume into which fission products that bypass or leak from primary containment, or are released from the reactor coolant pressure boundary components located in secondary containment, can be diluted and processed prior to release to the environment. For the secondary containment to be considered OPERABLE, it must have adequate leak tightness to ensure that the required vacuum can be established and maintained. The leak tightness of secondary containment must also ensure that the release of radioactive materials to the environment is restricted to those leakage paths and associated leakage rates assumed in the accident analysis. For example, secondary containment bypass leakage must be restricted to the leakage rate required by LCO 3.6.1.3. The secondary containment boundary required to be OPERABLE is dependent on the operating status of both units, as well as the configuration of walls, doors, hatches, SCIVs, and available flow paths to the SGT System.

SUSQUEHANNA - UNIT 1 3.6-85 (continued)

Rev. 15 Secondary Containment B 3.6.4.1 BASES APPLICABILITY In MODES 1, 2, and 3, a LOCA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, secondary containment OPERABILITY is required during the same operating conditions that require primary containment OPERABILITY.

In MODES 4 and 5, the probability and consequences of the LOCA are reduced due to the pressure and temperature limitations in these MODES.

Therefore, maintaining secondary containment OPERABLE is not required in MODE 4 or 5 to ensure a control volume, except for other situations for which significant releases of radioactive material can be postulated, such as during CORE ALTERATIONS or during movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 If secondary containment is inoperable, it must be restored to OPERABLE status within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring secondary containment OPERABILITY) occurring during periods where secondary containment is inoperable is minimal.

B.1 and B.2 If secondary containment cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an* orderly manner and without challenging plant systems.

C.1 and C.2 Movement of irradiated fuel assemblies in the secondary containment and CORE ALTERATIONS can be postulated to cause fission product release to the secondary containment. In such cases, the secondary containment is the only barrier to release of fission products to the environment. CORE ALTERATIONS and movement of irradiated fuel assemblies must be immediately suspended if the secondary containment is inoperable.

(continued)

SUSQUEHANNA - UNIT 1 3.6-86

Rev. 15 Secondary Containment B 3.6.4.1 BASES ACTIONS C.1 and C.2 (continued)

(continued)

Suspension of these activities shall not preclude completing an action that involves moving a component to a safe position.

Required Action C.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a o reactor shutdown.

SURVEILLANCE SR 3.6.4.1.1 REQUIREMENTS This SR ensures that the secondary containment boundary is sufficiently leak tight to preclude exfiltration under expected wind conditions.

The SR is modified by a Note which states the SR is not required to be met for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months if an analysis demonstrates that one SGT subsystem remains capable of establishing the required secondary containment vacuum. Use of the Note is expected to be infrequent but may be necessitated by situations in which secondary containment vacuum may be less than the required containment vacuum, such as, but not limited to, wind gusts or failure or change of opei:_ating normal ventilation subsystems. These conditions do not indicate any change in the leak tightness of the secondary containment boundary.

The analysis should consider the actual conditions (equipment configuration, temperature, atmospheric pressure, wind conditions, measured secondary containment vacuum, etc.) to determine whether, if an accident requiring secondary containment to be OPERABLE were to occur, one train of SGT could establish the assumed secondary containment vacuum within the time assumed in the accident analysis. If so, the SR may be considered met for a period up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The-4 hour limit is based on the expected should duration of the situation when the Note would be applied.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.6-87

Rev. 15 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR 3.6.4.1.2 and SR 3.6.4.1.3 REQUIREMENTS (continued) Verifying that secondary containment equipment hatches, removable walls and one access door in each access opening required to be closed are closed ensures that the infiltration of outside air of such a magnitude as to prevent maintaining the desired negative pressure does not occur.

Verifying that all such openings are closed also provides adequate assurance that exfiltration from the secondary containment will not occur. In this application, the term "sealed" has no connotation of leak tightness.

An access opening typically contains one inner and one outer door.

Maintaining s~condary containment OPERABILITY requires verifying one door in each access opening to secondary containment zones is closed.

In some cases (e.g., railroad bay), secondary containment access openings are shared such that a secondary containment barrier may have multiple inner or multiple outer doors. The intent is to maintain the secondary containment barrier intact, which is achieved by maintaining the inner or outer portion of the barrier closed at all times. However, brief, inadvertent, simultaneous opening of the inner and outer secondary containment doors for personnel entry and exit is allowed. Intentional or extended opening of both doors simultaneously, even for personnel entry and exit, is not permitted and will result in Secondary' Containment being declared INOPERABLE. All secondary containment access doors are normally kept closed, except when the access opening is being used for entry and exit or when maintenance is being performed on an access opening.

When the railroad bay door (No. 101) is closed; all Zone I and Ill hatches, removable walls, dampers, and one door in each access opening connected to the railroad access bay are closed; or, only Zone I removable walls and/or doors are open to the railroad access shaft; or, only Zone Ill hatches and/or dampers are open to the railroad access shaft. When the railroad bay door (No. 101) is open; all Zone I and Ill hatches, removable walls, dampers, and one door in each access opening connected to the railroad access bay are closed. The truck bay hatch is closed and the truck bay door (No. 102) is

.closed unless Zone fl is isolated from Zones I and Ill.

(continued)

SUSQUEHANNA - UNIT 1 3.6-88

Rev. 15 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR 3.6.4.1.2 and SR 3.6.4.1.3 (continued)

REQUIREMENTS (continued) The access openings between secondary containment zones which are not _

provided with two doors are administratively controlled to maintain secondary containment integrity during exit and entry. This Surveillance is modified by a Note that allows access openings with a single door (i.e., no airlock) within the secondary containment boundary (i.e., between required secondary containment zones) to be opened for entry and exit. Opening of an access door for entry and exit allows sufficient administrative control by individual personnel making the entries and exits to assure the secondary containment function is not degraded. When one of the zones is not a zone required for secondary containment OPERABILITY, the Note allowance would not apply.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.6-89

Rev. 15 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR 3.6.4.1.4 and SR 3.6.4.1.5 REQUIREMENTS (continued) The SGT System exhausts the secondary containment atmosphere to the environment through appropriate treatment equipment. To ensure that all fission products are treated, SR 3.6.4.1.4 verifies that the SGT System will rapidly establish and maintain a pressure in the secondary containment that is less than the pressure external to the secondary containment boundary.

This is confirmed by demonstrating that one SGT subsystem will draw down the secondary containment to ~ 0 .25 inches of vacuum water gauge in less than or equal to the maximum time allowed. This cannot be accomplished if the secondary containment boundary is not intact. SR 3.6.4.1.5 demonstrates that one SGT subsystem can maintain ~ 0.25 inches of vacuum water gauge for at least 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months at less than or equal to the maximum flow rate permitted for the secondary containment configuration that is operable. The 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months test period allows secondary containment to be in thermal equilibrium at steady state conditions. As noted, both SR 3.6.4.1.4 and SR 3.6.4.1.5 acceptance limits are dependent upon the secondary containment configuration when testing is being performed. The acceptance criteria for the SRs based on secondary containment configuration is defined as follows:

SECONDARY MAXIMUM DRAWDOWN TIME(SEC) MAXIMUM FLOW RATE (CFM)

CONTAINMENT (SR 3.6.4.1.4 (SR 3.6.4.1.5 TEST CONFIGURATION ACCEPTANCE CRITERIA) ACCEPTANCE CRITERIA)

Group 1 Zones I, II and Ill (Unit 1 ~ 300 Seconds ~5400 CFM Railroad Bay aligned to (Zones I, II, and Ill) (From Zones I, II, and Ill)

Secondarv Containment).

Zones I and Ill (Unit 1 Railroad ~ 300 Seconds ~3900 CFM Bay aligned to Secondary (Zones I and Ill) (From Zones I and Ill)

Containment).

Group2 Zones I, II and Ill (Unit 1 ~ 300 Seconds ~5300 CFM Railroad Bay not aligned to (Zones I,. II, and Ill) (From Zones I, II, and Ill)

Secondary Containment).

Zones I and Ill (Unit 1 Railroad ~ 300 Seconds ~3800 CFM Bay not aligned to Secondary (Zones I and Ill) (From Zones I and Ill)

Containment).

Only one of the above listed configurations needs to be tested to confirm secondary containment OPERABILITY.

(continued)

SUSQUEHANNA - UNIT 1 3.6-90

Rev. 15 Secondary Containment B 3.6.4.1 BASES SURVEILLANCE SR 3.6.4.1.4 and SR 3.6.4.1.5 (continued)

REQUIREMENTS (continued) The secondary containment testing configurations are discussed in further detail to ensure the appropriate configurations are tested. Three zone testing (Zones, I, II and Ill aligned to the recirculation plenum) should be performed with the Railroad Bay aligned to secondary containment and another test with the Railroad Bay not aligned to secondary containment. Each test should be performed with each division on a STAGGERED TEST BASIS.

Two zone testing (Zones I and Ill aligned to the recirculation plenum) should be performed with the Railroad Bay aligned to secondary containment and another test with the Railroad Bay not aligned to secondary containment.

Each test should be performed with each division on a STAGGERED TEST BASIS. The normal operating fans of the non-tested HVAC zone (Zone II fans 2V202A&B, 2V205A&B and 2V206A&B) should not be in operation.

Additionally, a controlled opening of adequate size should be maintained in Zone II Secondary Containment during testing to assure that atmospheric conditions are maintained in that zone.

The Unit 1 Railroad Bay can be aligned as a No Zone (isolated from secondary containment) or as part of secondary containment (Zone I or Ill).

Due to the different leakage pathways that exist in the Railroad Bay, the Railroad Bay should be tested when aligned to secondary containment and not aligned to secondary containment. It is preferred to align the Railroad Bay to Zone Ill when testing with the Railroad Bay aligned to secondary containment since Zone Ill is included in all possible secondary containment isolation alignments. Note that aligning the Railroad Bay to either Zone I or Ill is acceptable since either zone is part of secondary containment.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.2.3.

2. FSAR, Section 15.6.

3. FSAR, Section 15.7.4.

4. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.6-91

Rev. 14 SCIVs B 3.6.4.2 3.6 CONTAINMENT SYSTEMS B 3.6.4.2 Secondary Containment Isolation Valves (SCIVs)

BASES BACKGROUND The function of the SCIVs, in combination with other accident mitigation systems, is to limit fission product release during and following postulated Design Basis Accidents (DBAs) (Ref. 1). Secondary containment isolation within the time limits specified for those isolation valves designed to close automatically ensures that fission products that leak from primary containment into secondary containment following a OBA, or that are released during certain operations when primary containment is not required to be OPERABLE or take place outside primary containment, are maintained within the secondary containment boundary.

The OPERABILITY requirements for SCIVs help ensure that an adequate secondary containment boundary is maintained during and after an accident by minimizing potential paths to the environment. These isolation devices consist of either passive devices or active (automatic) devices. Manual valves or dampers, de-activated automatic valves or dampers secured in their closed position (including check valves with flow through the valve secured), and blind flanges are considered passive devices.

Automatic SCIVs close on a secondary containment isolation signal to establish a boundary for untreated radioactive material within secondary containment following a OBA or other accidents.

Other non-sealed penetrations which cross a secondary containment boundary are isolated by the use of valves in the closed position or blind flanges.

APPLICABLE The SCIVs must be OPERABLE to ensure the secondary containment barrier SAFETY to fission product releases is established. The principal accidents for which the ANALYSES secondary containment boundary is required are a loss of coolant accident (Ref. 1) and a fuel handling accident inside secondary containment (Ref. 2).

The secondary containment performs no active function in response to either of these limiting events, but the boundary established by SC IVs is required to ensure that leakage from the primary containment is processed by the Standby Gas Treatment (SGT) System before being released to the environment.

(continued)

SUSQUEHANNA - UNIT 1 3.6-92

Rev. 14 SCIVs B 3.6.4.2 BASES APPLICABLE Maintaining SCIVs OPERABLE with isolation times within limits ensures that SAFETY fission products will remain trapped inside secondary containment so that they ANALYSES can be treated by the SGT System prior to discharge to the environment.

(continued)

SCIVs satisfy Criterion 3 of the NRC Policy Statement (Ref. 3).

LCO SC IVs that form a part of the secondary containment boundary are required to be OPERABLE. Depending on the configuration of the secondary containment only specific SCIVs are required. The SCIV safety function is related to control of offsite radiation releases resulting from DBAs.

The automatic isolation valves are considered OPERAl;3LE when their isolation times are within limits and the valves actuate on an automatic isolation signal.

The valves covered by this LCO, along with their associated stroke times, are listed in Table B 3.6.4.2-1.

The normally closed isolation valves or blind flanges are considered OPERABLE when manual valves are closed or open in accordance with appropriate administrative controls, automatic SCIVs are deactivated and secured in their closed position, or blind flanges are in place. These passive isolation valves or devices are listed in Table 83.6.4.2-2. Penetrations closed with sealants are considered part of the secondary containment boundary and are not considered penetration flow paths.

Certain plant piping systems (e.g., Service Water, RHR Service Water, Emergency Service Water, Feedwater, etc.) penetrate the secondary containment boundary. The intact piping within secondary containment provides a passive barrier which maintains secondary containment requirements. When the SOHR and temporary chiller system piping is connected and full of water, the piping forms the secondary containment boundary and the passive devices in TS Bases Table 83.6.4.2-2 are no longer required for these systems since the piping forms the barrier. During certain plant evolutions, piping systems may be drained and breached within.

secondary containment. During the pipe breach, system isolation valves can be used to provide secondary containment isolation. The isolation valve alignment will be controlled when the piping system is breached.

(continued)

SUSQUEHANNA - UNIT 1 3.6-93

Rev. 14 SCIVs B 3.6.4.2 BASES APPLICABILITY In MODES 1, 2, and 3, a OBA could lead to a fission product release to the primary containment that leaks to the secondary containment. Therefore, the OPERABILITY of SCIVs is required.

In MODES 4 and 5, the probability and consequences of these events are reduced due to pressure and temperature limitations in these MODES.

Therefore, maintaining SCIVs OPERABLE is not required in MODE 4 or 5, except for other situations under which significant radioactive releases can be postulated, such as during CORE ALTERATIONS or during movement of I-irradiated fuel assemblies in the secondary containment. Moving irradiated fuel assemblies in the secondary containment may also occur in MODES 1, 2, and 3.

ACTIONS The ACTIONS are modified by three Notes. The first Note allows penetration flow paths to be unisolated intermittently under administrative controls. These controls consist of stationing a dedicated operator, who is in continuous communication with the control room, at the controls of the isolation device.

In this way, the penetration can be rapidly isolated when a need for secondary containment isolation is indicated.

The second Note provides clarification that for the purpose of this LCO separate Condition entry is allowed for each penetration flow path. This is acceptable, since the Required Actions for each Condition provide appropriate compensatory actions for each inoperable SCIV. Complying with the Required Actions may allow for continued operation, and subsequent inoperable SCIVs are governed by subsequent Condition entry and application of associated Required Actions.

The third Note ensures appropriate remedial actions are taken, if necessary, if the affected system(s) are rendered inoperable by an inoperable SCIV.

(continued)

SUSQUEHANNA - UNIT 1 3.6-94

Rev. 14 SCIVs B 3.6.4.2 BASES ACTIONS A.1 and A.2 (continued)

In the event that there are one or more required penetration flow paths with one required SCIV inoperable, the affected penetration flow path(s) must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic SCIV, a closed manual valve, .and a blind flange. For penetrations isolated in accordance with Required Action A.1, the device used to isolate the penetration should be the closest available device to secondary containment.

The Required Action must be completed within the 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Completion Time.

The specified time period is reasonable considering the time required to isolate the penetration, and the probability of a OBA, which requires the SCIVs to close, occurring during this short time is very low.

For affected penetrations that have been isolated in accordance with Required Action A.1, the affected penetration must be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment

. penetrations required to be isolated following an accident, but no longer capable of being automatically isolated, will be in the isolation position should an event occur. The Completion Time of once per 31 days is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low. This Required Action does not require any testing or device manipulation. Rather, it involves verification that the affected penetration remains isolated.*

Condition A is modified by a Note indicating that this Condition is only applicable to those penetration flow paths with two SCIVs. For penetration flow paths with one SCIV, Condition C provides the appropriate Required Actions.

Required Action A.2 is modified by a Note that applies to devices located in high radiation areas and allows them to be verified closed by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment, once they have been verified to be in the proper position, is low.

(continued)

SUSQUEHANNA - UNIT 1 3.6-95

Rev. 14 SCIVs B 3.6.4.2 BASES ACTIONS 8.1 (continued)

With two SCIVs in one or more penetration flow paths inoperable, the affected penetration flow path must be isolated within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time is reasonable considering the time required to isolate the penetration and the probability of a OBA, which requires the SCIVs to close, occurring during this short time, is very low.

The Condition has been modified by a Note stating that Condition B is only applicable to penetration flow paths with two isolation valves. For penetration flow paths with one SCIV, Condition C provides the appropriate Required Actions.

C.1 and C.2 With one or more required penetration flow paths with one required SCIV inoperable, the inoperable valve must be restored to OPERABLE status or the affected penetration flow path must be isolated. The method of isolation must include the use of at least one isolation barrier that cannot be adversely affected by a single active failure. Isolation barriers that meet this criterion are a closed and de-activated automatic valve, a closed manual valve, and a blind flange. A check valve may not be used to isolate the affected penetration.

Required Action C.1 must be completed within the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time.

The Completion Time of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is reasonable considering the relative stability of the system (hence, reliability) to act as a penetration isolation boundary and the relative importance of supporting secondary containment OPERABILITY during MODES 1, 2, and 3.

In the event the affected penetration flow path is isolated in accordance with Required Action C.1, the affected penetration m*ust be verified to be isolated on a periodic basis. This is necessary to ensure that secondary containment penetrations required to be isolated following an accident are isolated.

The Completion Time of once per 31 days for verifying each affected penetration is isolated is appropriate because the valves are operated under administrative controls and the probability of their misalignment is low.

Condition C is modified by a Note indicating that this Condition is only applicable to penetration flow paths with only one SCIV. For penetration flow paths with two SCIVs, Conditions A and B provide the appropriate Required Actions.

(continued)

SUSQUEHANNA - UNIT 1 3.6-96

Rev. 14 SCIVs B 3.6.4.2 BASES ACTIONS C.1 and C.2 (continued)

(Continued)

Required Action C.2 is modified by a Note that applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative means. Allowing verification by administrative means is considered acceptable, since access to these areas is typically restricted.

Therefore, the probability of misalignment of these valves, once they have been verified to be in the proper position, is low.

D.1 and D.2 If any Required Action and associated Completion Time cannot be met, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the req1,1ired plant conditions from full power conditions in an orderly manner and without challenging plant systems.

E.1 and E.2 I*

If any Required Action and associated Completion Time are not met, the plant must be placed in a Condition in which the LCO does not apply. If applicable, CORE ALTERATIONS and the movement of irradiated fuel assemblies in the secondary containment must be immediately suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

Required Action E.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving fuel while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

(continued)

SUSQUEHANNA - UNIT 1 3.6-97

Rev.14 SCIVs B 3.6.4.2 BASES SURVEILLANCE SR 3.6.4.2.1 REQUIREMENTS This SR verifies that each secondary containment manual isolation valve and blind flange that is required to be closed during accident conditions is closed.

The SR helps to ensure that post accident leakage of radioactive fluids or gases outside of the secondary containment boundary is within design limits.

This SR does not require any testing or valve manipulation. Rather, it involves verification (typically visual) that those required SCIVs in secondary containment that are capable of being mispositioned are in the correct position.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

Two Notes have been added to this SR. The first Note applies to valves and blind flanges located in high radiation areas and allows them to be verified by use of administrative controls. Allowing verification by administrative controls is considered acceptable, since access to these areas is typically restricted during MODES 1, 2, and 3 for ALARA reasons. Therefore, the probability of misalignment of these SC IVs, once they have been verified to be in the pr~per position, is low.

A second Note has been included to clarify that SCIVs that are open under administrative controls are not required to meet the SR during the time the SCIVs are open ..

SR 3.6.4.2.2 SCIVs with maximum isolation times specified in Table B 3.6.2.4-1 are tested to verify that the isolation time is within limits to demonstrate OPERABILITY.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. Automatic SCIVs without maximum isolation times

specified in Table B 3.6.4.2-1 are tested under the requirements of SR 3.6.4.2.3. The isolation time test ensures that the SCIV will isolate in a time period less than or equal to that assumed in the safety analyses.

(continued)

SUSQUEHANNA - UNIT 1 3.6-98

Rev. 14 SCIVs B 3.6.4.2 BASES SURVEILLANCE SR 3.6.4.2.3 REQUIREMENTS (continued) Verifying that each automatic required SCIV closes on a secondary containment isolation signal is required to prevent leakage of radioactive material from secondary containment following a OBA or other accidents.

This SR ensures that each automatic SCIV will actuate to the isolation position on a secondary containment isolation signal. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.6.2.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.2.

2. FSAR, Section 15.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.6-99

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2~1 Secondary Containment Ventilation System Automatic Isolation Dampers

{Page 1 of 1)

Maximum Reactor Valve Number Valve Description Type of Valve Isolation Building Time Zone (Seconds)

I HD-17586 A&B Supply System Dampers Automatic Isolation Damper 10.0 I HD-17524A&B Filtered Exhaust System Dampers Automatic Isolation Damper 10.0 I HD-17576A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 10.0 II HD-27586 A&B Supply System Dampers Automatic Isolation Damper 10.0 II HD-27524 A&B Filtered Exhaust System Dampers Automatic Isolation Damper 10.0 II HD-27576 A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 10.0 Ill HD-17564A&B Supply System Dampers Automatic Isolation Damper 14.0 Ill HD-17514 A&B Filtered Exhaust System Dampers Automatic Isolation Damper 6.5 Ill HD-17502 A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 6.0 Ill HD-27564 A&B Supply System Dampers Automatic Isolation Damper 14.0 Ill HD-27514 A&B Filtered Exhaust System Dampers Automatic Isolation Damper 6.5 Ill HD-27502 A&B Unfiltered Exhaust System Dampers Automatic Isolation Damper 6.0 NIA HD-17534A Zone 3 Airlock 1-606 Automatic Isolation Damper NIA NIA HD-17534B Zone 3 Airlock 1;611 Automatic Isolation Damper NIA NIA HD-17534D Zone 3 Airlock 1-803 Automatic Isolation Damper NIA NIA HD-17534E Zone 3 Airlock 1-805 Automatic Isolation Damper NIA NIA HD-17534F Zone 3 Airlock 1-617 Automatic Isolation Damper NIA NIA HD-17534H Zone 3 Airlock 1-618 Automatic Isolation Damper NIA NIA HD-27534A Zone 3 Airlock 11-606 Automatic Isolation Damper NIA NIA HD-275340 Zone 3 Airlock 11-803 Automatic Isolation Damper NIA NIA HD-27534E Zone 3 Airlock 11-805 Automatic Isolation Damper NIA NIA HD-27534G Zone 3 Airlock C-806 Automatic Isolation Damper NIA NIA HD-27534H Zone 3 Airlock 11-618 Automatic Isolation Damper NIA NIA HD-275341 Zone 3 Airlock 11-609 Automatic Isolation Damper NIA SUSQUEHANNA - UNIT 1 3.6-100

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2-2 Secondary Containment Ventilation System Passive Isolation Valves or Devices (Page 1 of 3)

Device Device Description Area/Elev. Required Position / Notes Number X-29-2-44 SOHR SV$tem to Fuel Pool Cooling Yard/670 Blind Flanged / Note 1 X-29-2-45 SOHR System to Fuel Pool Cooling Yard/670 Blind Flanged / Note 1 110176 SOHR Supply Drain Viv 29/670 Closed Manual Isa Valve/ Note 1 110186 SOHR Discharge Drain Viv 29/670 Closed Manual Isa Valve/ Note 1 110180 SOHR Supply Vent Viv 29/749 Closed Manual Isa Valve/ Note 1 110181 SOHR Discharae Fill Viv 27/749 Closed Manual Isa Valve/ Note 1 110182 SOHR Discharge Vent Viv 27/749 Closed Manual Isa Valve / Note 1 110187 SOHR Supplv Fill Viv 29/749 Closed Manual Isa Valve / Note 1 210186 SDHR Supply Drain Viv 33/749 Closed Manual Isa Valve/ Note 1 210187 SOHR Supply Vent Viv 33/749 Closed Manual Isa Valve/ Note 1 210191 SOHR Discharae Vent Viv 30/749 Closed Manual Isa Valve/ Note 1 210192 SOHR Discharae Drain Viv 30/749 Closed Manual Isa Valve/ Note 1 210193 SOHR Discharae Vent Viv 33/749 Closed Manual Isa Valve/ Note 1

X-29~2-46 Temporary Chiller to RBCW Yard/670 Blind Flanged / Note 2 X-29-2-47 Temporary Chiller to RBCW Yard/670 Blind Flanged / Note 2 X-29-5-95 Temporary Chiller to Unit 1 RBCW 29/749 Blind Flanaed / Note 2 X-29-5-96 Temporary Chiller to Unit 1 RBCW 29/749 Blind Flanged / Note 2 X-29-5-91 Temporary Chiller to Uriit 2 RBCW 33/749 Blind Flanged / Note 2 X-29-5-92 Temporary Chiller to Unit 2 RBCW 33/749 Blind Flanged / Note 2 187388 RBCW Temp Chiller Discharae Isa Viv 29/670 Closed Manual Isa Valve/ Note 2 187389 RBCW Temp Chiller Supply Isa Viv 29/670 Closed Manual Isa Valve/ Note 2 187390 RBCWTemp Chiller Supolv Drain Viv 29/670 Closed Manual Isa Valve/ Note 2 187391 RBCWTemp Chiller Discharae Drain Viv 29/670 Closed Manual Isa Valve/ Note 2 X-28-2-3000 Utilitv Penetration to Unit 1 East Stairwell Yard/670 Blind Flanaed / Note 3 X-29-2-48 Utility Penetration to Unit 1 RR Bay Yard/670 Capped / Note 5 X-33-2-3000 Utility Penetration to Unit 2 East Stairwell Yard/670 Blind Flanaed / Note 4 X-28-2-3000 Utility Penetration to Unit 1 East Stairwell 28/670 Blind Flanqed / Note 3 X-29-2-48 Utility Penetration to Unit 1 RR Bay 29/670 Capped / Note 5 X-33-2-3000 Utility Penetration to Unit 2 East Stairwell 33/670 Blind Flanged/ Note 4 X-29-3-54 Utility Penetration to Unit 1 RBCCW Hx Area 27/683 Blind Flanged / Note 6 X-29-3-55 Utility Penetration to Unit 1 RBCCW Hx Area 27/683 Blind Flanged / Note 6 X-29-5-97 Utility Penetration from Unit 1 RR Bay to Unit 2 Elev. 749 33/749 Capped X-27-6°92 Instrument Tubing Stubs 27/779' Capped X-29-7-4 1" Spare ConduitThreaded Plua 29/818' Installed X-30-6-72 Instrument Tubinq Stubs 30/779' Capped X-30-6-1002 Stairwell #214 Ruoture Disc 30/779' Installed Intact X-30-6-1003 Airlock 11-609 Rupture Disc 30/779' Installed Intact X-25-6-1008 Airlock 1-606 Rupture Disc 25/779' Installed Intact X-29-4,D1-B Penetration at Door 4330 29/719' Blind Flanqe Installed X-29-4-D1-A Penetration at Door 4330 29/719' Blind Flange Installed X-29-4-D1-B Penetration at Door 404 33/719' Blind Flanqe Installed X-29-4-D1-A Penetration at Door 404 33/719' Blind Flange Installed HD17534C Airlock 1-707 Blind Flanae 28/799' Blind Flanqe Installed HD27534C Airlock 11-707 Blind Flanae 33/799' Blind Flanqe Installed XD-17513 Isolation damper for Railroad Bay Zone Ill HVAC Supply 29/799' Position is dependent on Railroad Bav alianment XD-17514 Isolation damper for Railroad Bay Zone Ill HVAC Exhaust 29/719' Position is dependent on Railroad Bay alignment XD-12301 PASS Air Flow Damper 11/729' Closed Damper XD-22301 PASS Air Flow Damper 22/729' Closed Damper SUSQUEHANNA - UNIT 1 3.6-101

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6.4.2-2 Secondary Containment Ventilation System Passive Isolation Valves or Devices (Page 2 of 3)

Device Device Description Area/Elev. Required Position/ Notes Number 161827 HPCI Blowout Steam Vent Drain Valve 25/645' Closed Manual Isa Valve/ Note 3 161828 RCIC Blowout Steam Vent Drain Valve 28/645' Closed Manual Isa Valve / Note 3 161829 'A' RHR Blowout Steam Vent Drain Valve 29/645' Closed Manual Isa Valve/ Note 3 161830 'B' RHR Blowout Steam Vent Drain Valve 28/645' Closed Manual Isa Valve/ Note 3 261820 RCIC Blowout Steam Vent Drain Valve 33/645' Closed Manual Isa Valve / Note 4 261821 'A' RHR Blowout Steam Vent Drain Valve 34/645' Closed Manual Isa Valve/ Note 4 261822 'B' RHR Blowout Steam Vent Drain Valve 33/645' Closed Manual Isa Valve / Note 4 1LRWl810U Zone Ill Floor Drain 29-818 Plumied / Note 7 1LRWl810V Zone Ill Floor Drain 29-818 Pluaaed / Note 7 1LRWl810W Zone Ill Floor Drain 29-818 Pluaqed / Note 7 1LRWl810X Zone Ill Floor Drain 29-818 Pluaaed / Note 7 1LRWl810Y Zone Ill Floor Drain 29-818 Pluqqed / Note 7 1LRWl810Z Zone Ill Floor Drain 29-818 Plugged / Note 7 1LRWl810FF Zone Ill Floor Drain 29-818 Pluqqed / Note 7 1LRWl810GG Zone Ill Floor Drain 29-818 Plugged/ Note 7 1LRW1810HH Zone Ill Floor Drain

29-818 Pluaaed / Note 7 1LRWl810JJ Zone Ill Floor Drain 29-818 Plugged / Note 7 1LRWl810KK Zone Ill Floor Drain 29-818 Pluqaed / Note 7 1LRWl615A Zone I, Zone Ill, or No Zone Floor Drain 29-779 Pluaaed / Note 7 1LRWl100A Zone I, Zone Ill, or No Zone Floor Drain 29-670 Pluqqed / Note 7 1LRWl100B Zone I, Zone Ill, or No Zone Floor Drain 29-670 Plugged/ Note 7 1LRWl100C Zone I, Zone Ill, or No Zone Floor Drain 29-670 Plui:med / Note 7 1LRWl100D Zone I, Zone Ill, or No Zone Floor Drain 29-670 Pluaaed / Note 7 1LRWl100E Zone I, Zone Ill, or No Zone Floor Drain 29-670 Plumied / Note 7 1LRWl100F Zone I, Zone Ill, or No Zone Floor Drain 29-670 Pluaaed / Note 7 1LRWl100G Zone I, Zone Ill, or No Zone Floor Drain 29-670 Plugged / Note 7 2LRWl810L Zone Ill Floor Drain 34-818 Pluaaed / Note 7 2LRWl810M Zone Ill Floor Drain 34-818 Plugged / Note 7 2LRWl810N Zone Ill Floor Drain 34-818 Pluaqed / Note 7 2LRWl810R Zone Ill Floor Drain 34-818 Plugqed / Note 7 2LRWl810S Zone Ill Floor Drain 34-818 Pluaaed / Note 7 2LRWl703A Zone II Floor Drain 34-799 Plugqed / Note 7 2LRWl615A Zone II Floor Drain 34-779 Plugged / Note 7 2LRWl100A Zone II Floor Drain* 34-670 Plum1ed / Note 7 2LRWl100B Zone II Floor Drain 34-670 Plugged / Note 7 2LRW1100C Zone II Floor Drain 34-670 Plugged / Note 7 2LRW1100D Zone II Floor Drain 34-670 Pluaaed / Note 7 2LRW1100E Zone II Floor Drain 34-670 Plugaed / Note 7 2LRWl100F Zone II Floor Drain 34-670 Pluaaed / Note 7 2LRWl100G Zone II Floor Drain 34-670 Plugged / Note 7 2573280R HCVS Rupture Disc Burst Connection Isolation Valves 21/686' Closed Manual Isa Valve/ Note 4 257336 157328 OR HCVS Rupture Disc Burst Connection Isolation Valves 21/686' Closed Manual Isa Valve/ Note 3 157336 SUSQUEHANNA - UNIT 1 3.6-102

Rev. 14 SCIVs B 3.6.4.2 Table B 3.6:4.2-2 Secondary Containment Ventilation System Passive Isolation Valves or Devices (Page 3 of 3)

Note 1: The two blind flanges on the SOHR penetrations (blind flanges for device number X-29-2-44 and X-29-2-45) and all the closed manual valves for the SOHR system (110176, 110186, 110180, 110181, 110182, 110187, 210186, 210187, 210191, 210192, 210193) can each be considered as a separate secondary containment isolation device for the SOHR penetrations. If one or both of the blind flanges is removed and all the above identified manual valves for the SOHR system are closed, the appropriate LCO should be entered for one inoperable SCIV in a penetration flow path with two SCIVs. With the blind flange removed, the manual valves could be opened intermittently under administrative controls per the Technical Specification Note. When both SOHR blind flanges are installed, opening of the manual valves for the SOHR system will be controlled to prevent cross connecting ventilation zones. When the manual valves for the SOHR system are open in this condition, the appropriate LCO should be entered for one inoperable SCIV in a penetration flow path with two SCIVs. When the SOHR system piping is connected and full of water, the piping forms the secondary containment boundary and the above listed SC IVs in Table B3.6.4.2-2 are no longer required for this system since the piping forms the barrier.

Note 2: Due to the multiple alignments of the RBCW temporary chiller, different devices will perform the SCIV function depending on the RBCW configuration. There are three devices/equipment that can perform the SCIV function for the RBCW temporary chiller supply penetration. The first SCIV for the RBCW temporary chiller supply penetration is the installed blind flange on penetration X-29-2-47. The second SCIV for the RBCW temporary chiller supply penetration is isolation valve 187389. The third SCIV for the temporary RBCW chiller supply penetration is closed drain valve 187390 and an installed blind flange on penetrations X-29-5-92 and X-29-5-96. Since there are effectively three SCIVs, any two can be used to satisfy the SCIV requirements for the penetration.

Removal of one of the two required SC IVs requires entry into the appropriate LCO for one inoperable SCIV in a penetration flow path with two SC IVs. Opening of drain valve 187390 and operation of blank flanges X-29-5-96 and X-29-5-92 will be controlled to prevent cross connecting ventilation zones. These three SCIVs prevent air leakage. The isolation of the penetration per the Technical Specification requirement is to assure that one of the above SCIVs is closed so that there is no air leakage.

There are three devices/equipment that can perform the SCIV function for the RBCWtemporary chiller return penetration. The first SCIV for the RBCW temporary chiller return penetration is the installed blind flange on penetration X-29-2-46. The second SCIV for the RBCW temporary chiller return penetration is isolation valve 187388. The third SCIV for the temporary RBCW chiller return penetration is closed drain valve 187391 and an installed blind flange on penetrations X-29-5-91 and X-29-5-95. Since there are effectively three SC IVs, any two can be used to define the SCIV for the penetration. Removal of one of the two required SC IVs requires entry into the appropriate LCO for one inoperable SCIV in a penetration flow path with two SCIVs. Opening of drain valve 187391 and operation of blank flanges X-29-5-91 and X-29-5-95 will be controlled to prevent cross connecting ventilation zones.

These three SC IVs prevent air leakage. The isolation of the penetration per the Technical Specification requirement is to assure that one of the above SC IVs is closed so that there is no air leakage.

When the RBCW temporary chiller piping is connected and full of water, the piping inside secondary containment forms the secondary containment boundary and the above listed SCIVs in Table 83.6.4.2-2 are no longer required for this system.

Note 3: These penetrations connect Secondary Containment Zone I to a No-Zone. When Secondary Containment Zone I is isolated from the recirculation plenum, the above listed SCIVs in Table B3.6.4.2-2 are no longer required.

Note 4: These penetrations connect Secondary Containment Zone II to a No-Zone. When Secondary Containment Zone II is isolated from the recirculation plenum, the above listed SCIVs in Table B3.6.4.2-2 are no longer required.

Note 5: These penetrations connect the Railroad Bay to a No-Zone. When the Railroad Bay is a No-Zone, the above listed SC IVs in Table 83.6.4.2-2 are no longer required.

Note 6: These penetrations connect Secondary Containment Zone I to the Railroad Bay. The above listed SC IVs in Table 83.6.4.2-2 are not required if the Railroad Bay is a No-Zone and Zone I is isolated from the recirculation plenum OR if the Railroad Bay is aligned to Zone I.

Note 7: Due to a drain header containing multiple floor drains in different ventilation zones, drain plugs were installed in all of the drain header floor drains. To provide the passive Secondary Containment boundary only drain plugs in one ventilation zone are required to be installed.

SUSQUEHANNA - UNIT 1 3.6-103

Rev. 7 SGT System B 3.6.4.3 B 3.6 CONTAINMENT SYSTEMS B 3.6.4.3 Standby Gas Treatment (SGT) System BASES BACKGROUND The SGT System is required by 10 CFR 50, Appendix A, GDC 41, "Containment Atmosphere Cleanup" (Ref. 1). The safety function of the SGT System is to ensure that radioactive materials that leak from the primary containment into the secondary containment following a Design Basis Accident (OBA) are filtered and adsorbed prior to exhausting to the environment.

The SGT System consists of two redundant subsystems, each with its own set of dampers, filter train, and a reactor building recirculation fan and associated dampers and controls.

Each filter train consists of (components listed in order of the direction of the airflow):

a. A demister;

b. An electric heater;

c. A prefilter;

d. A high efficiency particulate air (HEPA) filter;

e. A charcoal adsorber;

f. A second HEPA filter; and

g. A centrifugal fan.

The sizing of the SGT System equipment and components is based on handling an incoming air mixture at a maximum of 125°F. The internal pressure of the secondary containment is maintained at a negative pressure of 0.25 inches water gauge when the system is in operation. Maintenance of a negative pressure precludes direct outleakage.

(continued)

SUSQUEHANNA - UNIT 1 3.6-104

Rev. 7 SGT System B 3.6.4.3 BASES BACKGROUND The demister is provided to remove entrained water in the air, while the (continued) electric heater reduces the relative humidity of the airstream to less than 70%

(Ref. 2). The prefilter removes large particulate matter, while the HEPA filter removes fine particulate matter and protects the charcoal from fouling. The charcoal adsorber removes gaseous elemental iodine and organic iodides, and the final HEPA filter collects any carbon fines exhausted from the charcoal adsorber.

The SGT System automatically starts and operates in response to actuation signals indicative of conditions or an accident that could require operation of the system. Following initiation in each division, the associated filter train fan starts. Upon verification that both subsystems are operating, the redundant subsystem may be shut down.

The SGT System also contains a cooling function to remove heat generated by fission product decay on the HEPA filters and charcoal adsorbers during shutdown of an SGT subsystem. The cooling function consists of two separate and independent filter cooling modes per SGT subsystem. The two cooling modes are:

1) Outside air damper and the filter cooling bypass damper open, allowing outside air to flow through the shutdown SGT subsystem's filter train and exit via the opposite SGT subsytem's exhaust fan.

2) Outside air damper opens and the SGT exhaust fan of the shutdown SGT subsystem starts. This configurations draws outside air through the shutdown SGT subsystem's filter train and exits via the associated SGT subsystem's exhaust fan.

APPLICABLE The design basis for the SGT System is to mitigate the consequences of a SAFETY loss of coolant accident and fuel handling accidents (Ref. 2). For all events ANALYSES analyzed, the SGT System is shown to be automatically initiated to reduce, via filtration and adsorption, the radioactive material released to the environment.

The SGT System satisfies Criterion 3 of the NRC Policy Statement (Ref. 3).

(continued)

SUSQUEHANNA - UNIT 1 3.6-105

Rev. 7 SGT System B 3.6.4.3 BASES LCO Following a OBA, a minimum of one SGT subsystem is required to maintain the secondary containment at a negative pressure with respect to the environment and to process gaseous releases. Meeting the LCO requirements for two OPERABLE subsystems ensures operation of at least one SGT subsystem in the event of a single active failure. A SGT subsystem is considered OPERABLE when it has an OPERABLE set of dampers, filter train, one reactor building recirculation fan and associated dampers, and associated controls, including instrumentation. (The reactor building recirculation fans and associated dampers are not dedicated to either SGT subsystem. As a result, when any one reactor building recirculation division is not OPERABLE, one arbitrarily determined SGT subsystem is not operable. This interpretation only applies if both divisions of Secondary Containment Isolation logic are operable). This includes the components required for at least one of the two SGTS filter cooling modes.

APPLICABILITY In MODES 1, 2, and 3, a OBA could lead to a fission product release to primary containment that leaks to secondary containment. Therefore, SGT System OPERABILITY is required during these MODES.

In MODES 4 and 5, the probability and consequences of these events are reduced due to the pressure and temperature limitations in these MODES.

Therefore, maintaining the SGT System in OPERABLE status is not required in MODE 4 or 5, except for other situations under which significant releases of radioactive material can be postulated, such as during CORE ALTERATIONS or during movement of irradiated fuel assemblies in the secondary containment.

ACTIONS A.1 With one SGT subsystem inoperable, the inoperable subsystem must be restored to OPERABLE status in 7 days. In this Condition, the remaining OPERABLE SGT subsystem is adequate to perform the required radioactivity release control function. However, the overall system reliability is reduced because a single failure in the OPERABLE subsystem could result in the radioactivity release control function not being adequately performed. The 7 day Completion Time is based on consideration of such factors as the availability of the OPERABLE redundant SGT System and the low probability of a OBA occurring during this period.

(continued)

SUSQUEHANNA - UNIT 1 3.6-106

Rev. 7 SGT System B 3.6.4.3 BASES ACTIONS B.1 and B.2 (continued)

If the SGT subsystem cannot be restored to OPERABLE status within the required Completion Time in MODE 1, 2, or 3, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

C.1, C.2.1, and C.2.2 During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, when Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE SGT filter train should immediately be placed in operation. This action ensures that the remaining filter train is OPERABLE, that no failures that could prevent automatic actuation have occurred, and that any other failure would be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that represent a potential for releasing radioactive material to the secondary containment, thus placing the plant in a condition that minimizes risk. If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies must immediately be suspended. Suspension of these activities must not preclude completion of movement of a component to a safe position.

The Required Actions of Condition C have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

(continued)

SUSQUEHANNA - UNIT 1 3.6-107

Rev. 7 SGT System B 3.6.4.3 BASES ACTIONS D.1 (continued)

If both SGT subsystems are inoperable in MODE 1, 2, or 3, the SGT system may not be capable of supporting the required radioactivity release control function. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time provides a period of time to correct the problem that is commensurate with the importance of maintaining the SGT System contribution to secondary containment during MODES 1, 2, and 3. This time period also ensures that the probability of an accident (requiring SGT OPERABILITY) occurring during periods where SGT is inoperable is minimal.

E.1 and E.2 If at least one SGT subsystem cannot be restored to OPERABLE status within the required Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months .

The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

F.1 and F.2 When two SGT subsystems are inoperable, if applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in secondary containment must immediately be suspended. Suspension of these activities shall not preclude completion of movement of a component to a safe position.

Required Action F.1 has been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies*while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations. Therefore, in either case, inability to suspend movement of irradiated fuel assemblies would not be a sufficient reason to require a reactor shutdown.

(continued)

SUSQUEHANNA - UNIT 1 3.6-108

Rev. 7 SGT System B 3.6.4.3 BASES SURVEILLANCE SR 3.6.4.3.1 REQUIREMENTS Operating each SGT filter train for;;.:: 15 continuous minutes with heaters on ensures that both filter trains are OPERABLE and that all associated controls are functioning properly. It also ensures that blockage, fan or motor failure, or excessive vibration can be detected for corrective action.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.4.3.2 This SR verifies that the required SGT filter testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations). Specific test frequencies and additional information are discussed in detail in the VFTP.

SR 3.6.4.3.3 This SR verifies that each SGT subsystem starts on receipt of an actual or simulated initiation signal. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.6.4.3.4 This SR verifies that both cooling modes for each SGT subsystem are available. Although both cooling modes are tested, only one cooling mode for each SGT subsystem is required for an SGT subsystem to be considered OPERABLE. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 41 ~

2. FSAR, Section 6.5.1 3 .. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

4. Regulatory Guide 1.52, Rev. 1.

SUSQUEHANNA - UNIT 1 3.6-109

Rev.4 CREOAS System B 3.7.3 3.7 PLANT SYSTEMS B 3.7.3 Control Room Emergency Outside Air Supply (CREOAS) System BASES BACKGROUND The CREOAS System provides a protected environment from which occupants can control the unit following an uncontrolled release of radioactivity, hazardous chemicals, or smoke. This radiologically controlled environment is termed the Control Room Envelope (CRE) and is comprised of Control Structure floor elevations 697'-0" through 783'-0" including the stairwells as described in FSAR Section 6.4 (Ref. 5).

The safety related function of the CREOAS System includes two independent and redundant high efficiency air filtration subsystems for emergency treatment of outside supply air and a CRE boundary that limits the inleakage of unfiltered air. Each CREOAS subsystem consists of an electric heater, a prefilter, an upstream high efficiency particulate air (HEPA) filter, an activated charcoal adsorber section, a downstream HEPA filter, a CREOAS fan, a control structure heating and ventilation fan, a control room floor cooling fan, a computer room floor cooling fan, and the associated ductwork, valves or dampers, doors, barriers, and instrumentation. Prefilters and HEPA filters remove particulate matter, which may be radioactive. The charcoal adsorbers provide a holdup period for gaseous iodine, allowing time for decay. With the exception of the CREOAS fan, all other CREOAS subsystem fans operate continuously to maintain the affected compartments environment. These other ventilation fans operate independently of the CREOAS fans and are required to operate to ensure a positive pressure in the control structure is maintained utilizing filtered outside air supplied by the CREOAS fans.

The CRE is the area within the confines of the CRE boundary that contains the spaces that control room occupants inhabit to control the unit during normal and accident conditions. This area encompasses the control room, and may encompass other non-critical areas to which frequent personnel access or continuous occupancy is not necessary in the event of an accident. The CRE is protected during normal operation, natural events, and accident conditions. The CRE boundary is the combination of walls, floor, roof, ducting, doors, penetrations and equipment that physically form the CRE. The OPERABILITY of the CRE boundary must be maintained to ensure that the inleakage of unfiltered air into the CRE will not exceed the inleakage assumed in the licensing basis analysis of design basis accident (OBA) consequences to CRE occupants. The CRE and its boundary are defined in the Control Room Envelope Habitability Program.

(continued)

SUSQUEHANNA - UNIT 1 3.7-12

Rev.4 CREOAS System B 3.7.3 BASES BACKGROUND Upon receipt of the initiation signal(s) (indicative of conditions that could

( continued) result in radiation exposure to CRE occupants), the CREOAS System automatically switches to the pressurization/filtration mode of operation to minimize infiltration of contaminated air into the CRE. A system of dampers aligns the outside air intake to the CREOAS fan suction and filter train.

Outside air is taken in at the normal ventilation intake and passed through one of the charcoal adsorber filter subsystems. The filtered air leaving the CREOAS filtration train is routed to the inlet of the other ventilation fans for distribution.

One of the CREOAS System design requirements is to maintain a

habitable environment in the CRE for a 30 day continuous occupancy after a OBA without exceeding 5 rem whole body dose or its equivalent to any part of the body. A single CREOAS subsystem operating at a flow rate of::; 581 O cfm with an intact CRE will pressurize the CRE (which includes the control room) to greater than or equal to 0.125 inches water gauge relative to external areas adjacent to the CRE boundary to minimize infiltration of air from all surrounding areas adjacent to the CRE boundary. CREOAS System operation in maintaining CRE habitability is discussed in the FSAR, Chapters 6 and 9, (Refs. 1 and 2, respectively).

APPLICABLE The ability of the CREOAS System to maintain the habitability of the CRE is SAFETY an explicit assumption for the safety analyses presented in the FSAR, ANALYSES Chapters 6 and 15 (Refs. 1 and 3, respectively). The pressurization/filtration mode of the CREOAS System is assumed to operate following a OBA as discussed in the FSAR, Section 6.4.1 (Ref. 4). The radiological doses to the CRE occupants as a result of the various DBAs are summarized in Reference 3. No single active failure will cause the loss of outside or recirculated air from the CRE.

The CREOAS System provides protection from smoke and hazardous chemicals to the CRE occupants. The analysis of hazardous chemical releases demonstrates that the toxicity limits are not exceeded in the CRE following a hazardous chemical release (Ref. 5). The evaluation of a smoke challenge demonstrates that it will not result in the inability of the CRE occupants to control the reactor either from the control room or from the remote shutdown panels (Ref. 6).

The CREOAS System satisfies Criterion 3 of 10 CFR 50.36(c)(2)(ii).

(continued)

SUSQUEHANNA - UNIT 1 3.7-13

Rev. 4 CREOAS System B 3.7.3 BASES LCO Two redundant subsystems of the CREOAS System are required to be OPERABLE to ensure that at least one is available, if a single active failure disables the other subsystem. Total CREOAS System failure, such as from a loss of both ventilation subsystems or from an inoperable CRE boundary, CO\Jld result in exceeding a dose of 5 rem whole body or equivalent to the CRE occupants in the event of a OBA.

Each CREOAS subsystem is considered OPERABLE when the individual components necessary to limit CRE occupant exposure are OPERABLE.

Both subsystems are considered OPERABLE when:

a. Both filter trains each consisting of a CREOAS fan heater, a HEPA filter, and charcoal adsorber which is not excessively restricting flow is OPERABLE; and

b. Both Control Structure Heating and Ventilation fans, Computer Room

Floor Cooling fans, and Control Room Floor Cooling fans are OPERABLE; and

c. Ductwork, valves, and dampers are OPERABLE, and air circulation can be maintained.

d. Neither Smoke Removal Fan (OV104NB) is in operation.

One subsystem is considered OPERABLE when:

a. One filter train consisting of a CREOAS fan, heater, a HEPA filter, and charcoal adsorber which is not excessively restricting flow is OPERABLE; and

b. The 'A' Control Structure Heating and Ventilation fan (OV103A) and the

'A' Computer Room Floor Cooling fan (OV115A) and the 'A' Control Room Floor Cooling fan (OV117A) are OPERABLE OR The 'B' Control Structure Heating and Ventilaiton fan (OV1038) and the

'B' Computer Room Floor Cooling fan (OV115B) and the 'B' Control Room Floor Cooling fan (OV1178) are OPERABLE (These fans are not dedicated to either CREOAS subsystem. As a result when any one set of fans is not OPERABLE, one arbitrarily determined CREOAS subsystem is not OPERABLE): and (continued)

SUSQUEHANNA - UNIT 1 3.7-14

Rev.4 CREOAS System B 3.7.3 BASES LCO c. Ductwork, valves, and dampers are OPERABLE, and air circulation can (continued) be maintained.

d. Neither Smoke Removal Fan (OV104NB) is in operation.

In order for the CREOAS subsystems to be considered OPERABLE, the CRE boundary must be maintained such that the CRE occupant dose from a large radioactive release does not exceed the calculated dose in the licensing basis consequence analyses for DBAs, and that CRE occupants are protected from hazardous chemicals and smoke. Note the CRE can not be maintained with a smoke removal fan (OV104A or OV104B) in operation.

The LCO is modified by a Note allowing the CRE boundary to be opened intermittently under administrative controls. This Note only applies to openings in the CRE boundary that can be rapidly restored to the design condition, such as doors, hatches, floor plugs, and access panels. For entry and exit through doors the administrative control of the opening is performed by the person(s) entering or exiting the area. For other openings, these controls should be proceduralized and consist of stationing a dedicated individual at the opening who is in continuous communication with the operators in the CRE. This individual will have a method to rapidly close the opening and to restore the CRE boundary to a condition equivalent to the design condition when a need for CRE isolation is indicated.

APPLICABILITY In MODES 1, 2, and 3, the CREOAS System must be OPERABLE to ensure that the CRE will remain habitable during and following a OBA, since the OBA could lead to a fission product release.

In MODES 4 and 5, the probability and consequences of a OBA are reduced because of the pressure and temperature limitations in these MODES.

Therefore, maintaining the CREOAS System OPERABLE is not required in MODE 4 or 5, except during CORE ALTERATIONS and during movement of irradiated fuel assemblies in the secondary containment.

(continued)

SUSQUEHANNA - UNIT 1 3.7-15

Rev. 4 CREOAS System B 3.7.3 BASES ACTIONS A.1 With one CREOAS subsystem inoperable, for reasons other than an inoperable CRE boundary, the inoperable CREOAS subsystem must be restored to OPERABLE status within 7 days. With the unit in this condition, the remaining OPERABLE CREOAS subsystem is adequate to perform the CRE occupant protection function. However, the overall reliability is reduced because a failure in the OPERABLE subsystem could result in loss of the CREOAS System function. The 7 day Completion Time is based on the low probability of a OBA occurring during this time period, and that the remaining subsystem can provide the required capabilities.

B.1, B.2, and B.3 If the unfiltered inleakage of potentially contaminated air past the CRE boundary and into the CRE can result in CRE occupant radiological dose greater than the calculated dose of the licensing basis analyses of OBA consequences (allowed to be up to 5 rem whole body or its equivalent to any part of the body), or inadequate protection of CRE occupants from hazardous chemicals or smoke, the CRE boundary is inoperable. Actions must be taken to restore an OPERABLE CRE boundary within 90 days.

During the period that the CRE boundary is considered inoperable, action must be initiated to implement mitigating actions to lessen the effect on CRE occupants from the potential hazards of a radiological or chemical event or a challenge from smoke. Actions must be taken within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months to verify that in the event of a OBA, the mitigating actions will ensure that CRE occupant radiological exposures will not exceed the calculated dose of the licensing basis analyses of OBA consequences, and that CRE occupants are protected from hazardous chemicals and smoke. These mitigating actions (i.e., actions that are taken to offset the consequences of the inoperable CRE boundary) should be preplanned for implementation upon entry into the condition, regardless of whether entry is intentional or unintentional.

The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time is reasonable based on the low probability of a OBA occurring during this time period, and the use of mitigating actions. The 90 day Completion Time is reasonable based on the determination that the mitigating actions will ensure protection of CRE occupants within analyzed limits while limiting the probability that CRE occupants will have to implement protective measures that may adversely affect their ability to control the reactor and maintain it in a safe shutdown condition in the event of a OBA. In addition, the 90 day Completion Time is a reasonable time to diagnose, plan and possibly repair, and test most problems with the CRE boundary.

(continued)

SUSQUEHANNA - UNIT 1 3.7-16

Rev. 4 CREOAS System B 3.7.3 BASES ACTIONS C.1 and C.2 (continued)

In MODE 1, 2, or 3, if the inoperable CREOAS subsystem or the CRE boundary cannot be restored to OPERABLE status within the required Completion Time, the unit must be placed in a MODE that minimizes accident risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

0.1, D.2.1 and D.2.2 The Required Actions of Condition D are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE* 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require either an entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, if the inoperable CREOAS subsystem cannot be restored to OPERABLE status within the required Completion Time, the OPERABLE CREOAS subsystem may be placed in the pressurization/filtration mode. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent automatic actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action D.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the CRE. This places the unit in a condition that minimizes the accident risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately.

Suspension of these activities shall not preclude completion of movement of a component to a safe position.

(continued)

SUSQUEHANNA - UNIT 1 3.7-17

Rev.4 CREOAS System B 3.7.3 BASES ACTIONS (continued)

If both CREOAS subsystems are inoperable in MODE 1, 2, or 3, for reasons other than an inoperable CRE boundary (i.e., Condition B) the CREOAS System may not be capable of performing the intended function and the unit is in a condition outside of the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

F.1 and F.2 The Required Actions of Condition F are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require either an entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, with two CREOAS subsystems inoperable or with one or more CREOAS subsystems inoperable due to an inoperable CRE boundary, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require pressurization of the CRE. This places the unit in a condition that minimizes the accident risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately Suspension of these activities shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.7.3.1 REQUIREMENTS This SR verifies that a CREOAS fan in a standby mode starts on demand from the control room and continues to operate with flow through the HEPA filters and charcoal adsorbers. Standby systems should be checked periodically to ensure that they start and function properly. As the environmental and normal operating conditions of this system are not severe, testing each subsystem once every month provides an adequate check on this system. Systems with heaters must be operated for ~ 15 continuous minutes with the heaters energized. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.7-18

Rev. 4 CREOAS System 8 3.7.3 BASES SURVEILLANCE SR 3.7.3.2 REQUIREMENTS (continued) This SR verifies that the required CREOAS testing is performed in accordance with the Ventilation Filter Testing Program (VFTP). The VFTP includes testing HEPA filter performance, charcoal adsorber efficiency, minimum system flow rate, and the physical properties of the activated charcoal (general use and following specific operations).

Specific test Frequencies and additional information are discussed in detail in the VFTP.

SR 3.7.3.3 This SR verifies that on an actual or simulated initiation signal, each CREOAS subsystem starts and operates. The LOGIC SYSTEM FUNCTIONAL TEST in SR 3.3.7.1.5 overlaps this SR to provide complete testing of the safety function. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.7.3.4 This SR verifies the OPERABILITY of the CRE boundary by testing for unfiltered air inleakage past the CRE boundary and into the CRE. The details of the testing are specified in the Control Room Envelope Habitability Program.

The CRE is considered habitable when the radiological dose to CRE occupants calculated in the licensing basis analyses of OBA consequences is no more than 5 rem whole body or its equivalent to any part of the body and the CRE occupants are protected from hazardous chemicals. and smoke. This SR verifies that the unfiltered air inleakage into the CRE is no greater than the flow rate assumed in the licensing basis analyses of OBA consequences. When unfiltered air inleakage is greater than the assumed flow rate, Condition B must be entered. Reqµired Action 8.3 allows time to restore the CRE boundary to OPERABLE status provided mitigating actions can ensure that the CRE remains within the licensing basis habitability limits for the occupants following an accident. Compensatory measures are discussed in Regulatory Guide 1.196, Section C.2. 7 .3, (Ref.

7) which endorses, with exceptions, NEI 99-03, Section 8.4 and Appendix F (Ref. 8). These compensatory measures may also be used as mitigating actions as required by Required Action 8.2. Temporary analytical methods may also be used as compensatory measures to restore OPERABILITY (Ref. 9). Options for restoring the CRE boundary to OPERABLE status include changing the licensing basis OBA consequence analysis, repairing the CRE boundary, or a combination of these actions. Depending upon (continued)

SUSQUEHANNA - UNIT 1 3.7-18a

Rev.4 CREOAS System B 3.7.3 BASES SURVEILLANCE SR 3.7.3.4 (continued)

REQUIREMENTS (continued) the nature of the problem and the corrective action, a full scope inleakage test may not be necessary to establish that the CRE boundary has been restored to OPERABLE status.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 9.

3. FSAR, Chapter 15.

4. FSAR, Section 6.4.1.

5. FSAR, Section 6.4.

6. FSAR, Section 9.5.

7. Regulatory Guide 1.196.

8. NEI 99-03, "Control Room Habitability Assessment," June 2001.

9. Letter from Eric J. Leeds (NRC) to James W. Davis (NEI) dated January 30, 2004, "NEI Draft White Paper, Use of Generic Letter 91-18 Process and Alternative Source Terms in the Context of Control Room Habitability." (ADAMS Accession No. ML040300694).

SUSQUEHANNA - UNIT 1 3.7-19

Rev. 2 Control Room Floor Cooling Syst B 3.7.4 B 3.7 PLANT SYSTEMS B 3.7.4 Control Room Floor Cooling System BASES BACKGROUND The Control Room Floor Cooling System provides temperature control for the control room. The control room floor cooling fans are also needed for pressure control of the habitability envelope.

The Control Room Floor Cooling System consists of two independent, redundant subsystems that provide cooling of recirculated control room air.

Each subsystem consists of cooling coils, fans, chillers, compressors, ductwork, dampers, and instrumentation and controls to provide for control room temperature control.

The Control Room Floor Cooling System is designed to provide a controlled environment under both normal and accident conditions. A single subsystem provides the required temperature control to maintain a suitable control room environment. The design conditions for the control room environment are 75

(+/- 5)°F and 50 (+/- 5)% relative humidity. The Control Room Floor Cooling System operation in maintaining the control room temperature is discussed in the FSAR, Section 6.4 (Ref. 1).

APPLICABLE The design basis of the Control Room Floor Cooling System is to maintain SAFETY the control room temperature for a 30 day continuous occupancy. The ANALYSES control room floor cooling fans are also needed for pressure control of the habitability envelope.

The Control Room Floor Cooling System components are arranged in redundant safety related subsystems. During emergency operation, the Control Room Floor Cooling System maintains a habitable environment and ensures the OPERABILITY of components in the control room. A single failure of a component of the Control Room Floor Cooling System, assuming a loss of offsite power, does not impair the ability of the system to perform its design function. Redundant detectors and controls are provided for control room temperature control. The Control Room Floor Cooling System is designed in accordance with Seismic Category I requirements. The Control Room Floor Cooling System is capable of removing sensible and latent heat loads from the control room, including consideration of equipment heat loads and personnel occupancy requirements to ensure equipment OPERABILITY.

The Control Room Floor Cooling System satisfies Criterion 3 of the NRC Policy Statement. (Ref. 2)

(continued)

SUSQUEHANNA - UNIT 1 3.7-20

Rev.2 Control Room Floor Cooling Syst B 3.7.4 BASES LCO Two independent and redundant subsystems of the Control Room Floor Cooling System are required to be OPERABLE to ensure that at least one is available, assuming a single failure disables the other subsystem. Total system failure could result in the equipment operating temperature exceeding limits.

The Control Room Floor Cooling System is considered OPERABLE when the indivioual components necessary to maintain the control room temperature are OPERABLE in both subsystems. These components include the cooling coils, fans, chillers, compressors, ductwork, dampers, and associated instrumentation and controls. The Control Room Floor Cooling System fans, ductwork, and dampers are also addressed by LCO 3.7.3, "Control Room Emergency Outsiqe Air Supply System".

APPLICABILITY In MODE 1, 2, or 3, the Control Room Floor Cooling System must be OPERABLE to ensure that the control room temperature will not exceed equipment OPERABILITY limits following habitability envelope isolation.

In MODES 4 and 5, the probability and consequences of a Design Basis Accident are reduced due to the pressure and temperature limitations in these MODES. Therefore, maintaining the Control Room Floor Cooling System OPERABLE is not required in MODE 4 or 5, except during CORE ALTERATIONS and during movement of irradiated fuel assemblies in the secondary containment. .

ACTIONS A.1 With one control room floor cooling subsystem inoperable, the inoperable control room floor cooling subsystem must be restored to OPERABLE status within 30 days. With the unit in this condition, the remaining OPERABLE control room floor cooling subsystem is adequate to perform the control room air conditioning function. However, the overall reliability is reduced because a single*failure in the OPERABLE subsystem could result in loss of the control room air conditioning function. The 30 day Completion Time is based on the low probability of an event occurring requiring habitability envelope isolation, the consideration that the remaining subsystem can provide the required protection, and the availability of alternate safety and (continued)

SUSQUEHANNA - UNIT 1 3.7-21

Rev.2 Control Room Floor Cooling Syst B 3.7.4 BASES ACTIONS A.1 (continued)

(continued) nonsafety cooling methods. Since nonsafety alternate cooling methods are available, this Action is less restrictive than 3.7.3 where an alternate method of maintaining the habitability envelope at a positive pressure is not available.

B.1 and B.2 In MODE 1, 2, or 3, if the inoperable control room floor cooling subsystem cannot be restored to OPERABLE status within the associated Completion Time, the unit must be placed in a MODE that minimizes risk. To achieve this status, the unit must be placed in at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and in MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power conditions in an orderly manner and without challenging unit systems.

C.1. C.2.1 and C.2.2 The Required Actions of Condition C are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not sufficient reason to require entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, if Required Action A.1 cannot be completed within the required Completion Time, the OPERABLE control room floor cooling subsystem may be placed immediately in operation. This action ensures that the remaining subsystem is OPERABLE, that no failures that would prevent actuation will occur, and that any active failure will be readily detected.

An alternative to Required Action C.1 is to immediately suspend activities that present a potential for releasing radioactivity that might require isolation of the habitability envelope. This places the unit in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment must be suspended immediately.

Suspension of these activities shall not preclude completion of movement of a component to a safe position.

(continued)

SUSQUEHANNA - UNIT 1 3.7-22

Rev. 2 Control Room Floor Cooling Syst B 3.7.4 BASES ACTIONS D.1 (continued)

If both control room floor cooling subsystems are inoperable in MODE 1, 2, or 3, the Control Room Floor Cooling System may not be capable of performing the intended function. Therefore, LCO 3.0.3 must be entered immediately.

E.1 and E.2 The Required Actions of Condition E are modified by a Note indicating that LCO 3.0.3 does not apply. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

Therefore, inability to suspend movement of irradiated fuel assemblies is not a sufficient reason to require entry into LCO 3.0.3 or a reactor shutdown in accordance with LCO 3.0.3.

During movement of irradiated fuel assemblies in the secondary containment or during CORE ALTERATIONS, with two control r.oom floor cooling subsystems inoperable, action must be taken immediately to suspend activities that present a potential for releasing radioactivity that might require isolation of the habitability envelope. This places the unit in a condition that minimizes risk.

If applicable, CORE ALTERATIONS and handling of irradiated fuel in the secondary containment must be suspended immediately.

Suspension of these activities shall not preclude completion of movement of a component to a safe position.

SURVEILLANCE SR 3.7.4.1

_ REQUIREMENTS This SR verifies that the heat removal capability of the system is sufficient to remove the control room heat load assumed in the safety analyses. The SR consists of a combination of testing and calculation. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Section 6.4.

2. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.7-23

. (,

Rev. 10 AC Sources - Operating B 3.8.1 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.1 AC Sources - Operating BASES BACKGROUND The unit Class 1E AC Electrical Power Distribution System AC sources consist of two offsite power sources (preferred power sources, normal and alternate), and the onsite standby power sources (diesel generators (DGs) A, B, C and D). A fifth diesel generator, DG E, can be used as a substitute for any one of the four DGs A, 8, C or D. As required by 10 CFR 50, Appendix A, GDC 17 (Ref. 1), the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Class 1E AC distribution system is divided into redundant load groups, so loss of any one group does not prevent the minimum safety functions from being performed. Each load group has connections to two preferred offsite power supplies and a single DG.

The two qualified circuits between the offsite transmission network and the onsite Class 1E AC Electrical Power Distribution System are supported by two independent offsite power sources. A 230 kV line from the Susquehanna T10 230 kV switching station feeds start-up transformer No. 1O; and, a 230 kV tap from the 500-230 kV tie line feeds the startup transformer No. 20. The term "qualified circuits," as used within TS 3.8.1, is synonymous with the term "physically independent."

The two independent offsite power sources are supplied to and are shared by both units. These two electrically and physically separated circuits provide AC power, through startup transformers (ST) No. 1O and ST No. 20, to the four 4.16 kV Engineered Safeguards System (ESS) buses (A, B, C and D) for both Unit 1 and Unit 2. A detailed description of the offsite power network and circuits to the onsite Class 1E ESS buses is found in the FSAR, Section 8.2 (Ref. 2).

An offsite circuit consists of all breakers, transformers, switches, automatic tap changers, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESS bus or buses.

(continued)

SUSQUEHANNA - UNIT 1 3.8-1

Rev. 10 AC Sources - Operating B 3.8.1 BASES BACKGROUND ST No. 10 and ST No. 20 each provide the normal source of power to (continued) two of the four 4.16 kV ESS buses in each Unit and the alternate source of power to the remaining two 4.16 kV ESS buses in each Unit. If any 4.16 kV ESS bus loses power, an automatic transfer from the normal to the alternate occurs after the normal supply breaker trips.

When off-site power is available to the 4.16 kV ESS Buses following a LOCA signal, the required ESS loads will be sequenced onto the 4.16 kV ESS Buses in order to compensate for voltage drops in the onsite power system when starting large ESS motors.

The onsite standby power source for 4.16 kV ESS buses A, B, C and D consists of five DGs. DGs A, B, C and D are dedicated to ESS buses A, B, C and D, respectively. DG E can be used as a substitute for any one of the four DGs (A, B, C or D) to supply the associated ESS bus. Each DG provides standby power to two 4.16 kV ESS buses-one associated with Unit 1 and one associated with Unit 2. The four "required" DGs are those aligned to a 4.16 kV ESS bus to provide onsite standby power for both Unit 1 and Unit 2.

A DG, when aligned to an ESS bus, starts automatically on a loss of coolant accident (LOCA) signal (i.e., low reactor water level signal or high drywell pressure signal) or on an ESS bus degraded voltage or undervoltage signal. After the DG has started, it automatically ties to its respective bus after offsite power is tripped as a consequence of ESS bus undervoltage or degraded voltage, independent of or coincident with a LOCA signal. The DGs also start and operate in the standby mode without tying to the ESS bus on a LOCA signal alone. Following the trip of offsite power, non-permanent loads are stripped from the 4.16 kV ESS Buses. When a DG is tied to the ESS Bus, loads are then sequentially connected to their respective ESS Bus by individual load timers. The individual load timers control the starting permissive signal to motor breakers to prevent overloading the associated DG.

In the event of loss of normal and alternate offsite power supplies, the 4.16 kV ESS buses will shed all loads except the 480 V load centers and the standby diesel generators will connect to the ESS busses.

When a DG is_ tied to its respective ESS bus, loads are then sequentially connected to the ESS bus by individual load timers which control the permissive and starting signals to motor breakers to prevent overloading the DG.

(continued)

SUSQUEHANNA - UNIT 1 3.8-2

Rev. 10 AC Sources - Operating B 3.8.1 BASES BACKGROUND In the event of a loss of normal and alternate offsite power supplies, the (continued) ESS electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (OBA) such as a LOCA.

Certain required plant loads are returned to service in a predetermined sequence in order to prevent overloading of the DGs in the process.

Within 286 seconds after the initiating signal is received, all automatic and permanently connected loads needed to recover the unit or maintain it in a safe condition are returned to service. Ratings for the DGs satisfy the requirements of Regulatory Guide 1.9 (Ref. 3).

DGs A, 8, C and D have the following ratings:

a. 4000 kW-continuous,

b. 4700 kW-2000 hours, DG E has the following ratings:

a. 5000 kW-continuous,

b. 5500 kW-2000 hours.

APPLICABLE The initial conditions of OBA and transient analyses in the FSAR, SAFETY ANALYSES Chapter 6 (Ref. 4) and Chapter 15 (Ref. 5), assume ESF systems are OPERABLE. The AC electrical power sources are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System (RCS), and containment design limits are not exceeded.

These limits are discussed in more detail in the Bases for Section 3.2, Power Distribution Limits; Section 3.4, Reactor Coolant System (RCS);

and Section 3.6, Containment Systems.

The OPERABILITY of the AC electrical power sources is consistent with the initial assumptions of the accident analyses and is b?sed upon meeting the design basis of the unit and supporting safe shutdown of the other unit. This includes maintaining the onsite or offsite AC sources OPERABLE during accident conditions in the event of an assumed loss of all offsite power or all onsite AC power; and a worst case single failure.

AC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 6).

(continued)

SUSQUEHANNA - UNIT 1 3.8-3

Rev. 10 AC Sources - Operating B 3.8.1 BASES LCO Two qualified circuits between the offsite transmission network and the onsite Class 1E Distribution System and four separate and independent DGs (A, B, C and D) ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an*

anticipated operational occurrence (AOO) or a postulated DBA. DG E can be used as a substitute for any one of the four DGs A, B, C or D.

Qualified offsite circuits are those that are described in the FSAR, and are part of the licensing basis for the unit. In addition, the required automatic load timers for each ESF bus shall be OPERABLE.

The Safety Analysis for Unit 2 assumes the OPERABILITY of some equipment that receives power from Unit 1 AC Sources. Therefore, Unit 2 Technical Specifications establish requirements for the OPERABILITY of the DG(s) and qualified offsite circuits needed to support the Unit 1 onsite Class 1E AC electrical power distribution subsystem(s) required by LCO 3.8.7, Distribution Systems-Operating.

Each offsite circuit must be capable of maintaining rated frequency and voltage, and accepting required loads during an accident, while connected to the ESS buses.

One OPERABLE offsite circuit exists when all of the following conditions are met:

1. An energized ST. No. 1Otransformer with the load tap changer (LTC) in automatic operation.

2. The respective circuit path including energized ESS transformers 101 and 111 and feeder breakers capable of supplying three of the four 4.16 kV ESS Buses.

3. Acceptable offsite grid voltage, defined as a voltage that is within the grid voltage requirements established for SSES.

The grid voltage requirements include both a minimum grid voltage and an allowable grid voltage drop during normal operation, and for a predicted voltage for a trip of the unit.

The Regional Transmission Operator (PJM), and/or the Transmission Power System Dispatcher, PPL EU, determine, monitor and report actual and/or contingency voltage (Predicted voltage) violations that occur for the SSES monitored offsite 230kV and 500kV buses.

( continued)

SUSQUEHANNA - UNIT 1 3.8-4

Rev. 10 AC Sources - Operating B 3.8.1 BASES LCO The offsite circuit is inoperable for any actual voltage violation, (continued) or a contingency voltage violation that occurs for a trip of a SSES unit, as reported by the transmission RTO or Transmission Power System Dispatcher.

The offsite circuit is operable for any other predicted grid event (i.e., loss of the most critical transmission line or the largest supply) that does not result from the generator trip of a SSES unit. These conditions do not represent an impact on SSES operation that has been caused by a LOCA and subsequent generator trip. The design basis does not require entry into LCOs for predicted grid conditions that can not result in a LOCA, delayed LOOP.

The other offsite circuit is Operable when all the following conditions are met:

1. An energized ST. No. 20 transformer with the load tap changer (LTC) in automatic operation.

2. The respective circuit path including energized ESS transformers 201 and 211 and feeder breakers capable of supplying three of the four 4.16 kV ESS Buses.

3. Acceptable offsite grid voltage, defined as a voltage that is within the grid voltage requirements established for SSES.

The grid voltage requirements include both a minimum grid voltage and an allowable grid voltage drop during normal operation, and for a predicted voltage for a trip of the unit.

The Regional Transmission Operator (PJM), and/or the Transmission Power System Dispatcher, PPL EU, determine, monitor and report actual and/or contingency voltage (Predicted voltage) violations that occur for the SSES monitored offsite 230kV and 500kV buses.

The offsite circuit is inoperable for any actual voltage violation, or a contingency voltage violation that occurs for a trip of a SSES unit, as reported by the transmission RTO or Transmission Power System Dispatcher.

(continued)

SUSQUEHANNA- UNIT 1 3.8-5

Rev. 10 AC Sources - Operating B 3.8.1 BASES LCO The offsite circuit is operable for any other predicted grid (continued) event (i.e., loss of the most critical transmission line or the largest supply) that does not result from the generator trip of a SSES unit. These conditions do not represent an impact on SSES operation that has been caused by a LOCA and subsequent generator trip. The design basis does not require entry into LCOs for predicted grid conditions that can not result in a LOCA, delayed LOOP.

Both offsite circuits are OPERABLE provided each meets the criteria described above and provided that no 4.16 kV ESS Bus has less than one OPERABLE offsite circuit capable of supplying the required loads. If no OPERABLE offsite circuit is capable of supplying any of the 4.16 kV ESS Buses, one offsite source shall be declared inoperable.

Four of the five DGs are required to be Operable to satisfy the initial assumptions of the accident analyses. Each required DG must be capable of starting, accelerating to rated speed and voltage, and connecting to its respective ESS bus on detection of bus undervoltage after the normal and alternate supply breakers open. This sequence must be accomplished within 1O seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESS buses. These capabilities are required to be met from a variety of initial conditions, such as DG in standby with the engine hot and DG in normal standby conditions. Normal standby conditions for a DG mean that the diesel engine oil is being continuously circulated and engine coolant is circulated as necessary to maintain temperature consistent with manufacturer recommendations. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g.,

capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.

Although not normally aligned as a required DG, DG Eis normally maintained OPERABLE (i.e., Surveillance Testing completed) so that it can be used as a substitute for any one of the four DGs A, B, C or D.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY.

(continued)

SUSQUEHANNA - UNIT 1 3.8-6

Rev. 10 AC Sources - Operating B 3.8.1 BASES LCO The AC sources must be separate and independent (to the extent (continued) possible) of other AC sources. For the DGs, the separation and independence are complete. For the offsite AC sources, the separation and independence are to the extent practical. A circuit may be connected to more than one ESS bus, with automatic transfer capability to the other circuit OPERABLE, and not violate separation criteria. A circuit that is not connected to an ESS bus is required to have OPERABLE automatic transfer interlock mechanisms to each ESS bus to support OPERABILITY of that offsite circuit.

APPLICABILITY The AC sources are required to be OPERABLE in MODES 1, 2, and 3 to ensure that: *

a. Acceptable fuel design limits and reactor coolant pressure boundary limits are not exceeded as a result of AOOs or abnormal transients; and

b. Adequate core cooling is provided and containment OPERABILITY and other vital functions are maintained in the event of a postulated OBA.

The AC power requirements for MODES 4 and 5 are covered in LCO 3.8.2, "AC Sources-Shutdown."

ACTIONS A Note prohibits the application of LCO 3.0.4.b to an inoperable DG.

There is an increased risk associated with entering a MODE or other specified condition in the Applicability with an inoperable DG and the provisions of LCO 3.0.4.b, which allow entry into a MODE or other specified condition in the Applicability with the LCO not met after performance of a risk assessment addressing inoperable systems and components, should not be applied in this circumstance.

The ACTIONS are modified by a Note which allows entry into associated Conditions and Required Actions to be delayed for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months when an OPERABLE diesel generator is placed in an inoperable status for the alignment of diesel generator E to or from the Class 1E distribution system. Use of this allowance requires both offsit~ circuits to be OPERABLE. Entry into the appropriate Conditions and Required Actions shall be made immediately upon the determination that substitution of a required diesel generator will not or can not be completed.

(continued)

SUSQUEHANNA - UNIT 1 3.8-7

Rev. 10 AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

To ensure a highly reliable power source remains with one offsite circuit inoperable, it is necessary to verify the availability of the remaining required offsite circuit on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action not met. However, if a second required circuit fails SR 3.8.1.1, the second offsite circuit is inoperable, and Condition C, for two offsite circuits inoperable, is entered.

Required Action A.2, which only applies if one 4.16 kV ESS bus cannot be powered from any offsite source, is intended to provide assurance that an event with a coincident single failure of the associated DG does not result in a complete loss of safety function of critical systems. These features (e.g., system, subsystem, division, component, or device) are designed to be powered from redundant safety related 4.16 kV ESS buses. Redundant required features failures consist of inoperable features associated with an emergency bus redundant to the emergency bus that has no offsite power. The Completion Time for Required Action A.2 is intended to allow time for the operator to evaluate and repair any discovered inoperabilities. This Completion Time also allows an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action, the Completion Time only begins on discovery that both:

a. A 4.16 kV ESS bus has no offsite power supplying its loads; and

b. A redundant required feature on another 4.16 kV ESS bus is inoperable.

If, at any time during the existence of this Condition (one offsite circuit

. inoperable) a required feature subsequently becomes inoperable, this Completion Time would begin to be tracked.

Discovering no offsite power to one 4.16 kV ESS bus on the onsite Class 1E Power Distribution System coincident with one or more inoperable required support or supported features, or both, that are associated with any other emergency bus that has offsite power, results in starting the Completion Times for the Required Action. Twenty-four hours is acceptable because it minimizes risk while allowing time for restoration before the unit is subjected to transients associated with shutdown.

(continued)

SUSQUEHANNA - UNIT 1 3.8-8

Rev. 10 AC Sources - Operating B 3.8.1 BASES ACTIONS A.2 (continued)

(continued)

The remaining OPERABLE offsite circuits and DGs are adequate to supply electrical power to the onsite Class 1E Distributi.on System. Thus, on a component basis, single failure protection may have been lost for the required feature's function; however, function is not lost. The 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature.

Additionally, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a OBA occurring during this period.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the plant safety systems. In this condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class 1E Distribution System.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a OBA occurring during this period.

The second Completion Time for Required Action A.2 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This situation could lead to a total of 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months , since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 9 days) allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met. *

( continued)

SUSQUEHANNA - UNIT 1 3.8-9

Rev. 10 AC Sources - Operating

. B 3.8.1 BASES ACTIONS A.3 (continued)

(continued)

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This exception results in establishing the "time zero" at the time the LCO was initially not met, instead of at the time that Condition A was entered.

To ensure a highly reliable power source remains with one required DG inoperable, it is necessary to verify the availability of the required offsite circuits on a more frequent basis. Since the Required Action only specifies "perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions must then be entered.

Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety function of critical systems. These features are designed with redundant safety related divisions (i.e., single division systems are not included). Redundant required features failures consist of inoperable features associated with a division redundant to the division that has an inoperable DG.

The Completion Time is intended to allow the operator time to evaluate and repair any discovered inoperabilities. This Completion Time also allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." In this Required Action the Completion Time only begins on discovery that both:

a. An inoperable DG exists; and

b. A required feature powered from another diesel generator (Division 1 or 2) is inoperable.

If, at any time during the existence of this Condition (one required DG inoperable), a required feature subsequently becomes inoperable, this Completion Time begins to be tracked.

(continued)

SUSQUEHANNA - UNIT 1 3.8-10

Rev. 10 AC Sources - Operating B 3.8.1 BASES ACTIONS B.2 (continued)

(continued)

Discovering one required DG inoperable coincident with one or more inoperable required support or supported features, or both, that are associated with the OPERABLE DGs results in starting the Completion Time for the Required Action. Four hours from the discovery of these events existing concurrently is acceptable because it minimizes risk while allowing time for restoration before subjecting the unit to transients associated with shutdown.

The remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. Thus, on a component basis, single failure protection for the required feature's function may have been lost; however, function has not been lost. The 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the component OPERABILITY of the redundant counterpart to the inoperable required feature. Additionally, the 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a OBA occurring during this period.

B.3.1 and 8.3.2 Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be determined that the cause of the inoperable DG does not exist on the OPERABLE DG, SR 3.8.1. 7 does not have to be performed. If the cause of inoperability exists on other DG(s), they are declared inoperable upon discovery, and Condition E of LCO 3.8.1 is entered. Once the failure is repaired, and the common cause failure no longer exists, Required Action 8.3.1 is satisfied. If the cause of the initial inoperable DG cannot be determined not to exist on the remaining DG(s), performance of SR 3.8.1. 7 suffices to provide assurance of continued OPERABILITY of those DGs.

However, the second Completion Time for Required Action B.3.2 allows a performance of SR 3.8.1. 7 completed up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months prior to entering Condition B to be accepted as demonstration that a DG is not inoperable due to a common cause failure.

In the event the inoperable DG is restored to OPERABLE status prior to completing either B.3.1 or 8.3.2, the plant corrective action program will continue to evaluate the common cause possibility. This continued evaluation, however, is no longer under the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months constraint imposed while in Condition B.

(continued)

SUSQUEHANNA - UNIT 1 3.8-11

Rev. 10 AC Sources - Operating B 3.8.1 BASES ACTIONS B.3.1 and B.3.2 (continued)

(continued)

According to Generic Letter 84-15 (Ref. 8), 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is a reasonable time to confirm that the OPERABLE DGs are not affected by the same problem as the inoperable DG.

B.4 According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition B for a period that should not exceed 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . In Condition B, the remaining OPERABLE DGs and offsite circuits are adequate to supply electrical power to the onsite Class 1E Distribution System. The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and low probability of a OBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This situation could lead to a total of 144 hours0.00167 days 0.04 hours 2.380952e-4 weeks 5.4792e-5 months , since initial failure of the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total of 9 days) allowed prior to complete restoration of the LCO. The 6 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and 6 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock."

This exception results in establishing the "time zero" at the time that the LCO was initially not met, instead of the time that Condition B was entered.

(continued)

SUSQUEHANNA - UNIT 1 3.8-12

Rev. 10 AC Sources - Operating B 3.8.1 BASES ACTIONS (continued)

Required Action C.1 addresses actions to be taken in the event of concurrent inoperability of two offsite circuits. The Completion Time for Required Action C.1 is intended to allow the operator time to evaluate and repair any discovered inoperabilities.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition C for a period that should not exceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This level of degradation means that the offsite electrical power system does not have the capability to effect a safe shutdown and to mitigate the effects of an accident; however, the onsite AC sources have not been degraded. This level of degradation generally corresponds to a total loss of the immediately accessible offsite power sources.

Because of the normally high availability of the offsite sources, this level of degradation may appear to be more severe than other combinations of two AC sources inoperable that involve one or more DGs inoperable.

However, two factors tend to decrease the severity of this degradation level:

a. The configuration of the redundant AC electrical power system that remains available is not susceptible to a single bus or switching failure; and

b. The time required to detect and restore an unavailable offsite power source is generally much less than that required to detect and restore an unavailable onsite AC source.

With both of the required offsite circuits inoperable, sufficient onsite AC sources are available to maintain the unit in a safe shutdown condition in the event of a OBA or transient. In fact, a simultaneous loss of offsite AC sources, a LOCA, and a worst case single failure were postulated as a part of the design basis in the safety analysis. Thus, the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months Completion Time provides a period of time to effect restoration of one of the offsite circuits commensurate with the importance of maintaining an AC electrical power system capable of meeting its design criteria.

According to Regulatory Guide 1.93 (Ref. 7), with the available offsite AC sources two less than required by the LCO, operation may continue for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . If two offsite sources are restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unrestricted operation may continue. If only one offsite source is restored within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , power operation continues in accordance with Condition A (continued)

SUSQUEHANNA - UNIT 1 3.8-13

Rev. 10 AC Sources - Operating B 3.8.1.

BASES ACTIONS D.1 and D.2 (continued)

Pursuant to LCO 3.0.6, the Distribution System Actions would not be_

entered even if all AC sources to it were inoperable, resulting in de-energization. Therefore, the Required Actions of Condition D are modified by a Note to indicate that when Condition D is entered with no AC source to any ESS bus, Actions for LCO 3.8.7, "Distribution Systems-Operating," must be immediately entered. This allows Condition D to provide requirements for the loss of the offsite circuit and one DG without regard to whether a division is de-energized. LCO 3.8.7 provides the appropriate restrictions for a de-energized bus.

According to Regulatory Guide 1.93 (Ref. 7), operation may continue in Condition D for a period that should not exceed 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . In Condition D, individual redundancy is lost in both the offsite electrical power system and the onsite AC electrical power system. Since power system redundancy is provided by two diverse sources of power, however, the reliability of the power systems in this Condition may appear higher than that in Condition C (loss of both required offsite circuits). This difference in reliability is offset by the susceptibility of this power system configuration to a single bus or switching failure. The 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

Completion Time takes into account the capacity and capability of the remaining AC sources, reasonable time for repairs, and the low probability of a OBA occurring during this period.

With two or more DGs inoperable and an assumed loss of offsite electrical power, insufficient standby AC sources are available to power the minimum required ESF functions. Since the offsite electrical power system is the only source of AC power for the majority of ESF equipment at this level of degradation, the risk associated with continued operation for a very short time could be less than that associated with an immediate controlled shutdown. (The immediate shutdown could cause grid instability, which co_uld result in a total loss of AC power.) Since any inadvertent unit generator trip could also result in a total loss of offsite AC power, however, the time allowed for continued operation is severely restricted. The intent here is to avoid the risk associated with an immediate controlled shutdown and to minimize the risk associated with this level of degradation.

(continued)

SUSQUEHANNA - UNIT 1 3.8-14

Rev. 10 AC Sources - Operating B 3.8.1 BASES ACTIONS E.1 (continued)

(continued)

According to Regulatory Guide 1.93 (Ref. 7), with two or more DGs inoperable, operation may continue for a period that should not exceed 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

0 F.1 and F.2 If the inoperable AC electrical power sources cannot be restored to OPERABLE status within the associated Completion Time, the unit must be brought to a MODE in which the LCO does not apply. To achieve this status, the unit must be brought to at least MODE 3 within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months and to MODE 4 within 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

Condition G corresponds to a level of degradation in which all redundancy in the AC electrical power supplies has been lost. At this severely degraded level, any further losses in the AC electrical power system will cause a loss of function. Therefore, no additional time is justified for continued operation. The unit is required by LCO 3.0.3 to commence a controlled shutdown.

SURVEILLANCE The AC sources are designed to permit inspection and testing of all REQUIREMENTS important areas and features, especially those that have a standby function, in accordance with 10 CFR 50, GDC 18 (Ref. 9). Periodic component tests are supplemented by extensive functional tests during refueling outages (under simulated accident conditions). The SRs for demonstrating the OPERABILITY of the DGs are in accordance with the recommendations of Regulatory Guide 1.9 (Ref. 3), and Regulatory Guide 1.137 (Ref. 11), as addressed in the FSAR.

The Safety Analysis for Unit 2 assumes the OPERABILITY of some equipment that receives power from Unit 1 AC Sources. Therefore, Surveillance requirements are established for the Unit 1 onsite Class 1E AC electrical power distribution subsystem(s) required to support Unit 2 by LCO 3.8.7, Distribution Systems-Operating. The Unit 1 SRs required to support Unit 2 are identified in the Unit 2 Technical Specifications.

(continued)

SUSQUEHANNA - UNIT 1 3.8-15

Rev. 10 AC Sources - Operating

. B 3.8.1 BASES SURVEILLANCE Where the SRs discussed herein specify voltage and frequency REQUIREMENTS toleran~es, the following summary is applicable. The minimum (continued) steady state output voltage of 4000 V represents the value that will allow the degraded voltage relays to reset after actuation. This value is based on the upper value of the degraded voltage relay reset voltage of 3938 V, representing 94.68% of 4160 V, plus the worst-case voltage drop from the DG to an associated 4.16 kV switchgear bus. The specified maximum steady state output voltage of 4400 V is equal to the maximum operating voltage specified for 4000 V. It ensures that for a lightly loaded distribution system, the voltage at the terminals of 4000 V motors is no more than the maximum rated operating voltages.

The minimum frequency value is derived from the recommendations found in Regulatory Guide 1.9 (Ref. 3). The allowable steady state frequency for all DGs is 60 HZ +/-2%. DG E is also required to maintain a frequency of not less than 57 Hz during transient conditions.

To provide additional margin for DG E to meet the 57 Hz criteria, the 2%

margin allowed for steady state frequency is further reduced to 1%, or 0.6 Hz. This value, added to the tolerance allowed for the DG's electronic governor (0.1 Hz) provides the 59.3 Hz minimum frequency value applicable for alrDGs.

The maximum frequency is derived from analysis based on an iterative approach using voltage and frequency variations of the DG to determine the maximum continuous loading on the DG such that the DG loading does not exceed its continuous rating and still performs its design function. Through a qualitative estimation and a dynamic transient simulation, the maximum frequency meeting the iterative approach is 60.5 Hz.

The Surveillance Table has been modified by a Note, to clarify the testing requirements associated with DG E. The Note is necessary to define the intent of the Surveillance Requirements associated with the integration of DG E. Specifically, the Note defines that a DG is only considered OPERABLE and required when it is aligned to the Class 1E distribution

system. For example, if DG A does not meet the requirements of a specific SR, but DG E is substituted for DG A and aligned to the Class 1E distribution system, DG E is required to be OPERABLE to satisfy the LCO requirement of 4 DGs and DG A is not required to be OPERABLE because it is not aligned to the Class 1E distribution system. This is acceptable because only 4 DGs are assumed in the event analysis.

(continued)

SUSQUEHANNA - UNIT 1 3.8-16

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE Furthermore, the Note identifies when the Surveillance Requirements, as REQUIREMENTS modified by SR Notes, have been met and performed, DG E can be (continued) substituted for any other [?G and declared OPERABLE after performance of two SRs which verify switch alignment. This is acceptable because the testing regimen defined in the Surveillance Requirement Table ensures DG E is fully capable of performing all DG requirements.

SR 3.8.1.1 This SR ensures proper circuit continuity for the offsite AC electrical power supply to the onsite distribution network and availability of offsite AC electrical power. The breaker alignment verifies that each breaker is in its correct position to ensure that distribution buses and loads are connected to an Operable offsite power source and that appropriate independence of offsite circuits is maintained. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.2 Not Used.

SR 3.8.1.3 This Surveillance verifies that the DGs are capable of synchronizing and accepting greater than or equal to the equivalent of the maximum expected accident loads. A minimum run time of 60 minutes is required to stabilize engine temperatures, while minimizing the time that the DG is connected to the offsite source.

Although no power factor requirements are established by this SR, the DG is normally operated at a power factor between 0.8 lagging and 1.0.

The 0.8 value is the design rating of the machine, while 1.0 is an operational limitation to ensure circulating currents are minimized. The load band is provided to avoid routine overloading of the DG. Routine overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

Note 1 modifies this Surveillance to indicate that diesel engine runs for this Surveillance may include gradual loading, as recommended by the Cooper Bessemer Service Bulletin 728, so that mechanical stress and wear on the diesel engine are minimized.

(continued)

SUSQUEHANNA - UNIT 1 3.8-17

Rev. 10 AC Sources - Operating 8 3.8.1 BASES SURVEILLANCE SR 3.8.1.3 (continued)

REQUIREMENTS (continued) Note 2 modifies this Surveillance by stating that momentary transients because of changing bus loads do not invalidate this test. Similarly, momentary power factor transients do not invalidate the test.

Note 3 indicates that this Surveillance should be conducted on only one DG at a time in order to avoid common cause failures that might result from offsite circuit or grid perturbations.

Note 4 stipulates a prerequisite requirement for performance of this SR.

A successful DG start must precede this test to credit satisfactory performance.

Note 5 provides the allowance that DG E, when not aligned as substitute for DG A, B, C and D but being maintained available, may use the test facility to satisfy loading requirements in lieu of synchronization with an ESS bus.

Note 6 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units, with the DG synchronized to the 4.16 kV ESS bus of Unit 1 for one periodic test and synchronized to the 4.16 kV ESS bus of Unit 2 during the next periodic test. This is acceptable because the purpose of the test is to demonstrate the ability of the DG to operate at its continuous rating (with the exception of DG E which is only required to be tested at the continuous rating of DGs A through D) and this attribute is tested at the required Frequency. Each unit's circuit breakers and breaker control circuitry, which are only being tested every second test (due to the staggering of the tests), historically have a very low failure rate. If a DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit. In addition, if the test is scheduled to be performed on the other Unit, and the other Unit's TS allowance that provides an exception to performing the test is used (i.e., the Note to SR 3.8.2.1 for the other Unit provides an exception to performing this test when the other Unit is in MODE 4 or 5, or moving irradiated fuel assemblies in the secondary containment), or it is not possible to perform the test due to equipment availabililty, then the test shall be performed synchronized to this Unit's 4.16 kV ESS bus. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.8-18

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.4 REQUIREMENTS (continued) This SR verifies the level of fuel oil in the engine mounted day tank is at or above the level at which fuel oil is automatically added. The level is expressed as an equivalent volume in gallons, and is selected to ensure adequate fuel oil for a minimum of 55 minutes of DG A-D and 62 minutes of DG E operation at DG continuous rated load conditions.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.5 Microbiological fouling is a major cause of fuel oil degradation. There are numerous bacteria that can grow in fuel oil and cause fouling, but all must have a water environment in order to survive. Removal of water from the engine mounted day tanks eliminates the necessary environment for bacterial survival. This is the most effective means of controlling microbiological fouling. In addition, it eliminates the potential for water entrainment in the fuel oil during DG operation. Water may come from any of several sources, including condensation, ground water, rain water, contaminated fuel oil, and breakdown of the fuel oil by bacteria. Frequent checking for and removal of accumulated water minimizes fouling and provides data regarding the watertight integrity of the fuel oil system. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.6 This Surveillance demonstrates that each required fuel oil transfer pump operates and transfers fuel oil from its associated storage tank to its associated day tank. It is required to support continuous operation of standby power sources. This Surveillance provides assurance that the fuel oil transfer pump is OPERABLE, the fuel oil piping system is intact, the fuel delivery piping is not obstructed, and the controls and control systems for automatic fuel transfer systems are OPERABLE.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.8-19

Rev. 10*

AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.7 REQUIREMENTS (continued) This SR helps to ensure the availability of the standby electrical power supply to mitigate DBAs and transients and maintain the unit in a safe shutdown condition.

To minimize the wear on moving parts that do not get lubricated when the engine is not running, this SR has been modified by Note 1 to indicate that all DG starts fqr these Surveillances may be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DGs turbo charger is sufficiently prelubicated to prevent undo wear and tear).

For the purposes of this testing, the DGs are started from standby conditions. Standby conditions for a DG mean that the diesel engine oil is being continuously circulated and diesel engine coolant is being circulated as necessary to maintain temperature consistent with manufacturer recommendations. The DG starts from standby conditions and achieves the minimum required voltage and frequency within 1O seconds and maintains the required voltage and frequency when steady state conditions are reached. The 1O second start requirement supports the assumptions in the design basis LOCA analysis of FSAR, Section 6.3 (Ref. 12).

To minimize testing of the DGs, Note 2 allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to one unit.

The time for theDG to reach steady state operation is periodically monitored and the trend evaluated to identify degradation.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.8 Transfer of each 4.16 kV ESS bus power supply from the normal offsite circuit to the alternate offsite circuit demonstrates the OPERABILITY of the alternate circuit distribution network to power the shutdown loads.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

( continued)

SUSQUEHANNA - UNIT 1 3.8-20

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.8 (continued)

REQUIREMENTS (continued) This SR is modified by a Note. The reason for the Note is that, during operation with the reactor critical, performance of the autom_atic transfer of the unit power supply could cause perturbations to the electrical distribution systems that could challenge continued steady state operation and, as a result, plant safety systems. The manual transfer of unit power supply should not result in any perturbation to the electrical distribution system, therefore, no mode restriction is specified. This Surveillance tests the applicable logic associated with Unit 1.

The-comparable test specified in Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1 or 2 does not have applicability to Unit 2. The NOTE only applies to Unit 1, thus the Unit 1 Surveillance shall not be* performed with Unit 1 in MODE 1 or 2.

SR 3.8.1.9 Each DG is provided with an engine overspeed trip to prevent damage to the engine. Recovery from the transient caused by the loss of a large load could cause diesel engine overspeed, which, if excessive, might result in a trip of the engine. This Surveillance demonstrates the DG load respon$e characteristics and capability to reject the largest single load without exceeding predetermined voltage and frequency and while maintaining a specified margin to the overspeed trip. The largest single load for each DG is a residual heat removal (RHR) pump (1425 kW).

This Surveillance may be accomplished by:

a. Tripping the DG output breaker with the DG carrying greater than or equal to its associated single largest post-accident load while-paralleled to offsite power, or while solely supplying the bus; or

b. Tripping its associated single largest post-accident load with the DG solely supplying the bus.

As recommended by Regulatory Guide 1.9 (Ref. 3), the load rejection test is acceptable if the increase in diesel speed does not exceed 75% of the difference between synchronous speed and the overspeed trip setpoint, or 15% above synchronous speed, whichever is lower. For DGs A, B, C, D and E, this represents 64.5 Hz, equivalent to 75% of the difference between nominal speed and the overspeed trip setpoint.

(continued)

SUSQUEHANNA - UNIT 1 3.8-21

Rev. 10 AC Sources - Operating 8 3.8.1 BASES SURVEILLANCE SR 3.8.1.9 (continued)

REQUIREMENTS (continued) The time, voltage, and frequency tolerances specified in this SR are derived from Regulatory Guide 1.9 (Ref. 3) recommendations for response during load sequence intervals. The 4.5 seconds specified is equal to 60% of the 7.5 second load sequence interval between loading of the RHR and core spray pumps during an undervoltage on the bus concurrent with a LOCA. The 6 seconds specified is equal to 80% of that load sequence interval. The voltage and frequency specified are consistent with the design range of the equipment powered by the DG.

SR 3.8.1.9.a corresponds to the maximum frequency excursion, while SR 3.8.1.9.b and SR 3.8.1.9.c specify the steady state voltage and frequency values to which the system must recover following load rejection. -

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

To minimize testing of the DGs, a Note allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.10 This Surveillance demonstrates the DG capability to reject a full load without overspeed tripping or exceeding the predetermined voltage limits.

The DG full load rejection may occur because of a system fault or inadvertent breaker tripping_ This Surveillance ensures proper engine generator load response under the simulated test conditions. This test simulates the loss of the total connected load that the DG experiences following a full load rejection and verifies that the DG does not trip upon loss of the load. These acceptance criteria provide DG damage protection. While the DG is not expected to experience this transient during an event, and continues to be available, this response ensures that the DG is not degraded for future application, including reconnection to the bus if the trip initiator can be corrected or isolated.

(continued)

SUSQUEHANNA- UNIT 1 3.8-22

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.10 (continued)

REQUIREMENTS (continued) To minimize testing of the DGs, a Note allows a single test to satisfy the requirem;nts for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

SR 3.8.1.11 As required by Regulatory Guide 1.9 (Ref. 3), this Surveillance demonstrates the as designed operation of the standby power sources during loss of the offsite source. This test verifies all actions encountered from the loss of offsite power, including shedding of the nonessential loads and _energization of the ESS buses and respective 4.16kV loads from the DG. It further demonstrates the capability of the DG to automatically achieve and maintain the required voltage and frequency within the specified time.

The DG auto-start time of 1O seconds is derived from requirements of the licensed accident analysis for responding to a design basis large break LOCA. The Surveillance should be continued for a minimum of 5 minutes in order to demonstrate that all starting transients have decayed and stability has been achieved.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated). For the purpose of this testing, the DGs shall be started from standby conditions that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

(continued)

SUSQUEHANNA - UNIT 1 3.8-23

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS (continued) ' This SR is also modified by Note 2. The Note specifies when this SR is required to be performed for the DGs and the 4.16 kV ESS Buses.

The Note is necessary because this SR involves an integrated test between the DGs and the 4.16 kV ESS. Buses and the need for the testing regimen to include DG E being tested (substituted for all DGs for both* Units) with all 4.16 kV ESS Buses. To ensure the necessary testing is performed, two rotational testing regimens have been established; one for components that are required to be tested every 24 months and one for components that have had their test frequency extended to 48 months in accordance with the Surveillance Frequency Control Program. The two rotational testing regimens are given below:

24 Month Testing Regimen UNIT IN OUTAGE DIESEL E SUBSTITUTED FOR 2 DG E not tested 1 Diesel Generator D 2 Diesel Generator A 1 DG E not tested 2 Diesel Generator B 1 Diesel Generator A 2 Diesel Generator C 1 Diesel Generator B 2 Diesel Generator D 1 Diesel Generator C (continued)

SUSQUEHANNA - UNIT 1 3.8-24

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS (continued) 48 Month Testing Regimen UNIT IN OUTAGE DIESEL E SUBSTITUTED FOR 2 DG E not tested 1 Diesel Generator A 2 DG E not tested 1 DG E not tested 2 Diesel Generator B 1 Diesel Generator C 2 DG E not tested 1 DG E not tested 2 Diesel Generator D 1 DG E not tested 2 DG E not tested 1 Diesel Generator B 2 DG E not tested 1 DG E not tested 2 Diesel Generator A 1 Diesel Generator D 2 DG E not tested 1 DG E not tested 2 Diesel Generator C 1 DG E not tested The specified rotational testing regimens can be altered to facilitate unanticipated events which render the testing regimens impractical to implement, but any alternative testing regimen must provide an equivalent level of testing. This SR does not have to be performed with the normally aligned DG when the associated 4.16 kV ESS bus is tested using DG E and DG E does not need to be tested when not substituted or aligned to the Class 1E distribution system. The allowances specified in the Note are acceptable because the tested attributes of each of the five DGs and each unit's four 4.16 kV ESS buses are verified at the specified Frequency (i.e., each DG and each 4.16 kV ESS bus is tested at a frequency controlled under the Surveillance Frequency Control Program). The testing allowances do (continued)

SUSQUEHANNA - UNIT 1 3.8-25

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.11 (continued)

REQUIREMENTS (continued) result irt some circuit pathways which do not need to change state (i.e.,

cabling) not being tested at the frequency established in accordance with the Surveillance Frequency Control Program. This is acceptable because these components are not required to change state to perform their safety function and when substituted--normal operation of DG E will ensure continuity of most of the cabling not tested.

The reason for Note 3 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 1. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for ndt performing the test while the unit is in MODE 1, 2, or 3 does not have applicability to Unit 2. The Note only applies to Unit 1, thus the Unit 1 Surveillances shall not be performed with Unit 1 in MODES 1, 2 or 3.

SR 3.8.1.12 This Surveillance demonstrates that the DG automatically starts and achieves the required voltage and frequency within the specified time (10 seconds) from the design basis actuation signal (LOCA signal) and operates for;:::: 5 minutes. The 5 minute period provides sufficient time to demonst.rate stability. SR 3.8.1.12.d and SR 3.8.1.12.e ensure that permanently connected loads and emergency loads are energized from the offsite electrical power _system on a LOCA signal without loss of offsite power.

The requirement to verify the connection and power supply of permanent and autoconnected loads is intended to satisfactorily show the relationship of these loads to the loading logic for loading onto offsite power. In certain circumstances, many of these loads cannot actually be connected or loaded without undue hardship or potential for undesired operation. For instance, ECCS injection valves are not desired to be stroked open, high pressure injection systems are not capable of being operated at full flow, or RHR systems performing a decay heat removal function are not desired to be realigned to the ECCS mode of operation.

In lieu of actual demonstration of the connection and loading of these (continued)

SUSQUEHANNA - UNIT 1 3.8-26

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.12 (continued)

REQUIREMENTS (continued) loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. SR 3.8.1.12.a through SR 3.8.1.12.d are performed with the DG running. SR 3.8.1.12.e can be performed when the DG is not running.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing. Note 1 allows all DG starts to be preceded by an engine prelube period (which for DG A through D includes* operation of the lube oil system to ensure the DG's turbo-charger is sufficiently prelubricated). For the purpose of this testing, the DGs must be started from standby conditions that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

The reason for Note 2 is to allow DG E, when not aligned as substitute for DG A, B, C or D to use the test facility to satisfy loading requirements in lieu of aligning with the Class 1E distribution system. When tested in this configuration, DG E satisfies the requirements of this test by completion of SR 3.8.1.12.a, b and c only. SR 3.8.1.12.d and 3.8.1.12.e may be performed by any DG aligned with the Class 1E distribution system or by any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified.

SR 3.8.1.13 This Surveillance demonstrates that DG non-critical protective functions (e.g., high jacket water temperature) are bypassed on an ECCS initiation test signal. The non-critical trips are bypassed during DBAs and provide an alarm on an abnormal engine condition. This alarm provides the operator with sufficient time to react appropriately. The DG availability to mitigate the OBA is more critical than protecting the engine against minor problems'that are not immediately detrimental to emergency operation of the DG.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 3.8-27

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.13 (continued)

REQUIREMENTS

( continued) The SR is modified by two Notes. To minimize testing of the DGs, Note 1 to SR 3.8.1.13 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units. This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

Note 2 provides the allowance that DG E, when not aligned as a substitute for DG A, B, C, and D but being maintained available, may use a simulated ECCS initiation signal.

SR 3.8.1.14 Regulatory Guide 1.9 (Ref. 3), requires demonstration that the DGs can start and run continuously at full load capability for an interval of not less than 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months s-22 hours of which is at a load equivalent to 90% to 100%

of the continuous rating of the DG, and 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of which is at a load equivalent to 105% to 110% of the continuous duty rating of the DG.

SSES has taken exception to this requirement and performs the two hour run at the 2000 hour0.0231 days 0.556 hours 0.00331 weeks 7.61e-4 months rating for each DG. The requirement to perform the two hour overload test can be performed in any order provided it is performed during a single continuous time period.

The DG starts for this Surveillance can be performed either from standby or hot conditions. The provisions for prelube discussed in SR 3.8.1.7, and for gradual loading, discussed in SR 3.8.1.3, are applicable to this SR.

A load band is provided to avoid routine overloading of the DG. Routine

overloading may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This Surveillance has been modified by four Notes. Note 1 states that momentary transients due to changing bus loads do n~t invalidate this test.

(continued)

SUSQUEHANNA - UNIT 1 3.8-28

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.14 (continued)

REQUIREMENTS (continued) To minimize testing of the DGs, Note 2 allows a single test (instead of two tests, one for each unit) to satisfy the requirements for both units.

This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

Note 3 stipulates that DG E, when not aligned as substitute for DG A, B, C or D but being maintained available, may use the test facility to satisfy the specified loading requirements in lieu of synchronization with an ESS bus.

SR 3.8.1.15 This Surveillance demonstrates that the diesel engine can restart from a hot condition, such as subsequent to shutdown from full load temperatures, and achieve the required voltage and frequency within 10 seconds. The 10 second time is derived from the requirements of the accident analysis to respond to a design basis large break LOCA.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by three Notes. Note 1 ensures that the test is performed with the diesel sufficiently hot. The requirement that the diesel has operated for at least 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months at full load conditions prior to performance of this Surveillance is based on manufacturer recommendations for achieving hot conditions. The load band is

provided to avoid routine overloading of the DG. Routine overloads may result in more frequent teardown inspections in accordance with vendor recommendations in order to maintain DG OPERABILITY. Momentary transients due to changing bus loads do not invalidate this test.

Note. 2 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DGs turbo charger is sufficiently prelubricated) to minimize wear and tear on the diesel during testing.

(continued)

SUSQUEHANNA - UNIT 1 3.8-29

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.15 ( continued)

REQUIREMENTS (continued) To minimize testing of the DGs, Note 3 allows a single test to satisfy the requirements for both units (instead of two tests, one for each unit). This is acceptable because this test is intended to demonstrate attributes of the DG that are not associated with either Unit. If the DG fails this Surveillance, the DG should be considered inoperable for both units, unless the cause of the failure can be directly related to only one unit.

SR 3.8.1.16 As required by Regulatory Guide 1.9 (Ref. 3), this Surveillance ensures that the manual synchronization and automatic load transfer from the DG to the offsite source can be made and that the DG can be returned to ready-to-load status when offsite power is restored. It also ensures that the auto-start logic is reset to allow the DG to reload if a subsequent loss of offsite power occurs. The DG is considered to be in ready-to-load status when the DG is at rated speed and voltage, the DG controls are in isochronous and the output breaker is open.

In order to meet his Surveillance Requirement, the Operators must have the capability to manually transfer loads from the D/Gs to the offsite sources. Therefore, in order to accomplish this transfer and meet this Surveillance Requirement, the synchronizing selector switch must be functional. (see ACT-1723538).

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a note to accommodate the testing regimen necessary for DG E. See SR 3.8.1.11 for the Bases of the Note.

SR 3.8.1.17 Demonstration of the test mode override ensures that the DG availability under accident conditions is not compromised as the result of testing.

Interlocks to the LOCA sensing circuits cause the DG to automatically reset to ready-to-load operation if an ECCS initiation signal is received during operation in the test mode. Ready-to-load operation is defined as the DG running at rated speed and voltage, the DG controls in isochronous and the DG output breaker open. These provisions for automatic switchover are required by IEEE-308 (Ref. 10),

paragraph 6.2.6(2).

(continued)

SUSQUEHANNA - UNIT 1 3.8-30

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.17 (continued)

REQUIREMENTS (continued) The requirement to automatically energize the emergency loads with offsite power is essentially identical to that of SR 3.8.1.12. The intent in the requirements associated with SR 3.8.1.17.b is to show that the emergency ioading is not affected by the DG operation in test mode. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the emergency loads to perform these functions is acceptable. This test is performed by verifying that after the DG is tripped, the offsite source originally in parallel with the DG, remains connected to the affected 4.16 kV ESS Bus. SR 3.8.1.12 is performed separately to verify the proper offsite loading sequence.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by a note to accommodate the testing regimen necessary for DG E. See SR 3.8.1.11 for the Bases of the Note.

SR 3.8.1.18 Under accident conditions, loads are sequentially connected to the bus by individual load timers which control the permissive and starting signals to motor breakers to prevent overloading of the AC Sources due to high motor starting currents. The load sequence time interval tolerance ensures that sufficient time exists for the AC Source to restore frequency and voltage prior to applying the next load and that safety analysis assumptions regarding ESF equipment time delays are not violated.

Reference 2 provides a summary of the automatic loading of ESS buses.

A list of the required timers and the associated setpoints are included in the Bases as Table B 3.8.1-1, Unit 1 and Unit 2 Load Timers. Failure of a timer identified as an offsite power timer may result in both offsite sources being inoperable. Failure of any other timer may result in the associated DG being inoperable. A timer is considered failed for this SR if it will not ensure that the associated load will energize within the Allowable Value in Table B 3.8.1-1. These conditions will require entry into applicable Conditions of this specification. With a load timer inoperable, .the load can be rendered inoperable to restore OPERABILITY to the associated AC sources. In this condition, the Condition and Required Actions of the associated specification shall be entered for the equipment rendered inoperable.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

(continued)

SUSQUEHANNA - UNIT 1 . 3.8-31

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.18 (continued)

REQUIREMENTS (continued) This SR is modified by a Note that specifies that load timers associated with equipment that has automatic initiation capability disabled are not required to be Operable. This is acceptable because if the load does not start automatically, the adverse effects of an improper loading sequence are eliminated. Furthermore, load timers are associated with individual timers such that a single timer only affects a single load.

SR 3.8.1.19 In the event of a OBA coincident with a loss of offsite power, the DGs are required to supply the necessary power to ESF systems so that the fuel, RCS, and containment design limits are not exceeded.

This Surveillance demonstrates DG operation, as discussed in the Bases for SR 3.8.1.11, during a loss of offsite power actuation test signal in conjunction with an ECCS initiation signal. In lieu of actual demonstration of connection and loading of loads, testing that adequately shows the capability of the DG system to perform these functions is acceptable. This testing may include any series of sequential, overlapping, or total steps so that the entire connection and loading sequence is verified. To simulate the non-LOCA unit 4.16 kV ESS Bus loads on the DG, bounding loads are energized on the tested 4.16 kV ESS Bus after all auto connected energizing loads are energized.

The Surveillance Frequency is controlled under the Surveillance Frequency Control Program. This SR is modified by three Notes. The reason for Note 1 is to minimize wear and tear on the DGs during testing.

Note 1 allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated.) For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine oil being continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

(continued)

SUSQUEHANNA - UNIT 1 3.8-32

Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.19 (continued)

REQUIREMENTS (continued) Note 2 is necessary to accommodate the testing regimen associated with DG E. See SR 3.8.1.11 for the Bases of the Note.

The reason for Note 3 is that performing the Surveillance would remove a required offsite circuit from service, perturb the electrical distribution system, and challenge safety systems. This Surveillance tests the applicable logic associated with Unit 1. The comparable test specified in the Unit 2 Technical Specifications tests the applicable logic associated with Unit 2. Consequently, a test must be performed within the specified Frequency for each unit. As the Surveillance represents separate tests, the Note specifying the restriction for not performing the test while the unit is in MODE 1, 2 or 3 does not have applicability to Unit 2. The Note only applies to Unit 1, thus the Unit 1 Surveillances shall not be performed with Unit 1 in MODE 1, 2 or 3.

SR 3.8.1.20 This Surveillance demonstrates that the DG starting independence has not been compromised. Also, this Surveillance demonstrates that each engine can achieve proper speed within the specified time when the DGs are started simultaneously. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

This SR is modified by two Notes. The reason for Note 1 is to minimize wear on the DG during testing. The Note allows all DG starts to be preceded by an engine prelube period (which for DGs A through D includes operation of the lube oil system to ensure the DG's turbo charger is sufficiently prelubricated). For the purpose of this testing, the DGs must be started from standby conditions, that is, with the engine oil continuously circulated and engine coolant being circulated as necessary to maintain temperature consistent with manufacturer recommendations.

Note 2 is necessary to identify that this test does not have to be performed with DG E substituted for any DG. The allowance is acceptable based on the design of the DG E transfer switches. The transfer of control, protection, indication, and alarms is by switches at two separate locations. These switches provide a double break between DG E and the redundant system within the transfer switch panel. The transfer of power is through circuit breakers at two separate locations for each redundant system. There are four (continued)

SUSQUEHANNA - UNIT 1 3.8-33

0 Rev. 10 AC Sources - Operating B 3.8.1 BASES SURVEILLANCE SR 3.8.1.20 (continued)

REQUIREMENTS (continued) normally empty switch gear positions at DG E facility, associated with each of the four existing DGs. Only one circuit breaker is available at this location to be inserted into one of the four positions. At each of the existing DGs, there are two switchgear positions with only one circuit breaker available. This design provides two open circuits between redundant power sources. Therefore, based on the described design, it can be concluded that DG redundancy and independence is maintained regardless of whether DG E is substituted for any other DG.

REFERENCES 1. 10 CFR 50, Appendix A, GDC 17.

2. FSAR, Section 8.2.

3. Regulatory Guide 1.9.

4. FSAR, Chapter 6.

5. FSAR, Chapter 15.

6. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

7. Regulatory Guide 1.93.

8. Generic Letter 84-15.

9. 10 CFR 50, Appendix A, GDC 18.

10. IEEE Standard 308. '-

11. Regulatory Guide 1.137.

12. FSAR, Section 6.3.

13. ASME Boiler and Pressure Vessel Code, Section XI.

SUSQUEHANNA - UNIT 1 3.8-34

Rev. 10 AC Sources - Operating B 3.8.1 TABLE B 3.8.1-1 (page 1 of 2)

UNIT 1 AND UNIT 2 LOAD TIMERS NOMINAL DEVICE SETTING ALLOWABLE VALUE TAG NO. SYSTEM LOADING TIMER LOCATION (seconds) (seconds) 62A-20102 RHR Pumo 1A 1A201 3 > 2.7 and< 3.6 62A-20202 RHR Pump 18 1A202 3 ;o: 2.7 and:;; 3.6 62A-20302 RHR Pump 1C 1A203 3 ;o: 2.7 and:;; 3.6 62A-20402 RHR Pumo 10 1A204 3 > 2.7 and:;; 3.6 62A-20102 RHR Pump2A 2A201 3 ;o: 2.7 and:;; 3.6 62A-20202 RHR Pump28 2A202 3 > 2.7 and < 3.6 62A-20302 RHR Pumo2C 2A203 3 > 2.7 and:;; 3.6 62A-20402 RHR Pump20 2A204 3 ;o: 2.7 and:;; 3.6 E11A-K2028 RHR Pump 1C (Offsite Power Timer) 1C618 7.0 ;o: 6.5 and:;; 7.5 E11A-K120A RHR Pump 1C (Offsite Power Timer) 1C617 7.0 > 6.5 and:;; 7.5 E11A-K1208 RHR Pump 1O (Offsite Power Timer) 1C618 7.0 ;o: 6.5 and:;; 7.5 E11A-K202A RHR Pump 10 (Offsite Power Timer) 1C617 7.0 ;o: 6.5 and :;; 7.5 E11A-K120A RHR Pump 2C /Offsite Power Timer) 2C617 7.0 ;o: 6.5 and < 7.5 E11A-K2028 RHR Pump 2C (Offsite Power Timer) 2C618 7.0 ;o: 6.5 and :;; 7.5 E11A-K1208 RHR Pump 20 (Offsite Power Timer) 2C618 7.0 ;o: 6.5 and:;; 7.5 E11A-K202A RHR Pump 20 /Offsite Power Timer) 2C617 7.0 > 6.5 and:;; 7.5 E21A-K116A CS Pump 1A 1C626 10.5 ;o: 9.4 and:;; 11.6 E21A-K1168 CS Pump 18 1C627 10.5 > 9.4 and < 11.6 E21A-K125A CS Pump 1C 1C626 10.5 > 9.4 and :;; 11.6 E21A-K1258 CS Pump 10 1C627 10.5 ;o: 9.4 and:;; 11.6 E21A-K116A CS PumP2A 2C626 10.5 > 9.4 and:;; 11.6 E21A-K1168 CS Pump28 2C627 10.5 ;o: 9.4 and:;; 11.6 E21A-K125A CS Pump2C 2C626 10.5 > 9.4 and< 11.6 E21A-K1258 CS Pump20 2C627 10.5 ;o: 9.4 and:;; 11.6 E21A-K16A CS Pump 1A (Offsite Power Timer) 1C626 15 ;o: 14.0 and:;; 16.0 E21A-K168 CS Pump 18 /Offsite Power Timer) 1C627 15 > 14.0 and< 16.0 E21A-K25A CS Pump 1C (Offsite Power Timer) 1C626 15 ;o: 14.0 and:;; 16.0 E21A-K258 CS Pump 1O (Offsite Power Timer) 1C627 15 ;o: 14.0 and:;; 16.0 E21A-K16A CS Pump 2A /Offsite Power Timer) 2C626 15 > 14.0 and:;; 16.0 E21A-K168 CS Pump 28 (Offsite Power Timer) 2C627 15 ;o: 14.0 and:;; 16.0 E21A-K25A CS Pump 2C (Offsite Power Timer) 2C626 15 > 14.0 and< 16.0 E21A-K258 CS Pump 20 /Offsite Power Timer) 2C627 15 > 14.0 and:;; 16.0 62AX2-20108 Emeraencv Service Water 1A201 40 ;o:36and:;;44 62AX2-20208 Emeraency Service Water 1A202 40 ;o: 36 and:;; 44 62AX2-20303 Emeraencv Service Water 1A203 44 > 39.6 and < 48.4 62AX2-20403 Emeraencv Service Water 1A204 48 ;o: 43.2 and :;; 52.8 62X3-20404 Control Structure Chilled Water System OC8778 60 ;o: 54 62X3-20304 Control Structure Chilled Water Svstem OC877A 60 >54 62X-20104 Emergrmcy Switchgear Rm Cooler A &

RHR SW Pump H&V Fan A OC877A . 60 ;o:54 Emergency Switchgear Rm Cooler 8 &

62X-20204 OC8778 60 ;o: 54 RHR SW Pump H&V Fan 8 62X-5653A OG Room Exhaust Fan E3 08565 60 >54 62X-5652A OG Room Exhausts Fan E4 08565 60 ;o:54 262X-20204 Emeraencv Switchaear Rm Cooler 8 OC8778 120 > 54 262X-20104 Emeraencv Switchaear Rm Cooler A OC877A 120 ;o: 54 (continued)

SUSQUEHANNA - UNIT 1 3.8-35

Rev. 10 AC Sources - Operating B 3.8.1 TABLE B 3.8.1-1 (page 2 of 2)

UNIT 1 AND UNIT 2 LOAD TIMERS NOMINAL DEVICE SETTING ALLOWABLE VALUE TAG NO. SYSTEM LOADING TIMER LOCATION (seconds) (seconds) 62X-546 DG Rm Exh Fan D OB546 120 ;:,,54 62X-536 DG Rm Exh Fan C OB536 120 ;:,, 54 62X-526 DG Rm Exh Fan B OB526 120 ;:,, 54:

62X-516 DG Rm Exh Fan A OB516 120 ;:,,54 CRX-5652A DG Room Supply Fans E1 and E2 OB565 120 ;:,,54 62X2-20410 Control Structure Chilled Water System OC876B 180 ;:,,54 62)(1-20304 Control Structure Chilled Water System OC877A 180 ;:,,54 62X2-20310 Control Structure Chilled Water System OC876A 180 ;:,,54 62X1-20404 Control Structure Chilled Water System OC877B 180 ;:,,54 62X2-20304 Control Structure Chilled Water System OC877A 210 ;:,,54 62X2-20404 Control Structure Chilled Water System OC877B 210 ;:,, 54 Emergency Switchgear Rm Cooling 62X-K11BB 2CB250B 260 ;:,,54 Compressor B Emergency Switchgear Rm Cooling 62X-K11AB 2CB250A 260 ;:,,54 Comoressor A SUSQUEHANNA - UNIT 1 3.8-36

Rev. 10 AC Sources - Operating B 3.8.1 THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.8-37

Rev. 1 AC Sources-Shutdown B 3.8.2 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.2 AC Sources-Shutdown BASES BACKGROUND A description of the AC sources is provided in the Bases for LCO 3.8.1, "AC Sources-Operating."

APPLICABLE The OPERABILITY of the minimum AC sources during MODES 4 and 5 SAFETY ANALYSES and during movement of irradiated fuel assemblies ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate AC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

In general, when the unit is shut down the Technical Specifications requirements ensure that the unit has the capability to mitigate the consequences of postulated accidents. However, assuming a single failure and concurrent loss of all offsite or loss of all onsite power is not required. The rationale for this is based on the fact that many Design Basis Accidents (DBAs) that are analyzed in MODES 1, 2, and 3 have no specific analyses in MODES 4 and 5. Worst case bounding events are deemed not credible in MODES 4 and 5 because the energy contained within the reactor pressure boundary, reactor coolant temperature and pressure, and corresponding stresses result in the probabilities of occurrences significantly reduced or eliminated, and minimal consequences. These deviations from OBA analysis assumptions and design requirements during shutdown conditions are allowed by the LCO for required systems.

The Safety Analysis for Unit 2 assumes the OPERABILITY of some equipment that receives power from Unit 1 AC Sources.

Therefore, Unit 2 Technical Specifications establish requirements for the OPERABILITY of the DG(s) and qualified offsite circuits needed to support the Unit 1 onsite Class 1E AC electrical power distribution (continued)

SUSQUEHANNA - UNIT 1 3.8-38

Rev.1 AC Sources-Shutdown B 3.8.2 BASES APPLICABLE subsystem(s) required by Unit 2 LCO 3.8.8, Distribution Systems-SAFETY ANALYSES Shutdown.

(continued)

During MODES 1, 2, and 3, various deviations from the analysis assumptions and design requirements are allowed within the ACTIONS.

This allowance is in recognition that certain testing and maintenance activities must be conducted, provided an acceptable level of risk is not exceeded. During MODES 4 and 5, performance of a significant number of required testing and maintenance activities is also required. In MODES 4 and 5, the activities are generally planned and administratively controlled. Relaxations from typical MODES 1, 2, and 3 LCO requirements are acceptable during shutdown MODES, based on:

a. The fact that time in an outage is limited. This is a risk prudent goal as well as a utility economic consideration.

b. Requiring appropriate compensatory measures for certain conditions. These may include administrative controls, reliance on systems that do not necessarily meet typical design requirements applied to systems credited in operation MODE analyses, or both.

c. Prudent utility consideration of the risk associated with multiple activities that could affect multiple systems.

d. Maintaining, to the extent practical, the ability to perform required functions (even if not meeting MODES 1, 2, and 3 OPERABILITY requirements) with systems assumed to function during an event.

In the event of an accident during shutdown, this LCO ensures the capability of supporting systems necessary for avoiding immediate difficulty, assuming either a loss of all offsite power or a loss of all onsite (diesel generator (DG)) power.

The AC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 1).

LCO One offsite circuit capable of supplying the onsite Class 1E power distribution subsystem(s) of LCO 3.8.8, "Distribution Systems-Shutdown," ensures that all required loads are powered from offsite power. An OPERABLE DG, associated with a Distribution System Engineered Safeguards System (ESS) bus required OPERABLE by (continued)

SUSQUEHANNA - UNIT 1 3.8-39

Rev. 1 AC Sources-Shutdown B 3.8.2 BASES (continued)

LCO LCO 3.8.8, ensures that a diverse power source is available for providing (continued) electrical power support assuming a loss of the offsite circuit. Together, OPERABILITY of the required offsite circuit and DG ensures the availability of sufficient AC sources to operate the plant in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

The qualified offsite circuit(s) must be capable of maintaining rated frequency and voltage while connected to their respective ESS bus(es),

and of accepting required loads during an accident. Qualified offsite circuits are those that are described in the FSAR and are part of the licensing basis for the unit. An offsite circuit includes all breakers, transformers, switches, automatic tap changers, interrupting devices, cabling, and controls required to transmit power from the offsite transmission network to the onsite Class 1E ESS bus or buses. The offsite circuit consists of the incoming breaker and disconnect to startup transformers (ST) No. 1O and ST No. 20 and the respective circuit path including feeder breakers to the four 4.16 kV ESS buses (A, B, C and D) for both Unit 1 and Unit 2. A detailed description of the offsite power network and circuits to the onsite Class 1E ESS buses is found in the FSAR, Section 8.2.

The required DG must be capable of starting, accelerating to rated speed and voltage, connecting to its respective ESS bus on detection of bus undervoltage, and capable of accepting required loads. This sequence must be accomplished within 1O seconds. Each DG must also be capable of accepting required loads within the assumed loading sequence intervals, and must continue to operate until offsite power can be restored to the ESS buses. These capabilities are required to be met from a variety of initial conditions such as DG in standby with engine hot. Additional DG capabilities must be demonstrated to meet required Surveillances, e.g., capability of the DG to revert to standby status on an ECCS signal while operating in parallel test mode.

Proper sequencing of loads, including tripping of nonessential loads, is a required function for DG OPERABILITY. In addition, proper sequence operation is an integral part of offsite circuit OPERABILITY since its inoperability impacts the ability to start and maintain energized loads required OPERABLE by LCO 3.8.8.

(continued)

SUSQUEHANNA - UNIT 1 3.8-40

Rev. 1 AC Sources-Shutdown B 3.8.2 BASES APPLICABILITY The AC sources are required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment to provide assurance that:

a. Systems that provide core cooling are available;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

AC power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.1.

ACTIONS The ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. If moving irradiated fuel assemblies while in MODE 4 or 5, LCO 3.0.3 would not specify any action. If moving irradiated fuel assemblies while in MODE 1, 2, or 3, the fuel movement is independent of reactor operations.

With one or more required AC Sources (DGs or 4.16 kV ESS buses) inoperable, the remaining required sources may be capable of supporting sufficient required features (e.g., system, subsystem, divisions, component or device), to allow continuation of CORE ALTERATIONS and fuel movement. For example, if two or more 4 kV emergency buses are required per LCO 3.8.8, one 4.16 kV emergency bus with offsite I.

power available may be capable of supporting sufficient required features. Therefore, the option provided by Required Action A.1 to declare required features inoperable when not powered from an offsite source or not capable of being powered by the required DG recognizes that appropriate restrictions will be required by ACTIONS in the LCO for the affected feature(s).

(continued)

SUSQUEHANNA - UNIT 1 3.8-41

Rev. 1 AC Sources-Shutdown B 3.8.2 BASES ACTIONS A.2.1, and A.2.2, and A.2.3 (continued)

With one.or more required AC Sources inoperable, the option exists in ACTION A.1 to declare all affected features inoperable. Since this option may involve undesired administrative efforts, the allowance for sufficiently conservative actions is made. With one or more required AC Sources inoperable, the minimum required diversity of AC power sources is not available. It is, therefore, required to suspend CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment.

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC sources and to continue this action until restoration is accomplished in order to provide the necessary AC power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required AC electrical power sources should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

Because of the allowance provided by LCO 3.0.6, the Distribution System ACTIONS would not be entered even if all AC sources to it are inoperable, resulting in de-energization. Therefore, the Required Actions of Condition A have been modified by a Note to indicate that when Condition A is entered with no AC power to any required ESS bus, ACTIONS for LCO 3.8.8 must be immediately entered. This Note allows Condition A to provide requirements for the loss of the offsite circuit whether or not a 4.16 kV ESS bus is de-energized. LCO 3.8.8 provides the appropriate restrictions for the situation involving a de-energized 4.16 kV ESS bus.

(continued)

SUSQUEHANNA - UNIT 1 3.8-42

Rev.1 AC Sources-Shutdown B 3.8.2 BASES SURVEILLANCE SR 3.8.2.1 REQUIREMENTS SR 3.8.2.1 requires the SRs from LCO 3.8.1 that are necessary for ensuring the OPERABILITY of the AC sources in other than MODES 1, 2, and 3. SR 3.8.1.8 is not required to be met since only one offsite circuit is required to be OPERABLE. SR 3.8.1.17 is not required to be met because the required OPERABLE DG(s) is not required to undergo periods of being synchronized to the offsite circuit. SR 3.8.1.20 is excepted because starting independence is not required with the DGs that are not required to be OPERABLE. Refer to the corresponding Bases for LCO 3.8.1 for a discussion of each SR.

This SR is modified by a Note that specified SRs must be met but are not required to be performed. The reason for the Note is to preclude requiring the OPERABLE DG(s) from being paralleled with the offsite power network or otherwise rendered inoperable during the performance of SRs, and to preclude de-energizing a required 4.16 kV ESS bus or disconnecting a required offsite circuit during performance of SRs. With limited AC sources available, a single event could compromise both the required circuit and the DG.

It is the intent that these SRs must still be capable of being met, but actual performance is not required during periods when the DG and offsite circuit is required to be OPERABLE.

REFERENCES 1. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

(continued)

SUSQUEHANNA - UNIT 1 3.8-43

Rev. 1 AC Sources-Shutdown B 3.8.2 BASES THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.8-44

Rev.2 DC Sources-Shutdown B 3.8.5 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.5 DC Sources-Shutdown BASES BACKGROUND A description of the DC sources is provided in the Bases for LCO 3.8.4, "DC Sources-Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses in SAFETY ANALYSES the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume that Engineered Safety Feature systems are OPERABLE. The DC electrical power system provides normal and emergency DC electrical power for the diesel generators (DGs), emergency auxiliaries, and control and switching during all MODES of operation.

The OPERABILITY of the DC subsystems is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

"The OPERABILITY of the minimum DC electrical power sources during MODES 4 and 5 and during movement of irradiated fuel assemblies ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate DC electrical power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

LCO 3.8.5 is normally satisfied by maintaining the OPERABILITY of all Division I or all Division II DC sources listed in Table 3.8.4-1 and the Diesel Generator E battery bank. However, any combination of DC sources that maintain OPERABILITY of equipment required by Technical Specifications may be used to satisfy this LCO. The DC sources satisfy Criterion 3 of the NRC Policy Statement (Ref. 3).

(continued)

SUSQUEHANNA - UNIT 1 3.8-66

Rev.2 DC Sources-Shutdown B 3.8.5 BASES LCO The DC electrical power subsystems are required to be OPERABLE as needed to support required DC distribution subsystems required OPERABLE by LCO 3.8.8, "Distribution Systems-Shutdown." This requirement ensures the availability of sufficient DC electrical power sources to operate the unit in a safe manner and to mitigate the consequences of postulated events during shutdown (e.g., fuel handling accidents).

The DC electrical power subsystems consist of the following:

a) each Unit 1 DC electrical power subsystem identified in Table 3.8.4-1 including a 125 volt or 250 volt DC battery bank in parallel with a battery charger and the corresponding control equipment and interconnecting cabling supplying power to the associated bus; and, b) the Diesel Generator E DC electrical power subsystem identified in Table 3.8.4-1 including a 125 volt DC battery bank in parallel with a battery charger and the corresponding control equipment and interconnecting cabling supplying power to the associated bus.

APPLICABILITY The DC electrical power sources required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Required features to provide core cooling are available;

b. Required features needed to mitigate a fuel handling accident are available;

c. Required features necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The DC electrical power requirements for MODES 1, 2, and 3 are covered in LCO 3.8.4.

(continued)

SUSQUEHANNA - UNIT 1 3.8-67

Rev.2 DC Sources-Shutdown B 3.8.5 BASES ACTIONS The ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. This is acceptable because LCO 3.0.3 would not specify any additional actions while in MODE 4 or 5 and moving irradiated fuel assemblies.

A.1, A.2.1, A.2.2, and A.2.3 If more than one Unit 1 DC distribution subsystem is required according to LCO 3.8.8, the remaining operable Unit 1 DC subsystems may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. Therefore, the option is provided to declare required features with associated DC power sources inoperable which ensures that appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS.

In many instances, this option may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is made (i.e., to suspend CORE ALTERATIONS and movement of irradiated fuel assemblies). Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition. These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required Unit 1 DC electrical power subsystems and to continue this action until restoration is accomplished in order to provide the necessary DC electrical power to the plant safety systems.

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required DC electrical power subsystems should be completed as quickly as possible in order to minimize the time during which the plant safety systems may be without sufficient power.

Condition A is modified by a Note that states that Condition A is not applicable to the DG E DC electrical power subsystem. Condition B or C is applicable to an inoperable DG E DC electrical power subsystem.

If Diesel Generator E is not aligned to the class 1E distribution system, the only supported safety function is for the ESW system. Therefore, under this condition, if Diesel Generator E DC power subsystem is not OPERABLE, to ensure the OPERABILITY of the ESW system, (continued)

SUSQUEHANNA - UNIT 1 3.8-68

Rev. 2 DC Sources-Shutdown B 3.8.5 BASES ACTIONS B.1 (continued)

(continued) actions are taken to restore the battery to OPERABLE status. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

limit is consistent with the allowed time for other inoperable DC sources that result in a loss ofsafety function and provides sufficient time to evaluate the condition of the battery and take the corrective actions.

If the Diesel Generator E is aligned to the class 1E distribution system, the loss of Diesel Generator E DC power subsystem will result in the loss of a on-site Class 1E power source. Therefore, under this condition, if Diesel Generator E DC power subsystem is not OPERABLE actions are taken to either restore the battery to OPERABLE status or declare Diesel Generator E inoperable and take Actions of LCO 3.8.2. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other DC sources that result in a loss of safety function and provides sufficient time to evaluate the condition of the battery and take the necessary corrective actions.

SURVEILLANCE SR 3.8.5.1 REQUIREMENTS SR 3.8.5.1 requires performance of all Surveillances required by SR 3.8.4.1 through SR 3.8.4.3. Therefore, see the corresponding Bases for LCO 3.8.4 for a discussion of each SR.

This SR is modified by a Note. The reason for the Note is to preclude requiring the OPERABLE DC sources from being discharged below their capability to provide the required power supply or otherwise rendered inoperable during the performance of SRs. It is the intent that these SRs must still be capable of being met, but actual performance is not required.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

(continued)

SUSQUEHANNA - UNIT 1 3.8-69

Rev.2 DC Sources-Shutdown B 3.8.'5 BASES THIS PAGE INTENTIONALLY LEFT BLANK SUSQUEHANNA - UNIT 1 3.8-70

Rev. 2 Distribution Systems-Shutdown B 3.8.8 B 3.8 ELECTRICAL POWER SYSTEMS B 3.8.8 Distribution Systems-Shutdown BASES BACKGROUND A description of the AC and DC electrical power distribution system is provided in the Bases for LCO 3.8.7, "Distribution Systems-Operating."

APPLICABLE The initial conditions of Design Basis Accident and transient analyses in SAFETY ANALYSES the FSAR, Chapter 6 (Ref. 1) and Chapter 15 (Ref. 2), assume Engineered Safety Feature (ESF) systems are OPERABLE. The AC and DC electrical power distribution systems and the DG E DC electrical power distribution subsystem are designed to provide sufficient capacity, capability, redundancy, and reliability to ensure the availability of necessary power to ESF systems so that the fuel, Reactor Coolant System, and containment design limits are not exceeded.

The OPERABILITY of the AC and DC electrical power distribution system is consistent with the initial assumptions of the accident analyses and the requirements for the supported systems' OPERABILITY.

The OPERABILITY of the minimum AC and DC electrical power sources and associated power distribution subsystems during MODES 4 and 5, and during movement of irradiated fuel assemblies in the secondary containment ensures that:

a. The facility can be maintained in the shutdown or refueling condition for extended periods;

b. Sufficient instrumentation and control capability is available for monitoring and maintaining the unit status; and

c. Adequate power is provided to mitigate events postulated during shutdown, such as a fuel handling accident.

LCO 3.8.8 is normally satisfied by maintaining the OPERABILITY of all Division I or all Division II DC distribution subsystems listed in Table 3.8.7-1 and the diesel generator E distribution subsystem. However, any combination of DC distribution subsystems that maintain OPERABILITY of equipment required by Technical Specifications may be used to satisfy this LCO.

(continued)

SUSQUEHANNA - UNIT 1 3.8-86

Rev.2 Distribution Systems-Shutdown B 3.8.8 BASES APPLICABLE The AC and DC electrical power distribution systems satisfy Criterion 3 of SAFETY ANALYSES the NRC Policy Statement (Ref. 3).

(continued)

LCO Various combinations of subsystems, equipment, and components are required OPERABLE by other LCOs, depending on the specific plant condition. Implicit in those requirements is the required OPERABILITY of necessary support required features. This LCO explicitly requires energization of the portions of the electrical distribution system necessary to support OPERABILITY of Technical Specifications required systems, equipment, and components-both specifically addressed by their own LCO, and implicitly required by the definition of OPERABILITY.

Maintaining these portions of the distribution system energized ensures the availability of sufficient power to operate the plant in a safe manner to mitigate the consequences of postulated events during shutdown (e.g.,

fuel handling accidents). The AC and DC electrical power distribution subsystem is only considered inoperable when the subsystem is not energized to its proper voltage.

APPLICABILITY The AC and DC electrical power distribution subsystems required to be OPERABLE in MODES 4 and 5 and during movement of irradiated fuel assemblies in the secondary containment provide assurance that:

a. Systems that provide core cooling are available;

b. Systems needed to mitigate a fuel handling accident are available;

c. Systems necessary to mitigate the effects of events that can lead to core damage during shutdown are available; and

d. Instrumentation and control capability is available for monitoring and maintaining the unit in a cold shutdown condition or refueling condition.

The AC, DC ?nd DG E electrical power distribution subsystem requirements for MODES 1, 2, and 3 are covered in LCO 3.8.7.

(continued)

SUSQUEHANNA - UNIT 1 3.8-87

Rev. 2 Distribution Systems-Shutdown B 3.8.8 BASES ACTIONS The ACTIONS have been modified by a Note stating that LCO 3.0.3 is not applicable. This is acceptable because LCO 3.0.3 would not specify any additional Actions in MODE 4 or 5 moving irradiated fuel assemblies.

The Unit 1 AC and DC subsystems remaining OPERABLE with one or more Unit 1 AC and DC power sources inoperable may be capable of supporting sufficient required features to allow continuation of CORE ALTERATIONS and fuel movement. Therefore, the option is provided to decJare required features with associated power sources inoperable which ensures that appropriate restrictions are implemented in accordance with the affected system LCOs' ACTIONS.

Condition A is modified by a Note that states that Condition A is not applicable to the DG E DC electrical power subsystem. Condition B or C is applicable to an inoperable DG E DC electrical power subsystem.

A.2.1, A.2.2, A.2.3, and A.2.4 In many instances the option above may involve undesired administrative efforts. Therefore, the allowance for sufficiently conservative actions is

_made, (i.e., to suspend CORE ALTERATIONS and movement of irradiated fuel assemblies in the secondary containment).

Suspension of these activities shall not preclude completion of actions to establish a safe conservative condition.

These actions minimize the probability of the occurrence of postulated events. It is further required to immediately initiate action to restore the required AC and DC electrical power distribution subsystems and to continue this action until restoration is accomplished in order to provide the necessary power to the plant safety systems.

Required Actions A.2.1 through A.2.3 do not adequately address the concerns relating to coolant circulation and heat removal. Pursuant to LCO 3.0.6, the RHR-SDC ACTIONS would not be entered. Therefore, Required Action A.2.4 is provided to direct declaring RHR-SDC inoperable and not in operation, which results in taking all appropriate RHR-SDC ACTIONS.

(continued)

SUSQUEHANNA - UNIT 1 3.8-88

Rev. 2 Distribution Systems-Shutdown B 3.8.8 BASES ACTIONS A.2.1, A.2.2, A.2.3, and A.2.4 (continued)

(continued)

The Completion Time of immediately is consistent with the required times for actions requiring prompt attention. The restoration of the required distribution subsystems should be completed as quickly as possible in order to minimize the time the plant safety systems may be without power.

Required Action A.2 is modified by a Note. The Note ensures that appropriate remedial actions are taken, if necessary, if a required ECCS subsystem is rendered inoperable by the in operability of the electrical distribution subsystem. Pursuant to LCO 3.0.6, these actions are not required even when the associated LCO is not met. Therefore, the Note is added to require the proper actions be taken.

If Diesel Generator E is not aligned to the class 1E distribution system, the only supported safety function is the ESW system. Therefore, if Diesel Generator E DC power distribution subsystem is not OPERABLE, actions are taken to either restore the battery to OPERABLE status or shutdown Diesel Generator E and close the associated ESW valves to ensure the OPERABILITY of the ESW system. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit is consistent with the allowed time for other inoperable DC sources and provides sufficient time to evaluate the condition of the battery and take the corrective actions.

If Diesel Generator E is aligned to the class 1E distribution system, the loss of Diesel Generator E DC power distribution subsystem will result in the loss of a on-site Class 1E subsystem source. Therefore, if Diesel Generator E DC poWer subsystem is not OPERABLE actions are taken to either restore the battery to OPERABLE status or declare Diesel Generator E inoperable and take Actions of LCO 3.8.2. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months limit*

is consistent with the allowed time for other DC sources and provides sufficient time to evaluate the condition* of the battery and take the necessary corrective actions.

(continued)

SUSQUEHANNA - UNIT 1 3.8-89

Rev.2 Distribution Systems-Shutdown B 3.8.8 BASES SURVEILLANCE SR 3.8.8.1 REQUIREMENTS This Surveillance verifies that the AC and DC electrical power distribution subsystems are functioning properly, with the buses energized. The verification of proper voltage or indicated power availability on the buses ensures that the required power is readily available for motive as well as control functions for critical system loads connected to these buses. The Surveillance Frequency is controlled under the Surveillance Frequency Control Program.

REFERENCES 1. FSAR, Chapter 6.

2. FSAR, Chapter 15.

3. Final Policy Statement on Technical Specifications Improvements, July 22, 1993 (58 FR 39132).

SUSQUEHANNA - UNIT 1 3.8-90

Rev.2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 B 3.10 SPECIAL OPERATIONS B 3.10.1 lnservice Leak and Hydrostatic Testing Operation BASES BACKGROUND The purpose of this Special Operations LCO is to allow certain reactor coolant pressure tests to be performed in MODE 4 with temperatures as high as 212°F when operational conditions or the metallurgical characteristics of the reactor pressure vessel (RPV) require the pressure testing at temperatures > 200°F (normally corresponding to MODE 3) or to allow completing these reactor coolant pressure tests when the initial conditions do not require temperatures > 200°F. Furthermore, the purpose is to allow Qontinued performance of control rod scram time testing required by SR 3.1.4.1, SR 3.1.4.3 or SR 3.1.4.4 if reactor coolant temperatures exceed 200°F when the control rod scram time testing is initiated in conjunction with an inservice leak or hydrostatic test. These control rod scram time tests would be performed in accordance with LCO 3.10.4, "Single Control Rod Withdrawal - Cold Shutdown," during MODE 4 operation.

lnservice hydrostatic testing and system leakage pressure tests required by Section XI of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Ref. 1) are performed prior to the reactor going critical after a refueling outage. Recirculation pump operation and a water solid RPV (except for an air bubble for pressure control) are used to achieve the necessary temperatures and pressures required for these tests. The minimum temperatures (at the required pressures) allowed for these tests are determined from the RPV pressure and temperature (PIT) limits required by LCO 3.4.10, "Reactor Coolant System (RGS) Pressure and Temperature (PIT) Limits." These limits are conservatively based on the fracture toughness of the reactor vessel, taking into account anticipated vessel neutron fluence.

With increased reactor vessel fluence over time, the minimum allowable vessel temperature increases at a given pressure. Periodic updates to the RPV PIT limit curves are performed as necessary, based upon the results of analyses of irradiated surveillance specimens removed from the vessel.

Hydrostatic and leak testing may eventually be required with minimum reactor coolant temperatures> 200°F. However, even with required minimum reactor coolant temperatures < 200°F, maintaining RCS temperatures within a small band during the test can be impractical.

Removal of heat addition from recirculation pump operation and reactor core decay heat is coarsely controlled by control rod drive hydraulic system (continued)

SUSQUEHANNA - UNIT 1 3.10-1

Rev.2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES BACKGROUND flow and reactor water cleanup system non-regenerative heat exchanger (continued) operation. Test conditions are focused on maintaining a steady state pressure, and tightly limited temperature control poses an unnecessary burden on the operator and may not be achievable in certain instances.

The hydrostatic and RCS system leakage tests require increasing pressure to 1035 (+10, -0) psig. Scram time testing required by SR 3.1.4.1 and SR 3.1.4.4 requires reactor pressures> 800 psig.

Other testing may be performed in conjunction with the allowances for inservice leak or hydrostatic tests and control rod scram time tests.

APPLICABLE Allowing the reactor to be considered in MODE 4, when the reactor SAFETY coolant temperature is > 200°F, during, or as a consequence of ANALYSES hydrostatic or leak testing, or as a consequence of control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test, effectively provides an exception to MODE 3 requirements, including OPERABILITY of primary containment and the full complement of redundant Emergency Core Cooling Systems. Since the tests are performed nearly water solid, at low decay heat values, and near MODE 4 conditions, the stored energy in the reactor core will be very low. Under these conditions, the potential for failed fuel and a subsequent increase in coolant activity above the LCO 3.4.7, "RCS Specific Activity," limits are minimized. In addition, the secondary containment will be OPERABLE, in accordance with this Special Operations LCO, and will be capable of handling any airborne radioactivity or steam leaks that could occur during the performance of hydrostatic or leak testing. The required pressure testing conditions provide adequate assurance that the consequences of a steam leak will be conservatively bounded by the consequences of the postulated mai'n steam fine break outside of primary containment described in Reference 2. Therefore, these requirements will conservatively limit radiation releases to the environment.

In the unlikely event of any primary system leak that could result in draining the RPV, the reactor vessel would rapidly depressurize. The make-up capability required in MODE 4 by LCO 3.5.2, "Reactor Pressure Vessel (RPV)-Water Inventory Control," would be more than adequate to keep the RPV water level above the TAF under this low decay heat load condition. Small system leaks would be detected by leakage inspections before significant inventory loss occurred.

(continued)

SUSQUEHANNA - UNIT 1 3.10-2

Rev. 2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES APPLICABLE For the purposes of this test, the protection provided by normally SAFETY required MODE 4 applicable LCOs, in addition to the secondary ANALYSES containment requirements required to be met by this Special (continued) Operations LCO, will ensure acceptable consequences during normal hydrostatic test conditions and during postulated accident conditions.

As described in LCO 3.0.7, compliance with Special Operations LCOs is optional, and therefore, no criteria of the NRC Policy Statement apply. Special Operations LCOs provide flexibility to perform certain operations by appropriately modifying requirements of other LCOs. A discussion of the criteria satisfied for the other LCOs is provided in their respective Bases.

LCO As described in LCO 3.0. 7, compliance with this Special Operations .

LCO is optional. Operation at reactor coolant temperatures > 200°F but~ 212°F can be in accordance with Table 1.1-1 for MODE 3 operation without meeting this Special Operations LCO or its ACTIONS. This option may be required due to plant conditions or PIT limits, however, which require testing at temperatures> 200°F, while the ASME inservice test itself requires the safety/relief valves to be gagged, preventing their OPERABILITY. Additionally, even with required minimum reactor coolant temperatures < 200°F, RCS temperatures may drift above 200°F during the performance of inservice leak and hydrostatic testing or during subsequent control rod scram time testing, which is typically performed in conjunction with inservice leak and hydrostatic testing. While this Special Operations LCO is provided for inservice leak and hydrostatic testing, and for scram time testing initiated in conjunction with an inservice leak or hydrostatic test, parallel performance of other tests and inspections is not precluded.

If it is desired to perform these tests while complying with this Special Operations LCO, then the MODE 4 applicable LCOs and specified LCOs must be met. This Special Operations LCO allows changing Table 1.1-1 temperature limits for MODE 4 to "~ 212" and suspending the requirements of LCO 3.4.9, "Residual Heat Removal (RHR)

Shutdown Cooling System-Cold Shutdown." The additional requirements for secondary containment LCOs to be met will provide sufficient protection for operations at reactor coolant temperatures

> 200°F for the purpose of performing an inservice leak or hydrostatic test, and for control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test.

(continued)

SUSQUEHANNA- UNIT 1 3.10.:3

Rev.2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES LCO This LCO allows primary containment to be open for frequent (continued) unobstructed access to perform inspections, and for outage activities on various systems to continue consistent with the MODE 4 applicable requirements.

APPLICABLITY The MODE 4 requirements may only be modified for the performance of, or as a consequence of, inservice leak or hydrostatic tests, or as* a consequence of control rod scram time testing initiated in conjunction with an inservice leak or hydrostatic test, so that these operations can be *considered as in MODE 4, even though the reactor coolant temperature is> 200°F. The additional requirement for secondary containment OPERABILITY according to the imposed MODE 3 requirements provides conservatism in the response of the unit to any event that may occur. Operations in all other MODES are unaffected by this LCO.

ACTIONS A Note has been provided to modify the ACTIONS related to inservice leak and hydrostatic testing operation. Section 1.3, Completion Times, specifies that once a Condition has been entered, subsequent divisions, subsystems, components, or variables expressed in the Condition discovered to be inoperable or not within limits, will not result in separate entry into the Condition. Section 1.3 also specifies that Required Actions of the Condition continue to apply for each additional failure, with Completion Times based on initial entry into the Condition. However, the Required Actions for each requirement of the LCO not met provide appropriate compensatory measures for separate requirements that are not met. As such, a Note has been provided that allows separate Condition entry for each requirement of the LCO.

If an LCO specified in LCO 3.10.1 is not met, the ACTIONS applicable to the stated requirements are entered immediately and complied with. Required Action A.1 has been modified by a Note that clarifies the intent of another LCO's Required Action to be in MODE 4 includes reducing the average reactor coolant temperature to

~ 200°F.

(continued)

SUSQUEHANNA - UNIT 1 3.10-4

Rev.2 lnservice Leak and Hydrostatic Testing Operation B 3.10.1 BASES ACTIONS A.2.1 and A.2.2 (continued)

Required Action A.2.1 and Required Action A.2.2 are alternate Required Actions that can b!3 taken instead of Required Action A.1 to restore compliance with the normal MODE 4 requirements, and thereby exit this Special Operation LCO's Applicability. Activities that could further increase reactor coolant temperature or pressure are suspended immediately, in accordance with Required Action A.2.1, and the reactor coolant temperature is reduced to establish normal MODE 4 requirements. The allowed Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for Required Action A.2.2 is based on engineering judgment and provides sufficient ti.me to reduce the average reactor coolant temperature from the highest expected value to~ 200°F with normal cooldown procedures. The Completion Time is also consistent with the time provided in LCO 3.0.3 to reach MODE 4 from MODE 3.

SURVEILLANCE SR 3.10.1.1 REQUIREMENTS The LCOs made applicable are required to have their Surveillances met to establish that this LCO is being met. A discussion of the applicable SRs is provided in their respective Bases.

REFERENCES 1. American Society of Mechanical Engineers, Boiler and Pressure Vessel Code, Section XI.

2. FSAR, Section 15.6.4.

SUSQUEHANNA- UNIT 1 3.10-5

ML19078A210

Text

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title:

Title: